
The Admin Router enforces its permissions in all security modes. These coarse-grained permissions often affect access to services started by systemd. They also control access to specific tabs of the DC/OS web interface.

The following tables identify and discuss each of the Admin Router permissions.

| Resource | Action |
|----------|--------|
| `dcos:adminrouter:ops:ca:ro` | full |

Grants a user access to the read-only endpoints of the DC/OS Certificate Authority API and the read-only `dcos security cluster ca` commands of the Enterprise DC/OS CLI.
| Resource | Action |
|----------|--------|
| `dcos:adminrouter:ops:ca:rw` | full |

Grants a user access to all endpoints of the DC/OS Certificate Authority API and all of the `dcos security cluster ca` commands of the Enterprise DC/OS CLI.
| Resource | Action |
|----------|--------|
| `dcos:adminrouter:ops:exhibitor` | full |

Grants a user access to the Exhibitor UI/API. This will allow them to remove ZooKeeper state after uninstalling a service.
| Resource | Action |
|----------|--------|
| `dcos:adminrouter:ops:historyservice` | full |

Controls the ability to view the contents of the Dashboard and Nodes tabs in the DC/OS web interface. This permission also controls access to the History Service API, which gives a user read-only access to all task information across the cluster, so it should be granted with care.
| Resource | Action |
|----------|--------|
| `dcos:adminrouter:ops:mesos` | full |

Allows access to:

- Mesos master UI and API: in disabled and permissive security modes, the user can view basic information about any task. While the user cannot directly modify app definitions or kill tasks, they can shut down frameworks, set quota/weights/reservations/volumes, or register new Mesos frameworks. To restrict a user's access, you must upgrade to strict mode, where the additional Mesos permissions allow more granular controls.
- Tasks tab of the DC/OS web interface: allows a user read-only access. In disabled security mode, the user will be able to see the Tasks tab of any service. However, the user will need explicit user service permissions to view the Tasks tab of jobs. In permissive security mode, the user will also need user service permissions to view the Tasks tab. In strict security mode, the user will also need Mesos permissions to view the Tasks tab.
- `dcos task` command of the DC/OS CLI: allows you to list tasks and retrieve task information such as sandbox data.
| Resource | Action |
|----------|--------|
| `dcos:adminrouter:ops:mesos-dns` | full |

Controls access to the Mesos DNS API. This permission does not affect any part of the DC/OS web interface, nor does it control any set of DC/OS CLI commands.
| Resource | Action |
|----------|--------|
| `dcos:adminrouter:ops:metadata` | full |

Grants access to all of the following endpoints, each of which serves up a different metadata file:

- `/metadata`: DC/OS version, master IP address
- `/dcos-metadata/bootstrap-config.json`: security-related information such as the security mode of the cluster
- `/pkgpanda/active.buildinfo.full.json`: SHAs of the packages
| Resource | Action |
|----------|--------|
| `dcos:adminrouter:ops:networking` | full |

Grants access to network metrics from either the Networking tab of the DC/OS web interface or the Networking API.
| Resource | Action |
|----------|--------|
| `dcos:adminrouter:ops:slave` | full |

Allows access to:

- Mesos master UI and API: in disabled and permissive security modes, the user can view basic information about any task. While the user cannot directly modify app definitions or kill tasks, they can shut down frameworks, set quota/weights/reservations/volumes, or register new Mesos frameworks. To restrict a user's access, you must upgrade to strict mode, where the additional Mesos permissions allow more granular controls.
- Tasks tab of the DC/OS web interface: allows a user read-only access. In disabled security mode, the user will be able to see the Tasks tab of any service or job. In permissive security mode, the user will need user service permissions to view the Tasks tab. In strict security mode, the user will need Mesos permissions to view the Tasks tab.
- `dcos task` command of the DC/OS CLI: allows you to list tasks and retrieve task information such as sandbox data.
| Resource | Action |
|----------|--------|
| `dcos:adminrouter:ops:system-health` | full |

This permission controls access to the `hostname:1050/system/health/v1` endpoint, which is used to populate the component health page of the web interface.
| Resource | Action |
|----------|--------|
| `dcos:adminrouter:package` | full |

Provides access to packages and package repos from the Universe tab of the DC/OS web interface, the `dcos package` commands of the DC/OS CLI, and the Cosmos API. Toggles the view of the Universe tab in the DC/OS web interface on and off. Users with this permission should be highly trusted. Not only can such users install any package, they can change the location of the Universe. A bad actor with this permission could point to a repo containing malware or other malicious executables.
| Resource | Action |
|----------|--------|
| `dcos:adminrouter:service:marathon` | full |

Controls the ability to access the native Marathon instance via:

- The Services tab of the DC/OS web interface. This permission toggles the view of the Services tab in the DC/OS web interface on and off.
- The `dcos marathon` commands of the DC/OS CLI.
- The Marathon REST API.

In disabled mode, this permission grants access not only to the native Marathon instance but also to the Marathon services. In permissive and strict modes, the user will need this permission as well as user service permissions to access the services.
| Resource | Action |
|----------|--------|
| `dcos:adminrouter:service:metronome` | full |

Controls the ability to access the Metronome instance via:

- The Jobs tab of the DC/OS web interface. This permission toggles the view of the Jobs tab in the DC/OS web interface on and off.
- The `dcos job` commands of the DC/OS CLI.
- The Metronome API.

In disabled mode, this permission grants access not only to the Metronome instance but also to the Metronome jobs. In permissive and strict modes, the user will need this permission as well as user service permissions to access the jobs.
| Resource | Action |
|----------|--------|
| `dcos:adminrouter:service:service-name` | full |

Controls the ability to access the UI or the API of a service at the following path: `http[s]://cluster-url/service/service-name`. The service must include the following in its app definition:

```json
"labels": {
    "DCOS_SERVICE_NAME": "service-name",
    "DCOS_SERVICE_PORT_INDEX": "0",
    "DCOS_SERVICE_SCHEME": "http"
}
```

Replace `service-name` in the permission string with the value provided for `"DCOS_SERVICE_NAME"` in the app definition.
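The mapping from an app definition's labels to the permission string and the proxied `/service/` path is easy to get wrong by hand, so here is an added helper that derives both from the app definition and refuses definitions Admin Router could not route. This is example code written for this page, not part of DC/OS or its CLI. The sample app definition, the `cluster.example` URL, and the rule that `DCOS_SERVICE_NAME` must be a single clean URL path segment are assumptions made for the example; the page only states which labels are required. The port-index range check is applied only when the app carries `portDefinitions`, since container port mappings are not inspected here.

```python
import json
from urllib.parse import quote

# Labels the page says a service must carry in its Marathon app definition.
REQUIRED_LABELS = ("DCOS_SERVICE_NAME", "DCOS_SERVICE_PORT_INDEX", "DCOS_SERVICE_SCHEME")

# Constructed sample app definition (example data, not from the page or a real cluster).
SAMPLE_APP = json.dumps({
    "id": "/example/dashboard",
    "cmd": "python3 -m http.server 8080",
    "portDefinitions": [{"port": 0, "protocol": "tcp", "name": "http"}],
    "labels": {
        "DCOS_SERVICE_NAME": "example-dashboard",
        "DCOS_SERVICE_PORT_INDEX": "0",
        "DCOS_SERVICE_SCHEME": "http",
    },
})


def missing_service_labels(app):
    """Return the DCOS_SERVICE_* labels absent from a parsed app definition."""
    labels = app.get("labels") or {}
    return [key for key in REQUIRED_LABELS if key not in labels]


def adminrouter_service_grant(app_json, cluster_url="https://cluster.example"):
    """Derive the Admin Router permission and proxied URL for a service.

    Returns a dict with the resource string, the action, the URL the
    permission gates and the scheme Admin Router will use towards the
    backend. Raises ValueError when the definition would not be routable.
    """
    app = json.loads(app_json)
    missing = missing_service_labels(app)
    if missing:
        raise ValueError(f"app definition lacks labels: {', '.join(missing)}")
    labels = app["labels"]

    name = labels["DCOS_SERVICE_NAME"]
    # Assumption (not stated on the page): the name becomes one path segment,
    # so an empty name or one containing '/', whitespace or other characters
    # that need percent-encoding is rejected instead of silently producing a
    # permission string for a different path than the one that will be served.
    if not name or quote(name, safe="") != name:
        raise ValueError(f"DCOS_SERVICE_NAME is not a single clean path segment: {name!r}")

    scheme = labels["DCOS_SERVICE_SCHEME"]
    if scheme not in ("http", "https"):
        raise ValueError(f"DCOS_SERVICE_SCHEME must be http or https, got {scheme!r}")

    try:
        port_index = int(labels["DCOS_SERVICE_PORT_INDEX"])
    except ValueError:
        raise ValueError("DCOS_SERVICE_PORT_INDEX must be an integer string") from None
    ports = app.get("portDefinitions") or []
    if ports and not 0 <= port_index < len(ports):
        raise ValueError(
            f"DCOS_SERVICE_PORT_INDEX {port_index} is out of range for "
            f"{len(ports)} port definition(s)"
        )

    return {
        "resource": f"dcos:adminrouter:service:{name}",
        "action": "full",
        "url": f"{cluster_url.rstrip('/')}/service/{name}",
        "backend_scheme": scheme,
    }


if __name__ == "__main__":
    print(json.dumps(adminrouter_service_grant(SAMPLE_APP), indent=2))
```

Run the file to print the grant derived for the sample app; feed it a real app definition (for example the JSON you pass to `dcos marathon app add`) to get the exact resource string to grant. Rejecting names that are not a single path segment is the check worth keeping: a permission string is only as useful as its agreement with the path Admin Router actually serves.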