
Mesos master and agent permissions

Enterprise DC/OS Preview Updated: February 10, 2017

About Mesos master and agent permissions

The Mesos master and agent permissions provide very fine-grained controls and are available only in the strict security mode. In any other security mode, these permissions will be ignored.

Master permissions

The master permissions protect objects and data accessible from the Mesos master nodes.

Resource: dcos:mesos:master:endpoint:path[:path]
Action: read
Grants a user permission to access particular Mesos endpoints that are not otherwise protected. The full list follows:
/logging/toggle
/metrics/snapshot
/files/debug
Resource: dcos:mesos:master:executor:app_id[:service-or-job-group]
Action: read
Grants a user permission to view information about executors running in any service/job group or within a specified service/job group. See the Apache Mesos documentation for more information about executors.
Important: When referencing a job group in a user service permission, you use . as a separator and do not include a prefatory separator. To reference a job group in a Mesos permission, you must use / as a separator and include a prefatory separator.
Examples:
dcos:mesos:master:executor:app_id can view information about executors running in any service or job group.
dcos:mesos:master:executor:app_id:/dev/tweeter can view information about executors running in the /dev/tweeter job/service group or any of its subdirectories.
Resource: dcos:mesos:master:flags
Action: read
Grants a user permission to view every master’s flag configuration. See the Apache Mesos documentation for more information.
Resource: dcos:mesos:master:framework:principal[:service_account_id]
Action: delete
Grants a user permission to tear down a framework that was registered under the specified service account ID. This may be necessary in situations where the framework fails to clean up after itself, such as after an irrecoverable scheduler crash.
Examples:
dcos:mesos:master:framework:principal can tear down frameworks registered under any service account ID.
dcos:mesos:master:framework:principal:my_service can tear down a framework that registered using the my_service service account ID.
Resource: dcos:mesos:master:framework:role[:role_name]
Action: create
Grants a service account permission to register as a Mesos framework (called a ‘scheduler service’ in DC/OS) with a specific Mesos role or with any role. See the Apache Mesos documentation for more information about roles.
Examples:
dcos:mesos:master:framework:role can register with any role.
dcos:mesos:master:framework:role:* can register with the Mesos default role.
dcos:mesos:master:framework:role:hdfs can register a service under the hdfs role.
Resource: dcos:mesos:master:log
Action: read
Grants a user permission to read or download the Mesos master log. See the Apache Mesos documentation for more information.
Resource: dcos:mesos:master:quota:role[:role_name]
Action: read, update
Grants a user permission to read or update the resource quota for a specific Mesos role or any role. See the Apache Mesos documentation for more information about quotas.
Examples:
dcos:mesos:master:quota:role can read or update the resource quota of any role.
dcos:mesos:master:quota:role:kafka can read or update the resource quota of the service registered with the kafka role.
Resource: dcos:mesos:master:reservation:principal[:service_account_id]
Action: delete
Grants a user or service account permission to unreserve resources that were reserved by the given principal, i.e., service account. This may be necessary in situations where the framework fails to clean up after itself, such as after an irrecoverable scheduler crash. See the Apache Mesos documentation for more information about reservations.
Examples:
dcos:mesos:master:reservation:principal can unreserve resources reserved by any principal, i.e., service account.
dcos:mesos:master:reservation:principal:my_service can unreserve resources reserved by the my_service principal, i.e., service account.
Resource: dcos:mesos:master:reservation:role[:role_name]
Action: create
Grants a user or service account permission to create a reservation for the given Mesos role. See the Apache Mesos documentation for more information about reservations.
Examples:
dcos:mesos:master:reservation:role can create a reservation for any role.
dcos:mesos:master:reservation:role:cassandra can create a reservation for a service registered with the cassandra role.
Resource: dcos:mesos:master:task:app_id[:service-or-job-group]
Action: create
Grants a service account permission to execute tasks in any service/job group or within a specified service/job group.
Important: When referencing a job group in a user service permission, you use . as a separator and do not include a prefatory separator. To reference a job group in a Mesos permission, you must use / as a separator and include a prefatory separator.
Examples:
dcos:mesos:master:task:app_id can execute tasks in any service or job group.
dcos:mesos:master:task:app_id:/dev/tweeter can execute tasks in the /dev/tweeter job/service group or any of its subdirectories.
Resource: dcos:mesos:master:task:user[:linux_user_name]
Action: create
Grants a service account permission to run tasks as a specified Linux user. See the following for some examples:
dcos:mesos:master:task:user can run tasks as any Linux user.
dcos:mesos:master:task:user:root can run tasks as the root Linux user.
Resource: dcos:mesos:master:volume:principal[:service_account_id]
Action: delete
Grants a user or service account permission to destroy a volume. You can optionally specify the ID of the service account used to create the volume to restrict this permission further. This may be necessary in situations where the framework fails to clean up after itself, such as after an irrecoverable scheduler crash.
Examples:
dcos:mesos:master:volume:principal can destroy a volume created by any service or user.
dcos:mesos:master:volume:principal:my_service can destroy a volume created by the my_service service account.
Resource: dcos:mesos:master:volume:role[:role_name]
Action: create
Grants a user or service account permission to create a volume for the given Mesos role.
Examples:
dcos:mesos:master:volume:role can create a volume for any role.
dcos:mesos:master:volume:role:hdfs can create a volume for a service registered with the hdfs role.
Resource: dcos:mesos:master:weight:role[:role_name]
Action: read, update
Grants a user permission to read or update the weight for a given Mesos role. See the Apache Mesos documentation for more information about weights.
Examples:
dcos:mesos:master:weight:role can read or update the weight of any role.
dcos:mesos:master:weight:role:arangodb3 can read or update the weight for a service registered with the arangodb3 role.

Agent permissions

The agent permissions protect objects and data accessible from the Mesos agent nodes.

Resource: dcos:mesos:agent:endpoint:path[:endpoint]
Action: read
Grants a user permission to access particular Mesos endpoints that are not otherwise protected.
Examples:
dcos:mesos:agent:endpoint:path grants access to the /logging/toggle, /metrics/snapshot, /files/debug, /containers, and /monitor/statistics endpoints on agents.
dcos:mesos:agent:endpoint:path:/logging/toggle grants access to the /logging/toggle endpoint.
dcos:mesos:agent:endpoint:path:/metrics/snapshot grants access to the /metrics/snapshot endpoint.
dcos:mesos:agent:endpoint:path:/files/debug grants access to the /files/debug endpoint.
dcos:mesos:agent:endpoint:path:/containers grants access to the /containers endpoint.
dcos:mesos:agent:endpoint:path:/monitor/statistics grants access to the /monitor/statistics endpoint.
Resource: dcos:mesos:agent:executor:app_id[:service-or-job-group]
Action: read
Grants a user permission to view information about executors running in any service/job group or within a specified service/job group. See the Apache Mesos documentation for more information about executors.
Important: When referencing a job group in a user service permission, you use . as a separator and do not include a prefatory separator. To reference a job group in a Mesos permission, you must use / as a separator and include a prefatory separator.
Examples:
dcos:mesos:agent:executor:app_id can view information about executors running in any service or job group.
dcos:mesos:agent:executor:app_id:/dev/tweeter can view information about executors running in the /dev/tweeter job/service group or any of its subdirectories.
Resource: dcos:mesos:agent:flags
Action: read
Grants a user permission to view every agent’s flag configuration. See the Apache Mesos documentation for more information.
Resource: dcos:mesos:agent:framework:role[:role_name]
Action: read
Grants a user permission to view information about frameworks (called ‘scheduler services’ in DC/OS) registered with a particular role, as well as their tasks, if the framework does not support app_id namespaces, i.e., service/job groups.
Examples:
dcos:mesos:agent:framework:role can view information about any service.
dcos:mesos:agent:framework:role:* can view information about services registered with the Mesos default role.
dcos:mesos:agent:framework:role:hdfs can view information about services registered under the hdfs role.
Resource: dcos:mesos:agent:log
Action: read
Grants a user permission to read or download the Mesos agent log. See the Apache Mesos documentation for more information.
Resource: dcos:mesos:agent:sandbox:app_id[:service-or-job-group]
Action: read
Grants a user permission to browse the sandbox and view logs of tasks running in any service/job group or within a specified service/job group.
Important: When referencing a job group in a user service permission, you use . as a separator and do not include a prefatory separator. To reference a job group in a Mesos permission, you must use / as a separator and include a prefatory separator.
Examples:
dcos:mesos:agent:sandbox:app_id can browse the sandbox and view the logs of tasks running in any service or job group.
dcos:mesos:agent:sandbox:app_id:/dev/tweeter can browse the sandbox and view the logs of tasks running in the /dev/tweeter job/service group or any of its subdirectories.
Resource: dcos:mesos:agent:task:app_id[:service-or-job-group]
Action: read
Grants a user permission to view information about tasks running in any service/job group or within a specified service/job group.
Important: When referencing a job group in a user service permission, you use . as a separator and do not include a prefatory separator. To reference a job group in a Mesos permission, you must use / as a separator and include a prefatory separator.
Examples:
dcos:mesos:agent:task:app_id can view information about tasks running in any service or job group.
dcos:mesos:agent:task:app_id:/dev/tweeter can view information about tasks running in the /dev/tweeter job/service group or any of its subdirectories.
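The following is an added example, not code from the DC/OS documentation or product: a small Python checker that models the matching rules this page states for both master and agent permissions, namely that an omitted optional qualifier covers every object of that kind, that an app_id qualifier covers the named service/job group and all of its subgroups, and that the user-service group form (dev.tweeter) and the Mesos form (/dev/tweeter) differ only in separator. The BASES table is taken from the resources listed above; the function names and the exact-match treatment of non-group qualifiers (role names, including the literal * default role) are this example's own assumptions.

```python
from typing import Optional, Tuple

# Resource bases listed on this page, by node type; the trailing qualifier is optional.
BASES = {
    "master": ["endpoint:path", "executor:app_id", "flags", "framework:principal",
               "framework:role", "log", "quota:role", "reservation:principal",
               "reservation:role", "task:app_id", "task:user", "volume:principal",
               "volume:role", "weight:role"],
    "agent": ["endpoint:path", "executor:app_id", "flags", "framework:role",
              "log", "sandbox:app_id", "task:app_id"],
}
# Qualifiers that are service/job-group paths; they cover the group and its subgroups.
GROUP_BASES = {"executor:app_id", "task:app_id", "sandbox:app_id"}

def to_mesos_group(group: str) -> str:
    """Normalise a group to the Mesos form (leading '/', '/' separators).
    Both 'dev.tweeter' (user-service form) and '/dev/tweeter' give '/dev/tweeter'."""
    if group.startswith("/"):
        return "/" + group.strip("/")
    return "/" + group.replace(".", "/")

def split_resource(resource: str) -> Tuple[str, Optional[str]]:
    """Split 'dcos:mesos:<node>:<base>[:qualifier]' into ('<node>:<base>', qualifier)."""
    parts = resource.split(":", 3)
    if len(parts) < 4 or parts[:2] != ["dcos", "mesos"] or parts[2] not in BASES:
        raise ValueError(f"not a Mesos permission resource: {resource!r}")
    node, rest = parts[2], parts[3]
    for base in BASES[node]:
        if rest == base:
            return f"{node}:{base}", None
        if rest.startswith(base + ":"):
            return f"{node}:{base}", rest[len(base) + 1:]
    raise ValueError(f"unknown {node} resource: {rest!r}")

def grants(permission: str, action: str, resource: str, wanted: str) -> bool:
    """True if `permission` with `action` covers performing `wanted` on `resource`."""
    if action != wanted:
        return False
    base, qual = split_resource(permission)
    target_base, target_qual = split_resource(resource)
    if base != target_base:
        return False
    if qual is None:            # qualifier omitted: any object of that kind
        return True
    if target_qual is None:     # a qualified grant never covers "all objects"
        return False
    if base.split(":", 1)[1] in GROUP_BASES:
        have, want = to_mesos_group(qual), to_mesos_group(target_qual)
        return want == have or want.startswith(have.rstrip("/") + "/")
    return qual == target_qual  # role names etc.; '*' is the literal default role
```

When reviewing a grant, run the specific permission a user holds against the concrete resource and action they are attempting; a qualified grant on /dev/tweeter should pass for /dev/tweeter/api and fail for /dev/tweeterx.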