
Tutorial – Setting Permissions for Services

Enterprise DC/OS Preview Updated: January 10, 2017

This tutorial demonstrates how to implement user permissions for DC/OS services in the permissive security mode. When you are done, each user will be able to see and manage only the services in their own Marathon group, which gives you basic multi-tenancy through DC/OS permissions.

Prerequisites:

Create users and groups

  1. Create service groups from the Services > Create Group tab of the DC/OS web interface. These are Marathon groups (folders in the Services tab), not the user groups you create later under Organization > Groups.

    In this example a group called prod-a and a group called prod-b are created. After the groups are created you should see two folders. This is where you will deploy services for the respective tenants, and the permission strings defined below are scoped to these folder paths.

  2. Create your users and groups and define the required permissions for each group.

    1. Select the System tab and then select Organization > Users.

    2. Select New User. In this example, two users are created (Cory and Nick).

      When you’re done you should see the two users.

      Next we will create the groups and assign permissions to the DC/OS services.

    3. Select the System tab and then select Organization > Groups.

    4. Select New Group. In this example, two groups are created:

      • prod-a group for managing the DC/OS services for user Cory.
      • prod-b group for managing the DC/OS services for user Nick.

Define the permissions

  1. Select the System tab and then select Organization > Groups.

  2. Select the prod-a group and select Add Permission. In this example, permissions are assigned to prod-a so that its members can deploy their own services.

  3. Select the Insert Permission String toggle to enter permissions in string format. Strings are case sensitive.

    All of the required permissions for each group are added here. These permissions allow the group's users to access the DC/OS cluster and deploy their own services from the Universe. The Marathon permission is scoped to the group's folder path, so each group can only see and manage its own DC/OS services in the Services tab; the ops:mesos and ops:slave permissions additionally give the group's users access to the Mesos master and agent endpoints.

  4. Add each of these permissions for the prod-a group.

    • dcos:adminrouter:service:marathon = full
    • dcos:service:marathon:marathon:services:/prod-a = full
    • dcos:adminrouter:ops:slave = full
    • dcos:adminrouter:ops:mesos = full
    • dcos:adminrouter:package = full

    Here’s what the permissions view should look like after adding:

  5. Add each of these permissions for the prod-b group.

    • dcos:adminrouter:service:marathon = full
    • dcos:service:marathon:marathon:services:/prod-b = full
    • dcos:adminrouter:ops:slave = full
    • dcos:adminrouter:ops:mesos = full
    • dcos:adminrouter:package = full

    Now that the permissions are assigned to the groups, add the users to their groups so they inherit them.

  6. Select the System tab and then select Organization > Users and select Cory.

  7. Select Group Membership, then place your cursor in the search box and select the prod-a group.

  8. Select the System tab and then select Organization > Users and select Nick.

  9. Select Group Membership, then place your cursor in the search box and select the prod-b group.
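The group, permission and membership steps above are easy to get wrong by hand (one missing string and the tenant either sees nothing or sees everything). The following script is an added example, not code from the DC/OS documentation: it drives the same steps through the IAM API so they are reviewable and repeatable. It assumes an Enterprise DC/OS cluster at DCOS_URL, a superuser token in DCOS_ACS_TOKEN, and that the users Cory and Nick already exist as created in step 2; the group description text is an assumption. Run without --apply to print the planned requests only.

```python
"""Automate the "Define the permissions" steps against the DC/OS IAM API.

Added example, not code from the DC/OS documentation. It assumes an Enterprise
DC/OS cluster reachable at DCOS_URL, a superuser token in DCOS_ACS_TOKEN, and
that the users (Cory, Nick) were already created as in the tutorial. Without
--apply it only prints the planned requests for review.
"""
import json
import os
import sys
import urllib.error
import urllib.request

# Cluster-wide permissions the tutorial grants to every tenant group.
SHARED_RIDS = [
    "dcos:adminrouter:service:marathon",
    "dcos:adminrouter:ops:slave",
    "dcos:adminrouter:ops:mesos",
    "dcos:adminrouter:package",
]

# User group -> (members, Marathon group the tenant owns), as in the tutorial.
TENANTS = {
    "prod-a": (["Cory"], "/prod-a"),
    "prod-b": (["Nick"], "/prod-b"),
}


def tenant_permissions(marathon_group):
    """Return the (resource id, action) pairs to grant to one tenant group."""
    if not (marathon_group.startswith("/") and len(marathon_group) > 1
            and "/" not in marathon_group[1:]):
        # Scoping to one top-level group is what keeps tenants apart; refuse
        # "/" (which would grant every service) and nested or relative paths.
        raise ValueError(f"expected a top-level Marathon group like /prod-a, got {marathon_group!r}")
    scoped = f"dcos:service:marathon:marathon:services:{marathon_group}"
    return [(rid, "full") for rid in SHARED_RIDS + [scoped]]


def encode_rid(rid):
    """Encode a resource id for use in an IAM API path.

    Slashes inside a resource id must be double URL-encoded (%252F); a plain
    "/" would be read as a path separator by Admin Router.
    """
    return rid.replace("/", "%252F")


def plan(tenants):
    """Build the ordered IAM requests as (method, path, json_body_or_None)."""
    requests = []
    for gid, (members, marathon_group) in tenants.items():
        requests.append(("PUT", f"/acs/api/v1/groups/{gid}", {"description": f"tenant {gid}"}))
        for rid, action in tenant_permissions(marathon_group):
            enc = encode_rid(rid)
            # An ACL for the resource must exist before an action can be granted on it.
            requests.append(("PUT", f"/acs/api/v1/acls/{enc}", {"description": rid}))
            requests.append(("PUT", f"/acs/api/v1/acls/{enc}/groups/{gid}/{action}", None))
        for uid in members:
            requests.append(("PUT", f"/acs/api/v1/groups/{gid}/users/{uid}", None))
    return requests


def apply(requests, dcos_url, token):
    """Send the planned requests; 409 (object already exists) is treated as success."""
    results = []
    for method, path, body in requests:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            dcos_url.rstrip("/") + path,
            data=data,
            method=method,
            headers={"Authorization": f"token={token}", "Content-Type": "application/json"},
        )
        try:
            with urllib.request.urlopen(req) as resp:
                results.append((path, resp.status))
        except urllib.error.HTTPError as err:
            if err.code != 409:
                raise
            results.append((path, err.code))
    return results


if __name__ == "__main__":
    planned = plan(TENANTS)
    for method, path, body in planned:
        print(method, path, json.dumps(body) if body else "")
    if "--apply" in sys.argv:
        apply(planned, os.environ["DCOS_URL"], os.environ["DCOS_ACS_TOKEN"])
```

The validation in tenant_permissions is the part worth keeping even if you grant permissions some other way: a resource id of `dcos:service:marathon:marathon:services:/` would give a tenant every service on the cluster, which is the opposite of what this tutorial sets out to do.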

Log in to the DC/OS web interface as user

  1. Log in as Cory to the DC/OS web interface. You can see that user Cory only has access to the Services and Universe tabs. Also, Cory can only see the prod-a services.

    Tip: To log out as the current user, choose Sign Out from the lower-left dropup menu.

    Next, push the nginx package from the Universe into the prod-a group.

  2. Select Universe and start typing nginx in the search box, then click to select.

    1. Choose the Advanced Installation option.

    2. In the name field, specify /prod-a/nginx, then click Review and Install, then Install.

      Now let’s go back to the Services tab and you’ll see that Cory was able to deploy Nginx into the prod-a group.

  3. Repeat the previous steps logged in as Nick. Be sure to specify /prod-b/nginx for the name.

  4. While logged in as Cory or Nick, click on the nginx launch icon to view the success message.

Now let’s look at the Services tab from the superuser view.

Monitor user accounts in the DC/OS web interface as superuser

  1. Log out as the current user and log back in as a user with the superuser permission. You will see that both services are running, in the prod-a and prod-b groups respectively, whereas Cory and Nick each saw only their own group.
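The two views above (each tenant sees only its own group; the superuser sees both) are the property this tutorial is meant to establish, so it is worth checking mechanically rather than by eye. The script below is an added example, not code from the DC/OS documentation. It logs in as each tenant user, fetches the Marathon group tree through Admin Router as that user, and flags any app outside the user's own group. It assumes DCOS_URL points at the cluster and that the passwords come from the environment (the defaults are placeholders); SAMPLE_TREE is a constructed copy of what the superuser view of /v2/groups looks like after both nginx deployments, and the offline run uses it to show what a leak would look like.

```python
"""Verify tenant isolation from each user's point of view.

Added example, not code from the DC/OS documentation. Assumes DCOS_URL points
at the cluster and that the tutorial's users can log in with the passwords in
CREDENTIALS (placeholders unless set in the environment). SAMPLE_TREE is a
constructed superuser view of /service/marathon/v2/groups.
"""
import json
import os
import urllib.request

# User -> Marathon group that user is allowed to see and manage.
OWNED_GROUP = {"Cory": "/prod-a", "Nick": "/prod-b"}

# Placeholder passwords; export CORY_PASSWORD / NICK_PASSWORD for a live run.
CREDENTIALS = {
    "Cory": os.environ.get("CORY_PASSWORD", "changeme"),
    "Nick": os.environ.get("NICK_PASSWORD", "changeme"),
}

# Constructed superuser view: both tenants' nginx apps are present.
SAMPLE_TREE = {
    "id": "/",
    "apps": [],
    "groups": [
        {"id": "/prod-a", "apps": [{"id": "/prod-a/nginx", "instances": 1}], "groups": []},
        {"id": "/prod-b", "apps": [{"id": "/prod-b/nginx", "instances": 1}], "groups": []},
    ],
}


def app_ids(group):
    """Flatten a Marathon /v2/groups tree into the app ids it contains."""
    ids = [app["id"] for app in group.get("apps", [])]
    for sub in group.get("groups", []):
        ids.extend(app_ids(sub))
    return ids


def check_tenant(visible_ids, owned_group):
    """Split what a user can see into its own apps and apps outside its group.

    The prefix keeps its trailing slash so /prod-a does not match /prod-ab.
    Anything in "leaked" means the user's Marathon permission is broader than
    intended or the user holds extra grants.
    """
    prefix = owned_group.rstrip("/") + "/"
    own = sorted(i for i in visible_ids if i.startswith(prefix))
    leaked = sorted(i for i in visible_ids if not i.startswith(prefix))
    return {"own": own, "leaked": leaked}


def login(dcos_url, uid, password):
    """Exchange a uid/password for a DC/OS authentication token."""
    body = json.dumps({"uid": uid, "password": password}).encode()
    req = urllib.request.Request(f"{dcos_url}/acs/api/v1/auth/login", data=body,
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["token"]


def marathon_tree(dcos_url, token):
    """Fetch /v2/groups through Admin Router as the token's user."""
    req = urllib.request.Request(f"{dcos_url}/service/marathon/v2/groups",
                                 headers={"Authorization": f"token={token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def audit(dcos_url, credentials, owned_group):
    """Log in as each tenant user and report what that user can see."""
    report = {}
    for uid, password in credentials.items():
        tree = marathon_tree(dcos_url, login(dcos_url, uid, password))
        report[uid] = check_tenant(app_ids(tree), owned_group[uid])
    return report


if __name__ == "__main__":
    url = os.environ.get("DCOS_URL")
    if url:
        report = audit(url.rstrip("/"), CREDENTIALS, OWNED_GROUP)
    else:
        # Offline: pretend each user saw the full superuser tree, which is
        # exactly the outcome the permissions are supposed to prevent.
        report = {uid: check_tenant(app_ids(SAMPLE_TREE), grp) for uid, grp in OWNED_GROUP.items()}
    for uid, result in report.items():
        status = "OK" if not result["leaked"] else "LEAK"
        print(f"{uid}: {status} own={result['own']} leaked={result['leaked']}")
```

A live run against a correctly configured cluster should report OK for both users with one app each; if Nick's report lists /prod-a/nginx, go back to Organization > Groups and compare the prod-b permission strings against the list in the Define the permissions section.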