Accessing system and component logs

ENTERPRISE

PREVIEW

You can restrict user access to system and component logs.

Here is the permission that is required to view the system and component logs:

| Permission string | full | C | R | U | D |
|---|---|---|---|---|---|
| dcos:adminrouter:ops:system-logs - Controls access to System logs API. | x | | | | |

Prerequisites:

  • DC/OS and DC/OS CLI are installed and you are logged in as a superuser.

Via the DC/OS GUI

Create the Users and Grant Permission

  1. Select Organization and choose Users. Select an existing or create a new user.

    Figure: New user

  2. From the Permissions tab, select ADD PERMISSION.

    Figure: Add permission to user

  3. Click INSERT PERMISSION STRING to toggle the dialog, paste in the following permission, and click ADD PERMISSIONS.

    dcos:adminrouter:ops:system-logs full
    

    Figure: Add permission

    The permissions tab should now look like this:

    Figure: prod-group permissions complete

Log In to the CLI As User

  1. Log in to the DC/OS CLI as the user.

    dcos auth login
    
  2. Run this command to access the system and component logs.

    dcos node log --leader --component=dcos-mesos-master
    

    You should see the logs from the Mesos master.

    If you do not have the correct permissions, you will see this output:

    You are not authorized to perform this operation
    

Via the IAM API

Prerequisite: If your security mode is permissive or strict, you must get the root cert before issuing the curl commands in this section.

Tips:

  • Service resources often include / characters, which must be replaced with %252F in curl requests. The resource used on this page contains no / characters, so the commands below need no such replacement.
  • When using the API to manage permissions, you must create the permission before granting it. If the permission already exists, the API will return an informative message and you can continue to assign the permission.

Create and Grant the Permissions

  1. Use the following command to create the permission.

    curl -X PUT --cacert dcos-ca.crt \
    -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
    -H 'Content-Type: application/json' \
    -d '{"description":"Grants access to system and component logs."}' \
    "$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:adminrouter:ops:system-logs"
    
  2. Use the following command to grant the permission to the user (<username>).

    curl -X PUT --cacert dcos-ca.crt \
    -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
    "$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:adminrouter:ops:system-logs/users/<username>/full"
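
The create-then-grant sequence above as one script, generalized to resource IDs that contain / characters (an added example, not part of the DC/OS documentation). The function names, the sample resource ID in the comments, and the meaning assigned to HTTP status codes 201, 204 and 409 are assumptions; the page only says the API returns an informative message when the permission already exists.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of DC/OS.

# Replace each "/" in a resource ID with %252F, as the tip above requires.
# Constructed sample: dcos:service:marathon:marathon:services:/prod-group
encode_rid() {
    printf '%s' "$1" | sed 's|/|%252F|g'
}

# ASSUMPTION: 201/204 mean the request succeeded and 409 means the permission
# or grant already exists (the "informative message" case the page describes).
classify_status() {
    case "$1" in
        201|204) echo ok ;;
        409)     echo exists ;;
        401|403) echo denied ;;
        *)       echo error ;;
    esac
}

# PUT to an IAM URL with TLS verified against the root cert (never -k);
# prints only the HTTP status code. Extra curl arguments follow the URL argument.
iam_put() {
    url=$1; shift
    curl -sS -o /dev/null -w '%{http_code}' -X PUT --cacert dcos-ca.crt \
        -H "Authorization: token=$(dcos config show core.dcos_acs_token)" "$@" "$url"
}

# Usage: grant_permission RID USER ACTION DESCRIPTION
# Creates the permission, then grants ACTION on it to USER. Any outcome other
# than "ok" or "exists" stops the run, so a failed create is never followed by a grant.
grant_permission() {
    rid=$1; user=$2; action=$3; desc=$4
    base="$(dcos config show core.dcos_url)/acs/api/v1/acls/$(encode_rid "$rid")"
    for step in create grant; do
        if [ "$step" = create ]; then
            code=$(iam_put "$base" -H 'Content-Type: application/json' \
                -d "{\"description\":\"$desc\"}")
        else
            code=$(iam_put "$base/users/$user/$action")
        fi
        outcome=$(classify_status "$code")
        echo "$step: HTTP $code ($outcome)" >&2
        case "$outcome" in ok|exists) ;; *) return 1 ;; esac
    done
}
```

The description is placed into the JSON body unescaped, so pass plain text without double quotes or backslashes.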
    

Log In to the CLI As User

  1. Log in to the DC/OS CLI as the user.

    dcos auth login
    
  2. Run this command to access the system and component logs.

    dcos node log --leader --component=dcos-mesos-master
    

    You should see the logs from the Mesos master.

    If you do not have the correct permissions, you will see this output:

    You are not authorized to perform this operation