
Permissions Reference

Enterprise DC/OS Updated: June 9, 2017

You can control DC/OS access by resource and operation. This topic provides a reference for each of the available DC/OS permissions. Permissions can be applied to users and groups using either the DC/OS GUI or the IAM API.
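As an added worked example (not part of this reference or of the DC/OS code base), the following Python prepares and, when given an auth token, sends the IAM API requests that grant an action on a permission resource to a user or a group: first a PUT that creates the permission resource (ACL), then a PUT that attaches the action to the principal. The cluster URL https://dcos.example.com, the uid svc-my-role, the Mesos role my-role, the Linux user nobody and the secret path are assumptions; the grant set at the bottom is one illustrative least-privilege profile for a framework service account on a strict-mode cluster, not a DC/OS recommendation. The practical point it shows is that a `/` inside a resource ID has to be sent double-encoded as `%252F` in the URL, which the secret-store RIDs on this page all need.

```python
"""Grant a DC/OS Enterprise permission to a user or group via the IAM API.

Added example for this reference; it is not code from the DC/OS docs or
the DC/OS project. The cluster URL, token, uid and resource IDs are
assumptions chosen for illustration. Requests are built as plain data so
they can be inspected or unit-tested without a cluster; send_requests()
performs them when given a token.
"""
import json
import urllib.error
import urllib.request

# The five action names the IAM API accepts on a permission resource.
ACTIONS = ("create", "read", "update", "delete", "full")


def encode_rid(rid: str) -> str:
    """Encode a resource ID (RID) for use in an IAM API URL.

    The IAM API is reached through Admin Router, which URL-decodes the
    path once before proxying, so a '/' inside a RID must be sent
    double-encoded as %252F. Colons are left as they are.
    """
    return rid.replace("/", "%252F")


def grant_requests(cluster_url, rid, action, principal, kind="users",
                   description=None):
    """Return the two requests that grant `action` on `rid` to a principal.

    1. PUT /acs/api/v1/acls/<rid>                      creates the resource
    2. PUT /acs/api/v1/acls/<rid>/users/<uid>/<action> attaches the action
       (or .../groups/<gid>/<action> when kind="groups")
    Each request is a (method, url, json_body_or_None) tuple.
    """
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}; expected one of {ACTIONS}")
    if kind not in ("users", "groups"):
        raise ValueError("kind must be 'users' or 'groups'")
    base = f"{cluster_url.rstrip('/')}/acs/api/v1/acls/{encode_rid(rid)}"
    create_acl = ("PUT", base, {"description": description or rid})
    attach = ("PUT", f"{base}/{kind}/{principal}/{action}", None)
    return [create_acl, attach]


def send_requests(requests, token):
    """Execute prepared requests against the cluster.

    The IAM API authenticates with 'Authorization: token=<auth token>'.
    A 409 on the ACL-creation step means the resource already exists,
    which is harmless for an idempotent grant, so it is tolerated; any
    other HTTP error is raised to the caller.
    """
    statuses = []
    for method, url, body in requests:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("Authorization", f"token={token}")
        if data is not None:
            req.add_header("Content-Type", "application/json")
        try:
            with urllib.request.urlopen(req) as resp:
                statuses.append(resp.status)
        except urllib.error.HTTPError as err:
            if err.code == 409 and body is not None:
                statuses.append(err.code)  # ACL already present
            else:
                raise
    return statuses


# Illustrative grant set (assumed, not prescribed by the reference): a
# service account that registers a framework under Mesos role "my-role",
# reserves resources and volumes for that role, runs tasks as the Linux
# user "nobody" and reads one secret. Actions match the reference tables.
SERVICE_ACCOUNT_GRANTS = [
    ("dcos:mesos:master:framework:role:my-role", "create"),
    ("dcos:mesos:master:reservation:role:my-role", "create"),
    ("dcos:mesos:master:volume:role:my-role", "create"),
    ("dcos:mesos:master:task:user:nobody", "create"),
    ("dcos:secrets:default:/my-role/db-password", "read"),
]


def plan_service_account(cluster_url, uid):
    """Flatten SERVICE_ACCOUNT_GRANTS into the request list for `uid`."""
    plan = []
    for rid, action in SERVICE_ACCOUNT_GRANTS:
        plan.extend(grant_requests(cluster_url, rid, action, uid))
    return plan


if __name__ == "__main__":
    # Dry run: print the requests instead of sending them.
    for method, url, body in plan_service_account("https://dcos.example.com",
                                                  "svc-my-role"):
        print(method, url, json.dumps(body) if body else "")
```

Run it as-is to see the request plan; to apply it, pass the plan to `send_requests()` with a token obtained from `POST /acs/api/v1/auth/login`. Keep in mind that grants in the dcos:mesos category only take effect on a strict-mode cluster, so on a permissive cluster the Mesos rows above are recorded but never checked.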

Enforcement

Which permission categories are enforced depends on the cluster's security mode (disabled, permissive, or strict). A category without an x in a column is not checked in that mode: for example, dcos:mesos permissions are enforced only in strict mode, so a grant in that category has no effect on a disabled or permissive cluster.

| Permission category | Disabled | Permissive | Strict |
|---|---|---|---|
| Admin Router permissions (dcos:adminrouter) | x | x | x |
| Mesos permissions (dcos:mesos) | | | x |
| Marathon and Metronome permissions (dcos:service) | | x | x |
| Secret store permissions (dcos:secrets) | x | x | x |
| Superuser permissions (dcos:superuser) | x | x | x |

Permissions

Each permission supports some subset of the actions create, read, update, and delete (C, R, U, D in the tables below). The full action grants all four at once. Where full is the only action marked for a permission, that permission accepts only full; individual CRUD actions are not available for it.

Admin Router Permissions

| Permission string | Description | full | C | R | U | D |
|---|---|---|---|---|---|---|
| dcos:adminrouter:acs | Controls access to the security and access management features. | x | | | | |
| dcos:adminrouter:ops:ca:ro | Controls access to the read-only endpoints of the Certificate Authority API and the dcos security cluster ca commands of the Enterprise DC/OS CLI. | x | | | | |
| dcos:adminrouter:ops:ca:rw | Controls user access to all endpoints of the Certificate Authority API and the dcos security cluster ca commands of the Enterprise DC/OS CLI. | x | | | | |
| dcos:adminrouter:ops:exhibitor | Controls access to the Exhibitor UI and API. This permission allows users to remove the ZooKeeper state after uninstalling a service. | x | | | | |
| dcos:adminrouter:ops:historyservice | Controls access to the History Service. | x | | | | |
| dcos:adminrouter:ops:mesos-dns | Controls access to the Mesos DNS API. | x | | | | |
| dcos:adminrouter:ops:mesos | Controls access to the Mesos master UI and API. | x | | | | |
| dcos:adminrouter:ops:metadata | Controls access to the Metadata endpoint. | x | | | | |
| dcos:adminrouter:ops:networking | Controls access to the Network Metrics endpoint. | x | | | | |
| dcos:adminrouter:ops:slave | Controls access to the Mesos agent UI and API. | x | | | | |
| dcos:adminrouter:ops:system-health | Controls access to the System Health API. | x | | | | |
| dcos:adminrouter:ops:system-logs | Controls access to the System Logs API. | x | | | | |
| dcos:adminrouter:ops:system-metrics | Controls access to the System Metrics API. | x | | | | |
| dcos:adminrouter:package | Controls access to the Cosmos API, which provides access to the DC/OS Universe. | x | | | | |
| dcos:adminrouter:service:<service-name> | Controls access to the UI and API of an installed DC/OS service. | x | | | | |
| dcos:adminrouter:service:marathon | Controls access to the native Marathon instance. | x | | | | |
| dcos:adminrouter:service:metronome | Controls access to DC/OS Jobs (Metronome). | x | | | | |

Marathon and Metronome Permissions

| Permission string | Description | full | C | R | U | D |
|---|---|---|---|---|---|---|
| dcos:service:marathon:marathon:admin:config | Controls access to the GET /v2/info Marathon endpoint. | | | x | | |
| dcos:service:marathon:marathon:admin:events | Controls view access to the Marathon events endpoints GET /v2/events and GET/POST/DELETE /v2/eventSubscriptions. | | | x | | |
| dcos:service:marathon:marathon:admin:leader | Controls access to the GET/DELETE /v2/leader endpoint. | | | x | x | x |
| dcos:service:marathon:marathon:services:/[<service-group>] | Controls access to DC/OS services launched by the native Marathon instance. | x | x | x | x | x |
| dcos:service:metronome:metronome:jobs[:<job-group>] | Controls access to jobs and job groups. | x | x | x | x | x |

Mesos Permissions

| Permission string | Description | full | C | R | U | D |
|---|---|---|---|---|---|---|
| dcos:mesos:agent:container:app_id[:<service-or-job-group>] | Controls access to the debugging features for a specific service or job. | | x | | | |
| dcos:mesos:agent:container:role[:<role-name>] | Controls access to the debugging features for a specific role. | | x | | | |
| dcos:mesos:agent:endpoint:path[:<endpoint>] | Controls access to unprotected Mesos agent endpoints. | | | x | | |
| dcos:mesos:agent:executor:app_id[:<service-or-job-group>] | Controls view access to service and job executor information. | | | x | | |
| dcos:mesos:agent:flags | Controls view access to agent flag configurations. | | | x | | |
| dcos:mesos:agent:framework:role[:<role-name>] | Controls view access to DC/OS services registered with a particular role. | | | x | | |
| dcos:mesos:agent:log | Controls access to the agent logs. | | | x | | |
| dcos:mesos:agent:nested_container_session:app_id[:<service-or-job-group>] | Controls access, by service or job group, to launching a container within a container of a service or job while debugging. | | x | | | |
| dcos:mesos:agent:nested_container_session:role[:<role-name>] | Controls access, by role, to launching a container within a container of a service or job while debugging. | | x | | | |
| dcos:mesos:agent:nested_container_session:user[:<linux-user-name>] | Controls access, by Linux user, to launching a container within a container of a service or job while debugging. The users of both nested containers must be the same. | | x | | | |
| dcos:mesos:agent:sandbox:app_id[:<service-or-job-group>] | Controls access to the Mesos sandbox. | | | x | | |
| dcos:mesos:agent:task:app_id[:<service-or-job-group>] | Controls access to task information. | | | x | | |
| dcos:mesos:master:endpoint:path[:<path>] | Controls access to these unprotected Mesos master endpoints: /logging/toggle, /metrics/snapshot, and /files/debug. | | | x | | |
| dcos:mesos:master:executor:app_id[:<service-or-job-group>] | Controls access to executor information for the given service or job group. | | | x | | |
| dcos:mesos:master:flags | Controls view access to master flag configurations. | | | x | | |
| dcos:mesos:master:framework:principal[:<service-account-id>] | Controls access, by service account ID, to the Mesos teardown endpoint, which allows you to uninstall a DC/OS service. | | | | | x |
| dcos:mesos:master:framework:role[:<role-name>] | Controls access, by role, to register as a framework with Mesos. | | x | | | |
| dcos:mesos:master:log | Controls access to the Mesos master logs. | | | x | | |
| dcos:mesos:master:quota:role[:<role-name>] | Controls access, by role, to the resource quota. | | | x | x | |
| dcos:mesos:master:reservation:principal[:<service-account-id>] | Controls access, by user or service account, to unreserve resources. | | | | | x |
| dcos:mesos:master:reservation:role[:<role-name>] | Controls access, by role, to reserve resources. | | x | | | |
| dcos:mesos:master:task:app_id[:<service-or-job-group>] | Controls access to run tasks. | | x | | | |
| dcos:mesos:master:task:user[:<linux-user-name>] | Controls access to run tasks as a specific Linux user. | | x | | | |
| dcos:mesos:master:volume:principal[:<service-account-id>] | Controls access to destroy a volume. | | | | | x |
| dcos:mesos:master:volume:role[:<role-name>] | Controls access to create a volume for the given Mesos role. | | x | | | |
| dcos:mesos:master:weight:role[:<role-name>] | Controls access to the weight for a given Mesos role. | | | x | x | |

Secret Store Permissions

| Permission string | Description | full | C | R | U | D |
|---|---|---|---|---|---|---|
| dcos:secrets:default:[<path-name>/]<secret-name> | Controls access to individual secrets. | x | x | x | x | x |
| dcos:secrets:list:default:/[<path>] | Controls view access to the names of secrets. | | | x | | |

Superuser Permissions

| Permission string | Description | full | C | R | U | D |
|---|---|---|---|---|---|---|
| dcos:superuser | Controls complete access to the DC/OS cluster. | x | | | | |