
Tutorial – Restricting Access to DC/OS Service Groups

Enterprise DC/OS Updated: April 18, 2017

This tutorial demonstrates how to implement user permissions for DC/OS services in the permissive security mode. When you are done, you will have multi-tenancy implemented with DC/OS permissions: each group of users can see and manage only the services in its own service group.

Prerequisites:

Create users and groups

  1. Create service groups from the Services > Services > Create Group.

    In this example a group called prod-a and a group called prod-b are created. After the groups are created you should see two folders. This is where you will deploy services for the user groups and set the permissions for each unit.

  2. Create your users and groups and define the required permissions for each group.

    1. Select Organization > Users and create a new user. In this example, two users are created (Cory and Nick).

      When you’re done you should see the two users.

      Next we will create the groups and assign permissions to the DC/OS services.

    2. Create user groups from the Organization > Groups.

    3. Select New Group. In this example, two groups are created:

      • prod-a-group for managing the DC/OS services for user Cory.
      • prod-b-group for managing the DC/OS services for user Nick.

Define the permissions

  1. Select Organization > Groups.

  2. Select the prod-a-group and select Add Permission. In this example, permissions are assigned to prod-a-group to allow its users to create their own services.

  3. Select the INSERT PERMISSION STRING toggle to enter permissions in string format. Strings are case sensitive.

    All of the required permissions for each group are added here. These permissions will allow users to have access to the DC/OS cluster and deploy their own services. These permissions will also restrict each group so that they can only see their own DC/OS services.

  4. Add each of these permissions for the prod-a-group and click Close.

    dcos:adminrouter:service:marathon full
    dcos:adminrouter:service:nginx full
    dcos:service:marathon:marathon:services:/prod-a full
    dcos:adminrouter:ops:slave full
    dcos:adminrouter:ops:mesos full
    dcos:adminrouter:package full
    

    Here’s what the permissions view should look like after adding:

  5. Add each of these permissions for the prod-b-group and click Close.

    dcos:adminrouter:service:marathon full
    dcos:adminrouter:service:nginx full
    dcos:service:marathon:marathon:services:/prod-b full
    dcos:adminrouter:ops:slave full
    dcos:adminrouter:ops:mesos full
    dcos:adminrouter:package full
    

    Now that the permissions are assigned to groups, you can add users to the groups to inherit the permissions.

  6. Select Organization > Users and select Cory.

  7. Select Group Membership and then type prod-a-group in the search box, then click to select.

  8. Select Organization > Users and select Nick.

  9. Select Group Membership and then type prod-b-group in the search box, then click to select.
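As an added example (not part of this tutorial or of DC/OS itself), the following Python model evaluates the permission strings granted above to show which Marathon app IDs each group can see or manage. It reproduces only the documented rule that a grant on a service group path such as /prod-a applies to every app beneath it; the names GROUP_PERMISSIONS, can_manage_app and visible_apps are assumptions of this example.

```python
from typing import Dict, List, Tuple

# Prefix shared by the Marathon service-path permissions granted above.
SERVICES_RID = "dcos:service:marathon:marathon:services:"

# The permission strings from the tutorial as (resource id, action) pairs;
# "full" stands for create, read, update and delete.
GROUP_PERMISSIONS: Dict[str, List[Tuple[str, str]]] = {
    "prod-a-group": [
        ("dcos:adminrouter:service:marathon", "full"),
        ("dcos:adminrouter:service:nginx", "full"),
        ("dcos:service:marathon:marathon:services:/prod-a", "full"),
        ("dcos:adminrouter:ops:slave", "full"),
        ("dcos:adminrouter:ops:mesos", "full"),
        ("dcos:adminrouter:package", "full"),
    ],
    "prod-b-group": [
        ("dcos:adminrouter:service:marathon", "full"),
        ("dcos:adminrouter:service:nginx", "full"),
        ("dcos:service:marathon:marathon:services:/prod-b", "full"),
        ("dcos:adminrouter:ops:slave", "full"),
        ("dcos:adminrouter:ops:mesos", "full"),
        ("dcos:adminrouter:package", "full"),
    ],
}

def _path_covers(granted_path: str, app_id: str) -> bool:
    """True if app_id is the granted service group or lies beneath it."""
    granted = granted_path.rstrip("/")
    if granted == "":  # a grant on "/" covers the whole service tree
        return True
    # Compare whole path segments: a grant on /prod-a must not match /prod-ab.
    return app_id == granted or app_id.startswith(granted + "/")

def can_manage_app(group: str, app_id: str, action: str = "read") -> bool:
    """Does the group's services permission allow `action` on this app id?"""
    for rid, granted_action in GROUP_PERMISSIONS.get(group, []):
        if not rid.startswith(SERVICES_RID):
            continue  # adminrouter grants open the UI/API, not service paths
        if granted_action not in ("full", action):
            continue
        if _path_covers(rid[len(SERVICES_RID):], app_id):
            return True
    return False

def visible_apps(group: str, app_ids: List[str]) -> List[str]:
    """The subset of app_ids a member of `group` would see under Services."""
    return [app_id for app_id in app_ids if can_manage_app(group, app_id)]
```

The /prod-ab case is included because a naive string-prefix check would let a grant on /prod-a leak into an unrelated service group; the real DC/OS check is path-segment based, and so is this model.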

Log in to the DC/OS web interface as user

  1. Log in as Cory to the DC/OS web interface. You can see that user Cory only has access to the Services and Universe tabs. Also, Cory can only see the prod-a services.

    Tip: To log out of the current user, click on the cluster name in the top-left and select Sign Out.

    Let’s deploy an NGINX service to prod-a-group.

  2. Select Services > Services and then click the plus sign (+) to deploy a service.

    1. Select JSON Configuration and paste in the following app definition:
      {
        "id": "/prod-a/nginx",
        "cmd": "rm -rf /usr/share/nginx/html && ln -s /mnt/mesos/sandbox/hello-nginx-master/ /usr/share/nginx/html && nginx -g 'daemon off;'",
        "instances": 1,
        "cpus": 1,
        "mem": 1024,
        "disk": 0,
        "gpus": 0,
        "fetch": [
          {
            "uri": "https://github.com/mesosphere/hello-nginx/archive/master.zip",
            "extract": true,
            "executable": false,
            "cache": false
          }
        ],
        "backoffSeconds": 1,
        "backoffFactor": 1.15,
        "maxLaunchDelaySeconds": 3600,
        "container": {
          "type": "DOCKER",
          "docker": {
            "image": "nginx:1.8.1",
            "network": "BRIDGE",
            "portMappings": [
              {
                "hostPort": 0,
                "containerPort": 80,
                "protocol": "tcp",
                "servicePort": 10000
              },
              {
                "hostPort": 0,
                "containerPort": 443,
                "protocol": "tcp",
                "servicePort": 10001
              }
            ],
            "privileged": false,
            "forcePullImage": false
          }
        },
        "healthChecks": [
          {
            "gracePeriodSeconds": 300,
            "intervalSeconds": 60,
            "timeoutSeconds": 20,
            "maxConsecutiveFailures": 3,
            "protocol": "COMMAND",
            "command": {
              "value": "service nginx status | grep -q 'nginx is running.'"
            }
          }
        ],
        "upgradeStrategy": {
          "minimumHealthCapacity": 1,
          "maximumOverCapacity": 1
        },
        "unreachableStrategy": {
          "inactiveAfterSeconds": 900,
          "expungeAfterSeconds": 604800
        },
        "killSelection": "youngest_first",
        "acceptedResourceRoles": [
          "*"
        ],
        "requirePorts": false,
        "labels": {
          "DCOS_PACKAGE_RELEASE": "1",
          "DCOS_SERVICE_SCHEME": "http",
          "DCOS_PACKAGE_SOURCE": "https://universe.mesosphere.com/repo",
          "DCOS_PACKAGE_METADATA": "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",
          "DCOS_PACKAGE_REGISTRY_VERSION": "2.0",
          "DCOS_SERVICE_NAME": "nginx",
          "DCOS_SERVICE_PORT_INDEX": "0",
          "DCOS_PACKAGE_VERSION": "1.8.1",
          "DCOS_PACKAGE_NAME": "nginx",
          "DCOS_PACKAGE_IS_FRAMEWORK": "false"
        }
      }
      

    2. Click REVIEW & RUN and then RUN SERVICE.

  3. Repeat the previous steps for Nick. Be sure to specify "id": "/prod-b/nginx", for example:

    {
      "id": "/prod-b/nginx",
      "cmd": "rm -rf /usr/share/nginx/html && ln -s /mnt/mesos/sandbox/hello-nginx-master/ /usr/share/nginx/html && nginx -g 'daemon off;'",
      "instances": 1,
      "cpus": 1,
      "mem": 1024,
      "disk": 0,
      "gpus": 0,
      "fetch": [
      ...
    
  4. While logged in as Cory or Nick, click on the NGINX launch icon to view the success message.

Now let’s look at the Services tab from the superuser view.

Monitor user accounts in the DC/OS web interface as superuser

  1. Log out of the current user and then log back in as a user with superuser permission. You will see that both services are running, one in the prod-a group and one in the prod-b group.