Granting Access to Jobs

ENTERPRISE

Grant access to jobs using the CLI or the web interface

You can implement fine-grained user access to jobs using the DC/OS web interface, the CLI, or the API. Metronome permissions let you restrict a user's access to jobs per job or per job group. This section walks you through the steps to do so.

Prerequisites:

Via the DC/OS web interface

  1. Log in to the DC/OS web interface as a user with the superuser permission.

    Figure 1. DC/OS web interface login

  2. Select Organization and then select Users or Groups.

  3. Select the name of the user or group you want to grant permissions to.

    Figure 2. Select the user or group to add permissions to

  4. From the Permissions tab, click ADD PERMISSION.

  5. Click INSERT PERMISSION STRING to toggle the dialog.

    Figure 3. Add permission

  6. Copy and paste the permission into the Permissions Strings field. Choose the permission strings that match your security mode.

Disabled

  • DC/OS job access:

    Specify the job group (<job-group>), the job name (<job-name>), and the action (<action>). The action can be create, read, update, delete, or full. To allow more than one action, separate them with commas, for example: dcos:service:metronome:metronome:jobs:<job-group>/<job-name> read,update

    dcos:adminrouter:service:metronome full
    dcos:service:metronome:metronome:jobs:<job-group>/<job-name> <action>
    
  • DC/OS service tasks and logs:

    dcos:adminrouter:ops:mesos full
    dcos:adminrouter:ops:slave full
    

Permissive

  • DC/OS job access:

    Specify the job group (<job-group>), the job name (<job-name>), and the action (<action>). The action can be create, read, update, delete, or full. To allow more than one action, separate them with commas, for example: dcos:service:metronome:metronome:jobs:<job-group>/<job-name> read,update

    dcos:adminrouter:service:metronome full
    dcos:service:metronome:metronome:jobs:<job-group>/<job-name> <action>
    
  • DC/OS service tasks and logs:

    dcos:adminrouter:ops:mesos full
    dcos:adminrouter:ops:slave full
    

Strict

  • DC/OS job access:

    Specify the job group (<job-group>), the job name (<job-name>), and the action (<action>). The action can be create, read, update, delete, or full. To allow more than one action, separate them with commas, for example: dcos:service:metronome:metronome:jobs:<job-group>/<job-name> read,update

    dcos:adminrouter:service:metronome full
    dcos:service:metronome:metronome:jobs:<job-group>/<job-name> <action>
    
  • DC/OS service tasks and logs:

    In strict mode the two adminrouter permissions only open the Mesos master and agent routes; the dcos:mesos:* permissions below determine which frameworks, executors, tasks, and sandboxes the user can actually read, so scope their app_id to the job.

    dcos:adminrouter:ops:mesos full
    dcos:adminrouter:ops:slave full
    dcos:mesos:master:framework:role:* read
    dcos:mesos:master:executor:app_id:/<job-group>/<job-name> read
    dcos:mesos:master:task:app_id:/<job-group>/<job-name> read
    dcos:mesos:agent:framework:role:* read
    dcos:mesos:agent:executor:app_id:/<job-group>/<job-name> read
    dcos:mesos:agent:task:app_id:/<job-group>/<job-name> read
    dcos:mesos:agent:sandbox:app_id:/<job-group>/<job-name> read
    
  7. Click ADD PERMISSIONS, then click Close.

Via the CLI

Prerequisites:

Tip:

  • To grant permissions to a group instead of a user, replace `users grant` with `groups grant` in the commands below.

Disabled

This mode does not provide fine-grained control.

Permissive

  • DC/OS job access:

    Grant permissions for the job group (`<job-group>`) and the job name (`<job-name>`). The resource IDs are the same ones shown in the web interface section, including the dcos: prefix.
    
    dcos security org users grant <user-name> dcos:adminrouter:service:metronome full --description "Controls access to Metronome services"
    dcos security org users grant <user-name> dcos:service:metronome:metronome:jobs:<job-group>/<job-name> full --description "Controls access to <job-group>/<job-name>"
    
  • DC/OS service tasks and logs:

    Grant the user (`<user-name>`) the following permissions.
    
    dcos security org users grant <user-name> dcos:adminrouter:ops:mesos full --description "Grants access to the Mesos master API/UI and task details"
    dcos security org users grant <user-name> dcos:adminrouter:ops:slave full --description "Grants access to the Mesos agent API/UI and task details such as logs"
    

Strict

  • DC/OS job access:

    Grant permissions for the job group (`<job-group>`) and the job name (`<job-name>`).

    dcos security org users grant <user-name> dcos:adminrouter:service:metronome full --description "Controls access to Metronome services"
    dcos security org users grant <user-name> dcos:service:metronome:metronome:jobs:<job-group>/<job-name> full --description "Controls access to <job-group>/<job-name>"
    
  • DC/OS service tasks and logs:

    Grant the user (`<user-name>`) the following permissions for the job group (`<job-group>`) and the job name (`<job-name>`). The sandbox permission uses the same app_id path as the executor and task permissions.

    dcos security org users grant <user-name> dcos:adminrouter:ops:mesos full --description "Grants access to the Mesos master API/UI and task details"
    dcos security org users grant <user-name> dcos:adminrouter:ops:slave full --description "Grants access to the Mesos agent API/UI and task details such as logs"
    dcos security org users grant <user-name> dcos:mesos:master:framework:role:* read --description "Controls access to frameworks registered with the Mesos default role"
    dcos security org users grant <user-name> dcos:mesos:master:executor:app_id:/<job-group>/<job-name> read --description "Controls access to executors running inside <job-group>/<job-name>"
    dcos security org users grant <user-name> dcos:mesos:master:task:app_id:/<job-group>/<job-name> read --description "Controls access to tasks running inside <job-group>/<job-name>"
    dcos security org users grant <user-name> dcos:mesos:agent:framework:role:* read --description "Controls access to information about frameworks registered under the Mesos default role"
    dcos security org users grant <user-name> dcos:mesos:agent:executor:app_id:/<job-group>/<job-name> read --description "Controls access to executors running inside <job-group>/<job-name>"
    dcos security org users grant <user-name> dcos:mesos:agent:task:app_id:/<job-group>/<job-name> read --description "Controls access to tasks running inside <job-group>/<job-name>"
    dcos security org users grant <user-name> dcos:mesos:agent:sandbox:app_id:/<job-group>/<job-name> read --description "Controls access to the sandboxes of <job-group>/<job-name>"
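The following POSIX shell script is an added example, not code from the DC/OS documentation or the DC/OS project. It covers both the permission-string format described in the web interface steps (validating the comma-separated action list) and the CLI grants in this section (emitting one `dcos security org users|groups grant` command per resource ID for permissive or strict mode). It assumes the `dcos security` Enterprise CLI subcommand is installed and authenticated when commands are actually executed; the DRY_RUN variable, the description text, and the job group `etl`, job name `nightly-load`, and group `ops` are this script's own constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the DC/OS docs): build, and optionally run, the
# `dcos security org ... grant` commands for one Metronome job.
# Assumed: `dcos security` CLI installed and authenticated when DRY_RUN=0;
# resource IDs as listed on this page; DRY_RUN is this script's convention.
set -eu

# The <action> field: one or more of create/read/update/delete/full separated
# by commas with no empty entries ("read,update" passes, "read," does not).
valid_actions() {
  case "$1" in ''|*,,*|,*|*,) return 1 ;; esac
  old_ifs=$IFS; IFS=','
  for a in $1; do
    case "$a" in create|read|update|delete|full) ;; *) IFS=$old_ifs; return 1 ;; esac
  done
  IFS=$old_ifs
}

# Print "<rid> <action>" pairs for a job. Permissive mode needs only the
# Admin Router routes and the Metronome job resource; strict mode adds the
# Mesos ACLs that scope which frameworks, executors, tasks and sandboxes the
# principal may read. Disabled mode is rejected (no fine-grained control).
job_rids() {
  mode=$1; group=$2; name=$3; action=$4
  case "$mode" in permissive|strict) ;; *) echo "mode must be permissive or strict" >&2; return 1 ;; esac
  valid_actions "$action" || { echo "invalid action list: $action" >&2; return 1; }
  printf '%s %s\n' \
    'dcos:adminrouter:service:metronome' full \
    "dcos:service:metronome:metronome:jobs:$group/$name" "$action" \
    'dcos:adminrouter:ops:mesos' full \
    'dcos:adminrouter:ops:slave' full
  if [ "$mode" = strict ]; then
    p="app_id:/$group/$name"
    printf '%s read\n' \
      'dcos:mesos:master:framework:role:*' \
      "dcos:mesos:master:executor:$p" \
      "dcos:mesos:master:task:$p" \
      'dcos:mesos:agent:framework:role:*' \
      "dcos:mesos:agent:executor:$p" \
      "dcos:mesos:agent:task:$p" \
      "dcos:mesos:agent:sandbox:$p"
  fi
}

# Emit one `dcos security org users|groups grant` command per pair.
# Arguments: users|groups <principal> <mode> <job-group> <job-name> <action>.
# Resource IDs are single-quoted so the `*` in the role ACLs is never globbed.
grant_cmds() {
  kind=$1; principal=$2
  case "$kind" in users|groups) ;; *) echo "kind must be users or groups" >&2; return 1 ;; esac
  shift 2
  valid_actions "$4" || { echo "invalid action list: $4" >&2; return 1; }
  job_rids "$@" | while read -r rid act; do
    printf "dcos security org %s grant '%s' '%s' '%s' --description 'Job access: %s/%s'\n" \
      "$kind" "$principal" "$rid" "$act" "$2" "$3"
  done
}

# Dry run (the default) prints the commands; DRY_RUN=0 pipes them to sh -e.
run_grants() {
  if [ "${DRY_RUN:-1}" = 0 ]; then
    grant_cmds "$@" | sh -e
  else
    grant_cmds "$@"
  fi
}

# Constructed example: strict-mode read access for group "ops" to the job
# etl/nightly-load (placeholder group and job names).
run_grants groups ops strict etl nightly-load read
```

Run as-is to print the eleven strict-mode commands for review; set DRY_RUN=0 to execute them against an authenticated CLI. Passing `permissive` as the mode emits only the four Admin Router and Metronome job grants, and `disabled` is refused because, as stated above, that mode offers no fine-grained control.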