Reputation: 58
I am struggling with how to get quotas in Mesos with activated ACLs.
I am using Mesos version 0.27.2.
I have three masters using the following flags:
My ACLs look like this:
{
  "permissive": false,
  "run_tasks": [
    {
      "principals": { "values": ["ase", "core", "opss", "jenkins"] },
      "users": { "values": ["jenkins"] }
    }
  ],
  "register_frameworks": [
    {
      "principals": { "values": ["ase"] },
      "roles": { "values": ["ase"] }
    },
    {
      "principals": { "values": ["opss"] },
      "roles": { "values": ["opss"] }
    },
    {
      "principals": { "values": ["core"] },
      "roles": { "values": ["core"] }
    },
    {
      "principals": { "values": ["jenkins"] },
      "roles": { "values": ["jenkins"] }
    }
  ],
  "set_quotas": [
    {
      "principals": {
        "values": ["ase", "core", "opss", "jenkins"]
      },
      "roles": {
        "values": ["ase", "core", "opss", "jenkins"]
      }
    }
  ],
  "remove_quotas": [
    {
      "principals": {
        "values": ["ase", "core", "opss", "jenkins"]
      },
      "quota_principals": {
        "values": ["ase", "core", "opss", "jenkins"]
      }
    }
  ]
}
For the principals ase, core and ops there are passwords in the credentials file, and registering frameworks with those credentials works fine, as does registering slaves.
However, when trying to add quotas with curl I get a 403 Forbidden as response.
curl -u opss -v -d @ase-quota.json -X POST http://SERVER-IP:5050/quota --header "Content-Type: application/json"
The above command works fine when ACLs are not enabled.
As soon as enabled again, deleting the quota fails with 403 Forbidden again.
What I see in the mesos-master logs is:
I0414 10:59:39.396838 9 http.cpp:501] HTTP GET for /master/state.json from 192.168.7.14:35248 with User-Agent='Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0'
I0414 10:59:40.019409 8 http.cpp:501] HTTP POST for /master/quota from 192.168.7.14:35258 with User-Agent='curl/7.35.0'
I0414 10:59:40.031294 8 quota_handler.cpp:446] Authorizing principal 'ANY' to request quota for role 'ase'
for adding, and:
I0414 13:07:23.521467 9 http.cpp:501] HTTP DELETE for /master/quota/ase from 192.168.7.14:50685 with User-Agent='curl/7.35.0'
I0414 13:07:23.523748 9 quota_handler.cpp:472] Authorizing principal 'ANY' to remove quota set by 'ANY'
when trying to delete quotas.
The question is, how do I get curl or Mesos to realize that I am working as principal opss in this case?
Upvotes: 2
Views: 181
Reputation: 306
You didn't set the parameter --authenticate_http=true in the mesos master config.
Upvotes: 1
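A check for the symptom in this thread, added here as an example and not part of either post or of Mesos itself: it scans mesos-master log text for quota authorization lines whose principal is logged as 'ANY' and pairs each with the HTTP request that preceded it. The function name is hypothetical, the sample log is built from the lines quoted in the question (User-Agent values shortened), and pairing by the thread-id column is a heuristic assumption.

```python
import re

# Constructed sample: the mesos-master lines quoted in the question, User-Agent shortened.
SAMPLE_LOG = """\
I0414 10:59:39.396838 9 http.cpp:501] HTTP GET for /master/state.json from 192.168.7.14:35248 with User-Agent='Mozilla/5.0'
I0414 10:59:40.019409 8 http.cpp:501] HTTP POST for /master/quota from 192.168.7.14:35258 with User-Agent='curl/7.35.0'
I0414 10:59:40.031294 8 quota_handler.cpp:446] Authorizing principal 'ANY' to request quota for role 'ase'
I0414 13:07:23.521467 9 http.cpp:501] HTTP DELETE for /master/quota/ase from 192.168.7.14:50685 with User-Agent='curl/7.35.0'
I0414 13:07:23.523748 9 quota_handler.cpp:472] Authorizing principal 'ANY' to remove quota set by 'ANY'
"""

# glog prefix: severity + MMDD, time, thread id, source file:line, then the message.
PREFIX = re.compile(r"^[IWEF](\d{4}) (\d{2}:\d{2}:\d{2}\.\d+)\s+(\d+) ([\w.]+):\d+\] (.*)$")
HTTP = re.compile(r"HTTP (\w+) for (\S+) from ([\d.]+):\d+")
AUTHZ = re.compile(r"Authorizing principal '([^']*)' to (request|remove) quota")


def find_unauthenticated_quota_calls(log_text):
    """Return quota authorizations evaluated for principal 'ANY' (hypothetical helper)."""
    last_http = {}  # thread id -> (method, path, client) of the latest HTTP line
    findings = []
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue  # not a glog-formatted line
        date, time, tid, src, msg = m.groups()
        http = HTTP.search(msg) if src == "http.cpp" else None
        if http:
            last_http[tid] = http.groups()
            continue
        authz = AUTHZ.search(msg) if src == "quota_handler.cpp" else None
        if authz and authz.group(1) == "ANY":
            # Assumption: the request logged last on the same thread is the one authorized.
            method, path, client = last_http.get(tid, ("?", "?", "?"))
            findings.append({"time": f"{date} {time}", "action": authz.group(2),
                             "method": method, "path": path, "client": client})
    return findings


if __name__ == "__main__":
    for f in find_unauthenticated_quota_calls(SAMPLE_LOG):
        print(f"{f['time']} {f['method']} {f['path']} from {f['client']}: "
              f"quota {f['action']} authorized as principal 'ANY'")
```

With ACLs that list named principals and "permissive": false, every line this reports corresponds to a request that will be refused until the master authenticates HTTP callers.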