授予对作业的访问权限

ENTERPRISE

使用 CLI 或 UI 授予对作业的访问权限

您可以使用 DC/OS UI、CLI 或 [API] 来实现对作业的细粒度用户访问。(/mesosphere/dcos/cn/2.1/security/ent/iam-api/). Metronome 权限 允许您在每项作业或每个作业组上限制用户对作业的访问。该部分为您介绍实现这一切的步骤。

前提条件:

通过 DC/OS UI

  1. 以具有 superuser 权限的用户身份登录 DC/OS UI。

    登录

    图 1. DC/OS UI 登录

  2. 选择组织,然后选择用户

  3. 选择要授予权限的用户名或组名。

    添加 cory 权限

    图 2. 选择要添加权限的用户或组

  4. 权限选项卡上,单击添加权限

  5. 单击插入权限字符串以切换对话框。

    添加权限

    图 3. 添加权限

  6. 权限字符串字段中复制并粘贴权限。根据您的[安全模式]选择权限字符串。(/mesosphere/dcos/cn/2.1/security/ent/#security-modes).

    宽容

    • DC/OS 作业访问权限:

      指定您的作业组 (<job-group>)、作业名称 (<job-name>) 和操作 (<action>). 操作可以是 createreadupdatedeletefull. 若要允许多个操作,请使用逗号分隔它们,例如: dcos:service:metronome:metronome:jobs:<job-group>/<job-name> read,update.

      1. dcos:adminrouter:service:metronome full
      2. dcos:service:metronome:metronome:jobs:<job-group>/<job-name> <action>

    • DC/OS 服务任务和日志:

      1. dcos:adminrouter:ops:mesos full
      2. dcos:adminrouter:ops:slave full
  1. ### 严格
  3. -   **DC/OS 作业访问权限:**
  5.     指定您的作业组 (`<job-group>`)、作业名称 (`<job-name>`) 和操作 (`<action>`). 操作可以是 `create` `read` `update``delete`  `full`. 若要允许多个操作,请使用逗号分隔它们,例如: `dcos:service:metronome:metronome:jobs:<job-group>/<job-name> read,update`.
  7.     ```
  8.     dcos:adminrouter:service:metronome full
  9.     dcos:service:metronome:metronome:jobs:<job-group>/<job-name> <action>
  10.     ```
  12. -   **DC/OS 服务任务和日志:**
  14.     ```
  15.     dcos:adminrouter:ops:mesos full
  16.     dcos:adminrouter:ops:slave full
  17.     dcos:mesos:master:framework:role:* read
  18.     dcos:mesos:master:executor:app_id:/<job-group>/<job-name> read
  19.     dcos:mesos:master:task:app_id:/<job-group>/<job-name> read
  20.     dcos:mesos:agent:framework:role:* read
  21.     dcos:mesos:agent:executor:app_id:/<job-group>/<job-name> read
  22.     dcos:mesos:agent:task:app_id:/<job-group>/<job-name> read
  23.     dcos:mesos:agent:sandbox:app_id:/<job-group>/<job-name> read
  24.     ```
  1. 单击 ADD PERMISSIONS,然后单击 Close

通过 CLI

前提条件:

提示:

  • 向组而不是用户授予权限,将 users grant <user-name> 替换为 groups grant <gid>.

宽容

  • DC/OS 作业访问权限:

    1. 授予作业组(<job-group>)和作业名称(<job-name>).)的权限。

      1. dcos security org users grant <user-name> adminrouter:service:metronome full --description "Controls access to Metronome services"
      2. dcos security org users grant <user-name> service:metronome:metronome:jobs:<job-group>/<job-name> full --description "Controls access to <job-group>/<job-name>"

  • DC/OS 服务任务和日志:

    1. 授予用户权限 (<user-name>).

      1. dcos security org users grant <user-name> adminrouter:ops:mesos full --description "Grants access to the Mesos master API/UI and task details"
      2. dcos security org users grant <user-name> adminrouter:ops:slave full --description "Grants access to the Mesos agent API/UI and task details such as logs"

严格

  • DC/OS 作业访问权限:

    1. 授予作业组(<job-group>)和作业名称(<job-name>).)的权限。

      1. dcos security org users grant <user-name> adminrouter:service:metronome full --description "Controls access to Metronome services"
      2. dcos security org users grant <user-name> service:metronome:metronome:jobs:<job-group>/<job-name> full --description "Controls access to <job-group>/<job-name>"

  • DC/OS 服务任务和日志:

    1. 向用户 (<user-name>) 和 (<job-group>).) 授予权限。

      1. dcos security org users grant <user-name> adminrouter:ops:mesos full --description "Grants access to the Mesos master API/UI and task details"
      2. dcos security org users grant <user-name> adminrouter:ops:slave full --description "Grants access to the Mesos agent API/UI and task details such as logs"
      3. dcos security org users grant <user-name> mesos:master:framework:role:* read --description "Controls access to frameworks registered with the Mesos default role"
      4. dcos security org users grant <user-name> mesos:master:executor:app_id:/<job-group>/<job-name> read --description "Controls access to executors running inside <job-group>/<job-name>"
      5. dcos security org users grant <user-name> mesos:master:task:app_id:/<job-group>/<job-name> read --description "Controls access to tasks running inside <job-group>/<job-name>"
      6. dcos security org users grant <user-name> mesos:agent:framework:role:* read --description "Controls access to information about frameworks registered under the Mesos default role"
      7. dcos security org users grant <user-name> mesos:agent:executor:app_id:/<job-group>/<job-name> read --description "Controls access to executors running inside <job-group>/<job-name>"
      8. dcos security org users grant <user-name> mesos:agent:task:app_id:/<job-group>/<job-name> read --description "Controls access to tasks running inside <job-group>/<job-name>"
      9. dcos security org users grant <user-name> mesos:agent:sandbox:app_id:/<gid>/ read --description "Controls access to the sandboxes of <job-group>/<job-name>"