授予对 Services 选项卡的访问权限

ENTERPRISE

授予对 Services 选项卡的访问权限

您可以授予用户访问Services选项卡的权限。新用户默认没有权限。

注意: 此过程可授予访问这个屏幕选项卡的全部用户权限。如果您正在以 strict 或 permissive 安全模式 运行并希望配置细粒度用户访问权限,请参阅 文档

使用 GUI 授予访问权限

先决条件:

  • 不具有 dcos:superuser 权限 的 DC/OS 用户账户。
  1. 以具有 dcos:superuser 权限的用户身份登录 DC/OS GUI。

登录

图 1. DC/OS Web 界面登录

  1. 选择 Organization 并选择 UsersGroups

  2. 选择要授予权限的用户名或组名。

添加 cory 权限

图 2. 选择要授予权限的用户或组

  1. Permissions 选项卡中,单击 ADD PERMISSION

  2. 单击 INSERT PERMISSION STRING 以切换对话框。

添加权限

图 3. 插入权限字符串

  1. Permissions Strings 字段中复制并粘贴权限。根据您的 安全模式 选择权限字符串,单击添加权限,然后单击关闭

禁用

服务选项卡

  1. dcos:adminrouter:service:marathon full

服务任务

  1. dcos:adminrouter:ops:mesos full

任务详情和日志

  1. dcos:adminrouter:ops:slave full

宽容

服务选项卡

  1. dcos:adminrouter:service:marathon full
  2. dcos:service:marathon:marathon:services:/ full

服务任务

  1. dcos:adminrouter:ops:mesos full

任务详情和日志

  1. dcos:adminrouter:ops:slave full

严格

服务选项卡

  1. dcos:adminrouter:service:marathon full
  2. dcos:service:marathon:marathon:services:/ full

服务任务

  1. dcos:adminrouter:ops:mesos full

任务详情和日志

  1. dcos:adminrouter:ops:slave full
  2. dcos:mesos:master:framework:role:slave_public read
  3. dcos:mesos:master:executor:app_id read
  4. dcos:mesos:master:task:app_id read
  5. dcos:mesos:agent:framework:role:slave_public read
  6. dcos:mesos:agent:executor:app_id read
  7. dcos:mesos:agent:task:app_id read
  8. dcos:mesos:agent:sandbox:app_id read

使用 API 授予访问权限

先决条件:

提示:

  • 服务资源通常包括 / 必须在 curl 请求中以 %252F 替换的字符,如下例所示。
  • 使用 API 管理权限时,您必须在授予之前先创建权限。如果权限已存在,API 将返回提示信息,您可以继续分配权限。

禁用

授权对 DC/OS Services 选项卡的访问权限

  1. 创建权限。

    1. curl -X PUT  \
    2. -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
    3. -H 'Content-Type: application/json' \
    4. $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:adminrouter:service:marathon  \
    5. -d '{"description":"Grants access to the Services tab"}'

  2. 向用户授予以下权限 uid

    1. curl -X PUT  \
    2. -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
    3. $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:adminrouter:service:marathon/users/<uid>/full

注意: 要向组而不是向用户授予权限,应替换 /users/ with /groups/.

授予对 DC/OS 服务任务详细信息和日志的访问权限

  1. 创建权限。

    1. curl -X PUT  \
    2. -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
    3. -H 'Content-Type: application/json' \
    4. $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:adminrouter:ops:mesos  \
    5. -d '{"description":"Grants access to the Mesos master API/UI and task details"}'
    6. curl -X PUT  \
    7. -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
    8. -H 'Content-Type: application/json' \
    9. $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:adminrouter:ops:slave  \
    10. -d '{"description":"Grants access to the Mesos agent API/UI and task details such as logs"}'

  2. 向用户授予以下权限 uid

    1. curl -X PUT  \
    2. -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
    3. $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:adminrouter:ops:mesos/users/<uid>/full
    4. curl -X PUT  \
    5. -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
    6. $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:adminrouter:ops:slave/users/<uid>/full

注意: 要向组而不是向用户授予权限,应替换 /users/ with /groups/.

宽容

授权对 DC/OS Services 选项卡的访问权限

  1. 创建权限。

    1. curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
    2. -H 'Content-Type: application/json' \
    3. $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:adminrouter:service:marathon  \
    4. -d '{"description":"Grants access to the Services tab"}'

  2. 向用户授予以下权限 uid

    1. curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
    2. $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:adminrouter:service:marathon/users/<uid>/full

注意: 要向组而不是向用户授予权限,应替换 /users/ with /groups/.

授予对 DC/OS 服务任务详细信息和日志的访问权限

  1. 创建权限。

    1. curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
    2. -H 'Content-Type: application/json' \
    3. $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:adminrouter:ops:mesos  \
    4. -d '{"description":"Grants access to the Mesos master API/UI and task details"}'
    5. curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
    6. -H 'Content-Type: application/json' \
    7. $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:adminrouter:ops:slave  \
    8. -d '{"description":"Grants access to the Mesos agent API/UI and task details such as logs"}'

  2. 向用户授予以下权限 uid

    1. curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
    2. $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:adminrouter:ops:mesos/users/<uid>/full
    3. curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
    4. $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:adminrouter:ops:slave/users/<uid>/full

注意: 要向组而不是向用户授予权限,应替换 /users/ with /groups/.

授予对 Services 选项卡中所有服务的访问权限

  1. 创建权限。

    1. curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
    2. -H 'Content-Type: application/json' \
    3. $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:service:marathon:marathon:services:%252F  \
    4. -d '{"description":"Grants access to all services"}'

  2. 向用户授予以下权限 uid

    1. curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
    2. $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:service:marathon:marathon:services:%252F/users/<uid>/full

注意: 要向组而不是向用户授予权限,应替换 /users/ with /groups/.

严格

授权对 DC/OS Services 选项卡的访问权限

  1. 创建权限。

    1. curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
    2. -H 'Content-Type: application/json' \
    3. $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:adminrouter:service:marathon  \
    4. -d '{"description":"Grants access to the Services tab"}'

  2. 向用户授予以下权限 uid

    1. curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
    2. $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:adminrouter:service:marathon/users/<uid>/full

注意: 要向组而不是向用户授予权限,应替换 /users/ with /groups/.

授予对 DC/OS 服务任务详细信息和日志的访问权限

  1. 创建权限。

    1. curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
    2. -H 'Content-Type: application/json' \
    3. $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:adminrouter:ops:mesos  \
    4. -d '{"description":"Grants access to the Mesos master API/UI and task details"}'
    5. curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
    6. -H 'Content-Type: application/json' \
    7. $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:adminrouter:ops:slave  \
    8. -d '{"description":"Grants access to the Mesos agent API/UI and task details such as logs"}'
    9. curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
    10. -H 'Content-Type: application/json' \
    11. $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:mesos:master:framework:role:slave_public  \
    12. -d '{"description":"Grants access to register as or view Mesos master information about frameworks registered with the slave_public role"}'
    13. curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
    14. -H 'Content-Type: application/json' \
    15. $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:mesos:master:executor:app_id  \
    16. -d '{"description":"Grants access to all executors on the Mesos master"}'
    17. curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
    18. -H 'Content-Type: application/json' \
    19. $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:mesos:master:task:app_id  \
    20. -d '{"description":"Grants access to all tasks on the Mesos master"}'
    21. curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
    22. -H 'Content-Type: application/json' \
    23. $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:mesos:agent:framework:role:slave_public  \
    24. -d '{"description":"Grants access to view Mesos agent information about frameworks registered with the slave_public role"}'
    25. curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
    26. -H 'Content-Type: application/json' \
    27. $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:mesos:agent:executor:app_id  \
    28. -d '{"description":"Grants access to all executors running on the Mesos agent"}'
    29. curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
    30. -H 'Content-Type: application/json' \
    31. $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:mesos:agent:task:app_id  \
    32. -d '{"description":"Grants access to all tasks running on the Mesos agent"}'
    33. curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
    34. -H 'Content-Type: application/json' \
    35. $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:mesos:agent:sandbox:app_id  \
    36. -d '{"description":"Grants access to the sandboxes on the Mesos agent"}'

  2. 向用户授予以下权限 uid

    1. curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
    2. $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:adminrouter:ops:mesos/users/<uid>/full
    3. curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
    4. $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:adminrouter:ops:slave/users/<uid>/full
    5. curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
    6. $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:mesos:master:framework:role:slave_public/users/<uid>/read
    7. curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
    8. $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:mesos:master:executor:app_id/users/<uid>/read
    9. curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
    10. $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:mesos:master:task:app_id/users/<uid>/read
    11. curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
    12. $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:mesos:agent:framework:role:slave_public/users/<uid>/read
    13. curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
    14. $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:mesos:agent:executor:app_id/users/<uid>/read
    15. curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
    16. $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:mesos:agent:task:app_id/users/<uid>/read
    17. curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
    18. $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:mesos:agent:sandbox:app_id/users/<uid>/read

注意: 要向组而不是向用户授予权限,应替换 /users/ with /groups/.

授予对 Services 选项卡中所有服务的访问权限

  1. 创建权限。
  1. curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
  2. -H 'Content-Type: application/json' \
  3. $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:service:marathon:marathon:services:%252F  \
  4. -d '{"description":"Grants access to all services"}'
  1. 向用户授予以下权限 uid
  1. curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
  2. $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:service:marathon:marathon:services:%252F/users/<uid>/full

注意: 要向组而不是向用户授予权限,应替换 /users/ with /groups/.