Posted to user@mesos.apache.org by Nikolay Borodachev <nb...@adobe.com> on 2015/04/10 01:17:45 UTC

Authentication and authorization in Mesos & Marathon UI

Hello All,

What are the best practices that people use for authentication & authorization in Mesos and Marathon Web UI and APIs?

The best I came up with so far is to put “--http-credentials <user>:<password>” in the Marathon command line and use SSL.
Mesos UI is wide open though and does not support these features.

Ideally, I’d like to place both Mesos and Marathon UIs behind a load balancer and use an external directory (LDAP or Okta) to authenticate users.
Marathon works with load balancers but Mesos does not.

Thank you
Nikolay

RE: Authentication and authorization in Mesos & Marathon UI

Posted by Nikolay Borodachev <nb...@adobe.com>.
Hi Alex,

Thank you for answering my questions. I am aware of slaves and framework authentication but that’s not what I am looking for.
Do you have any examples of setting up user authentication/authorization using existing Mesos features?
For example, how do I prevent user ‘A’ from changing/removing apps created by user ‘B’?

Thank you
Nikolay

From: Alex Rukletsov [mailto:alex@mesosphere.com]
Sent: Friday, April 10, 2015 5:23 AM
To: user@mesos.apache.org
Subject: Re: Authentication and authorization in Mesos & Marathon UI

Nikolay,

the upcoming Mesos 0.23 release should include SSL support, see MESOS-910 <https://issues.apache.org/jira/browse/MESOS-910>, which affects Mesos UI as well. You can authenticate slaves and frameworks via --authenticate_slaves and --authenticate_frameworks Mesos master flags and even implement your own authentication mechanism and load it as a Mesos module (see include/mesos/authentication/, --authenticators and --modules Master flags).

For authorization, ACLs are supported in Mesos, check --acls Mesos master flag.

Hope this helps!

On Fri, Apr 10, 2015 at 1:17 AM, Nikolay Borodachev <nb...@adobe.com> wrote:
Hello All,

What are the best practices that people use for authentication & authorization in Mesos and Marathon Web UI and APIs?

The best I came up with so far is to put “--http-credentials <user>:<password>” in the Marathon command line and use SSL.
Mesos UI is wide open though and does not support these features.

Ideally, I’d like to place both Mesos and Marathon UIs behind a load balancer and use an external directory (LDAP or Okta) to authenticate users.
Marathon works with load balancers but Mesos does not.

Thank you
Nikolay


Re: Authentication and authorization in Mesos & Marathon UI

Posted by Alex Rukletsov <al...@mesosphere.com>.
Nikolay,

the upcoming Mesos 0.23 release should include SSL support, see MESOS-910
<https://issues.apache.org/jira/browse/MESOS-910>, which affects Mesos UI
as well. You can authenticate slaves and frameworks via
--authenticate_slaves and --authenticate_frameworks Mesos master flags and
even implement your own authentication mechanism and load it as a Mesos
module (see include/mesos/authentication/, --authenticators and --modules
Master flags).

For authorization, ACLs are supported in Mesos, check --acls Mesos master
flag.

Hope this helps!

On Fri, Apr 10, 2015 at 1:17 AM, Nikolay Borodachev <nb...@adobe.com>
wrote:

>  Hello All,
>
>
>
> What are the best practices that people use for authentication &
> authorization in Mesos and Marathon Web UI and APIs?
>
>
>
> The best I came up with so far is to put “--http-credentials
> <user>:<password>” in the Marathon command line and use SSL.
>
> Mesos UI is wide open though and does not support these features.
>
>
>
> Ideally, I’d like to place both Mesos and Marathon UIs behind a load
> balancer and use an external directory (LDAP or Okta) to authenticate users.
>
> Marathon works with load balancers but Mesos does not.
>
>
>
> Thank you
>
> Nikolay
>
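
The --acls master flag mentioned in the reply above takes a JSON document. As an added example (not from the thread or the Mesos code base), this sketch loads a constructed ACL set and evaluates requests with the first-match rule from the Mesos authorization documentation, simplified to single-valued requests. The principals "marathon" and "ops", the role "prod" and the function names are assumptions; these ACLs act on framework principals, not on individual Marathon apps.

```python
import json

# Constructed sample in the JSON format accepted by the master's --acls flag.
# Principals "marathon" and "ops" and role "prod" are hypothetical.
ACLS_JSON = """
{
  "permissive": false,
  "register_frameworks": [
    {"principals": {"values": ["marathon"]}, "roles": {"values": ["prod"]}}
  ],
  "shutdown_frameworks": [
    {"principals": {"values": ["ops"]},
     "framework_principals": {"values": ["marathon"]}},
    {"principals": {"type": "ANY"},
     "framework_principals": {"type": "NONE"}}
  ]
}
"""

def _matches(entity, value):
    # ANY and NONE entities match every request; a value list must contain it.
    return "type" in entity or value in entity.get("values", [])

def _allows(entity, value):
    # ANY allows, NONE denies, a value list allows only its members.
    if "type" in entity:
        return entity["type"] == "ANY"
    return value in entity.get("values", [])

def authorize(acls, action, principal, obj):
    """Return True if `principal` may perform `action` on `obj`."""
    for rule in acls.get(action, []):
        subject = rule["principals"]
        # The object key differs per action (roles, users, framework_principals).
        target = next(v for k, v in rule.items() if k != "principals")
        if _matches(subject, principal) and _matches(target, obj):
            # The first matching rule decides the request.
            return _allows(subject, principal) and _allows(target, obj)
    # No rule matched: fall back to "permissive" (true when omitted).
    return acls.get("permissive", True)

ACLS = json.loads(ACLS_JSON)
print(authorize(ACLS, "shutdown_frameworks", "ops", "marathon"))
print(authorize(ACLS, "shutdown_frameworks", "alice", "marathon"))
```

With "permissive" omitted, a request that matches no rule is allowed, so the explicit false (or a closing ANY/NONE rule) is what makes the set deny by default.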