Configuring DC/OS access for Beta DC/OS Monitoring Service

The Beta DC/OS Monitoring service can run on DC/OS clusters in either permissive or strict mode. On strict mode clusters, DC/OS access controls must be used to restrict access to the Beta DC/OS Monitoring service: configure the service to authenticate itself using a certificate and grant it only the permissions it requires.

This page describes how to configure DC/OS access for Beta DC/OS Monitoring Service. Depending on your security mode, Beta DC/OS Monitoring Service requires service authentication for access to DC/OS.

Security mode   Service Account
Disabled        Not available
Permissive      Optional
Strict          Required

If you install a service in permissive mode and do not specify a service account, Metronome and Marathon will act as if requests from this service are made by an account with the superuser permission.

Prerequisites:

Create a Key Pair

In this step, a 2048-bit RSA public-private key pair is created using the Enterprise DC/OS CLI.

Create a public-private key pair and save each value into a separate file within the current directory.

dcos security org service-accounts keypair <private-key>.pem <public-key>.pem

Tip: You can use the DC/OS Secret Store to secure the key pair.

Create a Service Account

From a terminal prompt, create a service account named beta-dcos-monitoring-principal and store its private key in a secret named beta-dcos-monitoring/service-private-key using the following CLI commands.

dcos security org service-accounts keypair beta-dcos-monitoring-private-key.pem beta-dcos-monitoring-public-key.pem
dcos security org service-accounts create -p beta-dcos-monitoring-public-key.pem -d "beta-dcos-monitoring service account" beta-dcos-monitoring-principal
dcos security secrets create-sa-secret --strict beta-dcos-monitoring-private-key.pem beta-dcos-monitoring-principal beta-dcos-monitoring/service-private-key

Assign service permissions

Grant beta-dcos-monitoring-principal the permissions required to run the Beta DC/OS Monitoring service using the following commands.

dcos security org users grant beta-dcos-monitoring-principal dcos:adminrouter:ops:ca:rw full
dcos security org users grant beta-dcos-monitoring-principal dcos:adminrouter:ops:ca:ro full
dcos security org users grant beta-dcos-monitoring-principal dcos:mesos:agent:framework:role:slave_public read
dcos security org users grant beta-dcos-monitoring-principal dcos:mesos:master:framework:role:beta-dcos-monitoring-role create
dcos security org users grant beta-dcos-monitoring-principal dcos:mesos:master:framework:role:slave_public read
dcos security org users grant beta-dcos-monitoring-principal dcos:mesos:master:framework:role:slave_public/beta-dcos-monitoring-role read
dcos security org users grant beta-dcos-monitoring-principal dcos:mesos:master:framework:role:slave_public/beta-dcos-monitoring-role create
dcos security org users grant beta-dcos-monitoring-principal dcos:mesos:master:reservation:principal:beta-dcos-monitoring-principal delete
dcos security org users grant beta-dcos-monitoring-principal dcos:mesos:master:reservation:role:beta-dcos-monitoring-role create
dcos security org users grant beta-dcos-monitoring-principal dcos:mesos:master:reservation:role:slave_public/beta-dcos-monitoring-role create
dcos security org users grant beta-dcos-monitoring-principal dcos:mesos:master:task:user:nobody create
dcos security org users grant beta-dcos-monitoring-principal dcos:mesos:master:volume:principal:beta-dcos-monitoring-principal delete
dcos security org users grant beta-dcos-monitoring-principal dcos:mesos:master:volume:role:beta-dcos-monitoring-role create
dcos security org users grant beta-dcos-monitoring-principal dcos:mesos:master:volume:role:slave_public/beta-dcos-monitoring-role create
dcos security org users grant beta-dcos-monitoring-principal dcos:secrets:default:/beta-dcos-monitoring/\* full
dcos security org users grant beta-dcos-monitoring-principal dcos:secrets:list:default:/beta-dcos-monitoring read

Create a Configuration file

Create a custom options file that is used to install the Beta DC/OS Monitoring service and save it as options.json.

{
  "service": {
    "service_account": "beta-dcos-monitoring-principal",
    "service_account_secret": "beta-dcos-monitoring/service-private-key"
  }
}

Install Beta DC/OS Monitoring service

Now, install the Beta DC/OS Monitoring service with the following command, passing the options file created above.

dcos package install beta-dcos-monitoring --options=options.json
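After installation it is worth checking that the service account holds exactly the grants listed under "Assign service permissions" and nothing more. The script below is an added example, not part of the DC/OS documentation: it parses this page's grant commands into the required (rid, action) pairs and compares them against the account's current grants. It assumes the current grants are the "direct" entries returned by the DC/OS IAM API (GET /acs/api/v1/users/<uid>/permissions), each shaped like {"rid": ..., "actions": [{"name": ...}]}; the SAMPLE_GRANTED response is constructed, not captured from a cluster.

```python
# Audit beta-dcos-monitoring-principal's grants against the list on this page.
# Assumption: granted permissions come from the IAM API's "direct" list, each
# {"rid": ..., "actions": [{"name": ...}]}. SAMPLE_GRANTED below is constructed.
REQUIRED_GRANT_COMMANDS = r"""
dcos security org users grant beta-dcos-monitoring-principal dcos:adminrouter:ops:ca:rw full
dcos security org users grant beta-dcos-monitoring-principal dcos:adminrouter:ops:ca:ro full
dcos security org users grant beta-dcos-monitoring-principal dcos:mesos:agent:framework:role:slave_public read
dcos security org users grant beta-dcos-monitoring-principal dcos:mesos:master:framework:role:beta-dcos-monitoring-role create
dcos security org users grant beta-dcos-monitoring-principal dcos:mesos:master:framework:role:slave_public read
dcos security org users grant beta-dcos-monitoring-principal dcos:mesos:master:framework:role:slave_public/beta-dcos-monitoring-role read
dcos security org users grant beta-dcos-monitoring-principal dcos:mesos:master:framework:role:slave_public/beta-dcos-monitoring-role create
dcos security org users grant beta-dcos-monitoring-principal dcos:mesos:master:reservation:principal:beta-dcos-monitoring-principal delete
dcos security org users grant beta-dcos-monitoring-principal dcos:mesos:master:reservation:role:beta-dcos-monitoring-role create
dcos security org users grant beta-dcos-monitoring-principal dcos:mesos:master:reservation:role:slave_public/beta-dcos-monitoring-role create
dcos security org users grant beta-dcos-monitoring-principal dcos:mesos:master:task:user:nobody create
dcos security org users grant beta-dcos-monitoring-principal dcos:mesos:master:volume:principal:beta-dcos-monitoring-principal delete
dcos security org users grant beta-dcos-monitoring-principal dcos:mesos:master:volume:role:beta-dcos-monitoring-role create
dcos security org users grant beta-dcos-monitoring-principal dcos:mesos:master:volume:role:slave_public/beta-dcos-monitoring-role create
dcos security org users grant beta-dcos-monitoring-principal dcos:secrets:default:/beta-dcos-monitoring/\* full
dcos security org users grant beta-dcos-monitoring-principal dcos:secrets:list:default:/beta-dcos-monitoring read
"""

def parse_grants(commands):
    """Map rid -> set of actions from 'dcos security org users grant <uid> <rid> <action>' lines."""
    grants = {}
    for line in commands.strip().splitlines():
        parts = line.split()
        if parts[:5] != ["dcos", "security", "org", "users", "grant"]:
            continue  # ignore anything that is not a grant command
        rid, action = parts[6], parts[7]
        grants.setdefault(rid.replace("\\*", "*"), set()).add(action)  # undo shell escaping
    return grants

def audit(required, granted):
    """Return (missing, extra). In DC/OS IAM 'full' implies every other action on a rid,
    so 'full' satisfies a 'read' requirement but is still reported as extra privilege."""
    held = {p["rid"]: {a["name"] for a in p["actions"]} for p in granted}
    missing = sorted(f"{rid} {act}" for rid, acts in required.items() for act in acts
                     if not ({act, "full"} & held.get(rid, set())))
    extra = sorted(f"{rid} {act}" for rid, acts in held.items() for act in acts
                   if act not in required.get(rid, set()))
    return missing, extra

SAMPLE_GRANTED = [  # constructed IAM response: partly provisioned, partly over-granted
    {"rid": "dcos:adminrouter:ops:ca:rw", "actions": [{"name": "full"}]},
    {"rid": "dcos:mesos:master:task:user:nobody", "actions": [{"name": "full"}]},
    {"rid": "dcos:secrets:default:/beta-dcos-monitoring/*", "actions": [{"name": "full"}]},
    {"rid": "dcos:mesos:master:task:user:root", "actions": [{"name": "create"}]},
]
```

Feed the "direct" list from the IAM API for beta-dcos-monitoring-principal to audit() in place of SAMPLE_GRANTED; an empty result for both lists means the account matches the page exactly.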