|Security mode||Service Account|
If you install a service in permissive mode and do not specify a service account, Metronome and Marathon will act as if requests made by this service are made by an account with the superuser permission.
- DC/OS CLI installed and be logged in as a superuser.
- Enterprise DC/OS CLI 0.4.14 or later installed.
- If your security mode is
strict, you must get the root cert before issuing the curl commands in this section.
In this step, a 2048-bit RSA public-private key pair is created uses the Enterprise DC/OS CLI.
Create a public-private key pair and save each value into a separate file within the current directory.
dcos security org service-accounts keypair <private-key>.pem <public-key>.pem
From a terminal prompt, create a new service account (
<service-account-id>) containing the public key (
dcos security org service-accounts create -p <your-public-key>.pem -d "dcos_nifi" <service-name>
You can verify your new service account using the following command.
dcos security org service-accounts show <service-account-id>
Create a secret (
nifi/<secret-name>) with your service account (
<service-account-id>) and private key specified (
If you store your secret in a path that matches the service name (e.g. service name and secret path are
nifi), then only the service named
nifi can access it.
dcos security secrets create-sa-secret <private-key>.pem <service-name> <service name secret>
dcos security secrets create-sa-secret --strict <private-key>.pem <service-name> <service name secret>
You can list the secrets with the following command:
dcos security secrets list /
dcos security org users grant <service name> dcos:superuser full --description "grant permission to superuser"