在mesosphere/dcos中启用authenticate mesos API时出现问题

blpfk2vs  于 2021-06-26  发布在  Mesos
关注(0)|答案(1)|浏览(428)

默认情况下,不会为mesos API启用身份验证。安装dcos后,我需要对其进行config mesos api验证。我将为mesosapi设置身份验证,比如:注册框架、运行任务,。。。
问题是在我的配置之后,dcos gui和marathon没有正常工作。
我将DCO配置如下:
mesos环境变量config:path:/opt/mesosphere/etc/mesos master


# Authentication part

MESOS_LOG_DIR=/var/log/mesos

# Framework authentication

MESOS_AUTHENTICATORS="crammd5"
MESOS_AUTHENTICATE_FRAMEWORKS=true
MESOS_AUTHENTICATE_HTTP_FRAMEWORKS=true
MESOS_HTTP_FRAMEWORK_AUTHENTICATORS="basic"
MESOS_ACLS=/opt/mesosphere/etc/acls

MESOS_AUTHENTICATE=true
MESOS_CREDENTIALS=/opt/mesosphere/etc/mesos_credentials_auth.json
MESOS_ROLE=foo

marathon环境变量config:path:/opt/mesosphere/marathon


# authentication section

MARATHON_MESOS_AUTHENTICATION=enabled

# MARATHON_HTTP_CREDENTIALS=marathon:123456

MARATHON_MESOS_AUTHENTICATION_PRINCIPAL=marathon
MARATHON_MESOS_ROLE=foo
MARATHON_MESOS_AUTHENTICATION_SECRET_file=/opt/mesosphere/etc/marathon.secret

marathon环境变量config:path:/opt/mesosphere/metronome

METRONOME_MESOS_AUTHENTICATION_ENABLED=true
METRONOME_MESOS_AUTHENTICATION_PRINCIPAL=metronome
METRONOME_MESOS_ROLE=foo
METRONOME_MESOS_AUTHENTICATION_SECRET_FILE= /opt/mesosphere/etc/metronome.secret

/opt/mesosphere/etc/metronome.secret(包含metronome secret,无新行)

123456

/opt/mesosphere/etc/marathon.secret(包含marathon secret而不换行)

123456

/opt/中层/etc/acls

{
"run_tasks": [
    {
        "principals": {
            "type": "ANY"
        },
        "users": {
            "type": "ANY"
        }
}
],
"register_frameworks": [
    {
        "principals": {
            "type": "ANY"
        },
        "roles": {
            "type": "ANY"
        }
}
]

}
/opt/mesosphere/etc/mesos\u凭证\u auth.json

{
 "credentials" : [
 {
   "principal": "principal1",
   "secret": "secret1"
 },
 {
   "principal": "principal2",
   "secret": "secret2"
 },
 {
     "principal": "marathon",
     "secret": "123456"
     },
 {
     "principal": "metronome",
     "secret": "123456"
     }
  ]
  }

当我启用此配置并停止和启动dcos mesos master时:

systemctl stop dcos-mesos-master.service    
systemctl start dcos-mesos-master.service

systemctl stop dcos-marathon.service
systemctl start dcos-marathon.service

systemctl stop dcos-metronome.service
systemctl start dcos-metronome.service

http://ip/services dcos中的页面无效。我认为它的马拉松认证设置不正确。bcs此地址在启用身份验证配置后工作:
http://ip/service/marathon/v2/deployments?_timestamp=1560449507192
在启用节拍器身份验证后,我在mesos日志中发现以下错误:

I0613 17:35:12.176092   305 authenticator.cpp:98] Creating new server 
SASL connection
I0613 17:35:12.177258   304 master.cpp:10255] Re-authenticating 
scheduler-aca98ea7-be34-49d1-9200-5ef8c15da153@172.17.0.2:15201; 
discarding outstanding authentication
I0613 17:35:12.177523   304 master.cpp:10285] Ignoring stale 
authentication result of scheduler-aca98ea7-be34-49d1-9200- 
5ef8c15da153@172.17.0.2:15201
I0613 17:35:12.177582   304 authenticator.cpp:98] Creating new server 
SASL connection
I0613 17:35:12.178586   302 master.cpp:10255] Re-authenticating 
scheduler-aca98ea7-be34-49d1-9200-5ef8c15da153@172.17.0.2:15201; 
discarding outstanding authentication
I0613 17:35:12.178850   302 master.cpp:10285] Ignoring stale 
authentication result of scheduler-aca98ea7-be34-49d1-9200- 
5ef8c15da153@172.17.0.2:15201
m3eecexj

m3eecexj1#

经过搜索,我终于得到了答案:
这些安全特性只在“dc/os mesosphere enterprise”上可用,您不能在开源版本中配置它。
此外,我还打开了github问题并提供了更多细节:(我希望它会有用)
https://github.com/mesosphere/marathon/issues/6942

相关问题