Problem enabling Mesos API authentication in mesosphere/dcos

blpfk2vs, posted on 2021-06-26 in Mesos

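By default, authentication is not enabled for the Mesos API. After installing DC/OS, I need to configure authentication for the Mesos API. I want to set up authentication for Mesos API operations such as registering frameworks, running tasks, ...
The problem is that after my configuration, the DC/OS GUI and Marathon do not work properly.
I configured DC/OS as follows: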
Mesos environment variable config, path: /opt/mesosphere/etc/mesos-master

```
# Authentication part
MESOS_LOG_DIR=/var/log/mesos

# Framework authentication
MESOS_AUTHENTICATORS="crammd5"
MESOS_AUTHENTICATE_FRAMEWORKS=true
MESOS_AUTHENTICATE_HTTP_FRAMEWORKS=true
MESOS_HTTP_FRAMEWORK_AUTHENTICATORS="basic"
MESOS_ACLS=/opt/mesosphere/etc/acls

MESOS_AUTHENTICATE=true
MESOS_CREDENTIALS=/opt/mesosphere/etc/mesos_credentials_auth.json
MESOS_ROLE=foo
```

Marathon environment variable config, path: /opt/mesosphere/marathon

```
# authentication section
MARATHON_MESOS_AUTHENTICATION=enabled

# MARATHON_HTTP_CREDENTIALS=marathon:123456

MARATHON_MESOS_AUTHENTICATION_PRINCIPAL=marathon
MARATHON_MESOS_ROLE=foo
MARATHON_MESOS_AUTHENTICATION_SECRET_file=/opt/mesosphere/etc/marathon.secret
```

marathon environment variable config, path: /opt/mesosphere/metronome

```
METRONOME_MESOS_AUTHENTICATION_ENABLED=true
METRONOME_MESOS_AUTHENTICATION_PRINCIPAL=metronome
METRONOME_MESOS_ROLE=foo
METRONOME_MESOS_AUTHENTICATION_SECRET_FILE= /opt/mesosphere/etc/metronome.secret
```

/opt/mesosphere/etc/metronome.secret (contains the Metronome secret, without a newline)

```
123456
```

/opt/mesosphere/etc/marathon.secret (contains the Marathon secret, without a newline)

```
123456
```

/opt/mesosphere/etc/acls

```
{
    "run_tasks": [
        {
            "principals": {
                "type": "ANY"
            },
            "users": {
                "type": "ANY"
            }
        }
    ],
    "register_frameworks": [
        {
            "principals": {
                "type": "ANY"
            },
            "roles": {
                "type": "ANY"
            }
        }
    ]
}
```

/opt/mesosphere/etc/mesos_credentials_auth.json

```
{
    "credentials": [
        {
            "principal": "principal1",
            "secret": "secret1"
        },
        {
            "principal": "principal2",
            "secret": "secret2"
        },
        {
            "principal": "marathon",
            "secret": "123456"
        },
        {
            "principal": "metronome",
            "secret": "123456"
        }
    ]
}
```

When I enable this configuration and stop and start the DC/OS Mesos master:

```
systemctl stop dcos-mesos-master.service
systemctl start dcos-mesos-master.service

systemctl stop dcos-marathon.service
systemctl start dcos-marathon.service

systemctl stop dcos-metronome.service
systemctl start dcos-metronome.service
```

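The http://ip/services page in DC/OS does not work. I think its Marathon authentication is not set up correctly, because this address works after enabling the authentication configuration:
http://ip/service/marathon/v2/deployments?_timestamp=1560449507192
After enabling Metronome authentication, I found the following errors in the Mesos log: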

```
I0613 17:35:12.176092   305 authenticator.cpp:98] Creating new server SASL connection
I0613 17:35:12.177258   304 master.cpp:10255] Re-authenticating scheduler-aca98ea7-be34-49d1-9200-5ef8c15da153@172.17.0.2:15201; discarding outstanding authentication
I0613 17:35:12.177523   304 master.cpp:10285] Ignoring stale authentication result of scheduler-aca98ea7-be34-49d1-9200-5ef8c15da153@172.17.0.2:15201
I0613 17:35:12.177582   304 authenticator.cpp:98] Creating new server SASL connection
I0613 17:35:12.178586   302 master.cpp:10255] Re-authenticating scheduler-aca98ea7-be34-49d1-9200-5ef8c15da153@172.17.0.2:15201; discarding outstanding authentication
I0613 17:35:12.178850   302 master.cpp:10285] Ignoring stale authentication result of scheduler-aca98ea7-be34-49d1-9200-5ef8c15da153@172.17.0.2:15201
```

m3eecexj #1

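After searching, I finally got the answer:
These security features are only available in "DC/OS Mesosphere Enterprise"; you cannot configure them in the open-source version.
In addition, I opened a GitHub issue with more details (I hope it will be useful):
https://github.com/mesosphere/marathon/issues/6942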
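
An added example, not part of the original post or of any DC/OS tooling: an offline Python check that cross-checks the three kinds of files shown in the question (Mesos credentials, ACLs, and framework secret files) for mismatched secrets, reused secrets, and unrestricted ACL rules. The function name `audit` and the sample data are constructed for illustration and mirror the values posted above.

```python
import json

# Constructed sample data mirroring the files shown in the question.
CREDENTIALS = json.loads("""{"credentials": [
  {"principal": "principal1", "secret": "secret1"},
  {"principal": "marathon", "secret": "123456"},
  {"principal": "metronome", "secret": "123456"}]}""")
ACLS = json.loads("""{
  "run_tasks": [{"principals": {"type": "ANY"}, "users": {"type": "ANY"}}],
  "register_frameworks": [{"principals": {"type": "ANY"}, "roles": {"type": "ANY"}}]}""")
# Principal -> raw bytes of its secret file (constructed; the second entry
# carries a trailing newline to show the mismatch case).
SECRET_FILES = {"marathon": b"123456", "metronome": b"123456\n"}


def audit(credentials, acls, secret_files):
    """Return sorted findings for a Mesos credentials/ACL/secret-file set."""
    findings = []
    known = {c["principal"]: c["secret"].encode()
             for c in credentials["credentials"]}
    # 1. Every framework secret file must match the master's credential bytes.
    for principal, raw in secret_files.items():
        if principal not in known:
            findings.append(f"{principal}: principal missing from credentials file")
        elif raw != known[principal]:
            newline = raw.rstrip(b"\r\n") == known[principal]
            reason = "trailing newline" if newline else "secret mismatch"
            findings.append(f"{principal}: secret file differs ({reason})")
    # 2. One secret shared by several principals weakens per-principal identity.
    by_secret = {}
    for principal, secret in known.items():
        by_secret.setdefault(secret, []).append(principal)
    for principals in by_secret.values():
        if len(principals) > 1:
            findings.append("shared secret: " + ",".join(sorted(principals)))
    # 3. A rule whose entities are all ANY places no restriction on the action.
    for action, rules in acls.items():
        if not isinstance(rules, list):  # e.g. the boolean "permissive" key
            continue
        for rule in rules:
            if all(entity.get("type") == "ANY" for entity in rule.values()):
                findings.append(f"{action}: rule allows ANY for every entity")
    return sorted(findings)


if __name__ == "__main__":
    for line in audit(CREDENTIALS, ACLS, SECRET_FILES):
        print(line)
```

On a real node the byte strings in `SECRET_FILES` would be read with `open(path, "rb").read()` so that a trailing newline is not silently stripped.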
