d2iq-archive / marathon

Deploy and manage containers (including Docker) on top of Apache Mesos at scale.
https://mesosphere.github.io/marathon/
Apache License 2.0

LDAP authentication #1847

Closed felixb closed 8 years ago

felixb commented 9 years ago

I'd like to see LDAP authentication for marathon. The implementation should support r/w and r/o groups. You still need /ping to be accessible w/o authentication for different kinds of health checks.

I'd be glad to get rid of my current workaround deploying marathon with an apache reverse proxy in the same docker container.

janisz commented 9 years ago

It's duplicate of https://github.com/mesosphere/marathon/issues/128

felixb commented 9 years ago

It's not. I'm not asking for multi tenancy at all. Just authentication and restriction to r/o mode for some users.

sepiroth887 commented 9 years ago

While this is not a solution, I run nginx on the mesos-master which also runs marathon. nginx has the ldap-module enabled, which should be able to scope pretty well what you need. If you only allow GET to marathon via nginx you should be able to get what you want.

That said, I'd still like to see granular permissions with Marathon :)

felixb commented 9 years ago

I'm doing the same thing with apache, because nginx-ldap does not support STARTTLS.

Anyway, I don't like the idea of running a webserver next to marathon (or chronos) in a single docker container just to do LDAP authentication. Using marathon's groups to run marathon/chronos and apache as single containers isn't a solution either. The marathon/chronos instance would be accessible from outside if you know where it's running.

sepiroth887 commented 9 years ago

True. The permissions model on containers could generally improve to allow those use cases, but that's more in Docker's realm.

The problem though is not just with marathon but a lot of other tools with poor or no ldap support. Actually Docker's registry 2.0 does bundle nginx internally for ssl termination iirc.

I would generally love to see more integrations with oauth similar to what rancher does with github. This gives a lot of flexibility and granularity for ACLs.

air commented 9 years ago

Hey @felixb - thanks for the issue! We definitely want to improve Marathon access control.

We're working on adding hooks for this in Marathon, as well as some commercial add-ons as part of DCOS.

Could you give a quick example of r/w, r/o users/groups and how it might work for your use case?

felixb commented 9 years ago

We currently run one marathon for each team. There is an LDAP group for each team, one for ops/admin and one for read only/monitoring users. The team and ops are allowed to do any requests. Read only is allowed to do GET requests only. Access to one of the css files is granted without login. This is just for the health checks. I'm quite fine with the current situation. But I'd rather remove the proxy in front of marathon.

janisz commented 9 years ago

I created a PoC for this feature. Please tell me if this is the right approach. I used shiro to provide user authentication. It works with AD and basic shiro auth. It supports read and write permissions.

kamilchm commented 9 years ago

It would be great to have it in 0.11 :) @aquamatthias is it possible? We want to use it internally and @janisz can work on it more to get it done right after your feedback.

janisz commented 9 years ago

PoC with Shiro works fine for me. What do you think about the following requirements for this feature?

  1. Health check (/ping) is available without authentication
  2. Authentication is enabled when the user provides a path to the shiro config
  3. There is an audit log with the information: datetime, method, URL, who

Are there any other requirements?
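The access rules discussed in this thread (anonymous /ping for health checks, r/w groups allowed any method, r/o groups limited to GET, and an audit line of datetime, method, URL and user) can be written down as a small request-authorization policy. The block below is an added illustration and is not code from Marathon, from the Shiro PoC, or from the later plugin; the group DNs, usernames, passwords and paths are constructed stand-ins for what an LDAP bind would return, and HTTP Basic is assumed as the credential format.

```python
import base64
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, Optional, Tuple

# Requirement 1 from the thread: health-check paths need no credentials.
UNAUTHENTICATED_PATHS = frozenset({"/ping"})
# Methods a read-only (r/o) group may use; anything else requires r/w.
READ_ONLY_METHODS = frozenset({"GET", "HEAD"})

# Constructed stand-in for LDAP group membership: group DN -> permission level.
# A real deployment would resolve these by binding to the directory.
GROUP_PERMISSIONS: Dict[str, str] = {
    "cn=team-a,ou=groups,dc=example,dc=org": "rw",
    "cn=ops,ou=groups,dc=example,dc=org": "rw",
    "cn=monitoring,ou=groups,dc=example,dc=org": "ro",
}

# Constructed directory: username -> (password, group DNs). Plain-text passwords
# exist here only because this is an offline substitute for an LDAP bind.
DIRECTORY: Dict[str, Tuple[str, Tuple[str, ...]]] = {
    "alice": ("alice-pw", ("cn=team-a,ou=groups,dc=example,dc=org",)),
    "bob": ("bob-pw", ("cn=monitoring,ou=groups,dc=example,dc=org",)),
    "eve": ("eve-pw", ("cn=guests,ou=groups,dc=example,dc=org",)),
}


@dataclass(frozen=True)
class Decision:
    status: int          # 200 allowed, 401 missing/invalid credentials, 403 authenticated but not permitted
    user: Optional[str]  # authenticated principal, None for anonymous
    audit: str           # requirement 3 from the thread: "datetime method URL who status"


def basic_header(user: str, password: str) -> str:
    """Build the HTTP Basic Authorization header value a client would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authenticate(authorization: Optional[str], directory=DIRECTORY) -> Optional[str]:
    """Validate an HTTP Basic header against the directory; return the username or None."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    entry = directory.get(username)
    # Constant-time comparison so a wrong user and a wrong password take the same path.
    if entry is None or not hmac.compare_digest(entry[0].encode(), password.encode()):
        return None
    return username


def permission_for(groups: Iterable[str]) -> Optional[str]:
    """Most privileged of the user's groups wins; unknown groups grant nothing."""
    levels = {GROUP_PERMISSIONS.get(g) for g in groups}
    if "rw" in levels:
        return "rw"
    if "ro" in levels:
        return "ro"
    return None


def authorize(method: str, path: str, authorization: Optional[str] = None,
              directory=DIRECTORY, now: Optional[datetime] = None) -> Decision:
    """Decide a request and produce its audit line; `now` is injectable for testing."""
    method = method.upper()
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")

    def decide(status: int, user: Optional[str]) -> Decision:
        return Decision(status, user, f"{stamp} {method} {path} {user or '-'} {status}")

    if path in UNAUTHENTICATED_PATHS:
        return decide(200, None)            # health checks bypass authentication
    user = authenticate(authorization, directory)
    if user is None:
        return decide(401, None)            # no or bad credentials
    level = permission_for(directory[user][1])
    if level == "rw" or (level == "ro" and method in READ_ONLY_METHODS):
        return decide(200, user)
    return decide(403, user)                # authenticated, but not allowed this method


if __name__ == "__main__":
    for method, path, header in [
        ("GET", "/ping", None),
        ("POST", "/v2/apps", basic_header("alice", "alice-pw")),
        ("GET", "/v2/apps", basic_header("bob", "bob-pw")),
        ("DELETE", "/v2/apps/web", basic_header("bob", "bob-pw")),
        ("GET", "/v2/apps", basic_header("eve", "eve-pw")),
    ]:
        print(authorize(method, path, header).audit)
```

The audit string is produced on every path through `authorize`, including the anonymous /ping case and rejected requests, so the log answers "who did what, when" even for failed attempts; the unknown group for `eve` yields 403 rather than silently falling back to read-only.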

sepiroth887 commented 9 years ago

That would do the trick :) never worked with shiro but as long as it supports ldap/ad/basic auth it's a great start :)

SEJeff commented 9 years ago

@janisz That all sounds entirely reasonable. Did you make a PR for this?

janisz commented 9 years ago

PR is here but in next Marathon release plugin interface will be available. I started working on authentication plugin here but it's not finished. I hope I'll fix it next week.

janisz commented 9 years ago

@SEJeff I just created a PR for an authentication plugin that is based on Shiro; it will work with Marathon 0.12. Right now it supports only authentication, so if you log in you can do anything. I need to think how to combine actions on different paths and shiro roles.

SEJeff commented 8 years ago

For any non-dcos users, this ldap plugin seems to be targeted at the new marathon plugin api.

jasongilanfarr commented 8 years ago

Closed as there is now a plugin