DC/OS DocumentationYou can grant users access to the Jobs screen. By default, new users have no permissions.
NOTE: This procedure grants full user access to the Jobs screen and all the jobs inside of it. If you want to configure fine-grained user access, see the documentation.
Granting Access using the web interface
Prerequisites:
- A DC/OS user account without the
dcos:superuserpermission.
-
Log in to the DC/OS web interface as a user with the
superuserpermission.
Figure 1. Log in to web interface
-
Select Organization and choose Users or Groups.
-
Select the name of the user or group to grant the permission to.
Figure 2. Select user or group to grant permissions to
-
From the Permissions screen, click ADD PERMISSION.
-
Click INSERT PERMISSION STRING to toggle the dialog.
Figure 3. Add permission
-
Copy and paste the permission in the Permissions Strings field. Choose the permission strings based on your security mode and click ADD PERMISSIONS and then Close.
Permissive
DC/OS Jobs screen
```
dcos:adminrouter:service:metronome full
dcos:service:metronome:metronome:jobs full
```
DC/OS jobs task and details
```
dcos:adminrouter:ops:mesos full
dcos:adminrouter:ops:slave full
```
Strict
DC/OS Jobs screen
```
dcos:adminrouter:service:metronome full
dcos:service:metronome:metronome:jobs full
```
DC/OS jobs task and details
```
dcos:adminrouter:ops:mesos full
dcos:adminrouter:ops:slave full
dcos:mesos:master:framework:role:* read
dcos:mesos:master:executor:app_id read
dcos:mesos:master:task:app_id read
dcos:mesos:agent:framework:role:* read
dcos:mesos:agent:executor:app_id read
dcos:mesos:agent:task:app_id read
dcos:mesos:agent:sandbox:app_id read
```
Granting Acess using the API
Prerequisites:
- You must have the DC/OS CLI installed and be logged in as a superuser.
- You must get the root cert before issuing the curl commands in this section.
Notes
- Service resources often include
/characters that must be replaced with%252Fin curl requests, as shown in the examples below. - When using the API to manage permissions, you must create the permission before granting it. If the permission already exists, the API will return an informative message and you can continue to assign the permission.
Permissive
DC/OS Jobs screen
- Create the permission.
curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
-H 'Content-Type: application/json' \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:adminrouter:service:metronome \
-d '{"description":"Grants access to the Jobs screen"}'
curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
-H 'Content-Type: application/json' \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:service:metronome:metronome:jobs \
-d '{"description":"Grants access to all jobs"}'
- Grant the following privileges to the user
uid.
curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:adminrouter:service:metronome/users/<uid>/full
curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:service:metronome:metronome:jobs/users/<uid>/full
<p class="message--note"><strong>NOTE: </strong>To grant this permission to a group instead of a user, replace <code>/users/"uid"</code> with <code>/groups/"gid"</code>.</p>
DC/OS jobs task and details
- Create the permission.
curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
-H 'Content-Type: application/json' \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:adminrouter:ops:mesos \
-d '{"description":"Grants access to the Mesos master API/UI and task details"}'
curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
-H 'Content-Type: application/json' \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:adminrouter:ops:slave \
-d '{"description":"Grants access to the Mesos agent API/UI and task details such as logs"}'
- Grant the following privileges to the user
uid.
curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:adminrouter:ops:mesos/users/<uid>/full
curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:adminrouter:ops:slave/users/<uid>/full
<p class="message--note"><strong>NOTE: </strong>To grant this permission to a group instead of a user, replace <code>/users/"uid"</code> with <code>/groups/"gid"</code>.</p>
Strict
DC/OS Jobs screen
- Create the permission.
curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
-H 'Content-Type: application/json' \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:adminrouter:service:metronome \
-d '{"description":"Grants access to the Jobs screen"}'
curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
-H 'Content-Type: application/json' \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:service:metronome:metronome:jobs \
-d '{"description":"Grants access to all jobs"}'
- Grant the following privileges to the user
uid.
curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:adminrouter:service:metronome/users/<uid>/full
curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:service:metronome:metronome:jobs/users/<uid>/full
<p class="message--note"><strong>NOTE: </strong>To grant this permission to a group instead of a user, replace <code>/users/"uid"</code> with <code>/groups/"gid"</code>.</p>
DC/OS jobs task and details
- Create the permission.
curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
-H 'Content-Type: application/json' \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:adminrouter:ops:mesos \
-d '{"description":"Grants access to the Mesos master API/UI and task details"}'
curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
-H 'Content-Type: application/json' \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:adminrouter:ops:slave \
-d '{"description":"Grants access to the Mesos agent API/UI and task details such as logs"}'
curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
-H 'Content-Type: application/json' \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:mesos:master:framework:role:* \
-d '{"description":"Grants access to register as or view Mesos master information about frameworks registered with the Mesos default role"}'
curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
-H 'Content-Type: application/json' \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:mesos:master:executor:app_id \
-d '{"description":"Grants access to all executors on the Mesos master"}'
curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
-H 'Content-Type: application/json' \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:mesos:master:task:app_id \
-d '{"description":"Grants access to all tasks on the Mesos master"}'
curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
-H 'Content-Type: application/json' \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:mesos:agent:framework:role:* \
-d '{"description":"Grants access to view Mesos agent information about frameworks registered with the Mesos default role"}'
curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
-H 'Content-Type: application/json' \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:mesos:agent:executor:app_id \
-d '{"description":"Grants access to all executors running on the Mesos agent"}'
curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
-H 'Content-Type: application/json' \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:mesos:agent:task:app_id \
-d '{"description":"Grants access to all tasks running on the Mesos agent"}'
curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
-H 'Content-Type: application/json' \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:mesos:agent:sandbox:app_id \
-d '{"description":"Grants access to the sandboxes on the Mesos agent"}'
- Grant the following privileges to the user
uid.
curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:adminrouter:ops:mesos/users/<uid>/full
curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:adminrouter:ops:slave/users/<uid>/full
curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:mesos:master:framework:role:*/users/<uid>/read
curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:mesos:master:executor:app_id/users/<uid>/read
curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:mesos:master:task:app_id/users/<uid>/read
curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:mesos:agent:framework:role:*/users/<uid>/read
curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:mesos:agent:executor:app_id/users/<uid>/read
curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:mesos:agent:task:app_id/users/<uid>/read
curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:mesos:agent:sandbox:app_id/users/<uid>/read
NOTE: To grant this permission to a group instead of a user, replace /users/"uid" with /groups/"gid".