Security in Mesos: Framework Authorization

Andras Kerekes

October 6, 2015

Co-Authored by Andras Kerekes and Dharmit Shah

In this post we will take an initial look into authentication between frameworks and master nodes, as well as secure communication by setting up and verifying SSL.

Why Setup Framework Authorization?

As mentioned briefly on the Mesos blog, framework authorization allows only authenticated frameworks to register with Mesos and launch tasks. Authentication is important, as it prevents rogue frameworks from causing problems that may impact the usage of resources within a Mesos cluster.

What Packages Do I Need To Install?

Once you have a Mesos cluster set up as described in the guidelines linked here, no additional packages are needed.

Configuration Note:

Please Note: The term 'slave' has been replaced by 'agent' in recent Mesos documents; the terms are synonymous.

The Mesos master and slave nodes accept a number of command line options when started on any node. To configure these, store each option in a file named after it under /etc/mesos-master and /etc/mesos-slave respectively.

For example, to start a Mesos master with the role prod, you need a file with the following name and content:

     $ cat /etc/mesos-master/roles
     prod

Mesos Master Setup:

     $ cat /etc/mesos-master/acls
     file:///root/acls.json

     $ cat /etc/mesos-master/authenticate
     true

     $ cat /etc/mesos-master/credentials
     /home/isys/mesos

     $ cat /etc/mesos-master/roles
     somerole

To find out what each of the above configuration options means, refer to the official Mesos documentation.

As you can see, we have specified quite a few file locations in the above configuration files. Obviously, the mentioned files need to exist and hold the relevant content. The content below needs to be added to files on the Mesos master nodes:

     $ sudo cat /root/acls.json
     {
         "register_frameworks": [
             {
                 "principals": {"values": ["chronos", "marathon"]},
                 "roles": {"values": ["somerole"]}
             }
         ],
         "run_tasks": [
             {
                 "principals": {"values": ["chronos"]},
                 "users": {"values": ["root"]}
             }
         ]
     }

     $ cat /home/isys/mesos
     chronos secret
     marathon secret
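To see what the acls.json above actually permits, here is an added example (not code from the post or from the Mesos project) that parses the master's credentials file and the ACL document and answers "may principal P register with role R?" and "may principal P run tasks as user U?". It models the documented Mesos rule as I understand it: ACLs are checked in order, the first ACL whose principal and object both apply decides, and a request that matches no ACL falls through to the top-level `permissive` flag, which defaults to true. The entity forms handled (`{"values": [...]}`, `{"type": "ANY"}`, `{"type": "NONE"}`) are the ones from the Mesos ACL format; the function and constant names are my own. The sample inputs are constructed copies of the files shown above.

```python
import json

# Constructed sample input: the master's credentials file from the setup above,
# one "<principal> <secret>" pair per line.
CREDENTIALS_TEXT = "chronos secret\nmarathon secret\n"

# Constructed sample input: the acls.json from the master setup above.
ACLS_JSON = """{
  "register_frameworks": [
    {"principals": {"values": ["chronos", "marathon"]},
     "roles": {"values": ["somerole"]}}
  ],
  "run_tasks": [
    {"principals": {"values": ["chronos"]},
     "users": {"values": ["root"]}}
  ]
}"""

# Which object field each ACL list constrains (assumed from the ACL format).
OBJECT_FIELD = {"register_frameworks": "roles", "run_tasks": "users"}


def load_acls(text):
    """Parse the acls.json document into a dict."""
    return json.loads(text)


def parse_credentials(text):
    """Parse the credentials file into {principal: secret}; reject malformed lines."""
    creds = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"credentials line {lineno}: expected '<principal> <secret>'")
        principal, secret = parts
        if principal in creds:
            raise ValueError(f"credentials line {lineno}: duplicate principal {principal!r}")
        creds[principal] = secret
    return creds


def subject_matches(entity, principal):
    """The ACL's principals entity applies to this principal (NONE never does)."""
    if "values" in entity:
        return principal in entity["values"]
    return entity.get("type") == "ANY"


def object_decision(entity, value):
    """None if the ACL's object entity does not apply to this value,
    True if it permits it, False if it is an explicit NONE (deny)."""
    if "values" in entity:
        return True if value in entity["values"] else None
    kind = entity.get("type")
    if kind == "ANY":
        return True
    if kind == "NONE":
        return False
    return None


def authorize(acls, action, principal, obj):
    """Simplified model: first applicable ACL decides, else the permissive flag."""
    field = OBJECT_FIELD[action]
    for acl in acls.get(action, []):
        if not subject_matches(acl["principals"], principal):
            continue
        decision = object_decision(acl[field], obj)
        if decision is not None:
            return decision
    return acls.get("permissive", True)


def principals_without_credentials(acls, creds):
    """Principals named in an ACL that the master could never authenticate."""
    missing = set()
    for action in OBJECT_FIELD:
        for acl in acls.get(action, []):
            for principal in acl["principals"].get("values", []):
                if principal not in creds:
                    missing.add(principal)
    return sorted(missing)


if __name__ == "__main__":
    acls = load_acls(ACLS_JSON)
    creds = parse_credentials(CREDENTIALS_TEXT)
    print(authorize(acls, "register_frameworks", "marathon", "somerole"))
    # marathon has no run_tasks ACL, so this falls through to permissive (true by default)
    print(authorize(acls, "run_tasks", "marathon", "root"))
    print(authorize(dict(acls, permissive=False), "run_tasks", "marathon", "root"))
    print(principals_without_credentials(acls, creds))
```

The point worth checking in your own acls.json is the fall-through: with the file as shown, marathon has no `run_tasks` entry at all, so a run-as-root request from marathon matches nothing and is decided by `permissive`, which is true unless you set `"permissive": false` at the top level or close the list with an explicit `{"type": "NONE"}` rule.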

Next, the framework side needs its own configuration on the system from which you start the framework. For this example, I am using a Marathon framework.

Since I am running the Marathon framework on the same system as my Mesos master node, I need the configuration below on that same system. If you're running the framework on a different system, apply the changes below on that system instead.

     $ cat /etc/marathon/conf/mesos_role
     somerole

     $ cat /etc/marathon/conf/mesos_authentication_principal
     marathon

     $ cat /etc/marathon/conf/mesos_authentication_secret_file
     /home/isys/marathon

     $ cat /home/isys/marathon
     secret

The file /home/isys/marathon stores the authentication secret and must not have a trailing newline character. There was a bug that caused authentication to fail because of this newline character. To make sure there is no newline character, create the file with the following echo command:

     echo -n secret > /home/isys/marathon
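A small pre-flight check for the secret file, added here as an example (not code from the post or from the Marathon or Mesos projects): it writes the secret without a trailing newline and with owner-only permissions, diagnoses the newline mistake that `echo secret > file` produces, and confirms that the framework's secret matches the master's credentials entry for that principal. File paths are created in a temporary directory; the credentials text is a constructed copy of the file shown earlier, and all function names are my own.

```python
import os
import stat
import tempfile

# Constructed sample: the master's credentials file from the setup above.
CREDENTIALS_TEXT = "chronos secret\nmarathon secret\n"


def write_secret_file(path, secret):
    """Write the secret with no trailing newline, created with mode 0600."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(secret.encode())


def inspect_secret_file(path):
    """Return a list of problems found in a framework secret file (empty if fine)."""
    with open(path, "rb") as f:
        data = f.read()
    problems = []
    if data.endswith((b"\n", b"\r")):
        problems.append("trailing newline")
    elif data != data.strip():
        problems.append("surrounding whitespace")
    if not data.strip():
        problems.append("empty")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append(f"mode {mode:o} readable by group/other")
    return problems


def secret_matches_master(secret_path, credentials_text, principal):
    """True if the secret file's exact bytes equal the master's secret for principal."""
    with open(secret_path, "rb") as f:
        secret = f.read()
    for line in credentials_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == principal:
            return parts[1].encode() == secret
    return False


def run_demo():
    """Create a correct and a newline-terminated secret file and diagnose both."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "marathon")
        bad = os.path.join(d, "marathon_with_newline")
        write_secret_file(good, "secret")
        with open(bad, "wb") as f:  # what a plain `echo secret > file` produces
            f.write(b"secret\n")
        os.chmod(bad, 0o644)
        return {
            "good": inspect_secret_file(good),
            "bad": inspect_secret_file(bad),
            "good_matches": secret_matches_master(good, CREDENTIALS_TEXT, "marathon"),
            "bad_matches": secret_matches_master(bad, CREDENTIALS_TEXT, "marathon"),
        }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

Because the master compares the secret byte for byte, the newline-terminated file fails the match even though `cat` shows the same text; the check also flags a secret file that other local users can read, which the `echo` command alone does not protect against.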

That is it! The most important part of the configuration is the acls.json file on the Mesos master. For more details about authorization, refer to the Mesos documentation linked here. For another reference, take a look here at the Chronos project.

What’s Next?

The above steps set up basic authentication between frameworks and master nodes. Beyond this, we can configure the authorization so that a particular framework can register only as a specific role, or execute only a particular set of tasks, and so on.

Besides framework authorization, one can also implement authorization for the Mesos slave nodes which enables only authorized slave nodes to register with the Mesos cluster. This will be covered in detail in a later blog post.
