I am interested in how to get quotas working with ACLs activated.
I am using Mesos version 0.27.2.
I have three masters using the following flags:
My ACLs look like this:
{
  "permissive": false,
  "run_tasks": [
    {
      "principals": { "values": ["ase", "core", "opss", "jenkins"] },
      "users": { "values": ["jenkins"] }
    }
  ],
  "register_frameworks": [
    {
      "principals": { "values": ["ase"] },
      "roles": { "values": ["ase"] }
    },
    {
      "principals": { "values": ["opss"] },
      "roles": { "values": ["opss"] }
    },
    {
      "principals": { "values": ["core"] },
      "roles": { "values": ["core"] }
    },
    {
      "principals": { "values": ["jenkins"] },
      "roles": { "values": ["jenkins"] }
    }
  ],
  "set_quotas": [
    {
      "principals": {
        "values": ["ase", "core", "opss", "jenkins"]
      },
      "roles": {
        "values": ["ase", "core", "opss", "jenkins"]
      }
    }
  ],
  "remove_quotas": [
    {
      "principals": {
        "values": ["ase", "core", "opss", "jenkins"]
      },
      "quota_principals": {
        "values": ["ase", "core", "opss", "jenkins"]
      }
    }
  ]
}
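For the principals ase, core and ops there are passwords in the credentials file, and registering frameworks with these credentials works fine, as does registering slaves.
However, when trying to add a quota using curl, I get a 403 Forbidden as the response.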
curl -u opss -v -d @ase-quota.json -X POST http://SERVER-IP:5050/quota --header "Content-Type: application/json"
When no ACLs are enabled, the command above works fine.
Once they are enabled again, removing the quota fails, again with 403 Forbidden.
What I see in the mesos-master log is:
I0414 10:59:39.396838 9 http.cpp:501] HTTP GET for /master/state.json from 192.168.7.14:35248 with User-Agent='Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0'
I0414 10:59:40.019409 8 http.cpp:501] HTTP POST for /master/quota from 192.168.7.14:35258 with User-Agent='curl/7.35.0'
I0414 10:59:40.031294 8 quota_handler.cpp:446] Authorizing principal 'ANY' to request quota for role 'ase'
for adding, and:
I0414 13:07:23.521467 9 http.cpp:501] HTTP DELETE for /master/quota/ase from 192.168.7.14:50685 with User-Agent='curl/7.35.0'
I0414 13:07:23.523748 9 quota_handler.cpp:472] Authorizing principal 'ANY' to remove quota set by 'ANY'
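when trying to remove the quota.
The question is: in this case, how do I make curl or Mesos aware that I am the principal opss?
Answer 0: (score: 1)
You did not set the parameter --authenticate_http=true in the Mesos master configuration.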
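
The following is an added example, not code from the original post or from the Mesos project: it scans master log lines for quota authorization entries, flags those logged with principal 'ANY', and checks each against the set_quotas rule from the question. Assumptions: 'ANY' in the log means no authenticated principal was bound to the request, the ACL evaluation is a simplified first-match model, and the third log line is constructed.

```python
import json
import re

# Constructed input: the set_quotas rule from the question's ACLs.
ACLS = json.loads("""
{"permissive": false,
 "set_quotas": [{"principals": {"values": ["ase", "core", "opss", "jenkins"]},
                 "roles": {"values": ["ase", "core", "opss", "jenkins"]}}]}
""")

# First two lines are from the question's master log; the third is constructed
# to show what an authenticated request would log.
LOG = [
    "I0414 10:59:40.019409 8 http.cpp:501] HTTP POST for /master/quota from 192.168.7.14:35258 with User-Agent='curl/7.35.0'",
    "I0414 10:59:40.031294 8 quota_handler.cpp:446] Authorizing principal 'ANY' to request quota for role 'ase'",
    "I0414 11:05:12.000000 8 quota_handler.cpp:446] Authorizing principal 'opss' to request quota for role 'ase'",
]

QUOTA_AUTHZ = re.compile(r"Authorizing principal '([^']+)' to request quota for role '([^']+)'")

def entity_matches(requested, entity):
    """True if an ACL entity covers the requested value (None = no principal)."""
    if entity.get("type") == "ANY":
        return True
    return requested is not None and requested in entity.get("values", [])

def set_quota_allowed(acls, principal, role):
    """Simplified model (assumption): first matching rule allows, else `permissive`."""
    for rule in acls.get("set_quotas", []):
        if entity_matches(principal, rule["principals"]) and entity_matches(role, rule["roles"]):
            return True
    return acls.get("permissive", True)

def audit(lines, acls):
    """Return (logged principal, role, authenticated, allowed) per quota authorization line."""
    findings = []
    for line in lines:
        m = QUOTA_AUTHZ.search(line)
        if not m:
            continue
        logged, role = m.groups()
        principal = None if logged == "ANY" else logged  # assumption: 'ANY' = no principal bound
        findings.append((logged, role, principal is not None,
                         set_quota_allowed(acls, principal, role)))
    return findings

if __name__ == "__main__":
    for finding in audit(LOG, ACLS):
        print(finding)
```

With "permissive": false, a request that reaches the authorizer without a principal matches no set_quotas rule and is denied, which is consistent with the 403 in the question.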