Dcos Monitoring DocumentationThe DC/OS Monitoring service is run on DC/OS clusters in either permissive or strict mode. DC/OS access controls must be used to restrict access to the DC/OS Monitoring service when running on strict mode clusters. Configure the DC/OS Monitoring service to authenticate itself using a certificate and to only grant permissions required by the service.
This page describes how to configure DC/OS access for DC/OS Monitoring Service. Depending on your security mode, DC/OS Monitoring Service requires service authentication for access to DC/OS.
| Security mode | Service Account |
|---|---|
| Disabled | Not available |
| Permissive | Optional |
| Strict | Required |
If you install a service in permissive mode and do not specify a service account, Metronome and Marathon will act as if requests from this service is made by an account with the superuser permission.
Prerequisites:
- DC/OS CLI installed and be logged in as a superuser.
- Enterprise DC/OS CLI 0.4.14 or later installed.
- If your security mode is
permissiveorstrict, you must get the root cert before issuing the curl commands in this section.
Create a Key Pair
In this step, a 2048-bit RSA public-private key pair is created using the Enterprise DC/OS CLI.
Create a public-private key pair and save each value into a separate file within the current directory.
dcos security org service-accounts keypair <private-key>.pem <public-key>.pem
NOTE: You can use the [DC/OS Secret Store](/1.13/security/ent/secrets/) to secure the key pair.
Create a Service Account
From a terminal prompt, create a service account named dcos-monitoring-principal and store its private certificate in a secret named dcos-monitoring/service-private-key using the following CLI commands.
dcos security org service-accounts keypair dcos-monitoring-private-key.pem dcos-monitoring-public-key.pem
dcos security org service-accounts create -p dcos-monitoring-public-key.pem -d "dcos-monitoring service account" dcos-monitoring-principal
dcos security secrets create-sa-secret --strict dcos-monitoring-private-key.pem dcos-monitoring-principal dcos-monitoring/service-private-key
Assign service permissions
Grant dcos-monitoring-principal the permissions required to run the DC/OS Monitoring service using the following commands.
dcos security org users grant dcos-monitoring-principal dcos:adminrouter:ops:ca:rw full
dcos security org users grant dcos-monitoring-principal dcos:adminrouter:ops:ca:ro full
dcos security org users grant dcos-monitoring-principal dcos:mesos:agent:framework:role:slave_public read
dcos security org users grant dcos-monitoring-principal dcos:mesos:master:framework:role:dcos-monitoring-role create
dcos security org users grant dcos-monitoring-principal dcos:mesos:master:framework:role:slave_public read
dcos security org users grant dcos-monitoring-principal dcos:mesos:master:framework:role:slave_public/dcos-monitoring-role read
dcos security org users grant dcos-monitoring-principal dcos:mesos:master:framework:role:slave_public/dcos-monitoring-role create
dcos security org users grant dcos-monitoring-principal dcos:mesos:master:reservation:principal:dcos-monitoring-principal delete
dcos security org users grant dcos-monitoring-principal dcos:mesos:master:reservation:role:dcos-monitoring-role create
dcos security org users grant dcos-monitoring-principal dcos:mesos:master:reservation:role:slave_public/dcos-monitoring-role create
dcos security org users grant dcos-monitoring-principal dcos:mesos:master:task:user:nobody create
dcos security org users grant dcos-monitoring-principal dcos:mesos:master:volume:principal:dcos-monitoring-principal delete
dcos security org users grant dcos-monitoring-principal dcos:mesos:master:volume:role:dcos-monitoring-role create
dcos security org users grant dcos-monitoring-principal dcos:mesos:master:volume:role:slave_public/dcos-monitoring-role create
dcos security org users grant dcos-monitoring-principal dcos:secrets:default:/dcos-monitoring/\* full
dcos security org users grant dcos-monitoring-principal dcos:secrets:list:default:/dcos-monitoring read
IMPORTANT: Starting in DC/OS 2.0, when installing the service into a group/folder (e.g. `infra/`), the `role` permissions must be modified to use the group name (`infra`) instead of `dcos-monitoring-role`. See the [SDK v0.57.0 release notes](https://github.com/mesosphere/dcos-commons/releases/tag/0.57.0) for more information.
Create a Configuration file
Create a custom options file that is used to install DC/OS Monitoring service and save the file as (options.json).
{
"service": {
"service_account": "dcos-monitoring-principal",
"service_account_secret": "dcos-monitoring/service-private-key"
}
}
Install DC/OS Monitoring service
Now, install DC/OS Monitoring service using the following command.
dcos package install dcos-monitoring --options=options.json