You can restrict user access to system and component logs.
Here is the permission that is required to view the system and component logs:
Permission string | full | C | R | U | D |
---|---|---|---|---|---|
dcos:adminrouter:ops:system-logs Controls access to System logs API. | x | | | | |
Prerequisites:
- DC/OS and DC/OS CLI are installed and you are logged in as a superuser.
Via the DC/OS web interface
Create the users and grant permissions
- Select Organization and choose Users. Select an existing user or create a new one.
  Figure 1. New user screen
- From the Permissions tab, select ADD PERMISSION.
  Figure 2. Add Permission button
- Click INSERT PERMISSION STRING to toggle the dialog, paste in the following permission, and click ADD PERMISSIONS.
  dcos:adminrouter:ops:system-logs full
Figure 3. Permission string dialog
The Permissions tab should now look like this:
Figure 4. Permissions have been added
Log in to the CLI as user
- Log in to the DC/OS CLI as the user.
  dcos auth login
- Run this command to access the system and component logs.
  dcos node log --leader --component=dcos-mesos-master
You should see the logs from the Mesos master.
If you do not have the correct permissions, you will see this output:
You are not authorized to perform this operation
Via the IAM API
Prerequisite: You must get the root cert before issuing the curl commands in this section.
Tips
- Service resources often include / characters that must be replaced with %252F in curl requests, as shown in the examples below.
- When using the API to manage permissions, you must create the permission before granting it. If the permission already exists, the API will return an informative message and you can continue to assign the permission.
Create and grant the permissions
- Grant the permission to the user (<username>).
  dcos security org users grant <username> dcos:adminrouter:ops:system-logs full --description "Grants access to system and component logs."
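The tips above apply when the same grant is made with curl against the IAM API instead of the CLI. As an added example (not from the original page or the DC/OS project), this dry-run script builds the two requests, create then grant, with the / to %252F replacement applied. The /acs/api/v1/acls path layout, the dcos-ca.crt file name, HTTP 409 for an existing permission, and the cluster URL and user alice are assumptions.

```shell
#!/usr/bin/env bash
# Added example: build IAM API requests for a permission (dry run, nothing is sent).
# Assumptions, not from this page: the /acs/api/v1/acls endpoint layout,
# HTTP 409 meaning "already exists", dcos-ca.crt as the root cert file,
# and the constructed cluster URL and user name used at the bottom.

# Replace "/" in a resource ID with its double-encoded form:
# "/" -> "%2F" -> "%252F" (the "%" of "%2F" is itself encoded as "%25").
encode_rid() {
  printf '%s' "$1" | sed 's|/|%252F|g'
}

# URL that creates the permission (it must exist before it can be granted).
acl_url() {    # acl_url <cluster-url> <resource-id>
  printf '%s/acs/api/v1/acls/%s' "${1%/}" "$(encode_rid "$2")"
}

# URL that grants <action> on the permission to a user.
grant_url() {  # grant_url <cluster-url> <resource-id> <uid> <action>
  printf '%s/users/%s/%s' "$(acl_url "$1" "$2")" "$3" "$4"
}

# Decide whether to continue to the grant after the create call.
create_ok() {  # create_ok <http-status>
  case "$1" in
    201|409) return 0 ;;  # created, or already exists: continue
    *)       return 1 ;;  # anything else: stop and check token and cert
  esac
}

# Print the two curl commands; $TOKEN is left as a literal placeholder.
plan() {       # plan <cluster-url> <resource-id> <uid> <action>
  printf 'curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$TOKEN" -H "Content-Type: application/json" -d %s %s\n' \
    "'{\"description\":\"Grants access to system and component logs.\"}'" \
    "$(acl_url "$1" "$2")"
  printf 'curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$TOKEN" %s\n' \
    "$(grant_url "$1" "$2" "$3" "$4")"
}

plan "https://dcos.example.com" "dcos:adminrouter:ops:system-logs" "alice" "full"
```

The system-logs permission string contains no / characters, so it passes through unchanged; a resource ID that ends in a service path such as /dev/app is where the replacement matters.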
Log in to the CLI as user
- Log in to the DC/OS CLI as the user.
  dcos auth login
- Run this command to access the system and component logs.
  dcos node log --leader --component=dcos-mesos-master
You should see the logs from the Mesos master.
If you do not have the correct permissions, you will see this output:
You are not authorized to perform this operation