Configuring DC/OS access for DC/OS Monitoring Service

The DC/OS Monitoring service is run on DC/OS clusters in either permissive or strict mode. DC/OS access controls must be used to restrict access to the DC/OS Monitoring service when running on strict mode clusters. Configure the DC/OS Monitoring service to authenticate itself using a certificate and to only grant permissions required by the service.

This page describes how to configure DC/OS access for DC/OS Monitoring Service. Depending on your security mode, DC/OS Monitoring Service requires service authentication for access to DC/OS.

| Security mode | Service account |
|---------------|-----------------|
| Disabled      | Not available   |
| Permissive    | Optional        |
| Strict        | Required        |

If you install a service in permissive mode and do not specify a service account, Metronome and Marathon act as if requests from this service were made by an account with the superuser permission.

Prerequisites:

Create a Key Pair

In this step, a 2048-bit RSA public-private key pair is created using the Enterprise DC/OS CLI.

Create a public-private key pair and save each value into a separate file within the current directory.

dcos security org service-accounts keypair <private-key>.pem <public-key>.pem

NOTE: You can use the [DC/OS Secret Store](/1.13/security/ent/secrets/) to secure the key pair.

Create a Service Account

From a terminal prompt, create a service account named `dcos-monitoring-principal` and store its private key in a secret named `dcos-monitoring/service-private-key` using the following CLI commands.

dcos security org service-accounts keypair dcos-monitoring-private-key.pem dcos-monitoring-public-key.pem
dcos security org service-accounts create -p dcos-monitoring-public-key.pem -d "dcos-monitoring service account" dcos-monitoring-principal
dcos security secrets create-sa-secret --strict dcos-monitoring-private-key.pem dcos-monitoring-principal dcos-monitoring/service-private-key

Assign service permissions

Grant dcos-monitoring-principal the permissions required to run the DC/OS Monitoring service using the following commands.

dcos security org users grant dcos-monitoring-principal dcos:adminrouter:ops:ca:rw full
dcos security org users grant dcos-monitoring-principal dcos:adminrouter:ops:ca:ro full
dcos security org users grant dcos-monitoring-principal dcos:mesos:agent:framework:role:slave_public read
dcos security org users grant dcos-monitoring-principal dcos:mesos:master:framework:role:dcos-monitoring-role create
dcos security org users grant dcos-monitoring-principal dcos:mesos:master:framework:role:slave_public read
dcos security org users grant dcos-monitoring-principal dcos:mesos:master:framework:role:slave_public/dcos-monitoring-role read
dcos security org users grant dcos-monitoring-principal dcos:mesos:master:framework:role:slave_public/dcos-monitoring-role create
dcos security org users grant dcos-monitoring-principal dcos:mesos:master:reservation:principal:dcos-monitoring-principal delete
dcos security org users grant dcos-monitoring-principal dcos:mesos:master:reservation:role:dcos-monitoring-role create
dcos security org users grant dcos-monitoring-principal dcos:mesos:master:reservation:role:slave_public/dcos-monitoring-role create
dcos security org users grant dcos-monitoring-principal dcos:mesos:master:task:user:nobody create
dcos security org users grant dcos-monitoring-principal dcos:mesos:master:volume:principal:dcos-monitoring-principal delete
dcos security org users grant dcos-monitoring-principal dcos:mesos:master:volume:role:dcos-monitoring-role create
dcos security org users grant dcos-monitoring-principal dcos:mesos:master:volume:role:slave_public/dcos-monitoring-role create
dcos security org users grant dcos-monitoring-principal dcos:secrets:default:/dcos-monitoring/\* full
dcos security org users grant dcos-monitoring-principal dcos:secrets:list:default:/dcos-monitoring read

IMPORTANT: Starting in DC/OS 2.0, when installing the service into a group/folder (e.g. `infra/`), the `role` permissions must be modified to use the group name (`infra`) instead of `dcos-monitoring-role`. See the [SDK v0.57.0 release notes](https://github.com/mesosphere/dcos-commons/releases/tag/0.57.0) for more information.
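The grant list above is tied to two names that change per deployment: the principal and the Mesos role (which, per the note above, becomes the group name such as `infra` in DC/OS 2.0). The following added example, which is not part of the DC/OS documentation, generates the same permission set for any principal/role pair and applies it through the CLI; the `DCOS_BIN` variable is an assumption of this script (set it to `echo` for a dry run that only prints the grants).

```shell
#!/bin/sh
# Added example: emit the dcos-monitoring grants for a given principal and role.
# Role-scoped resources take the role from $2; the rest are fixed as in the docs.
set -eu

# Print one "resource action" pair per line.
monitoring_permissions() {
  cat <<EOF
dcos:adminrouter:ops:ca:rw full
dcos:adminrouter:ops:ca:ro full
dcos:mesos:agent:framework:role:slave_public read
dcos:mesos:master:framework:role:$2 create
dcos:mesos:master:framework:role:slave_public read
dcos:mesos:master:framework:role:slave_public/$2 read
dcos:mesos:master:framework:role:slave_public/$2 create
dcos:mesos:master:reservation:principal:$1 delete
dcos:mesos:master:reservation:role:$2 create
dcos:mesos:master:reservation:role:slave_public/$2 create
dcos:mesos:master:task:user:nobody create
dcos:mesos:master:volume:principal:$1 delete
dcos:mesos:master:volume:role:$2 create
dcos:mesos:master:volume:role:slave_public/$2 create
dcos:secrets:default:/dcos-monitoring/* full
dcos:secrets:list:default:/dcos-monitoring read
EOF
}

# Apply every grant through the CLI named by DCOS_BIN (assumed variable;
# defaults to "dcos", use "echo" to preview without touching the cluster).
grant_all() {
  bin="${DCOS_BIN:-dcos}"
  monitoring_permissions "$1" "$2" | while read -r resource action; do
    # Quoting keeps the secrets wildcard literal instead of globbing locally.
    "$bin" security org users grant "$1" "$resource" "$action"
  done
}

# Example: service installed under the "infra" group on DC/OS 2.0+.
# DCOS_BIN=echo grant_all dcos-monitoring-principal infra
```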

Create a Configuration file

Create a custom options file that is used to install the DC/OS Monitoring service and save it as `options.json`.

{
  "service": {
    "service_account": "dcos-monitoring-principal",
    "service_account_secret": "dcos-monitoring/service-private-key"
  }
}

Install DC/OS Monitoring service

Now install the DC/OS Monitoring service using the following command.

dcos package install dcos-monitoring --options=options.json