def _create_service_accounts(service_name, security=None): if security == DCOS_SECURITY.strict: try: start = time.time() log.info("Creating service accounts for '{}'".format(service_name)) sanitized_service_name = service_name.strip("/").replace("/", "__") sa_name = "{}-principal".format(sanitized_service_name) sa_secret = "jenkins-{}-secret".format(sanitized_service_name) sdk_security.create_service_account( sa_name, sa_secret, sanitized_service_name ) sdk_security.grant_permissions("root", "*", sa_name) sdk_security.grant_permissions("root", SHARED_ROLE, sa_name) end = time.time() ACCOUNTS[service_name] = {} ACCOUNTS[service_name]["sa_name"] = sa_name ACCOUNTS[service_name]["sa_secret"] = sa_secret TIMINGS["serviceaccounts"][sanitized_service_name] = end - start except Exception as e: log.warning( "Error encountered while creating service account: {}".format(e) ) raise e
def setup_security(): LOGGER.info('Setting up strict-mode security for Spark') sdk_security.create_service_account(service_account_name=service_account, service_account_secret=secret) sdk_security.grant_permissions( linux_user=user, role_name=role, service_account_name=service_account ) grant_driver_permission(service_account, SPARK_APP_NAME) grant_driver_permission(service_account, FOLDERED_SPARK_APP_NAME) LOGGER.info('Finished setting up strict-mode security for Spark')
def revoke_user_permissions(user, role="*", service_account=SPARK_SERVICE_ACCOUNT): log.info(f"Revoking user permissions for Marathon. User: {user}") sdk_security.grant_permissions(linux_user=user, role_name="slave_public", service_account_name="dcos_marathon") log.info( f"Revoking user permissions for {service_account}. User: {user}, role: {role}" ) sdk_security.revoke_permissions(linux_user=user, role_name=role, service_account_name=service_account)
def setup_spark_security(service_name: str, drivers_role: str, executors_role: str, service_account_info: typing.Dict): """ In strict mode, additional permissions are required for Spark. Add the permissions for the specified service account. """ if not sdk_utils.is_strict_mode(): return log.info("Adding spark specific permissions") linux_user = service_account_info.get("linux_user", "nobody") service_account = service_account_info["name"] for role_name in [drivers_role, executors_role]: sdk_security.grant_permissions( linux_user=linux_user, role_name=role_name, service_account_name=service_account, ) # TODO: Is this required? app_id = "/{}".format(service_name) app_id = urllib.parse.quote( urllib.parse.quote(app_id, safe=''), safe='' ) sdk_security._grant(service_account_info["name"], "dcos:mesos:master:task:app_id:{}".format(app_id), description="Spark drivers may execute Mesos tasks", action="create") if linux_user == "root": log.info("Marathon must be able to launch tasks as root") sdk_security._grant("dcos_marathon", "dcos:mesos:master:task:user:root", description="Root Marathon may launch tasks as root", action="create") return