def _create_service_accounts(service_name, security=None):
if security == DCOS_SECURITY.strict:
try:
start = time.time()
log.info("Creating service accounts for '{}'".format(service_name))
sanitized_service_name = service_name.strip("/").replace("/", "__")
sa_name = "{}-principal".format(sanitized_service_name)
sa_secret = "jenkins-{}-secret".format(sanitized_service_name)
sdk_security.create_service_account(
sa_name, sa_secret, sanitized_service_name
)
sdk_security.grant_permissions("root", "*", sa_name)
sdk_security.grant_permissions("root", SHARED_ROLE, sa_name)
end = time.time()
ACCOUNTS[service_name] = {}
ACCOUNTS[service_name]["sa_name"] = sa_name
ACCOUNTS[service_name]["sa_secret"] = sa_secret
TIMINGS["serviceaccounts"][sanitized_service_name] = end - start
except Exception as e:
log.warning(
"Error encountered while creating service account: {}".format(e)
)
raise e
def setup_security():
LOGGER.info('Setting up strict-mode security for Spark')
sdk_security.create_service_account(service_account_name=service_account, service_account_secret=secret)
sdk_security.grant_permissions(
linux_user=user,
role_name=role,
service_account_name=service_account
)
grant_driver_permission(service_account, SPARK_APP_NAME)
grant_driver_permission(service_account, FOLDERED_SPARK_APP_NAME)
LOGGER.info('Finished setting up strict-mode security for Spark')
def revoke_user_permissions(user,
role="*",
service_account=SPARK_SERVICE_ACCOUNT):
log.info(f"Revoking user permissions for Marathon. User: {user}")
sdk_security.grant_permissions(linux_user=user,
role_name="slave_public",
service_account_name="dcos_marathon")
log.info(
f"Revoking user permissions for {service_account}. User: {user}, role: {role}"
)
sdk_security.revoke_permissions(linux_user=user,
role_name=role,
service_account_name=service_account)
def setup_spark_security(service_name: str,
drivers_role: str,
executors_role: str,
service_account_info: typing.Dict):
"""
In strict mode, additional permissions are required for Spark.
Add the permissions for the specified service account.
"""
if not sdk_utils.is_strict_mode():
return
log.info("Adding spark specific permissions")
linux_user = service_account_info.get("linux_user", "nobody")
service_account = service_account_info["name"]
for role_name in [drivers_role, executors_role]:
sdk_security.grant_permissions(
linux_user=linux_user,
role_name=role_name,
service_account_name=service_account,
)
# TODO: Is this required?
app_id = "/{}".format(service_name)
app_id = urllib.parse.quote(
urllib.parse.quote(app_id, safe=''),
safe=''
)
sdk_security._grant(service_account_info["name"],
"dcos:mesos:master:task:app_id:{}".format(app_id),
description="Spark drivers may execute Mesos tasks",
action="create")
if linux_user == "root":
log.info("Marathon must be able to launch tasks as root")
sdk_security._grant("dcos_marathon",
"dcos:mesos:master:task:user:root",
description="Root Marathon may launch tasks as root",
action="create")
return