---
title: SSL and Basic Access Authentication
---

# SSL and Basic Access Authentication

Marathon enables you to secure its API endpoints via SSL and limit access to them with HTTP basic access authentication. If you plan to use basic authentication, we suggest enabling SSL as well. Otherwise the username and password will be transmitted unencrypted and easily read by unintended parties.

## Enabling SSL

If you already have a Java keystore, pass it to Marathon along with the keystore's password:

```sh
$ cd /path/to/marathon
$ ./bin/start --master zk://localhost:2181/mesos \
              --zk zk://localhost:2181/marathon \
              --ssl_keystore_path marathon.jks \
              --ssl_keystore_password $MARATHON_JKS_PASSWORD
```

By default, Marathon serves SSL requests on port 8443 (this port can be changed with the --https_port [command line flag]({{ site.baseurl }}/docs/command-line-flags.html)). Once Marathon is running, access its API and UI via its HTTPS port:

```sh
$ curl https://localhost:8443/v2/apps
```

Note that by default when a request is proxied to the leading Marathon instance, the hostname of the leader is checked against the certificate. If you don't provide proper CN values in the certificates, proxying will fail. In this case, you can skip the hostname check by passing --leader_proxy_ssl_ignore_hostname to Marathon.

### Generating a keystore with an SSL key and certificate

If you do not already have a Java keystore, follow the steps below to create one.

Careful: Modern browsers and most tools will give users a warning and make it difficult to access the Marathon API and UI unless the SSL certificate in your keystore is signed by a trusted certificate authority. Either purchase an SSL certificate from a trusted authority or distribute your company's root certificate to users of the Marathon API and UI.
1. Generate an RSA private key with OpenSSL.

    ```sh
    # Set key password to env variable `MARATHON_KEY_PASSWORD`
    $ openssl genrsa -des3 -out marathon.key -passout "env:MARATHON_KEY_PASSWORD"
    ```

2. Acquire a certificate for the key by one of the following methods:

    * (Recommended) Purchase a certificate from a trusted certificate authority. This ensures that users of the API and UI of your Marathon instances will already trust the SSL certificate, preventing extra steps for them.

    * (Untrusted) Generate a self-signed certificate for the key. The following command prompts for the information that goes into the certificate's subject. The "Common Name" must be the fully-qualified hostname of where you intend to use the certificate.

        ```sh
        # Read key password from env variable `MARATHON_KEY_PASSWORD`
        $ openssl req -new -x509 -key marathon.key \
                      -passin "env:MARATHON_KEY_PASSWORD" \
                      -out self-signed-marathon.pem
        ```

3. Combine the key and certificate files into a PKCS12 format file, the format used by the Java keystore. If the certificate you received is not in the .pem format, see the Jetty SSL configuration docs to learn how to convert it.

    ```sh
    # Read key password from env variable `MARATHON_KEY_PASSWORD`
    # Set PKCS password to env variable `MARATHON_PKCS_PASSWORD`
    $ openssl pkcs12 -inkey marathon.key \
                     -passin "env:MARATHON_KEY_PASSWORD" \
                     -name marathon \
                     -in trusted.pem \
                     -password "env:MARATHON_PKCS_PASSWORD" \
                     -chain -CAfile "trustedCA.crt" \
                     -export -out marathon.pkcs12
    ```

4. Import the PKCS12 file into a Java keystore.

    ```sh
    # Read PKCS password from env variable `MARATHON_PKCS_PASSWORD`
    # Set JKS password to env variable `MARATHON_JKS_PASSWORD`
    $ keytool -importkeystore -srckeystore marathon.pkcs12 \
                              -srcalias marathon \
                              -srcstorepass $MARATHON_PKCS_PASSWORD \
                              -srcstoretype PKCS12 \
                              -destkeystore marathon.jks \
                              -deststorepass $MARATHON_JKS_PASSWORD
    ```

5. Start Marathon with the keystore and the password you chose when creating the keystore.

    ```sh
    # Read JKS password from env variable `MARATHON_JKS_PASSWORD`
    $ ./bin/start --master zk://localhost:2181/mesos \
                  --zk zk://localhost:2181/marathon \
                  --ssl_keystore_path marathon.jks \
                  --ssl_keystore_password $MARATHON_JKS_PASSWORD
    ```

6. Access the Marathon API and UI via its HTTPS port (default 8443).

    ```
    https://<MARATHON_HOST>:8443
    ```

## Enabling Basic Access Authentication

Note: It's highly recommended to enable SSL if you plan to use basic authentication. If SSL is not enabled, the username and password for your Marathon instances will be transmitted unencrypted and can easily be read by unintended parties.

Enable basic authentication by passing the username and password separated by a colon (:) to the --http_credentials command line flag. Note: The username cannot contain a colon.

```sh
$ cd /path/to/marathon
$ ./bin/start --master zk://localhost:2181/mesos \
              --zk zk://localhost:2181/marathon \
              --http_credentials 'cptPicard:topSecretPa$$word' \
              --ssl_keystore_path /path/to/marathon.jks \
              --ssl_keystore_password $MARATHON_JKS_PASSWORD
```
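The basic authentication mechanism behind `--http_credentials`, as an added example that is not part of Marathon's code: it shows why a receiver can only split the credentials at the first colon (hence no colon in the username), why the header is readable by anyone who sees plain-HTTP traffic, and how a client sends it only over verified HTTPS. It uses only Python's standard library; the host name `marathon.example` and the CA file are placeholders.

```python
"""Added example, not Marathon's own code: how HTTP basic access
authentication carries the --http_credentials value, and why SSL matters."""
import base64
import binascii
import ssl
import urllib.request


def parse_http_credentials(value: str) -> tuple[str, str]:
    """Split 'username:password' at the FIRST colon, as any receiver must.
    That is why the username cannot contain a colon while the password can."""
    username, sep, password = value.partition(":")
    if not sep or not username:
        raise ValueError("expected 'username:password' with a non-empty username")
    return username, password


def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization value a client such as `curl -u` sends."""
    if ":" in username:
        raise ValueError("username cannot contain a colon")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def credentials_from_header(header: str) -> tuple[str, str]:
    """Recover username and password from an Authorization header.
    base64 is encoding, not encryption: anyone reading plain-HTTP traffic
    can do this, which is why basic auth must only be used over SSL."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic authorization header")
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic token") from exc
    return parse_http_credentials(decoded)


def marathon_request(url: str, credentials: str, cafile=None):
    """Prepare an authenticated request to Marathon's API over verified HTTPS.
    Refuses plain http:// so the header never leaves in the clear. Returns
    (request, context); send with urllib.request.urlopen(req, context=ctx)."""
    if not url.startswith("https://"):
        raise ValueError("basic auth credentials must only be sent over https")
    username, password = parse_http_credentials(credentials)
    req = urllib.request.Request(url, headers={"Authorization": basic_auth_header(username, password)})
    # cafile: the CA that signed the certificate in marathon.jks; hostname check stays on
    ctx = ssl.create_default_context(cafile=cafile)
    return req, ctx
```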