LDAP authentication #1847

Closed
felixb opened this issue Jul 21, 2015 · 16 comments

Comments

@felixb
Contributor

felixb commented Jul 21, 2015

I'd like to see LDAP authentication for Marathon. The implementation should support r/w and r/o groups. You still need /ping to be accessible without authentication for different kinds of health checks.

I'd be glad to get rid of my current workaround deploying marathon with an apache reverse proxy in the same docker container.

@janisz
Contributor

janisz commented Jul 22, 2015

It's duplicate of #128

@felixb
Contributor Author

felixb commented Jul 22, 2015

It's not. I'm not asking for multi tenancy at all. Just authentication and restriction to r/o mode for some users.

@sepiroth887

While this is not a solution, I run nginx on the mesos-master which also runs Marathon. nginx has the ldap module enabled, which should be able to scope pretty well what you need. If you only allow GET to Marathon via nginx you should be able to get what you want.

That said, I'd still like to see granular permissions with Marathon :)

@felixb
Contributor Author

felixb commented Jul 25, 2015

I'm doing the same thing with Apache, because nginx-ldap does not support STARTTLS.

Anyway, I don't like the idea of running a webserver next to Marathon (or Chronos) in a single Docker container just to do LDAP authentication.
Using Marathon's groups to run Marathon/Chronos and Apache as single containers isn't a solution either. The Marathon/Chronos instance would be accessible from outside if you know where it's running.

@sepiroth887

True. The permissions model on containers could generally improve to allow those use cases, but that's more in Docker's realm.

The problem, though, is not just with Marathon but with a lot of other tools with poor or no LDAP support. Actually Docker's registry 2.0 does bundle nginx internally for SSL termination, iirc.

I would generally love to see more integrations with OAuth, similar to what Rancher does with GitHub.
This gives a lot of flexibility and granularity for ACLs.

@air
Contributor

air commented Aug 9, 2015

Hey @felixb - thanks for the issue! We definitely want to improve Marathon access control.

We're working on adding hooks for this in Marathon, as well as some commercial add-ons as part of DCOS.

Could you give a quick example of r/w, r/o users/groups and how it might work for your use case?

@felixb
Contributor Author

felixb commented Aug 10, 2015

We currently run one Marathon for each team. There is an LDAP group for each team, one for ops/admin and one for read-only/monitoring users. The team and ops groups are allowed to do any requests. Read-only is allowed to do GET requests only.
Access to one of the CSS files is granted without login. This is just for the health checks.
I'm quite fine with the current situation. But I'd rather remove the proxy in front of Marathon.

@janisz
Contributor

janisz commented Aug 12, 2015

I created a PoC for this feature. Please tell me if this is the right approach. I used Shiro to provide user authentication. It works with AD and basic Shiro auth. It supports read and write permissions.

@aquamatthias aquamatthias added this to the Backlog milestone Aug 12, 2015
@kamilchm

It would be great to have it in 0.11 :)
@aquamatthias is it possible?
We want to use it internally, and @janisz can work on it more to get it done right after your feedback.

@janisz
Contributor

janisz commented Aug 17, 2015

The PoC with Shiro works fine for me.
What do you think about the following requirements for this feature?

  1. Health check (/ping) is available without authentication
  2. Authentication is enabled when the user provides a path to a Shiro config
  3. There is an audit log with the information: datetime, method, URL, who

Are there any other requirements?
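The reverse-proxy workaround felixb describes above (LDAP over STARTTLS, team and ops groups allowed to do anything, a read-only group limited to GET, a health-check path open without login) together with the three requirements janisz lists (/ping open, auth switched on by configuration, an audit log of time, method, URL and user) can be written down as one Apache httpd 2.4 configuration. The fragment below is an added example for this thread, not felixb's actual config and not anything shipped by the Marathon project; the hostnames, base DNs, group names, the Marathon port 8080 on loopback, the bind-password helper and the log path are all assumptions.

```apache
# Added example, not from the Marathon project. Assumed: ldap.example.com,
# dc=example,dc=com, group names team-a/ops/readonly, Marathon on 127.0.0.1:8080.
# Modules: mod_ldap, mod_authnz_ldap, mod_authz_core, mod_proxy, mod_proxy_http,
# mod_headers, mod_log_config, mod_ssl.

# STARTTLS on the plain ldap:// port (the feature nginx-ldap lacks) and verify the
# directory's certificate, so bind and user passwords never cross the wire in clear.
LDAPTrustedMode        TLS
LDAPVerifyServerCert   On
LDAPTrustedGlobalCert  CA_BASE64 /etc/ssl/certs/corp-ca.pem

# Audit log: time, client, method and URL, authenticated user, response status.
LogFormat "%t %h \"%m %U\" %u %>s" marathon_audit
CustomLog "/var/log/apache2/marathon-audit.log" marathon_audit

<VirtualHost *:443>
    ServerName marathon.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/marathon.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/marathon.example.com.key

    ProxyRequests Off
    ProxyPass        "/" "http://127.0.0.1:8080/"
    ProxyPassReverse "/" "http://127.0.0.1:8080/"

    # Marathon does not need the LDAP credentials; do not forward them.
    RequestHeader unset Authorization

    <Location "/">
        AuthType Basic
        AuthName "Marathon"
        AuthBasicProvider ldap
        AuthLDAPURL "ldap://ldap.example.com/ou=people,dc=example,dc=com?uid?sub?(objectClass=inetOrgPerson)"
        AuthLDAPBindDN       "cn=marathon-proxy,ou=services,dc=example,dc=com"
        # Assumed helper that prints the bind password; keeps it out of the config file.
        AuthLDAPBindPassword "exec:/usr/local/bin/marathon-ldap-pass"
        AuthLDAPGroupAttribute     member
        AuthLDAPGroupAttributeIsDN on

        <RequireAny>
            # Team and ops members may issue any request.
            Require ldap-group cn=team-a,ou=groups,dc=example,dc=com
            Require ldap-group cn=ops,ou=groups,dc=example,dc=com
            # Monitoring users are read-only; enforced by HTTP method, not by path.
            <RequireAll>
                Require method GET HEAD
                Require ldap-group cn=readonly,ou=groups,dc=example,dc=com
            </RequireAll>
        </RequireAny>
    </Location>

    # Health checks: /ping is reachable without credentials (requirement 1).
    <Location "/ping">
        AuthType None
        Require all granted
    </Location>
</VirtualHost>
```

Two caveats a practitioner should keep in mind. First, the proxy only enforces anything if port 8080 is unreachable except through it, which is exactly the bypass felixb worries about: bind Marathon to the loopback interface (Marathon's --http_address flag) or firewall the port, or run both in the same network namespace as he does. Second, "read-only" here means the HTTP method, not the sensitivity of the data: a GET on /v2/apps returns full app definitions including environment variables, so anything placed in env is readable by the monitoring group.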

@sepiroth887

That would do the trick :) I've never worked with Shiro, but as long as it supports LDAP/AD/basic auth it's a great start :)

@SEJeff

SEJeff commented Oct 5, 2015

@janisz That all sounds entirely reasonable. Did you make a PR for this?

@janisz
Contributor

janisz commented Oct 5, 2015

The PR is here, but in the next Marathon release a plugin interface will be available. I started working on an authentication plugin here, but it's not finished. I hope I'll fix it next week.

@janisz
Contributor

janisz commented Oct 19, 2015

@SEJeff I just created a PR for an authentication plugin that is based on Shiro; it will work with Marathon 0.12. Right now it supports only authentication, so if you log in you can do anything. I need to think about how to combine actions on different paths and Shiro roles.

@SEJeff

SEJeff commented Jun 14, 2016

For any non-DCOS users, this LDAP plugin seems to be targeted at the new Marathon plugin API.

@jasongilanfarr
Contributor

Closed as there is now a plugin

@mesosphere mesosphere locked and limited conversation to collaborators Mar 27, 2017