LDAP authentication #1847
Comments
It's a duplicate of #128.
It's not. I'm not asking for multi-tenancy at all. Just authentication and restriction to r/o mode for some users.
While this is not a solution, I run nginx on the mesos-master which also runs Marathon. nginx has the ldap-module enabled, which should be able to scope pretty well what you need. If you only allow GET to Marathon via nginx you should be able to get what you want. That said, I'd still like to see granular permissions with Marathon :)
I'm doing the same thing with Apache, because nginx-ldap does not support STARTTLS. Anyway, I don't like the idea of running a webserver next to Marathon (or Chronos) in a single Docker container just to do LDAP authentication.
True. The permissions model on containers could generally improve to allow those use cases, but that's more in Docker's realm. The problem though is not just with Marathon but a lot of other tools with poor or no LDAP support. Actually Docker's registry 2.0 does bundle nginx internally for SSL termination, IIRC. I would generally love to see more integrations with OAuth similar to what Rancher does with GitHub.
We currently run one Marathon for each team. There is an LDAP group for each team, one for ops/admin and one for read-only/monitoring users. The team and ops are allowed to do any requests. Read-only is allowed to do GET requests only.
I created a PoC for this feature. Please tell me if this is the right approach. I used Shiro to provide user authentication. It works with AD and basic Shiro auth. It supports read and write permissions.
It would be great to have it in 0.11 :)
PoC with Shiro works fine for me.
Are there any other requirements?
That would do the trick :) Never worked with Shiro, but as long as it supports LDAP/AD/basic auth it's a great start :)
@janisz That all sounds entirely reasonable. Did you make a PR for this?
For any non-DCOS users, this LDAP plugin seems to be targeted at the new Marathon plugin API.
Closed as there is now a plugin.
I'd like to see LDAP authentication for Marathon. The implementation should support r/w and r/o groups. You still need /ping to be accessible w/o authentication for different kinds of health checks.
I'd be glad to get rid of my current workaround deploying marathon with an apache reverse proxy in the same docker container.
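The access policy sketched in this thread (an unauthenticated /ping for health checks, LDAP groups with full access, and a read-only group limited to GET) expressed as a reusable decision function, the kind of rule a reverse proxy or auth plugin in front of Marathon would enforce. This is an added example, not Marathon's or the Shiro PoC's code; the group names and the `Policy` type are assumptions.

```python
"""Group-based access decision for a Marathon front-end (constructed example)."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional

PING_PATH = "/ping"                 # open to health checkers without credentials
READ_METHODS = frozenset({"GET"})   # the thread allows r/o users GET only


@dataclass(frozen=True)
class Policy:
    # Hypothetical group names; real deployments map these to LDAP DNs/CNs.
    rw_groups: FrozenSet[str]   # team groups plus ops/admin: any request
    ro_groups: FrozenSet[str]   # read-only / monitoring: GET only

    @staticmethod
    def _normalize(path: str) -> str:
        """Strip the query string and trailing slashes so '/ping/?x=1' is '/ping'."""
        bare = path.split("?", 1)[0]
        return bare.rstrip("/") or "/"

    def decide(self, method: str, path: str,
               user_groups: Optional[Iterable[str]]) -> str:
        """Return 'allow', 'deny' or 'unauthenticated'.

        user_groups is None when the request carried no (valid) credentials;
        otherwise it is the caller's LDAP group memberships after a bind.
        """
        if self._normalize(path) == PING_PATH:
            return "allow"                    # health checks never authenticate
        if user_groups is None:
            return "unauthenticated"          # proxy answers 401 + WWW-Authenticate
        groups = set(user_groups)
        if groups & self.rw_groups:
            return "allow"                    # team / ops: read and write
        if groups & self.ro_groups and method.upper() in READ_METHODS:
            return "allow"                    # monitoring: reads only
        return "deny"                         # unknown group, or r/o user writing


def default_policy() -> Policy:
    """Constructed group layout matching the one-Marathon-per-team setup above."""
    return Policy(rw_groups=frozenset({"team-a", "ops"}),
                  ro_groups=frozenset({"monitoring"}))


if __name__ == "__main__":
    p = default_policy()
    for req in [("GET", "/ping", None), ("DELETE", "/v2/apps/web", ["monitoring"]),
                ("POST", "/v2/apps", ["team-a"]), ("GET", "/v2/apps", None)]:
        print(req, "->", p.decide(*req))
```

Only GET is treated as read-only, as the thread specifies; HEAD or OPTIONS from a monitoring user are denied unless READ_METHODS is widened deliberately.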