Enabling OpenID Connect authentication
Mesos, Marathon and Chronos do not support OpenID Connect authentication natively.
A simple solution is to front the Mesos cluster with an Apache httpd server that negotiates authentication with the users on the cluster's behalf and then proxies the requests to the backends.
The following configuration sets up such a reverse proxy using the module mod_auth_openidc. The /mesos location uses the browser login flow (AuthType openid-connect), while the /marathon and /chronos API locations accept OAuth 2.0 bearer tokens issued by the IAM (AuthType oauth20):
# mod_auth_openidc must be loaded in the global server context; LoadModule is not valid inside a VirtualHost
LoadModule auth_openidc_module /usr/lib/apache2/modules/mod_auth_openidc.so
ServerName mesos.example.com
<VirtualHost *:443>
ServerName mesos.example.com
## OpenID Connect client settings
## (Apache does not accept a comment on the same line as a directive, so the notes are on their own lines)
OIDCClaimPrefix "OIDC-"
OIDCResponseType "code"
OIDCScope "openid email profile"
OIDCProviderMetadataURL https://iam.deep-hybrid-datacloud.eu/.well-known/openid-configuration
# replace with your client ID
OIDCClientID 332e618b-d3bf-440d-aea1-6da2823aaece
# replace with your client secret
OIDCClientSecret ****
OIDCProviderTokenEndpointAuth client_secret_basic
# replace with your passphrase (it encrypts the state cookie and the session cache)
OIDCCryptoPassphrase ****
# the redirect URI must be registered at the provider and lie under a location protected with AuthType openid-connect
OIDCRedirectURI https://mesos.example.com/mesos/redirect_uri
# key set used to verify the signature of the bearer tokens sent to the oauth20 locations
OIDCOAuthVerifyJwksUri "https://iam.deep-hybrid-datacloud.eu/jwk"
## Browser login flow for the Mesos UI; Require valid-user admits any account the IAM authenticates
<Location /mesos>
AuthType openid-connect
Require valid-user
# debug is useful while setting up; lower it afterwards, the output is very verbose
LogLevel debug
</Location>
## API endpoints: clients present an IAM access token as an OAuth 2.0 bearer token
<Location /marathon>
AuthType oauth20
Require valid-user
LogLevel debug
# replaces the client's Authorization header with the backend's HTTP basic credentials (see below)
RequestHeader set Authorization "Basic YWRtaC46bTNzb3NNLjIwMTY="
</Location>
<Location /chronos>
AuthType oauth20
Require valid-user
LogLevel debug
RequestHeader set Authorization "Basic YWRtaZ46bTNzb3NDLjIwMTY="
</Location>
## Reverse proxy to the backends; the backend ports should be reachable only from this host
ProxyTimeout 1200
ProxyRequests Off
ProxyPreserveHost Off
ProxyPass /mesos/ http://172.20.30.40:5050/
ProxyPassReverse /mesos/ http://172.20.30.40:5050/
ProxyPass /marathon/ http://172.20.30.40:8080/
ProxyPassReverse /marathon/ http://172.20.30.40:8080/
ProxyPass /chronos/ http://172.20.30.40:4400/
ProxyPassReverse /chronos/ http://172.20.30.40:4400/
# only useful when another proxy or load balancer sits in front of Apache; in that case also set
# RemoteIPInternalProxy to that proxy's address so that clients cannot spoof their address in the logs
RemoteIPHeader X-Forwarded-For
## Logging
ErrorLog "/var/log/apache2/proxy_mesos_error_ssl.log"
ServerSignature Off
CustomLog "/var/log/apache2/proxy_mesos_access_ssl.log" combined
## SSL directives
SSLProxyEngine on
SSLEngine on
SSLCertificateFile "/etc/letsencrypt/live/mesos.example.com/fullchain.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/mesos.example.com/privkey.pem"
</VirtualHost>
Note that the RequestHeader set Authorization directive in the Marathon and Chronos locations is needed if you have enabled HTTP basic authentication to protect your endpoints (in the example above, username/password authentication has been enabled for Marathon and Chronos).
In this case the proxy has to add the Authorization header to the request it sends to the backend. The value after "Basic" is not a hash but the base64 encoding of user:password, which can be computed with the following Python script:
import base64
# base64 is an encoding, not a hash: anyone who can read the proxy configuration can recover the credentials
token = base64.b64encode(b'user:password').decode('ascii')
print('RequestHeader set Authorization "Basic %s"' % token)
Keep in mind that every user who passes the OpenID Connect check then reaches Marathon and Chronos with the same backend credentials, so the authorization decision is made entirely by the Require directive: Require valid-user admits any account the IAM will authenticate. Use a claim-based rule (mod_auth_openidc supports Require claim name:value) if only some users should have access, restrict read access to the configuration file, and make sure the backend ports are not reachable except through the proxy.
Once the proxy is up and running you can contact the cluster API endpoints using the IAM (OpenID Connect) access token as a bearer token:
Marathon API endpoint: https://mesos.example.com/marathon
Chronos API endpoint: https://mesos.example.com/chronos
For example:
curl -H "Authorization: Bearer $IAM_ACCESS_TOKEN" -X GET https://mesos.example.com/marathon/v2/apps
A request without a valid token is rejected by the proxy with 401 Unauthorized and never reaches Marathon.
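The oauth20 locations rely on mod_auth_openidc validating the bearer token against the key set published at OIDCOAuthVerifyJwksUri before the request is forwarded. The following script is an added example (it is not code from this page or from mod_auth_openidc) that shows what that validation consists of: key lookup by kid, algorithm pinning, signature verification, and issuer and expiry checks. To run offline with the standard library it uses a constructed HMAC key (kty oct) and a constructed token; a real IAM signs with RSA, for which a library such as PyJWT would be used, but the checks are the same. The issuer string, the key material and the function names (make_token, verify_bearer) are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(s):
    """Decode unpadded base64url as used in JWS and JWK."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


# Assumed issuer of the IAM: the "iss" claim every accepted token must carry.
ISSUER = "https://iam.deep-hybrid-datacloud.eu/"

# Constructed key set standing in for the document at OIDCOAuthVerifyJwksUri.
# A real IAM publishes RSA keys (RS256); an HMAC "oct" key is used here so the
# example runs with the standard library only. The verification steps are the same.
DEMO_KEY = b64url_encode(b"constructed-demo-secret-do-not-use-in-production")
JWKS = {"keys": [{"kty": "oct", "kid": "demo-key", "alg": "HS256", "k": DEMO_KEY}]}


class TokenRejected(Exception):
    """Raised for any token the proxy would answer with 401."""


def make_token(claims, key_b64url, kid, alg="HS256"):
    """Mint a constructed HS256 token; stands in for the IAM token endpoint."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": alg, "kid": kid}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = (header + "." + payload).encode("ascii")
    sig = hmac.new(b64url_decode(key_b64url), signing_input, hashlib.sha256).digest()
    return header + "." + payload + "." + b64url_encode(sig)


def verify_bearer(token, jwks, expected_issuer, now=None):
    """Return the claims of a valid bearer token or raise TokenRejected.

    The algorithm is pinned and the signature is checked before any claim is
    read, so an attacker-controlled payload never drives the decision.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Never let the token choose the algorithm: rejects "none" and key confusion.
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg %r" % header.get("alg"))
    key = next((k for k in jwks["keys"]
                if k.get("kid") == header.get("kid") and k.get("kty") == "oct"), None)
    if key is None:
        raise TokenRejected("no key in JWKS for kid %r" % header.get("kid"))
    expected = hmac.new(b64url_decode(key["k"]),
                        (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenRejected("signature does not verify")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != expected_issuer:
        raise TokenRejected("issuer %r is not the IAM" % claims.get("iss"))
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise TokenRejected("token expired or has no exp")
    return claims


if __name__ == "__main__":
    good = make_token({"iss": ISSUER, "sub": "alice", "exp": int(time.time()) + 600},
                      DEMO_KEY, "demo-key")
    print("valid token accepted for", verify_bearer(good, JWKS, ISSUER)["sub"])
    # Re-use the good signature on a payload claiming to be "admin": must fail.
    head, _body, sig = good.split(".")
    forged_body = b64url_encode(json.dumps({"iss": ISSUER, "sub": "admin", "exp": 4102444800}).encode())
    try:
        verify_bearer(head + "." + forged_body + "." + sig, JWKS, ISSUER)
    except TokenRejected as exc:
        print("forged payload rejected:", exc)
```

The point for the configuration above is that the whole decision is taken by the proxy from the published key set: the backends never see the IAM token, only the basic credentials that RequestHeader substitutes after the token has passed these checks.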
If you also want to allow users to access the Web interfaces of Marathon and Chronos through the browser login flow, add the following locations (AuthType openid-connect instead of oauth20, proxied to the same backends):
<Location /marathon-web>
AuthType openid-connect
Require valid-user
LogLevel debug
RequestHeader set Authorization "Basic YWRtaC46bTNzb3NNLjIwMTY="
</Location>
<Location /chronos-web>
AuthType openid-connect
Require valid-user
LogLevel debug
RequestHeader set Authorization "Basic YWRtaZ46bTNzb3NDLjIwMTY="
</Location>
ProxyPass /marathon-web/ http://172.20.30.40:8080/
ProxyPassReverse /marathon-web/ http://172.20.30.40:8080/
ProxyPass /chronos-web/ http://172.20.30.40:4400/
ProxyPassReverse /chronos-web/ http://172.20.30.40:4400/
The Web UIs will then be accessible at the following URLs:
Marathon Web UI: https://mesos.example.com/marathon-web/
Chronos Web UI: https://mesos.example.com/chronos-web/