A service like Percona XtraDB Cluster typically performs privileged actions on the cluster, and those actions may require authenticating with the cluster. A service account associated with the service is used to authenticate with the DC/OS cluster. It is recommended to provision a separate service account for each service that performs privileged operations. Service accounts authenticate using a public-private key pair: the public key is used to create the service account in the cluster, while the corresponding private key is stored in the secret store. The service account and the service account secret are passed to the service as install-time options.
| Security mode | Service Account |
|---------------|-----------------|
If you install a service in permissive mode and do not specify a service account, Metronome and Marathon will act as if requests made by this service are made by an account with the superuser permission.
- DC/OS CLI installed and logged in as a superuser.
- Enterprise DC/OS CLI 0.4.14 or later installed.
In this step, a 2048-bit RSA public-private key pair is created using the Enterprise DC/OS CLI.
Create a public-private key pair and save each value into a separate file within the current directory.
```bash
dcos security org service-accounts keypair <private-key>.pem <public-key>.pem
```
From a terminal prompt, create a new service account (for example, `percona-pxc-mysql`) containing the public key:

```bash
dcos security org service-accounts create -p <your-public-key>.pem -d <description> percona-pxc-mysql
```
You can verify your new service account using the following command.
```bash
dcos security org service-accounts show percona-pxc-mysql
```
Create a secret (`percona-pxc-mysql/<secret-name>`) with your service account and private key specified:

```bash
dcos security secrets create-sa-secret <private-key>.pem <service-account-id> percona-pxc-mysql/<secret-name>
```
You can list the secrets with this command:
```bash
dcos security secrets list /
```
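The steps above, from key pair generation to the secret listing, collected into one script as an added example; this is not part of the DC/OS or Percona documentation and not a script those projects ship. It assumes the Enterprise DC/OS CLI is installed and logged in as a superuser, and it adds the checks a practitioner would want around the documented commands: the service account id and secret name are restricted to a safe character set, the private key is generated in a mode-0700 temporary directory rather than the current directory, it is chmod 600 before use, and the local copy is deleted once the key lives in the secret store. The `run`, `valid_name`, `secret_path` and `provision_service_account` function names and the `DRY_RUN` variable are this example's own conventions.

```bash
#!/usr/bin/env sh
# Added example (not from the DC/OS docs). Provisions a dedicated service
# account plus service-account secret for a Percona XtraDB Cluster install.
# Assumes: Enterprise DC/OS CLI installed, logged in as superuser.
# Set DRY_RUN=1 to print the dcos commands instead of executing them.
set -eu

# Execute a command, or print it when DRY_RUN=1 (hypothetical helper).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Service account ids and secret path segments: lowercase alphanumerics,
# dots, underscores and dashes only; no slashes or whitespace.
valid_name() {
  case "$1" in
    ""|*/*|*" "*) return 1 ;;
    *) printf '%s' "$1" | grep -Eq '^[a-z0-9][a-z0-9._-]*$' ;;
  esac
}

# Compose the secret path the service reads at install time
# (the docs' percona-pxc-mysql/<secret-name> form).
secret_path() {
  printf '%s/%s\n' "$1" "$2"
}

# provision_service_account <service-account-id> <secret-name> [description]
provision_service_account() {
  sa="$1"
  secret="$2"
  desc="${3:-Service account for $1}"

  valid_name "$sa" || { echo "invalid service account id: $sa" >&2; return 1; }
  valid_name "$secret" || { echo "invalid secret name: $secret" >&2; return 1; }

  # Keep the private key out of the working directory: private temp dir.
  workdir=$(mktemp -d)
  chmod 700 "$workdir"
  priv="$workdir/$sa-private-key.pem"
  pub="$workdir/$sa-public-key.pem"

  # 1. 2048-bit RSA key pair, private and public halves in separate files.
  run dcos security org service-accounts keypair "$priv" "$pub"
  [ "${DRY_RUN:-0}" = "1" ] || chmod 600 "$priv"

  # 2. Create the service account from the PUBLIC key only.
  run dcos security org service-accounts create -p "$pub" -d "$desc" "$sa"
  run dcos security org service-accounts show "$sa"

  # 3. Store the PRIVATE key in the secret store under the service's path.
  run dcos security secrets create-sa-secret "$priv" "$sa" "$(secret_path "$sa" "$secret")"
  run dcos security secrets list /

  # 4. The private key now lives only in the secret store; drop the local copy.
  rm -rf "$workdir"
}

# Usage: provision_service_account percona-pxc-mysql pxc-sa-secret
```

Run it once with `DRY_RUN=1` to review the exact commands and paths before touching the cluster; the secret path printed (`percona-pxc-mysql/<secret-name>`) is the value you pass to the service's install-time options together with the service account id.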