Service Account

Setting up a service account

Provisioning a service account

This section describes how to configure DC/OS access for Percona XtraDB Cluster. Depending on your security mode, Percona XtraDB Cluster may require service authentication for access to DC/OS.

Security mode Service Account
Disabled Not available
Permissive Optional
Strict Required

If you install a service in permissive mode and do not specify a service account, Metronome and Marathon will act as if requests made by this service are made by an account with the superuser permission.

Prerequisites:

Create a Key Pair

In this step, a 2048-bit RSA public-private key pair is created using the Enterprise DC/OS CLI.

Create a public-private key pair and save each value into a separate file within the current directory.

dcos security org service-accounts keypair <private-key>.pem <public-key>.pem

NOTE: You can use the DC/OS Secret Store to secure the key pair.

Create a Service Account

From a terminal prompt, create a new service account (e.g. percona-pxc-mysql) containing the public key (<your-public-key>.pem).

dcos security org service-accounts create -p <your-public-key>.pem -d "Percona XtraDB" percona-pxc-mysql

You can verify your new service account using the following command.

dcos security org service-accounts show percona-pxc-mysql

Create a Secret

Create a secret (percona-pxc-mysql/<secret-name>) with your service account (again e.g. percona-pxc-mysql) and private key specified (<private-key>.pem).

NOTE: If you store your secret in a path that matches the service name, for example, service name and secret path are both percona-pxc-mysql, then only the service named percona-pxc-mysql can access it.

Permissive

dcos security secrets create-sa-secret <private-key>.pem model.serviceName percona-pxc-mysql/<secret-name>

Strict

dcos security secrets create-sa-secret --strict <private-key>.pem percona-pxc-mysql percona-pxc-mysql/<secret-name>

You can list the secrets with this command:

dcos security secrets list /