Since 1.8, users can no longer talk directly to http://marathon.mesos:8080 without an auth token: Marathon now has the security plugin, so it enforces any ACLs that exist. To avoid an HTTP/1.1 401 Unauthorized response, send the token in a request header: curl --header "Authorization: token=<your_JWT_token>"
For example, here is how we generate a JWT token and use it to generate diagnostic bundles:
# Log into one of your master nodes; retrieve your token so you can make API calls
$ curl -v -X POST localhost:8101/acs/api/v1/auth/login -d '{"uid": "bootstrapuser", "password": "deleteme"}' -H 'Content-Type: application/json'
# Store your token in a shell variable
$ token=<YOUR_TOKEN>
# Start the bundle generation
$ curl -k -X POST http://leader.mesos/system/health/v1/report/diagnostics/create -H "Authorization: token=$token" -H "Content-Type: application/json" -d '{"nodes": ["all"]}'
# Check and wait for your bundle to finish
$ curl -k http://leader.mesos/system/health/v1/report/diagnostics/status/all -H "Authorization: token=$token" -H "Content-Type: application/json" | jq .
# Download the bundle
$ curl -Ok http://leader.mesos/system/health/v1/report/diagnostics/serve/<bundle-file-name> -H "Authorization: token=$token"
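The token handling in the steps above, as an added example (not part of the original article or of DC/OS): it pulls the token out of the login response and checks its expiry before reuse, since an expired token is a common cause of a renewed 401. It assumes the login response is a JSON object with a "token" field and that the token is a JWT carrying a numeric exp claim; the function names and sample values are constructed.

```shell
#!/bin/sh
# Added example: helpers for the token returned by the login call. Not DC/OS code.
# Decoding does NOT verify the signature; it only reads claims for diagnosis.

# Print the "token" field of a login response (assumed shape: {"token": "<JWT>"}).
extract_token() {
    printf '%s' "$1" |
        sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Decode the JWT payload: second dot-separated segment, unpadded base64url.
jwt_payload() {
    seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
    case $(( ${#seg} % 4 )) in      # restore the '=' padding base64 -d expects
        2) seg="$seg==" ;;
        3) seg="$seg=" ;;
    esac
    printf '%s' "$seg" | base64 -d
}

# Print the numeric "exp" claim (seconds since the epoch); empty if absent.
jwt_exp() {
    jwt_payload "$1" |
        sed -n 's/.*"exp"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Succeed if the token expires after time $2 (default: now).
token_is_fresh() {
    exp=$(jwt_exp "$1")
    now=${2:-$(date +%s)}
    [ -n "$exp" ] && [ "$exp" -gt "$now" ]
}

# Constructed sample (not a real token or response), built inline.
b64url() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
sample_jwt="$(b64url '{"typ":"JWT","alg":"HS256"}').$(b64url '{"uid":"bootstrapuser","exp":1500000000}').c2ln"
sample_response="{\"token\": \"$sample_jwt\"}"

token=$(extract_token "$sample_response")
if token_is_fresh "$token"; then
    echo "token valid until epoch $(jwt_exp "$token")"
else
    echo "token expired or has no exp claim: log in again before calling the API"
fi
```

Against a live cluster, pass extract_token the body of the login call (run curl with -s rather than -v so only the JSON is captured). The token is a bearer credential, so keep it out of shell history and shared logs.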
For more information on security, see the docs below.
https://docs.mesosphere.com/1.8/administration/id-and-access-mgt/iam-api/
https://docs.mesosphere.com/1.8/administration/id-and-access-mgt/service-auth/custom-service-auth/