With DC/OS, login is the process of exchanging user credentials for a DC/OS Authentication token.
Users must obtain a DC/OS Authentication to use a DC/OS cluster. In DC/OS the lifetime of an Authentication token is limited to five days. Once the Authentication token expires, the user must log in again.
DC/OS handles multiple user types. User accounts can be managed via the IAM API; see User Management.
Different login methods exist for different user types, but each one yields a DC/OS authentication token:
- External user login: External user accounts can only log in via single sign-on through Auth0 (using their Google, GitHub, or Microsoft credentials).
- Local user login: A local user logs in by entering a password which is compared to the password hash stored inside DC/OS.
- Service login: A service logs in by entering a short-lived “service login token”, whose signature is verified using the service account public key stored inside DC/OS.
Users cannot be actively logged out of DC/OS. As long as an issued DC/OS Authentication token exists and is valid, the user that it was issued for can operate the DC/OS cluster. However, a user can decide to delete any valid DC/OS Authentication token in their possession. The DC/OS CLI auth logout command does exactly that.