Authenticating users against DC/OS

Authentication in DC/OS

In DC/OS, user authentication is required by default. Every user who wants to perform an operation on a DC/OS cluster (other than logging in) must first be authenticated.

DC/OS handles user authentication decentralized by using authentication tokens. Authentication tokens are distributed by the Identity and Access Manager (IAM) on a per user basis. The tokens can are verified out-of-band by any third-party entity. Allowing token verification to happen independent of the IAM makes this approach highly scalable in comparison to centralized session state keeping. Furthermore, with tokens user authentication state cannot be easily revoked.

Upon login to DC/OS users receive a DC/OS Authentication token. The DC/OS Authentication token can be used for authenticating subsequent requests to the API; see Pass an authentication token to the API.

A DC/OS Authentication token is also used internally by the DC/OS CLI for authenticating subsequent CLI commands. Authentication is only supported for DC/OS CLI version 0.4.3 and later.

In DC/OS the only authenticator in the system is Admin Router. It enforces DC/OS Authentication token verification based on information from the Identity and Access Manager (IAM).

Third-party entities can be enabled to become authenticators for DC/OS Authentication tokens by using out-of-band verficiation via public key cryptography; see Out-of-band token verification for instructions.

NOTE: In DC/OS Open Source authentication equals authorization. Therefore, any entity that obtains a valid DC/OS Authentication token has full access to the cluster.

Disabling authentication

You can disable authentication using one of the following ways:

  1. Disable authentication using advanced installation: You can disable authentication by adding this parameter to your configuration file (genconf/config.yaml).

    oauth_enabled: 'false'

    For more information, see the configuration documentation.

  2. Disable authentication using cloud installation on AWS: You can set the OAuthEnabled option to false on the Specify Details step to disable authentication.

WARNING: You cannot disable authentication using cloud installation on Azure.

NOTE: If you have already installed your cluster and would like to disable this in-place, you can go through an upgrade with the configuration parameter set.