You can authorize individual users, and grant access to users who are local or remote from your datacenter.
The DC/OS user database is persisted in ZooKeeper running on the master nodes, in znodes under the path /dcos/users. Tokens that are sent to DC/OS in an HTTP Authorization header must be in this format: token=<token>. In future versions, Bearer <token> will also be supported.
Users are granted access to DC/OS by another authorized user. A default user is automatically created by the first user that logs in to the DC/OS cluster.
To manage users:
Launch the DC/OS web interface and log in with your username (Google, GitHub, and Microsoft) and password.
Click on the Organization tab and choose your action.
From the Users tab, click the new user icon (+) and fill in the new user email address. New users are automatically sent an email notifying them of access to DC/OS.
Tip: Any user with access to DC/OS can invite more users. Each DC/OS user is an administrator; there is no explicit concept of privileges with DC/OS.
- From the Users tab, select the user name and click Delete.
- Click Delete to confirm the action.
To switch users, you must log out of the current user and then back in as the new user.
To log out of the DC/OS web interface, click on your username in the top left corner and select Sign Out.
You can now log in as another user.
To log out of the DC/OS CLI, enter this command:
dcos config unset core.dcos_acs_token
Removed [core.dcos_acs_token]
You can now log in as another user.
Authentication is only supported for DC/OS CLI version 0.4.3 and above. See here for upgrade instructions.
The DC/OS CLI stores the token in a configuration file in the .dcos directory under the home directory of the user running the CLI. This token can be used to access DC/OS APIs using curl or wget. For example:
curl -H 'Authorization: token=<token>' http://cluster
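Because each DC/OS user is an administrator, the token kept under .dcos is an administrator credential. The following is an added example, not part of the DC/OS documentation or CLI: it checks that directory for entries that group or other users can access, and builds the token=<token> header while refusing malformed values. The function names and the --audit switch are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of the DC/OS CLI.

# List entries under the CLI's .dcos directory that group or other users can
# read, write or execute. Returns 0 if none, 1 if any were found, 2 on error.
audit_dcos_dir() {
    dir=${1:-"$HOME/.dcos"}
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    # "-perm -NNN" matches when all bits in NNN are set, so OR the six
    # group/other bits to catch any one of them.
    loose=$(find "$dir" \( -type f -o -type d \) \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$loose" ]; then
        printf '%s\n' "$loose"
        return 1
    fi
    return 0
}

# Build the header in the token=<token> format the page requires. Empty tokens
# and tokens containing whitespace or control characters are refused so a
# malformed value cannot add extra header lines.
auth_header() {
    case $1 in
        '' | *[[:space:]]* | *[[:cntrl:]]*) return 1 ;;
    esac
    printf 'Authorization: token=%s' "$1"
}

# Usage (TOKEN is a shell variable you have set; http://cluster is the page's
# placeholder). Feeding curl its config on stdin keeps the token out of the
# process list:
#   printf 'header = "%s"\n' "$(auth_header "$TOKEN")" | curl --config - http://cluster

if [ "${1:-}" = "--audit" ]; then
    audit_dcos_dir "${2:-$HOME/.dcos}"
fi
```

Any path the audit prints can be tightened with chmod so that only the owning user can read it.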
From a terminal prompt, use the following command to authenticate to your cluster.
dcos auth login
Here is an example of the output:
Please go to the following link in your browser:
https://<public-master-ip>/login?redirect_uri=urn:ietf:wg:oauth:2.0:oob
Enter OpenID Connect ID Token:
Copy the URL in your terminal prompt and paste it into your browser.
Click the button that corresponds to your preferred identity provider.
Provide your credentials to the identity provider if prompted. If you have already authenticated to the identity provider during your current browser session, you won’t need to do so again.
Click Copy to Clipboard.
Return to your terminal prompt and paste the OpenID Connect ID token value in at the prompt.
You should receive the following message.
Logging out of the DC/OS CLI
To log out, run this command:
dcos auth logout
To debug authentication problems, check the Admin Router and dcos-oauth logs on the masters using the following commands.
sudo journalctl -u dcos-adminrouter.service
sudo journalctl -u dcos-oauth.service
If you are doing an advanced installation, you can opt out of Auth0-based authentication by adding this parameter to your configuration file (genconf/config.yaml). For more information, see the configuration documentation.
If you are doing a cloud installation on AWS, you can set the OAuthEnabled option to false on the Specify Details step to disable authentication.
If you are doing a cloud installation on Azure, you currently cannot disable authentication. This will be added in a future release along with other options to customize authentication.
Note that if you’ve already installed your cluster and would like to disable this in-place, you can go through an upgrade with the same parameter set.
Ad Blockers and the DC/OS UI
During testing, we have observed issues with loading the DC/OS UI login page when certain ad blockers such as HTTP Switchboard or Privacy Badger are active. Other ad blockers like uBlock Origin are known to work.
We are looking forward to working with the DC/OS community on improving existing security features as well as on introducing new ones in the coming releases.