The DC/OS user database is persisted in ZooKeeper by running on the master nodes in znodes under the path
/dcos/users. Tokens that are sent to DC/OS in an HTTP Authorization header must be in this format:
token=<token>. In future versions
Bearer <token> will also be supported.
DC/OS Open Source provides security management via CLI commands; see the CLI Command Reference. From the CLI, you can authenticate to your cluster or even opt out of Auth0-based authentication.
Authentication is only supported for DC/OS CLI version 0.4.3 and later. See here for upgrade instructions.
The DC/OS CLI stores the token in a configuration file in the
.dcos directory under the home directory of the user running the CLI. This token can be used with the
curl command to access DC/OS APIs, using
wget. For example,
curl -H 'Authorization: token=<token>' http://cluster.
From a terminal prompt, use the following command to authenticate to your cluster.
dcos auth login
Here is an example of the output:
Please go to the following link in your browser: https://<public-master-ip>/login?redirect_uri=urn:ietf:wg:oauth:2.0:oob Enter OpenID Connect ID Token:
Copy the URL in your terminal prompt and paste it into your browser.
Click the button that corresponds to your preferred identity provider.
Figure 1. Choose an identity provider
Provide your credentials to the identity provider if prompted. If you have already authenticated to the identity provider during your current browser session, you won’t need to do so again.
Figure 2. Auth login token
Click Copy to Clipboard.
Return to your terminal prompt and paste the OpenID Connect ID token value in at the prompt.
You should receive the following message.
To log out, run this command:
dcos auth logout
If you are doing an advanced installation, you can opt out of Auth0-based authentication by adding this parameter to your configuration file (
For more information, see the configuration documentation.
If you are doing a cloud installation on AWS, you can set the
OAuthEnabled option to
false on the Specify Details step to disable authentication.
If you are doing a cloud installation on Azure, you cannot disable authentication. This option will be added in a future releasealong with other options to customize authentication.
Note that if you have already installed your cluster and would like to disable this in-place, you can go through an upgrade with the same parameter set.
We are looking forward to working with the DC/OS community on improving existing security features as well as on introducing new ones in the coming releases.