Authentication Management

Managing authentication in the DC/OS CLI

The DC/OS user database is persisted in ZooKeeper, which runs on the master nodes, in znodes under the path /dcos/users. Tokens that are sent to DC/OS in an HTTP Authorization header must be in this format: token=<token>. In future versions Bearer <token> will also be supported.

DC/OS Open Source provides security management via CLI commands; see the CLI Command Reference. From the CLI, you can authenticate to your cluster or even opt out of Auth0-based authentication.

Authenticating through DC/OS CLI

Authentication is only supported for DC/OS CLI version 0.4.3 and later. See here for upgrade instructions.

The DC/OS CLI stores the token in a configuration file in the .dcos directory under the home directory of the user running the CLI. This token can be used with curl or wget to access DC/OS APIs. For example, curl -H 'Authorization: token=<token>' http://cluster.

  1. From a terminal prompt, use the following command to authenticate to your cluster.

    dcos auth login
    

    Here is an example of the output:

    Please go to the following link in your browser:
    
        https://<public-master-ip>/login?redirect_uri=urn:ietf:wg:oauth:2.0:oob
    
    Enter OpenID Connect ID Token:
    
  2. Copy the URL in your terminal prompt and paste it into your browser.

  3. Click the button that corresponds to your preferred identity provider.

    Figure 1. Choose an identity provider

  4. Provide your credentials to the identity provider if prompted. If you have already authenticated to the identity provider during your current browser session, you won’t need to do so again.

    Figure 2. Auth login token

  5. Click Copy to Clipboard.

  6. Return to your terminal prompt and paste the OpenID Connect ID token value in at the prompt.

  7. You should receive the following message.

    Login successful!
    
  8. To log out, run this command:

    dcos auth logout
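The token handling described at the start of this section, as an added example that is not part of the DC/OS documentation or the CLI's own code: it reads the stored token only when the config file is private to its owner, and builds the header in the token=<token> format. The file name dcos.toml, the key dcos_acs_token, the sample token and the HTTPS-only check are assumptions of this example.

```python
import os
import re
import stat
import tempfile

# Assumed config layout (not shown on this page): a TOML file containing
# a line of the form  dcos_acs_token = "<token>"
TOKEN_LINE = re.compile(r'^\s*dcos_acs_token\s*=\s*"([^"\s]+)"\s*$', re.M)


def load_token(config_path):
    """Read the CLI token, refusing a file that group or others can access."""
    mode = os.stat(config_path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{config_path}: mode {stat.S_IMODE(mode):o} "
                              "exposes the token; use chmod 600")
    with open(config_path, encoding="utf-8") as fh:
        match = TOKEN_LINE.search(fh.read())
    if match is None:
        raise LookupError("no token stored; run 'dcos auth login' first")
    return match.group(1)


def auth_header(token, url):
    """Build the header in the page's format: Authorization: token=<token>."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing to send the token over a non-TLS URL")
    return {"Authorization": f"token={token}"}


def demo():
    """Run both checks against a constructed config file and sample token."""
    with tempfile.TemporaryDirectory() as home:
        path = os.path.join(home, "dcos.toml")  # constructed stand-in file
        with open(path, "w", encoding="utf-8") as fh:
            fh.write('[core]\ndcos_acs_token = "SAMPLE.TOKEN.VALUE"\n')
        os.chmod(path, 0o644)  # world-readable: must be rejected
        try:
            load_token(path)
            loose_rejected = False
        except PermissionError:
            loose_rejected = True
        os.chmod(path, 0o600)  # owner-only: accepted
        header = auth_header(load_token(path), "https://cluster.example")
    return loose_rejected, header


if __name__ == "__main__":
    print(demo())
```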

Authentication opt-out

If you are doing an advanced installation, you can opt out of Auth0-based authentication by adding this parameter to your configuration file (genconf/config.yaml).

    oauth_enabled: 'false'

For more information, see the configuration documentation.

If you are doing a cloud installation on AWS, you can set the OAuthEnabled option to false on the Specify Details step to disable authentication.

If you are doing a cloud installation on Azure, you cannot disable authentication. This option will be added in a future release along with other options to customize authentication.

Note that if you have already installed your cluster and would like to disable authentication in place, you can go through an upgrade with the same parameter set.

Future work

We are looking forward to working with the DC/OS community on improving existing security features as well as on introducing new ones in the coming releases.