User Identity and Access Management
Managing access to services is a basic requirement in any enterprise-grade setup. DC/OS provides flexible user identity management combined with fine-grained access control. The overall approach to user identity management and access control in DC/OS is as follows:
- When one of your users attempts to access a service, the request is first routed through a system component called Admin Router.
- Admin Router coordinates with the Identity and Access Management (IAM) system component to verify whether the user may access the targeted service. The IAM component uses a highly available, replicated data store to keep track of user identities. The access verification process comprises:
  - Authentication: in the first step the user identity is verified, either locally (DC/OS cluster-internal) or against external sources using protocols such as LDAP, SAML, or OpenID Connect (OIDC).
  - Access control: once the user identity has been confirmed, the permissions of the respective user are checked against the resource in question (here:
DC/OS Enterprise user authentication is performed in the Admin security zone, and all communication from an external client to DC/OS Admin Router takes place over an SSL channel. DC/OS Admin Router presents an SSL certificate issued by the DC/OS certificate authority (CA) to external clients. Clients can then confirm that all traffic originating from DC/OS Admin Router comes from a valid server by validating the server's certificate against the DC/OS certificate authority.
Below is an example of a complete end-to-end sequence diagram of the steps involved in authenticating a user request.
Besides adding a user locally, you can use either of two mechanisms to authenticate users against an external source: directory-based (using LDAP, for example with Active Directory) or identity provider-based (SAML and OIDC).
During installation, DC/OS creates an initial user account with superuser privileges. The person installing DC/OS sets the name and password of this account. As a superuser you can manage DC/OS users, groups, permissions, and LDAP configurations either via the DC/OS web interface or the IAM API. At least one account with superuser privileges is required at all times.
See also the managing users and groups section for more details on this topic.
In strict security mode, each service must authenticate against the Mesos master before it can register. Learn more about service authentication in the Service Authentication section, including the Secrets API and service-specific ACLs (such as for Apache Spark). In the default permissive mode, service authentication is optional.
Permissions define what actions a user, group, or service account may perform on an object. For Marathon services and service groups, you can specify create, read, update, or delete permissions. Mesos provides control over who can view tasks and their sandboxes, as well as which services can register with particular Mesos roles, run tasks as particular Linux users, and create reservations/volumes.
Learn more about permission handling in the Permissions section.
Learn more about how to programmatically interact with:
Managing users and groups
DC/OS Enterprise can manage two types of users:
The permissions of DC/OS Enterprise allow you to control access by resource and sometimes by operation (create, read, update, delete). The number of permissions enforced increases as you move from disabled to permissive and from permissive to strict security mode. Permissive security mode provides finer-grained controls, and strict security mode provides the finest-grained controls. See the following table for details.
Directory-based authentication via LDAP
If your organization has user records stored in a directory server supporting LDAP, you can configure DC/OS Enterprise to check user credentials against it. This allows you to avoid having to recreate your user accounts within DC/OS.
Identity provider-based authentication
DC/OS Enterprise uses public-private key cryptography and JSON Web Tokens (JWT) to authenticate services. A service that is required to authenticate must create a public-private key pair and then create a service account with its public key. The service then generates a JWT signed with its private key and passes this to DC/OS. DC/OS uses the public key stored in the service account to verify the service's signature, then returns a DC/OS authentication token signed by the Identity and Access Management service. The service can use the DC/OS authentication token to gain access to the necessary resources.
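The login exchange described above, as an added example that is not part of the DC/OS documentation or code base: a minimal RS256 JWT signer and verifier in Go, plus an `iamLogin` function standing in for the IAM side (look up the account's registered public key, verify the service-signed login token, issue an IAM-signed DC/OS token). The claim names `uid` and `exp`, the 5-day lifetime of the issued token, and all function names are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT encoding: URL-safe base64 without padding

func newKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k } // 2048-bit RSA pair
// signJWT builds a compact RS256 JWT (header.claims.signature) over claims with key.
func signJWT(claims map[string]any, key *rsa.PrivateKey) (string, error) {
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err
}
// verifyJWT checks the RS256 signature against pub and rejects expired tokens (now is Unix seconds).
func verifyJWT(token string, pub *rsa.PublicKey, now int64) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if pub == nil || len(parts) != 3 {
		return nil, errors.New("no key for this account or malformed token")
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // the signed input is header.claims
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("bad signature") // wrong key or tampered header/claims
	}
	claims := map[string]any{}
	body, _ := b64.DecodeString(parts[1])
	_ = json.Unmarshal(body, &claims) // on failure claims stays empty and the exp check below rejects it
	if exp, ok := claims["exp"].(float64); !ok || now >= int64(exp) {
		return nil, errors.New("token expired or has no exp claim")
	}
	return claims, nil
}
// iamLogin models the IAM side: look up the account's registered public key, verify the service-signed login token, issue an IAM-signed DC/OS token.
func iamLogin(uid, loginToken string, accounts map[string]*rsa.PublicKey, iamKey *rsa.PrivateKey, now int64) (string, error) {
	claims, err := verifyJWT(loginToken, accounts[uid], now)
	if err != nil || claims["uid"] != uid {
		return "", errors.New("login rejected")
	}
	return signJWT(map[string]any{"uid": uid, "exp": now + 5*24*3600}, iamKey) // 5-day lifetime is an assumption
}
```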
Identity and Access Management API
The Identity and Access Management API allows you to manage users, user groups, permissions, and LDAP configuration settings through a RESTful interface. It offers more functionality than the DC/OS web interface.
Tutorial – Restricting Access to DC/OS Service Groups
Demonstrates how to use the DC/OS web interface to achieve multi-tenancy in permissive mode.