
Service Accounts

Enterprise DC/OS Updated: April 18, 2017

About service accounts

The need to provision a service with a service account varies according to your security mode and the origin of the service’s requests. The following table details the circumstances under which a service requires an account.

Requests originate from   Service account required   Service account optional
Outside of the cluster    All security modes         N/A
Inside the cluster        strict                     permissive

About custom services

For detailed instructions on how to set up a custom service or script with a service account, refer to Provisioning custom services with service accounts.

About services in the default Universe

Not all services in the default Universe can be provisioned with a service account. If a service requires a service account and cannot be provisioned with one, you won’t be able to deploy the service. This requirement varies according to your security mode.

The following table lists the Universe services that can be provisioned with service accounts. It also identifies when a service account is optional or required.

Service       disabled      permissive   strict
Cassandra     Not possible  Optional     Required
Confluent     Not possible  Optional     N/A*
HDFS          Not possible  Optional     Required
Kafka         Not possible  Optional     Required
Marathon-LB   Optional      Optional     Required
Spark         Not possible  Optional     Required

* These services cannot be deployed in strict mode at this time.

If the service supports authentication in permissive mode, we encourage you to provision it with a service account. Otherwise, the service will default to running with the superuser permission. Provisioning it now will also make it easier to upgrade to strict mode in the future.

You may also want to provision Marathon-LB with a service account in disabled mode to make it easier to upgrade to permissive or strict.

Refer to the following sections for more details about how and when to provision each service with a service account.

Provisioning custom services

This section details how to configure a custom service that requires authentication with a service account and how to request and refresh its token.
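As an added example (not code from this page or from DC/OS itself), the token lifecycle a custom service goes through, in Python. It assumes the DC/OS Enterprise IAM login endpoint `/acs/api/v1/auth/login`, a service login token that is an RS256 JWT carrying `uid` and `exp` claims, and a JSON response with the auth token under `token`; the account name `svc-demo` and the keypair are constructed for local testing, and the verification routine shows the checks the IAM side applies before issuing an auth token.

```python
import base64, json, time, urllib.request
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_login_token(uid: str, private_key_pem: bytes, now=None) -> str:
    # Service login token: JWT with {"uid", "exp"} claims, RS256-signed with the account's private key.
    now = int(time.time()) if now is None else now
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"uid": uid, "exp": now + 300}).encode())  # short-lived: 5 minutes
    sig = key.sign(f"{header}.{claims}".encode(), padding.PKCS1v15(), hashes.SHA256())
    return f"{header}.{claims}.{_b64url(sig)}"


def verify_login_token(token: str, public_key_pem: bytes, uid: str, now=None) -> bool:
    # What the IAM checks before issuing an auth token: signature, uid match, not expired.
    now = int(time.time()) if now is None else now
    try:
        header, claims, sig = token.split(".")
        pub = serialization.load_pem_public_key(public_key_pem)
        pub.verify(_b64url_decode(sig), f"{header}.{claims}".encode(), padding.PKCS1v15(), hashes.SHA256())
        body = json.loads(_b64url_decode(claims))
        return body.get("uid") == uid and int(body["exp"]) > now
    except Exception:  # malformed token, bad signature, missing claim: all rejected
        return False


def request_auth_token(master_url: str, uid: str, private_key_pem: bytes) -> str:
    # POST {"uid", "token"} to the IAM login endpoint (assumed path); the reply carries the auth token.
    body = json.dumps({"uid": uid, "token": mint_login_token(uid, private_key_pem)}).encode()
    req = urllib.request.Request(f"{master_url}/acs/api/v1/auth/login", data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["token"]


def needs_refresh(token: str, now: int, margin: int = 600) -> bool:
    # Re-run request_auth_token() once the auth token's exp claim is within `margin` seconds.
    return int(json.loads(_b64url_decode(token.split(".")[1]))["exp"]) - now <= margin


def generate_keypair():
    # Constructed keypair for local testing only; a real account's pair is created via the DC/OS CLI.
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    enc, nopass = serialization.Encoding.PEM, serialization.NoEncryption()
    return (key.private_bytes(enc, serialization.PrivateFormat.PKCS8, nopass),
            key.public_key().public_bytes(enc, serialization.PublicFormat.SubjectPublicKeyInfo))
```

The private key never leaves the service; only the signed, short-lived login token and the returned auth token travel over the wire, so store the key in a secret rather than in the service's config.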