}}

Service Authentication

Enterprise DC/OS Updated: June 13, 2017

Service accounts are used in conjunction with public-private key pairs, secrets, permissions, and authentication tokens to provide access for DC/OS services to DC/OS. Service accounts control the communications and DC/OS API actions that the services are permitted to make.

DC/OS services require authentication depending on your security mode.

Security mode Intracluster communication External cluster communication
Disabled Optional Required
Permissive Optional Required
Strict Required Required

Service Authentication Components

To authenticate a service, you will need:

  • Public-private key pair
  • Service account
  • Secret for service account
  • Permissions for service account
  • Service login token

JSON Web Tokens (JWT)

Service authentication involves two JSON Web Tokens (JWT) for service authentication.

  • Service Login token To log in to DC/OS, a service login token is required. It’s a JWT signed with the service’s private key and conceptually serves as a one-time password. A service login token should be generated for one-time usage (e.g. for a single service login procedure) and should include an expiration.

  • Authentication token After a service connects to DC/OS with the service login token, Bouncer creates an authentication token which the service can then use to authenticate its outgoing requests to DC/OS. An authentication token can be used for long-term access.

Mesos Authentication Principal

DC/OS services supply a principal when they register with the Mesos masters. In strict security mode, the service account name must match the name specified in the principal. For more information about principals, see the Mesos documentation.

The following diagram illustrates this sequence.

Authenticating DC/OS Services

This topic details how to configure authentication for custom apps and pods launched on DC/OS. Prerequisites: DC/OS CLI installed and be logged in as a superuser. Enterprise DC/OS ...

Managing JSON Web Tokens

Refreshing Tokens Services can use a variety of means to refresh their tokens. Ideally, a service should calculate the length of time until the token expires, which is embedded wit...