Authentication in DC/OS
In DC/OS, user authentication is required by default. Every user who wants to perform an operation on a DC/OS cluster (other than logging in) must first be authenticated.
DC/OS handles user authentication in a decentralized fashion by using authentication tokens. Authentication tokens are distributed by the Identity and Access Manager (IAM) on a per-user basis. The tokens can be verified out-of-band by any third-party entity. Allowing token verification to happen independently of the IAM makes this approach highly scalable in comparison to centralized session state keeping. Furthermore, with tokens, user authentication state cannot be easily revoked.
Upon login to DC/OS, users receive a DC/OS Authentication token. The DC/OS Authentication token can be used for authenticating subsequent requests to the API; see Pass an authentication token to the API.
A DC/OS Authentication token is also used internally by the DC/OS CLI for authenticating subsequent CLI commands. Authentication is only supported for DC/OS CLI version 0.4.3 and later. See here for upgrade instructions.
In DC/OS the only authenticator in the system is Admin Router. It enforces DC/OS Authentication token verification based on information from the Identity and Access Manager (IAM).
Third-party entities can be enabled to become authenticators for DC/OS Authentication tokens by using out-of-band verification via public key cryptography; see Out-of-band token verification for instructions.
Disabling authentication
You can disable authentication in one of the following ways:
- Disable authentication using advanced installation: You can disable authentication by adding this parameter to your configuration file (genconf/config.yaml):
  oauth_enabled: 'false'
  For more information, see the configuration documentation.
- Disable authentication using cloud installation on AWS: You can set the OAuthEnabled option to false on the Specify Details step to disable authentication.