Service Authentication

ENTERPRISE

Authenticating service accounts

Service accounts are used in conjunction with public-private key pairs, secrets, permissions, and authentication tokens to provide access for DC/OS services to DC/OS. Service accounts control the communications and DC/OS API actions that the services are permitted to make.

DC/OS services require authentication depending on your security mode.

Security modeIntracluster communicationExternal cluster communication
PermissiveOptionalRequired
StrictRequiredRequired

Service Authentication Components

To authenticate a service, you will need:

  • Public-private key pair
  • Service account
  • Secret for service account
  • Permissions for service account
  • Service login token

JSON Web Tokens (JWT)

Service authentication involves two JSON Web Tokens (JWT) for service authentication.

  • Service Login token To log in to DC/OS, a service login token is required. This is a JWT signed with the service’s private key, and serves as a one-time password. A service login token should be generated for one-time usage (for example, for a single service login procedure) and should include an expiration.

  • Authentication token After a service connects to DC/OS with the service login token, the IAM service creates an authentication token which the service can then use to authenticate its outgoing requests to DC/OS. An authentication token can be used for long-term access.

Mesos Authentication Principal

DC/OS services supply a principal when they register with the Mesos masters. In strict security modeMesos documentation.

The following diagram illustrates this sequence.

Service authentication

Figure 1. Service authentication

Authenticating DC/OS Services

ENTERPRISE

Configuring authentication for custom apps and pods

Managing JSON Web Tokens

ENTERPRISE

Managing JSON web tokens