Service accounts are used in conjunction with public-private key pairs, secrets, permissions, and authentication tokens to provide access for DC/OS services to DC/OS. Service accounts control the communications and DC/OS API actions that the services are permitted to make.
DC/OS services require authentication depending on your security mode.
|Security mode||Intracluster communication||External cluster communication|
Service Authentication Components
To authenticate a service, you will need:
- Public-private key pair
- Service account
- Secret for service account
- Permissions for service account
- Service login token
JSON Web Tokens (JWT)
Service authentication involves two JSON Web Tokens (JWT) for service authentication.
Service Login token To log in to DC/OS, a service login token is required. It’s a JWT signed with the service’s private key and conceptually serves as a one-time password. A service login token should be generated for one-time usage (e.g. for a single service login procedure) and should include an expiration.
Authentication token After a service connects to DC/OS with the service login token, Bouncer creates an authentication token which the service can then use to authenticate its outgoing requests to DC/OS. An authentication token can be used for long-term access.
Mesos Authentication Principal
DC/OS services supply a principal when they register with the Mesos masters. In strict security mode, the service account name must match the name specified in the
principal. For more information about principals, see the Mesos documentation.
The following diagram illustrates this sequence.
Authenticating DC/OS Services
This topic details how to configure authentication for custom apps and pods launched on DC/OS.…Read More
Managing JSON Web Tokens
Services can use a variety of means to refresh their tokens. Ideally, a service should calculate the length of time until the token expires, which is embedded within the token itself, and request a new one before it expires. However, a service can also wait until it receives a 401 to request a new token.…Read More