With DC/OS, login is the process of exchanging user credentials for a DC/OS Authentication token.
Users must obtain a DC/OS Authentication to use a DC/OS cluster. In DC/OS the lifetime of an Authentication token is limited to five days. Once the Authentication token expires, the user must log in again.
Different login methods exist for different user types, but each one yields a DC/OS authentication token:
- External user login: External user accounts can only log in via single sign-on through Auth0 (using their Google, GitHub, or Microsoft credentials).
- Local user login: A local user logs in by entering a password which is compared to the password hash stored inside DC/OS.
- Service login: A service logs in by entering a short-lived “service login token”, whose signature is verified using the service account public key stored inside DC/OS.
Users cannot be actively logged out of DC/OS. As long as an issued DC/OS Authentication token exists and is valid, the user that it was issued for can operate the DC/OS cluster. However, a user can decide to delete any valid DC/OS Authentication token in their possession. The DC/OS CLI auth logout command does exactly that.