
Authentication in Scale

Jonathan Meyer edited this page Apr 26, 2019 · 2 revisions


Scale has primarily been deployed behind a firewall or only reachable from behind the DCOS Admin UI. This limits the utility of Scale, so with version 6.0 we are enforcing authentication on all API endpoints. Scale recognizes two levels of access: Authenticated and Staff.

Supported Authentication

Scale is built using Django and the Django Rest Framework, which allows nearly any authentication mechanism to be employed. Based on our current requirements, we have implemented support for the options listed below.

Username / password

The default deployment of Scale creates a single superuser account, admin. Its password is autogenerated and written to the Scale scheduler container on first launch. For a production deploy the password is intended to be set through the ADMIN_PASSWORD environment variable. This variable may be populated from a DCOS Secret to protect the value.

The admin user can be used to bootstrap additional users by way of a POST to the /accounts/users/ endpoint. Users can also be added using the Django admin UI at /admin/. Setting a user's is_staff field to true or false determines their level of privilege.

GEOAxIS

GEOAxIS is enabled by setting the required environment variables GEOAXIS_KEY and GEOAXIS_SECRET. Once these are set, the /api/login/ endpoint is updated to offer GEOAxIS login.

Token

For API clients, it is likely that they will prefer to issue a long-lived token as opposed to utilizing cookies set after a login event. An API token may be issued through either a username / password or PKI certificate.

The following example demonstrates issuing a token for subsequent API calls:

curl -X POST https://scale.example.com/api/api-token-auth/ -F username=admin -F password=password
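As an added example (not code from the Scale project or this wiki), here is a small Python client that does what the curl line above does and then uses the issued token on later calls. It assumes the hypothetical host scale.example.com, that /api/api-token-auth/ is the Django REST Framework obtain_auth_token view (form-encoded username/password in, {"token": ...} out), that later requests authenticate with DRF's Authorization: Token header, and that /accounts/users/ lists users on GET; the HTTP transport is injectable so the logic can be exercised without a server, and the password is read from the environment rather than typed on the command line.

```python
import json
import os
import urllib.parse
import urllib.request
from typing import Callable, Optional

# Hypothetical deployment host; the token endpoint path is the one shown on this page.
BASE_URL = "https://scale.example.com"
TOKEN_PATH = "/api/api-token-auth/"

# Transport signature: (method, url, body bytes or None, headers) -> response body bytes.
Transport = Callable[[str, str, Optional[bytes], dict], bytes]


def urllib_transport(method: str, url: str, body: Optional[bytes], headers: dict) -> bytes:
    """Real HTTP transport built on the standard library (verifies TLS by default)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


def obtain_token(username: str, password: str, transport: Transport = urllib_transport,
                 base_url: str = BASE_URL) -> str:
    """POST form-encoded credentials (like the curl example) and return the issued token.

    The {"token": ...} reply is what DRF's obtain_auth_token view returns; it is assumed
    here that /api/api-token-auth/ is wired to that view.
    """
    body = urllib.parse.urlencode({"username": username, "password": password}).encode()
    raw = transport("POST", base_url + TOKEN_PATH, body,
                    {"Content-Type": "application/x-www-form-urlencoded"})
    reply = json.loads(raw)
    if "token" not in reply:  # DRF answers with non_field_errors on bad credentials
        raise RuntimeError("token endpoint did not return a token: %r" % (reply,))
    return reply["token"]


def auth_headers(token: str) -> dict:
    """Header for subsequent calls; 'Token <key>' is DRF's TokenAuthentication scheme."""
    return {"Authorization": "Token " + token}


def get_json(path: str, token: str, transport: Transport = urllib_transport,
             base_url: str = BASE_URL):
    """Authenticated GET of an API path, decoded from JSON."""
    return json.loads(transport("GET", base_url + path, None, auth_headers(token)))


if __name__ == "__main__":
    # Credentials come from the environment so they stay out of shell history and ps output.
    tok = obtain_token(os.environ["SCALE_USER"], os.environ["SCALE_PASSWORD"])
    print(get_json("/accounts/users/", tok))  # assumed to list users for an authenticated caller
```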