Using Kerberos authentication with OpsCenter

If your cluster uses Kerberos authentication, you need to create and configure the OpsCenter principals before adding the cluster to OpsCenter.

Procedure

  1. Create an opscenterd principal and register it with Cassandra/DSE.
    $ cqlsh
    cqlsh> create user 'opscenterd/Kerberos host@Kerberos domain';

    If you need to see what users are on the node, run the list users command in cqlsh.

    $ cqlsh
    cqlsh> list users;
  2. Manually run kinit for the opscenterd principal under the same account that runs the OpsCenter daemon.

    There is a limitation on the Kerberos drivers used by OpsCenter that prevents OpsCenter from using a keytab.

  3. Create service principals for the OpsCenter agent user running on each node and register them with Cassandra/DSE. The default user name is opscenter-agent.
    $ cqlsh
    cqlsh> create user 'opscenter-agent/Kerberos host@Kerberos domain';
  4. Create keytabs for the opscenter-agent principals at /usr/share/datastax-agent/krb5.keytab on each node.
  5. Set the owner of these keytabs and the /usr/share/datastax-agent directory to the opscenter-agent user.
    $ sudo chown opscenter-agent /usr/share/datastax-agent /usr/share/datastax-agent/krb5.keytab
  6. When adding the cluster as described in Adding an existing cluster, check DSE Security and enter the service principal name for DSE.
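
The following script is an added example, not part of the DataStax procedure. It audits the result of steps 4 and 5 on a node: the keytab exists, and both it and its directory belong to the agent user. The function names and the check that the keytab grants nothing to group or other are assumptions of this example; the page itself only specifies the owner.

```shell
#!/bin/sh
# Added example, not DataStax code. Audits the agent keytab from steps 4-5.
# The mode check (no group/other bits) is an assumption beyond the page,
# which only specifies the owner.

# Print "<owner> <octal mode>" for a path (GNU stat, then BSD stat).
owner_mode() {
    stat -L -c '%U %a' "$1" 2>/dev/null || stat -L -f '%Su %Lp' "$1"
}

# check_agent_keytab KEYTAB OWNER
# Returns 0 only if KEYTAB exists, KEYTAB and its directory belong to OWNER,
# and KEYTAB grants nothing to group or other. Prints one line per finding.
check_agent_keytab() {
    keytab=$1
    want=$2
    rc=0
    if [ ! -f "$keytab" ]; then
        echo "FAIL $keytab: missing or not a regular file"
        return 1
    fi
    for path in "$(dirname "$keytab")" "$keytab"; do
        info=$(owner_mode "$path") || { echo "FAIL $path: cannot stat"; rc=1; continue; }
        owner=${info% *}
        mode=${info##* }
        if [ "$owner" != "$want" ]; then
            echo "FAIL $path: owner is $owner, expected $want"
            rc=1
        fi
        # Only the keytab holds key material; pad so mode 0 still matches.
        if [ "$path" = "$keytab" ]; then
            case "00$mode" in
                *00) ;;
                *) echo "FAIL $path: mode $mode grants access beyond the owner"
                   rc=1 ;;
            esac
        fi
    done
    if [ "$rc" -eq 0 ]; then echo "OK $keytab"; fi
    return "$rc"
}

# Usage: sh check_keytab.sh /usr/share/datastax-agent/krb5.keytab opscenter-agent
if [ "$#" -eq 2 ]; then
    check_agent_keytab "$1" "$2"
fi
```

A keytab created by root with default permissions is often mode 644; after the chown in step 5, a `chmod 600` on the keytab clears the mode finding.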