Using Kerberos authentication with OpsCenter
If your cluster uses Kerberos authentication, you need to create and configure the OpsCenter principals before adding the cluster to OpsCenter.
Procedure
- Create an opscenterd principal and register it with Cassandra/DSE.

    $ cqlsh
    cqlsh> create user 'opscenterd/Kerberos host@Kerberos domain';

  If you need to see what users are on the node, run the list users command in cqlsh.

    $ cqlsh
    cqlsh> list users;

- Manually kinit the opscenterd user on the same account that runs the OpsCenter daemon. There is a limitation on the Kerberos drivers used by OpsCenter that prevents OpsCenter from using a keytab.
- Create service principals for the OpsCenter agent user running on each node and register them with Cassandra/DSE. The default user name is opscenter-agent.

    $ cqlsh
    cqlsh> create user 'opscenter-agent/Kerberos host@Kerberos domain';

- Create keytabs for the opscenter-agent principals at /usr/share/datastax-agent/krb5.keytab on each node.
- Set the owner of these keytabs and the /usr/share/datastax-agent directory to the opscenter-agent user.

    $ sudo chown opscenter-agent /usr/share/datastax-agent /usr/share/datastax-agent/krb5.keytab

- When adding the cluster as described in Adding an existing cluster, check DSE Security and enter the service principal name for DSE.
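
A way to verify the keytab and ownership steps on each node, as an added example that is not part of the original procedure or of OpsCenter. It assumes GNU stat (Linux), and the check that the keytab has no group or other permission bits is an added hardening assumption; the page itself only sets the owner.

```shell
#!/bin/sh
# Added example: audit the agent keytab placed by the procedure above.
# Assumptions: GNU stat; "no group/other access" is an added hardening check.

KEYTAB_DIR=/usr/share/datastax-agent
KEYTAB="$KEYTAB_DIR/krb5.keytab"
AGENT_USER=opscenter-agent

# check_owner PATH USER: succeeds if PATH is owned by USER.
check_owner() {
    [ "$(stat -c '%U' "$1" 2>/dev/null)" = "$2" ]
}

# check_private FILE: succeeds if FILE grants nothing to group or other.
check_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    # Treat the mode as octal and mask the group/other bits.
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# audit_keytab DIR FILE USER: prints findings, returns the failure count.
audit_keytab() {
    dir=$1; file=$2; user=$3; fails=0
    if [ ! -f "$file" ]; then
        echo "FAIL: $file is missing"
        return 1
    fi
    check_owner "$dir" "$user" ||
        { echo "FAIL: $dir is not owned by $user"; fails=$((fails + 1)); }
    check_owner "$file" "$user" ||
        { echo "FAIL: $file is not owned by $user"; fails=$((fails + 1)); }
    check_private "$file" ||
        { echo "FAIL: $file is accessible to group or other"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ] && echo "OK: $file"
    return "$fails"
}

# Audit the paths from the procedure when invoked as: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_keytab "$KEYTAB_DIR" "$KEYTAB" "$AGENT_USER"
fi
```

A keytab holds the principal's long-term key, so any account that can read it can authenticate as opscenter-agent; run the audit after every keytab rotation.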