Using Kerberos authentication with OpsCenter

If a cluster uses Kerberos authentication, you need to create and configure the OpsCenter principals before adding the cluster to OpsCenter.

Procedure

  1. Create an opscenterd principal and register it with Cassandra/DataStax Enterprise.
    $ cqlsh
    cqlsh> create user 'opscenterd/Kerberos host@Kerberos domain';

    To view the users who are on the node, run the list users command in cqlsh.

    $ cqlsh
    cqlsh> list users;
  2. Manually run kinit for the opscenterd user under the same account that runs the OpsCenter daemon.

    A limitation in the Kerberos drivers used by OpsCenter prevents OpsCenter from using a keytab.

  3. Create service principals for the OpsCenter agent user running on each node and register them with Cassandra/DataStax Enterprise. The default user name is cassandra.
    $ cqlsh
    cqlsh> create user 'cassandra/Kerberos host@Kerberos domain';
    Note: If you need to run the agent as a user other than cassandra, see setting permissions to run the agent as a different user.
  4. Create keytabs for the cassandra principals at /usr/share/datastax-agent/krb5.keytab on each node.
  5. Set the owner of these keytabs and the /usr/share/datastax-agent directory to the cassandra user.
    $ sudo chown cassandra /usr/share/datastax-agent /usr/share/datastax-agent/krb5.keytab
  6. When adding the cluster as described in Adding an existing cluster, check DSE Security and enter the service principal name for DataStax Enterprise.
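
The following check for steps 4 and 5 is an added example, not part of the original OpsCenter procedure. It confirms that the keytab and its directory are owned by the agent user. The function names are hypothetical, and the mode check (no group or other access to the keytab) is an assumption that the procedure above does not state.

```shell
#!/bin/sh
# Added example: verify the agent keytab created in steps 4 and 5.
# Usage: check_agent_keytab [keytab_path] [expected_owner]
# Defaults are the path and user named on this page.

# Print "owner mode" for a path (GNU stat first, BSD stat as fallback).
owner_and_mode() {
    stat -c '%U %a' "$1" 2>/dev/null || stat -f '%Su %Lp' "$1"
}

check_agent_keytab() {
    keytab=${1:-/usr/share/datastax-agent/krb5.keytab}
    owner=${2:-cassandra}
    dir=$(dirname "$keytab")
    rc=0

    if [ ! -f "$keytab" ]; then
        echo "FAIL: $keytab does not exist" >&2
        return 1
    fi

    info=$(owner_and_mode "$keytab")
    kt_owner=${info% *}
    kt_mode=${info#* }
    info=$(owner_and_mode "$dir")
    dir_owner=${info% *}

    # Step 5: the keytab and its directory belong to the agent user.
    if [ "$kt_owner" != "$owner" ]; then
        echo "FAIL: $keytab is owned by $kt_owner, expected $owner" >&2
        rc=1
    fi
    if [ "$dir_owner" != "$owner" ]; then
        echo "FAIL: $dir is owned by $dir_owner, expected $owner" >&2
        rc=1
    fi

    # Assumption (not in the page's procedure): a keytab holds long-term
    # keys, so group and other permission bits should be empty.
    case $kt_mode in
        0|*00) ;;
        *) echo "FAIL: $keytab has mode $kt_mode, expected 600 or 400" >&2
           rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: $keytab"
    return "$rc"
}
```

Run check_agent_keytab with no arguments on each node after step 5; a non-zero exit status means at least one check failed.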