Using Kerberos authentication with OpsCenter
If a cluster uses Kerberos authentication, you need to create and configure the OpsCenter principals before adding the cluster to OpsCenter.
Procedure
- Create an opscenterd principal and register it with Cassandra/DataStax Enterprise.
  $ cqlsh
  cqlsh> create user 'opscenterd/Kerberos host@Kerberos domain';
  To view the users who are on the node, run the list users command in cqlsh.
  $ cqlsh
  cqlsh> list users;
- Manually kinit the opscenterd user on the same account that runs the OpsCenter daemon. There is a limitation on the Kerberos drivers used by OpsCenter that prevents OpsCenter from using a keytab.
- Create service principals for the OpsCenter agent user running on each node and register them with Cassandra/DataStax Enterprise. The default user name is cassandra.
  $ cqlsh
  cqlsh> create user 'cassandra/Kerberos host@Kerberos domain';
  Note: If you need to run the agent as a different user than cassandra, see setting permissions to run the agent as a different user.
- Create keytabs for the cassandra principals at /usr/share/datastax-agent/krb5.keytab on each node.
- Set the owner of these keytabs and the /usr/share/datastax-agent directory to the cassandra user.
  $ sudo chown cassandra /usr/share/datastax-agent /usr/share/datastax-agent/krb5.keytab
- When adding the cluster as described in Adding an existing cluster, check DSE Security and enter the service principal name for DataStax Enterprise.
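
A check to run after the procedure, as an added example that is not part of the DataStax documentation: it confirms the agent keytab is owned by the agent user and, because the opscenterd principal is kinit'ed by hand rather than through a keytab, that its ticket is still valid. The function names, the --keytab/--ticket arguments and the requirement that the keytab grant nothing to group or other are assumptions of this example; the path and the cassandra user are the defaults from the steps above.

```shell
#!/bin/sh
# Added example, not DataStax code. Defaults come from the procedure above.
# Uses GNU stat (-c), as found on Linux nodes.
KEYTAB=${KEYTAB:-/usr/share/datastax-agent/krb5.keytab}
AGENT_USER=${AGENT_USER:-cassandra}

# check_keytab FILE OWNER
# Succeeds only if FILE exists, is owned by OWNER, and grants no
# permission bits to group or other (assumed hardening, see lead-in).
check_keytab() {
    kt_file=$1; kt_owner=$2; kt_rc=0
    if [ ! -f "$kt_file" ]; then
        echo "FAIL: $kt_file does not exist" >&2
        return 1
    fi
    kt_actual=$(stat -c '%U' "$kt_file") || return 1
    kt_mode=$(stat -c '%a' "$kt_file") || return 1
    if [ "$kt_actual" != "$kt_owner" ]; then
        echo "FAIL: $kt_file owned by $kt_actual, expected $kt_owner" >&2
        kt_rc=1
    fi
    # Mask the group and other bits of the octal mode.
    if [ $(( 0$kt_mode & 077 )) -ne 0 ]; then
        echo "FAIL: $kt_file mode $kt_mode grants access to group or other" >&2
        kt_rc=1
    fi
    return $kt_rc
}

# check_ticket
# Succeeds if the current account's credential cache holds an unexpired
# ticket. Run it as the account that runs the OpsCenter daemon.
check_ticket() {
    if ! command -v klist >/dev/null 2>&1; then
        echo "FAIL: klist not found" >&2
        return 1
    fi
    if ! klist -s; then
        echo "FAIL: no valid ticket in the credential cache; run kinit" >&2
        return 1
    fi
}

# Nothing runs unless asked for: --keytab on each node, --ticket on the
# OpsCenter host.
case "${1:-}" in
    --keytab) check_keytab "$KEYTAB" "$AGENT_USER" && echo "OK: $KEYTAB" ;;
    --ticket) check_ticket && echo "OK: ticket is valid" ;;
esac
```

Scheduling the --ticket check on the OpsCenter host gives early warning before the manually obtained ticket expires.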