Using DSE Graph and Gremlin console with Kerberos

Configure a user name and password for authentication, Kerberos, and SSL in the Graph remote.yaml.

To run DataStax Enterprise Graph in a security-enabled environment, configure these settings in the Graph remote.yaml:
  • DSE Unified Authentication - set a user name and password, or a Kerberos principal name
  • SSL encryption - enable it and set the path to the keystore

remote.yaml

The location of the remote.yaml file depends on the type of installation:
Package installations: /etc/dse/graph/gremlin-console/conf/remote.yaml
Tarball installations: installation_location/resources/graph/gremlin-console/conf/remote.yaml

Procedure

Configure authentication for the Gremlin Console connection:
  • Kerberos configuration
    1. Set the following Kerberos parameters in the remote.yaml:
      hosts: [KMS_hostname]
      username: null
      password: null
      jaasEntry: DseClient
      # protocol is the same as the service_principal set in dse.yaml
      protocol: kerberos_principal_name
      Note: Leave the username and password for Kerberos unset (null). The connector ignores null username and password parameters.
    2. Create a JAAS configuration file for DseClient that defines whether to use a keytab or ticket cache.
      Note: The default JAAS config file and location is ~/.java.login.config.
      • Ticket cache
         DseClient {
           com.sun.security.auth.module.Krb5LoginModule required
             useTicketCache=true
             renewTGT=true;
         };
      • Keytab file
         DseClient {
           com.sun.security.auth.module.Krb5LoginModule required
             refreshKrb5Config=true
             useKeyTab=true
             keyTab="file_path"
             useTicketCache=false;
         };
    3. (Optional) To use an alternate file name or location for the JAAS configuration file, add it to the system properties using an environment variable before starting the Gremlin console:
      export JAVA_OPTIONS="$JAVA_OPTIONS -Djava.security.auth.login.config=path_to_file"
      Note: Required if the file is not in the default location, ~/.java.login.config.
  • Internal or LDAP authentication - set the username and password parameters:
    username: database_user
    password: password
    Note: Set search_validity_in_seconds to a higher value, such as 30 minutes, for better performance.
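As an added example (not DataStax code or part of this documentation), the following Python script cross-checks the Kerberos settings from the remote.yaml step against the JAAS entry they name, flagging the mistakes the steps above warn about: a non-null username or password, a jaasEntry that does not exist in the JAAS file, or an entry that selects neither a keytab nor the ticket cache. The remote.yaml text, the JAAS text and the keytab path /etc/dse/dse.keytab are constructed samples.

```python
import re
# Constructed sample of the Kerberos settings this page puts in remote.yaml
REMOTE_YAML = """hosts: [KMS_hostname]
username: null
password: null
jaasEntry: DseClient
protocol: kerberos_principal_name
"""
# Constructed JAAS file using the keytab form of the DseClient entry (sample path)
JAAS_CONF = """DseClient {
  com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/etc/dse/dse.keytab"
    useTicketCache=false;
};
"""

def parse_flat_yaml(text):
    """Parse the flat 'key: value' lines of remote.yaml, skipping comments."""
    pairs = (line.split("#", 1)[0].split(":", 1) for line in text.splitlines())
    return {k.strip(): v.strip() for k, v in (p for p in pairs if len(p) == 2)}

def parse_jaas(text):
    """Map each 'Name { module flag opt=val ...; };' block to its options."""
    entries = {}
    for name, body in re.findall(r"(\w+)\s*\{(.*?)\};", text, re.S):
        opts = {k: v.strip('"') for k, v in
                re.findall(r'(\w+)=("[^"]*"|\S+?)(?=[\s;])', body)}
        opts["module"] = body.split()[0]   # login module class name
        entries[name] = opts
    return entries

def check_kerberos_config(remote_yaml, jaas_conf):
    """Return a list of problems; an empty list means the pair is consistent."""
    cfg, problems = parse_flat_yaml(remote_yaml), []
    if not cfg.get("protocol"):
        problems.append("protocol (Kerberos service principal) is not set")
    for key in ("username", "password"):   # must stay null for Kerberos
        if cfg.get(key, "null") != "null":
            problems.append(f"{key} must be null for Kerberos; the connector ignores it")
    entry = parse_jaas(jaas_conf).get(cfg.get("jaasEntry", ""))
    if entry is None:
        return problems + [f"jaasEntry {cfg.get('jaasEntry')!r} not found in JAAS config"]
    if not entry["module"].endswith("Krb5LoginModule"):
        problems.append("JAAS entry does not use Krb5LoginModule")
    if entry.get("useKeyTab") == "true" and not entry.get("keyTab"):
        problems.append("useKeyTab=true but no keyTab path is given")
    elif entry.get("useKeyTab") != "true" and entry.get("useTicketCache") != "true":
        problems.append("entry uses neither a keytab nor the ticket cache")
    return problems
```

Run it against the real files by reading remote.yaml and ~/.java.login.config (or the path given in java.security.auth.login.config) into the two arguments.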