Using DSE Graph and Gremlin Console with Kerberos
To run DataStax Enterprise (DSE) Graph in a secure environment with Kerberos authentication, configure the Graph remote.yaml properties used by the Gremlin console.
- Locate the dse.yaml and remote.yaml configuration files. The location of these files depends on the type of installation:

  dse.yaml
    Package installations: /etc/dse/dse.yaml
    Tarball installations: <installation_location>/resources/dse/conf/dse.yaml

  remote.yaml
    Package installations: /etc/dse/graph/gremlin-console/conf/remote.yaml
    Tarball installations: <installation_location>/resources/graph/gremlin-console/conf/remote.yaml
- Set the following Kerberos parameters in remote.yaml:

    hosts: [<KMS_hostname>]
    username: null
    password: null
    jaasEntry: DseClient
    # protocol is the same as the service_principal set in dse.yaml
    protocol: <kerberos_principal_name>

  Leave the username and password values unset (null) for Kerberos; the connector ignores a null username and a null password.
- Create a JAAS configuration file for DseClient that defines whether to use a keytab or a ticket cache. The default JAAS configuration file and location is ~/.java.login.config.

  - Ticket cache:

        DseClient {
          com.sun.security.auth.module.Krb5LoginModule required
            useTicketCache=true
            renewTGT=true;
        };

  - Keytab file:

        DseClient {
          com.sun.security.auth.module.Krb5LoginModule required
            refreshKrb5Config=true
            useKeyTab=true
            keyTab="<file_path>"
            useTicketCache=false;
        };
- Optional: To use an alternate file name or location for the JAAS configuration file, add it to the system properties using an environment variable before starting the Gremlin console:

    export JAVA_OPTIONS="$JAVA_OPTIONS -Djava.security.auth.login.config=<path_to_file>"

  This step is required if the file is not in the default location, ~/.java.login.config.

For related information, see Defining a Kerberos scheme.
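As an added preflight check (not part of the DataStax documentation or of DSE itself), the following Python script parses a remote.yaml fragment and a JAAS configuration of the shape shown in the steps above and reports the mistakes that typically break a Kerberos login from the Gremlin console: username or password not left null, placeholders such as <KMS_hostname> or <file_path> never replaced, a jaasEntry with no matching entry in the JAAS file, a keytab entry without a keytab path, and (when a file mode is passed in) a keytab readable by group or other users. The sample inputs are constructed here; the hostname, principal name and keytab path in them are assumptions. The two parsers cover only the flat key/value subset used on this page, not full YAML or JAAS syntax.

```python
import re
from typing import Dict, List, Optional, Union

# Constructed sample inputs mirroring the remote.yaml and JAAS fragments on this page.
# The hostname, principal and keytab path are assumptions, not documented values.
GOOD_REMOTE_YAML = """\
hosts: [dse-node1.example.internal]
username: null
password: null
jaasEntry: DseClient
# protocol is the same as the service_principal set in dse.yaml
protocol: dse
"""

GOOD_JAAS = """\
DseClient {
  com.sun.security.auth.module.Krb5LoginModule required
    refreshKrb5Config=true
    useKeyTab=true
    keyTab="/etc/dse/gremlin.keytab"
    useTicketCache=false;
};
"""

PLACEHOLDER = re.compile(r"^<[^<>]*>$")   # e.g. <KMS_hostname>, <file_path>


def is_placeholder(value: object) -> bool:
    """True for documentation placeholders that were never replaced with a real value."""
    return isinstance(value, str) and PLACEHOLDER.match(value) is not None


def parse_flat_yaml(text: str) -> Dict[str, Union[None, str, List[str]]]:
    """Parse the flat 'key: value' subset used by remote.yaml (deliberately not a full YAML parser)."""
    out: Dict[str, Union[None, str, List[str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and surrounding whitespace
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if value in ("", "null", "~"):
            out[key] = None                           # YAML null
        elif value.startswith("[") and value.endswith("]"):
            out[key] = [v.strip() for v in value[1:-1].split(",") if v.strip()]
        else:
            out[key] = value.strip("'\"")
    return out


def parse_jaas(text: str) -> Dict[str, Dict[str, str]]:
    """Return {entry_name: {"module": ..., "flag": ..., option: value, ...}} for each JAAS entry.
    Options are split on whitespace, so quoted values containing spaces are not supported."""
    entries: Dict[str, Dict[str, str]] = {}
    for name, body in re.findall(r"(\w+)\s*\{(.*?)\};", text, flags=re.S):
        tokens = body.strip().rstrip(";").split()
        if len(tokens) < 2:
            continue
        opts = {"module": tokens[0], "flag": tokens[1]}
        for tok in tokens[2:]:
            key, _, val = tok.partition("=")
            opts[key] = val.strip('"')
        entries[name] = opts
    return entries


def check_kerberos_setup(remote_yaml: str, jaas_text: str,
                         keytab_mode: Optional[int] = None) -> List[str]:
    """Return a list of findings; an empty list means the two fragments are consistent."""
    findings: List[str] = []
    cfg = parse_flat_yaml(remote_yaml)
    jaas = parse_jaas(jaas_text)

    # With Kerberos the identity comes from the JAAS entry; username/password must stay null.
    for key in ("username", "password"):
        if cfg.get(key) is not None:
            findings.append(f"{key} is set; leave it null when authenticating with Kerberos")

    hosts = cfg.get("hosts") or []
    if isinstance(hosts, str):
        hosts = [hosts]
    if not hosts or any(is_placeholder(h) for h in hosts):
        findings.append("hosts is empty or still contains a placeholder")

    protocol = cfg.get("protocol")
    if not protocol or is_placeholder(protocol):
        findings.append("protocol is missing or a placeholder; it must match service_principal in dse.yaml")

    entry_name = cfg.get("jaasEntry")
    if not isinstance(entry_name, str) or not entry_name:
        findings.append("jaasEntry is missing")
        return findings
    entry = jaas.get(entry_name)
    if entry is None:
        findings.append(f"JAAS file has no entry named {entry_name}")
        return findings

    if not entry["module"].endswith("Krb5LoginModule"):
        findings.append(f"{entry_name} does not use Krb5LoginModule")
    use_keytab = entry.get("useKeyTab") == "true"
    use_cache = entry.get("useTicketCache") == "true"
    if not (use_keytab or use_cache):
        findings.append(f"{entry_name} enables neither useKeyTab nor useTicketCache")
    if use_keytab:
        keytab = entry.get("keyTab")
        if not keytab or is_placeholder(keytab):
            findings.append("useKeyTab=true but keyTab is missing or a placeholder")
        elif keytab_mode is not None and keytab_mode & 0o077:   # any group/other permission bit
            findings.append(f"keytab {keytab} is accessible to group/other (mode {keytab_mode:o}); restrict it to the owner")
    return findings


if __name__ == "__main__":
    for finding in check_kerberos_setup(GOOD_REMOTE_YAML, GOOD_JAAS) or ["no findings"]:
        print(finding)
```

To run it against a real installation, read the remote.yaml and JAAS files from the paths in step 1 and pass `os.stat(keytab).st_mode & 0o777` as keytab_mode; the keytab check is the one most often missed, because a world-readable keytab lets any local user obtain tickets for the console's principal.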
Other authentication options for Graph and Gremlin console
For information about other ways to secure Graph data or the Gremlin console:
- Internal auth: see Setting up logins and users.
- LDAP: see Defining an LDAP scheme and the ldap_options key in dse.yaml. Also refer to Adding roles for LDAP groups.
- Roles: see Controlling access to DataStax Graph keyspaces to control access to DSE Graph keyspaces and tables.
- Encryption:
  - TDE: see how to encrypt data in DSE Graph index tables using Transparent Data Encryption (TDE).
  - SSL: see Configuring SSL for client-to-node connections to encrypt database connections for in-flight DSE Graph data.
- JMX: see Configuring JMX authentication and Configuring JMX on the server side.