Using DSE Graph and Gremlin Console with Kerberos

To run DataStax Enterprise (DSE) Graph in a secure environment with Kerberos authentication, configure Graph remote.yaml properties.

For related details, see remote.yaml configuration file.

  1. Locate the dse.yaml and remote.yaml configuration files. The location of these file depend on the type of installation:

    Filename Location


    Package installations: /etc/dse/dse.yaml

    Tarball installations: <installation_location>/resources/dse/conf/dse.yaml


    Package installations: /etc/dse/graph/gremlin-console/conf/remote.yaml

    Tarball installations: <installation_location>/resources/graph/gremlin-console/conf/remote.yaml

  2. Set the following Kerberos parameters in remote.yaml:

    hosts: [<KMS_hostname>]
                            username: *null*
                            password: *null*
                            jaasEntry: DseClient
                            # protocol is the the same as the service_principal set in dse.yaml
                            protocol: <kerberos_principal_name>

    Leave the username and password values for Kerberos unset (null). The connector ignores null username and ` null password` parameters.

  3. Create a JAAS configuration file for DseClient that defines whether to use a keytab or ticket cache.

    The default JAAS config file and location is ~/.java.login.config.

    • Ticket cache

       DseClient {
    • Keytab file

  4. Optional: To use an alternate file name or location for the JAAS configuration file, add it to the system properties using an environment variable before starting the Gremlin console:

    export JAVA_OPTIONS="$JAVA_OPTIONS<path_to_file>"

    Required if the file is not in the default location, ~/.java.login.config.

    For related information, see Defining a Kerberos scheme.

Other authentication options for Graph and Gremlin console

For information about other ways to secure Graph data or the Gremlin console:

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2024 DataStax | Privacy policy | Terms of use

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000,