OpsCenter can use Kerberos to authenticate to DataStax Enterprise clusters. If a
DataStax Enterprise cluster uses Kerberos authentication, you need to create and configure
the OpsCenter principals before adding the cluster to OpsCenter.
address.yaml
The location of the address.yaml file depends on the type of installation:
- Package installations: /var/lib/datastax-agent/conf/address.yaml
- Tarball installations: install_location/conf/address.yaml

cluster_name.conf
The location of the cluster_name.conf file depends on the type of installation:
- Package installations: /etc/opscenter/clusters/cluster_name.conf
- Tarball installations: install_location/conf/clusters/cluster_name.conf

Procedure
- Create an opscenterd principal and register it with DataStax Enterprise.
  $ cqlsh
  cqlsh> create user 'opscenterd/Kerberos host@Kerberos domain';
  To view the users who are on the node, run the list users command in cqlsh.
  $ cqlsh
  cqlsh> list users;
- Create service principals for the OpsCenter agent user running on each node and register them with DataStax Enterprise. The default user name is cassandra.
  $ cqlsh
  cqlsh> create user 'cassandra/Kerberos host@Kerberos domain';
  Note: If you need to run the agent as a user other than cassandra, see setting permissions to run the agent as a different user.
- Create keytabs for the cassandra principals and move them to the location of the datastax-agent directory on each node.
- Change the owner of the keytabs and the /datastax-agent directory to the cassandra user.
  The following example changes ownership of the /datastax-agent directory and keytabs for the default location in a package installation. Replace the paths below with your configured keytab location as appropriate for your installation type.
  $ sudo chown cassandra /usr/share/datastax-agent /usr/share/datastax-agent/krb5.keytab
- When adding the cluster as described in adding an existing cluster, select DSE security (kerberos) is enabled on my cluster.
  The Kerberos fields expand.
- Enter the information as applicable to your environment.
  - Enter the service name. For example, if the server principal on your nodes is dse/nodeX.example.com@EXAMPLE.COM, this field should be dse.
  - Enter the client principal for the OpsCenter process/machine to use. Example: opscenterd@YOUR_REALM.
  - Enter the location of the keytab on the OpsCenter machine, which contains credentials for the opscenter_client_principal.
  - Enter the client principal for the DataStax Agent process/machine to use. Example: agent@YOUR_REALM.
  - Enter the location of the keytab on the DataStax Agent machines, which contains credentials for the agent_client_principal. Example: /path/to/keytab.keytab.
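
The keytab ownership step above can be verified on each node before the cluster is added. The following shell function is an added example, not part of the original DataStax procedure: it checks that the keytab and its directory belong to the agent user. The function name check_keytab and the group/other permission checks are assumptions added here, on the basis that a keytab holds long-term keys and should be readable only by its owner.

```shell
#!/bin/sh
# Added example (not DataStax code): audit an agent keytab after the chown step.
# Usage: check_keytab KEYTAB [OWNER]    OWNER is a user name or a numeric uid.
# Returns 0 when every check passes, 1 otherwise; findings go to stdout.

# Mode string and numeric owner uid of a path, read from POSIX "ls -ldn".
mode_of() { ls -ldn -- "$1" | awk '{print $1}'; }
uid_of()  { ls -ldn -- "$1" | awk '{print $3}'; }

check_keytab() {
    keytab=$1
    owner=${2:-cassandra}        # default agent user named in the procedure
    rc=0

    # Resolve the expected owner to a uid so names and numbers both work.
    case $owner in
        ''|*[!0-9]*) want=$(id -u "$owner" 2>/dev/null) ||
                         { echo "FAIL: unknown user $owner"; return 1; } ;;
        *)           want=$owner ;;
    esac

    # The keytab must be a regular file, not a symlink or a missing path.
    if [ -L "$keytab" ] || [ ! -f "$keytab" ]; then
        echo "FAIL: $keytab is not a regular file"; return 1
    fi

    # From the procedure: keytab and its directory are owned by the agent user.
    dir=$(dirname -- "$keytab")
    for path in "$keytab" "$dir"; do
        uid=$(uid_of "$path")
        [ "$uid" = "$want" ] ||
            { echo "FAIL: $path owned by uid $uid, expected $want"; rc=1; }
    done

    # Assumption added here: no group/other access to the keytab itself.
    case $(mode_of "$keytab") in
        ????------*) ;;
        *) echo "FAIL: $keytab is accessible to group or others"; rc=1 ;;
    esac
    # Assumption added here: directory not writable by group or others,
    # otherwise the keytab could be replaced by another local user.
    case $(mode_of "$dir") in
        ?????-??-?*) ;;
        *) echo "FAIL: $dir is writable by group or others"; rc=1 ;;
    esac
    return $rc
}

# Run the audit when a keytab path is given on the command line.
if [ "$#" -gt 0 ]; then check_keytab "$@"; fi
```

For the default package location shown in the procedure, the call would be check_keytab /usr/share/datastax-agent/krb5.keytab cassandra.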