Configuring OpsCenter for Kerberos authentication

OpsCenter can use Kerberos to authenticate to DataStax Enterprise clusters. If a DataStax Enterprise cluster uses Kerberos authentication, you need to create and configure the OpsCenter principals before adding the cluster to OpsCenter.

Prerequisites

Configure DSE for Kerberos. For more information, see Authenticating a cluster with Kerberos in the DataStax Enterprise Documentation and review the Kerberos tutorial.

address.yaml 

The location of the address.yaml file depends on the type of installation:

  • Package installations: /var/lib/datastax-agent/conf/address.yaml
  • Tarball installations: install_location/conf/address.yaml

cluster_name.conf 

The location of the cluster_name.conf file depends on the type of installation:

  • Package installations: /etc/opscenter/clusters/cluster_name.conf
  • Tarball installations: install_location/conf/clusters/cluster_name.conf

Procedure

  1. Create an opscenterd principal and register it with DataStax Enterprise. Replace Kerberos host and Kerberos domain with the host name and Kerberos realm for your environment.
    $ cqlsh
    cqlsh> create user 'opscenterd/Kerberos host@Kerberos domain';

    To confirm that the principal was registered, list the users known to the node with the list users command in cqlsh:

    $ cqlsh
    cqlsh> list users;
  2. Create a service principal for the OpsCenter agent user on each node and register each one with DataStax Enterprise. The default agent user name is cassandra; use the host name of the node in the instance part of the principal.
    $ cqlsh
    cqlsh> create user 'cassandra/Kerberos host@Kerberos domain';
    Note: If you require running the agent as a different user than cassandra, see setting permissions to run the agent as a different user.
  3. Create a keytab for each cassandra principal and copy it to the datastax-agent directory on the corresponding node.
    Place the keytabs in the location configured for your environment. The default location is /usr/share/datastax-agent/krb5.keytab for package installations, or install_location/datastax-agent/krb5.keytab for tarball installations. The keytab path is configurable, either through the opscenterd_keytab_location setting in the [kerberos] section of cluster_name.conf or through the DataStax Agent configuration options in address.yaml.
  4. Change the owner of the keytab and of the datastax-agent directory to the cassandra user on each node. A keytab holds the long-term key for the principal, so it must also not be readable by other users on the node (mode 0600 is appropriate); the agent reads it at startup and needs no broader access.
    The following example changes ownership of the datastax-agent directory and keytab for the default location in a package installation. Replace the paths with your configured keytab location as appropriate for your installation type.
    $ sudo chown cassandra /usr/share/datastax-agent /usr/share/datastax-agent/krb5.keytab
  5. When adding the cluster as described in adding an existing cluster, select DSE security (kerberos) is enabled on my cluster.

    The Kerberos fields expand.

    Kerberos settings in the OpsCenter user interface

  6. Enter the information as applicable to your environment.
    1. Enter the service name. This is the primary of the DSE server principal: for example, if the server principal on your nodes is dse/nodeX.example.com@EXAMPLE.COM, this field should be dse.
    2. Enter the client principal for the OpsCenter process/machine to use. Example: opscenterd@YOUR_REALM.
    3. Enter the location of the keytab on the OpsCenter machine that contains credentials for the opscenter_client_principal.
    4. Enter the client principal for the DataStax Agent process/machine to use. Example: agent@YOUR_REALM.
    5. Enter the location of the keytab on the DataStax Agent machines that contains credentials for the agent_client_principal. Example: /path/to/keytab.keytab.
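The following pre-flight check is added here as a worked example; it is not part of OpsCenter, the DataStax Agent, or the DataStax documentation. It ties the procedure together: it parses the principal strings used in steps 1, 2 and 6, derives the service name the way step 6 describes (the primary of the DSE server principal), checks that all principals share one realm, reads opscenterd_keytab_location from the [kerberos] section of a cluster_name.conf (the only key the page names; the package-installation default path is taken from step 3), and audits a keytab for the ownership that step 4 sets plus a mode that keeps the key private. Every input is constructed inline; the self_check function creates a temporary file so the audit can be exercised without a cassandra account or a real keytab.

```python
"""Pre-flight check for the OpsCenter Kerberos setup (example only, not DataStax code)."""
import configparser
import os
import pwd
import re
import stat
import tempfile

# MIT Kerberos principal shape: primary[/instance]@REALM, e.g.
# dse/nodeX.example.com@EXAMPLE.COM or opscenterd@EXAMPLE.COM.
_PRINCIPAL_RE = re.compile(r"^(?P<primary>[^/@]+)(?:/(?P<instance>[^/@]+))?@(?P<realm>[^/@]+)$")

# Default agent keytab path for a package installation (step 3 above).
DEFAULT_AGENT_KEYTAB = "/usr/share/datastax-agent/krb5.keytab"


def parse_principal(principal):
    """Return (primary, instance, realm); instance is None for a client principal."""
    m = _PRINCIPAL_RE.match(principal)
    if not m:
        raise ValueError(f"malformed principal: {principal!r}")
    return m.group("primary"), m.group("instance"), m.group("realm")


def service_name_for(server_principal):
    """The 'service name' field of step 6 is the primary of the DSE server
    principal: dse/nodeX.example.com@EXAMPLE.COM -> 'dse'."""
    primary, instance, _realm = parse_principal(server_principal)
    if instance is None:
        raise ValueError("a DSE server principal must carry a host instance")
    return primary


def same_realm(*principals):
    """True when every principal names the same realm; a principal in the
    wrong realm is a frequent cause of a failed OpsCenter-to-DSE handshake."""
    realms = {parse_principal(p)[2] for p in principals}
    return len(realms) == 1


def keytab_path_from_conf(conf_text, default=DEFAULT_AGENT_KEYTAB):
    """Read opscenterd_keytab_location from the [kerberos] section of a
    cluster_name.conf; fall back to the supplied default when it is unset."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp.get("kerberos", "opscenterd_keytab_location", fallback=default)


def audit_keytab(path, expected_owner):
    """Return a list of problems with a keytab file (empty list means OK):
    missing, not owned by the agent user, or readable by group/others."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: keytab not found"]
    problems = []
    owner = pwd.getpwuid(st.st_uid).pw_name
    if owner != expected_owner:
        problems.append(f"{path}: owned by {owner}, expected {expected_owner}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path}: mode {stat.filemode(st.st_mode)} exposes the key; use chmod 600")
    return problems


def self_check():
    """Exercise audit_keytab on a constructed temporary file, owned by the
    current user so the ownership check can pass without a cassandra account."""
    me = pwd.getpwuid(os.getuid()).pw_name
    fd, path = tempfile.mkstemp(suffix=".keytab")
    os.close(fd)
    try:
        os.chmod(path, 0o644)                      # typical mistake after copying the file
        loose = audit_keytab(path, me)
        os.chmod(path, 0o600)                      # what step 4 should leave behind
        tight = audit_keytab(path, me)
        other = "cassandra" if me != "cassandra" else "nobody"
        wrong_owner = audit_keytab(path, other)    # owner mismatch is reported separately
    finally:
        os.unlink(path)
    missing = audit_keytab(path, me)               # file is gone now
    return (len(loose) == 1 and "chmod 600" in loose[0]
            and tight == []
            and len(wrong_owner) == 1 and "owned by" in wrong_owner[0]
            and missing == [f"{path}: keytab not found"])


if __name__ == "__main__":
    print("service name:", service_name_for("dse/nodeX.example.com@EXAMPLE.COM"))
    print("keytab:", keytab_path_from_conf("[kerberos]\nopscenterd_keytab_location = /etc/opscenter/krb5.keytab\n"))
    print("self-check:", "ok" if self_check() else "FAILED")
```

Run it on a node after step 4 with the real keytab path and expected_owner set to the agent user; a non-empty list from audit_keytab is the thing to fix before adding the cluster in step 5.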