Kerberos authentication with OpsCenter
OpsCenter can use Kerberos to authenticate to DataStax Enterprise clusters. Understanding Kerberos principal formatting is crucial for successfully configuring OpsCenter to use Kerberos authentication.
OpsCenter supports only one Kerberos configuration per cluster.
The Kerberos principal includes the host and IP address for the cluster.
For example, the IP address 192.168.1.102 might be mapped to the principal
This information is stored in a configuration file unique to the cluster, for example cluster_name.conf.
Each monitored cluster can have an associated cluster for storing metrics and other data. However, because OpsCenter supports only one Kerberos configuration per cluster, a separate Kerberos configuration cannot be specified for the storage cluster. Therefore, a single set of credentials cannot be used to authenticate to both the monitored cluster and the storage cluster.
A user in Kerberos is known as a principal, which is composed of three parts: primary, instance, and realm.
The realm is similar to a domain, and each principal is fully qualified with the name of the realm.
In the following examples, the realm is EXAMPLE.COM.
The first part of the principal (primary) represents a specific identity within the realm, which is typically a user.
For example, user123@EXAMPLE.COM represents a user named user123 that belongs to a realm named EXAMPLE.COM.
The instance is an optional component of the principal that users can specify to define a host where the service runs.
For example, service456/server.example.com@EXAMPLE.COM indicates a principal for service456, which runs on the server.example.com host, in the EXAMPLE.COM realm.
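The principal format described above, as an added example that is not part of the original page or of OpsCenter: a Python parser that splits a principal into primary, instance and realm and flags mistakes worth checking before the value goes into a cluster configuration file. The names parse_principal and lint are hypothetical, treating a backslash as an escape for the next character is an assumption of this example, and only the primary[/instance]@REALM shape from this page is accepted.

```python
# Added example (not OpsCenter code): parse and sanity-check a Kerberos principal.
from typing import List, NamedTuple, Optional


class Principal(NamedTuple):
    primary: str
    instance: Optional[str]
    realm: str


def parse_principal(text: str) -> Principal:
    """Parse primary[/instance]@REALM; a backslash escapes the next character."""
    fields: List[List[str]] = [[]]  # name components first, realm last
    seen_at = False
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            if i + 1 == len(text):
                raise ValueError("dangling backslash")
            fields[-1].append(text[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == "@":
            if seen_at:
                raise ValueError("more than one unescaped '@'")
            seen_at = True
            fields.append([])  # everything after '@' is the realm
        elif ch == "/" and not seen_at:
            fields.append([])  # separator between primary and instance
        else:
            fields[-1].append(ch)
        i += 1
    if not seen_at:
        raise ValueError("principal is not qualified with a realm")
    *name, realm = ["".join(f) for f in fields]
    if len(name) > 2 or not all(name) or not realm:
        raise ValueError("expected primary[/instance]@REALM with no empty part")
    return Principal(name[0], name[1] if len(name) == 2 else None, realm)


def lint(p: Principal) -> List[str]:
    """Return warnings for mistakes that commonly break Kerberos logins."""
    warnings = []
    if p.realm != p.realm.upper():
        warnings.append("realm is case-sensitive and conventionally upper case")
    if p.instance is not None and "." not in p.instance:
        warnings.append("service instance is not a fully qualified host name")
    return warnings
```

Run lint on the parsed result before saving a principal; an empty list means neither check fired.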