Kerberos authentication with OpsCenter
OpsCenter can use Kerberos to authenticate to DataStax Enterprise clusters. Understanding Kerberos principal formatting is crucial for successfully configuring OpsCenter to use Kerberos authentication.
OpsCenter supports only one Kerberos configuration per cluster.
The Kerberos principal includes the host and IP address for the cluster.
For example, the IP address 192.168.1.102 might be mapped to the principal cassandra@EXAMPLE.COM.
This information is stored in a configuration file unique to the cluster, for example cluster_name.conf.
Each monitored cluster can have an associated cluster for storing metrics and other data. However, because OpsCenter supports only one Kerberos configuration per cluster, a separate Kerberos configuration cannot be specified for the storage cluster. Therefore, a single set of credentials cannot be used to authenticate to both the monitored cluster and the storage cluster.
Kerberos principal formatting
A user in Kerberos is known as a principal, which is composed of three parts: primary, instance, and realm.
The realm is similar to a domain, and each principal is fully qualified with the name of the realm.
In the following examples, the realm is EXAMPLE.COM.
The first part of the principal (primary) represents a specific identity within the realm, which is typically a user.
For example, user123@EXAMPLE.COM represents a user named user123 that belongs to a realm named EXAMPLE.COM.
The instance is an optional component of the principal that users can specify to define a host where the service runs.
For example, service456/server.example.com@EXAMPLE.COM indicates a principal for service456, which runs on the server.example.com host, in the EXAMPLE.COM realm.
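The following is an added example, not code from OpsCenter or the DataStax documentation: a Python parser for the primary[/instance]@REALM format described above, plus a check for a mismatched realm (realm names are case-sensitive) and for an instance that is not a fully qualified host name. The names parse_principal and check_principal are hypothetical, the backslash quoting is a simplified form of MIT Kerberos name parsing, and treating every instance as a host name is an assumption taken from this page's description.

```python
from typing import NamedTuple, Optional
# Hypothetical helpers for illustration; not part of OpsCenter.
class Principal(NamedTuple):
    primary: str
    instance: Optional[str]
    realm: str

def parse_principal(text: str) -> Principal:
    """Parse primary[/instance]@REALM; a backslash quotes the next character."""
    name_parts, buf, in_realm, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            i += 1
            if i >= len(text):
                raise ValueError("dangling backslash")
            buf.append(text[i])
        elif ch == "@":
            if in_realm:
                raise ValueError("more than one unescaped '@'")
            name_parts.append("".join(buf))
            buf, in_realm = [], True
        elif ch == "/" and not in_realm:
            name_parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if not in_realm or not buf:
        raise ValueError("principal is not qualified with a realm")
    # Only the three-part form described on this page is accepted.
    if len(name_parts) > 2 or not all(name_parts):
        raise ValueError("expected primary[/instance]@REALM")
    instance = name_parts[1] if len(name_parts) == 2 else None
    return Principal(name_parts[0], instance, "".join(buf))

def check_principal(text: str, expected_realm: str) -> list:
    """Return the problems found; an empty list means none."""
    try:
        p = parse_principal(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if p.realm != expected_realm:  # realm names are case-sensitive
        problems.append(f"realm {p.realm!r} is not {expected_realm!r}")
    if p.instance is not None and "." not in p.instance:
        problems.append(f"instance {p.instance!r} is not a fully qualified host")
    return problems
```

Running check_principal over each principal before it goes into cluster_name.conf catches a lowercase realm or a short host name before authentication fails at connection time.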