Providing credentials for DSE Graph

To run DataStax Enterprise Graph with DSE Unified Authentication, configure a user name and password or Kerberos in the Graph remote.yaml.

dse.yaml

The location of the dse.yaml file depends on the type of installation:

Package installations
Installer-Services installations

/etc/dse/dse.yaml

Tarball installations
Installer-No Services installations

installation_location/resources/dse/conf/dse.yaml

remote.yaml

The location of the remote.yaml file depends on the type of installation:

Package installations
Installer-Services installations

/etc/dse/graph/gremlin-console/conf/remote.yaml

Tarball installations
Installer-No Services installations

installation_location/resources/graph/gremlin-console/conf/remote.yaml

Procedure

  • Use Kerberos guidelines for DSE Graph in production.
    Authenticate DSE Graph users with Kerberos authentication using Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO). To use Kerberos authentication and SSL encryption with the Gremlin console, modify the remote.yaml to include the following:
    hosts: [hostname-because-it's-kerberos]
    username: null
    password: null
    jaasEntry: DseClient 
    # protocol is the same as the service_principal set in dse.yaml
    protocol: your_dse_principal 
    connectionPool: {enableSsl: true}
    A password set to null is ignored in the remote.yaml.
  • To configure Graph for internal or LDAP authentication with DSE Unified Authentication:
    Enter credentials in the remote.yaml file to use the Gremlin console. For instance, the following lines are added:
    username: realuser
    password: password
    connectionPool: {enableSsl: false}
    A password is required for internal or LDAP authentication.
    Note: DSE has a credential cache, and its settings can greatly affect the performance of graph queries. The critical setting in the dse.yaml file is credentials_validity_in_ms. Setting it to 0 causes DSE to re-authenticate the user on every operation that requires authentication. An additional setting, search_validity_in_seconds, performs better if set to a higher value, such as 30 minutes.
  • Set an environment variable to pass the JAAS configuration file location to the Gremlin console:
    export JAVA_OPTIONS=-Djava.security.auth.login.config=$HOME/jaas.config; dse gremlin-console
    Note: Required when the jaas.config file is not in the default location.
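
A check for the two remote.yaml variants above, as an added example that is not part of the DataStax documentation: it flags a non-null password combined with enableSsl not set to true, and a password-bearing file whose permission bits allow group or other access. The sample contents, the hostname, and the finding names are constructed for illustration, and the line matching covers only the flat keys shown on this page.

```python
import os
import re
import stat

# Flat "key: value" lines as shown on this page; this is not a full YAML parser.
_KEY = re.compile(r"^\s*(username|password|jaasEntry)\s*:\s*(.*?)(?:\s+#.*)?\s*$")
_SSL = re.compile(r"\benableSsl\s*:\s*(true|false)\b", re.IGNORECASE)

# Constructed samples mirroring the two remote.yaml variants on this page.
KERBEROS_SAMPLE = """\
hosts: [graph-node.example.com]
username: null
password: null
jaasEntry: DseClient
connectionPool: {enableSsl: true}
"""
PASSWORD_SAMPLE = """\
username: realuser
password: password
connectionPool: {enableSsl: false}
"""

def audit_settings(text, mode):
    """Return findings for remote.yaml content and its permission bits."""
    settings, ssl = {}, False
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # whole-line comments carry no settings
        key = _KEY.match(line)
        if key:
            settings[key.group(1)] = key.group(2).strip("'\"")
        flag = _SSL.search(line)
        if flag:
            ssl = flag.group(1).lower() == "true"
    findings = []
    # A null password is ignored by the console, so only a real value counts.
    if settings.get("password", "null") not in ("", "null", "~"):
        if not ssl:
            findings.append("password-without-ssl")
        if mode & 0o077:
            findings.append("password-file-not-owner-only")
    return findings

def audit_remote_yaml(path):
    """Audit a remote.yaml on disk using its actual permission bits."""
    with open(path, encoding="utf-8") as fh:
        return audit_settings(fh.read(), stat.S_IMODE(os.stat(path).st_mode))
```

Call audit_remote_yaml with the remote.yaml path for your installation type; an empty list means neither condition was found.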