Using DSE Graph and Gremlin console with Kerberos

Configure Kerberos authentication in the Graph remote.yaml.

To run DataStax Enterprise (DSE) Graph in a secure environment with Kerberos authentication, configure Graph remote.yaml properties.
Note: For related details, see remote.yaml configuration file.

dse.yaml

The location of the dse.yaml file depends on the type of installation:

Package installations and Installer-Services installations:
    /etc/dse/dse.yaml

Tarball installations and Installer-No Services installations:
    installation_location/resources/dse/conf/dse.yaml

remote.yaml

The location of the remote.yaml file depends on the type of installation:

Package installations and Installer-Services installations:
    /etc/dse/graph/gremlin-console/conf/remote.yaml

Tarball installations and Installer-No Services installations:
    installation_location/resources/graph/gremlin-console/conf/remote.yaml

  1. Set the following Kerberos parameters in remote.yaml:
    hosts: [KMS_hostname]
    username: null
    password: null
    jaasEntry: DseClient
    # protocol is the same as the service_principal set in dse.yaml
    protocol: kerberos_principal_name
    Note: Leave the username and password values for Kerberos unset (null). The connector ignores null username and password parameters.
  2. Create a JAAS configuration file for DseClient that defines whether to use a keytab or ticket cache.
    Note: The default JAAS config file and location is ~/.java.login.config.
    • Ticket cache
      DseClient {
        com.sun.security.auth.module.Krb5LoginModule required
          useTicketCache=true
          renewTGT=true;
      };
    • Keytab file
      DseClient {
        com.sun.security.auth.module.Krb5LoginModule required
          refreshKrb5Config=true
          useKeyTab=true
          keyTab="file_path"
          useTicketCache=false;
      };
  3. (Optional) To use an alternate file name or location for the JAAS configuration file, add it to the system properties using an environment variable before starting the Gremlin console:
    export JAVA_OPTIONS="$JAVA_OPTIONS -Djava.security.auth.login.config=path_to_file"
    Note: Required if the file is not in the default location, ~/.java.login.config.
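
A pre-flight check for the JAAS file from steps 2 and 3, as an added example that is not DataStax code: it confirms that a DseClient entry exists and uses Krb5LoginModule and, for keytab logins, that the keytab is readable. The owner-only permission check on the keytab and the names check_jaas and demo are assumptions of this example, and the demo files are constructed.

```shell
#!/bin/sh
# Added example, not DataStax code: pre-flight check of the DseClient JAAS entry.
# check_jaas [FILE] returns 0 when the entry looks usable, 1 otherwise.
check_jaas() {
  jaas="${1:-$HOME/.java.login.config}"   # default location named on this page
  [ -r "$jaas" ] || { echo "FAIL: cannot read $jaas"; return 1; }
  # Isolate the "DseClient { ... };" block; other JAAS entries are ignored.
  entry=$(sed -n '/^[[:space:]]*DseClient[[:space:]]*{/,/}[[:space:]]*;/p' "$jaas")
  [ -n "$entry" ] || { echo "FAIL: no DseClient entry in $jaas"; return 1; }
  printf '%s\n' "$entry" | grep -q 'Krb5LoginModule' ||
    { echo "FAIL: DseClient does not use Krb5LoginModule"; return 1; }
  if printf '%s\n' "$entry" | grep -Eq 'useKeyTab[[:space:]]*=[[:space:]]*true'; then
    keytab=$(printf '%s\n' "$entry" |
      sed -n 's/.*keyTab[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1)
    [ -n "$keytab" ] || { echo "FAIL: useKeyTab=true but no keyTab path"; return 1; }
    [ -r "$keytab" ] || { echo "FAIL: keytab $keytab is not readable"; return 1; }
    # Assumption added here: a keytab holds long-term keys, so require owner-only access.
    mode=$(ls -lLd "$keytab" | cut -c5-10)   # group and other permission bits
    [ "$mode" = "------" ] ||
      { echo "FAIL: keytab $keytab is accessible to group/other"; return 1; }
    echo "OK: keytab login, $keytab is owner-only"
  elif printf '%s\n' "$entry" | grep -Eq 'useTicketCache[[:space:]]*=[[:space:]]*true'; then
    echo "OK: ticket cache login"
  else
    echo "FAIL: neither useKeyTab nor useTicketCache is true"; return 1
  fi
}

# Constructed demo: a throwaway JAAS file and an empty stand-in keytab in a temp dir.
demo() {
  d=$(mktemp -d) && : > "$d/dse.keytab" && chmod 600 "$d/dse.keytab"
  cat > "$d/jaas.conf" <<EOF
DseClient {
  com.sun.security.auth.module.Krb5LoginModule required
    refreshKrb5Config=true
    useKeyTab=true
    keyTab="$d/dse.keytab"
    useTicketCache=false;
};
EOF
  check_jaas "$d/jaas.conf"; rc=$?          # passes: keytab is mode 600
  chmod 644 "$d/dse.keytab"                 # loosen permissions on purpose
  check_jaas "$d/jaas.conf" || echo "(expected: loose keytab permissions rejected)"
  rm -rf "$d"; return $rc
}
demo
```

To check a real configuration, call check_jaas with the path passed in -Djava.security.auth.login.config, or with no argument for ~/.java.login.config.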

For related information, see Defining a Kerberos scheme.

Other authentication options for Graph and Gremlin console

For information about other ways to secure Graph data or the Gremlin console: