Defining a Kerberos scheme

Configure DataStax Enterprise nodes to use Kerberos authentication.

1. On each node, edit the cassandra.yaml file to set the authenticator to the DSE Authenticator.

   authenticator: com.datastax.bdp.cassandra.auth.DseAuthenticator

2. Set the rpc_address and listen_address to the IP address. Do not use localhost or the hostname.

   rpc_address: 100.200.182.1
   listen_address: 100.200.182.1

3. On each node, edit the dse.yaml file:
   1. Set Kerberos as default or other scheme in the authentication options:

      authentication_options:
          enabled: false
          default_scheme: kerberos
          other_schemes:
              - internal
          scheme_permissions: true
          allow_digest_with_kerberos: true
          plain_text_without_ssl: warn
          transitional_mode: disabled

      Note: When initially enabling authentication, specify the internal scheme as the default or other. After restarting DSE, to establish roles requires using the internal default cassandara account.

      Table 1. authentication_options

      Option	Description
      /en/dse/5.1/dse-admin/datastax_enterprise/config/configDseYaml.html#configDseYaml__auth_enabled	Turns on authentication using the default scheme.
      default_scheme	Specifies the authentication scheme when not defined in the connection: internal - Plain text authentication using internal login role with password, supply the role name and password as credentials. No additional configuration required. ldap - Plain text authentication using pass-through LDAP authentication. See Defining an LDAP scheme. kerberos - GSSAPI authentication using the Kerberos authenticator. See Defining a Kerberos scheme.
      other_schemes	other_schemes Important: You cannot use other_schemes with DSE components that use Thrift, such as CFS and the CassandraHiveMetastore in Analytics datacenters. Only the default_scheme is used when using components that use Thrift drivers.
      scheme_permissions	Validate that the role mapped to user matches the authentication scheme. Grant the role permission to the scheme.
      allow_digest_with_kerberos	Allow Kerberos digest-md5 authentication.
      plain_text_without_ssl	Handling of plain text connection requests: block - Block the request with an authentication error. warn - Log a warning about the request but allow it to continue. Default. allow - Allow the request without any warning.
      transitional_mode	Sets the behavior when authentication fails and credentials are missing: permissive - Allow all connections that provide credentials. Maps authenticated superusers to their role AND maps all other users to anonymous. normal - Allow all connections that provide credentials. Maps all authenticated users to their role AND maps all other connections to anonymous. strict - Allow only authenticated connections that map to a login enabled role OR connections that provide a blank username and password as anonymous.

   2. Configure the Kerberos options.

      The options are located in the kerberos_options section.

      Example:

      kerberos_options:
         keytab: /etc/dse/dse.keytab 
         service_principal: dse/_HOST@REALM
         http_principal: HTTP/_HOST@REALM
         qop: auth

      Table 2. kerberos_options

      Option	Description
      keytab	The keytab file must contain the credentials for both of the fully resolved principal names, which replace _HOST with the FQDN of the host in the service_principal and http_principal settings. The UNIX user running DataStax Enterprise must also have read permissions on the keytab.
      service_principal	Sets the principals name for the DSE database and DSE Search (Solr) processes. Use the form dse/_HOST@REALM, where dse is the service name. Leave _HOST as is. This variable is used in dse.yaml. DataStax Enterprise automatically substitutes the FQDN of the host where it runs. Credentials must exist for this principal in the keytab file and readable by the user that Cassandra runs as, usually cassandra. The service_principal must be consistent everywhere: dse.yaml file keytab cqlshrc file (where it is separated into the service/hostname)
      http_principal	The http_principal is used by the Tomcat application container to run DSE Search. The Tomcat web server uses GSS-API mechanism (SPNEGO) to negotiate the GSSAPI security mechanism (Kerberos). Set REALM to the name of your Kerberos realm. In the Kerberos principal, REALM must be uppercase.
      qop	A comma-delimited list of Quality of Protection (QOP) values that clients and servers can use for each connection. The client can have multiple QOP values, while the server can have only a single QOP value. The valid values are: auth - Default: Authentication only. auth-int - Authentication plus integrity protection for all transmitted data. auth-conf - Authentication plus integrity protection and encryption of all transmitted data. Encryption using auth-conf is separate and independent of whether encryption is done using SSL. If both auth-conf and SSL are enabled, the transmitted data is encrypted twice. DataStax recommends choosing only one method and using it for both encryption and authentication.

      cassandra.yaml

      The location of the cassandra.yaml file depends on the type of installation:

      Package installations Installer-Services installations	/etc/dse/cassandra/cassandra.yaml
      Tarball installations Installer-No Services installations	installation_location/resources/cassandra/conf/cassandra.yaml

      dse.yaml

      The location of the dse.yaml file depends on the type of installation:

      Package installations Installer-Services installations	/etc/dse/dse.yaml
      Tarball installations Installer-No Services installations	installation_location/resources/dse/conf/dse.yaml

4. When adding a Kerberos scheme to an authentication enabled cluster, configure Kerberos roles before restarting DSE, see Managing roles.