Using DSE Graph and Gremlin console with Kerberos

Configure Kerberos authentication in the Graph remote.yaml.

To run DataStax Enterprise (DSE) Graph in a secure environment with Kerberos authentication, configure Graph remote.yaml properties.
Note: For related details, see remote.yaml configuration file.

remote.yaml

The location of the remote.yaml file depends on the type of installation:
  • Package installations: /etc/dse/graph/gremlin-console/conf/remote.yaml
  • Tarball installations: installation_location/resources/graph/gremlin-console/conf/remote.yaml

dse.yaml

The location of the dse.yaml file depends on the type of installation:
  • Package installations: /etc/dse/dse.yaml
  • Tarball installations: installation_location/resources/dse/conf/dse.yaml

  1. Set the following Kerberos parameters in remote.yaml:
    hosts: [KMS_hostname]
    username: null
    password: null
    jaasEntry: DseClient
    # protocol is the same as the service_principal set in dse.yaml
    protocol: kerberos_principal_name
    Note: Leave the username and password values for Kerberos unset (null). The connector ignores null username and password parameters.
  2. Create a JAAS configuration file for DseClient that defines whether to use a keytab or ticket cache.
    Note: The default JAAS config file and location is ~/.java.login.config.
    • Ticket cache
      DseClient {
        com.sun.security.auth.module.Krb5LoginModule required
        useTicketCache=true
        renewTGT=true;
      };
    • Keytab file
      DseClient {
        com.sun.security.auth.module.Krb5LoginModule required
        refreshKrb5Config=true
        useKeyTab=true
        keyTab="file_path"
        useTicketCache=false;
      };
  3. (Optional) To use an alternate file name or location for the JAAS configuration file, add it to the system properties using an environment variable before starting the Gremlin console:
    export JAVA_OPTIONS="$JAVA_OPTIONS -Djava.security.auth.login.config=path_to_file"
    Note: Required if the file is not in the default location, ~/.java.login.config.
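
The following Python check is an added example, not DataStax code: it cross-checks the remote.yaml from step 1 against the JAAS file from step 2 and flags a keytab that is accessible to anyone other than its owner. The function names, the constructed sample strings and the mode 0600 expectation are assumptions of this example, and the parsers are minimal regex readers rather than full YAML or JAAS parsers.

```python
import os
import re
import stat
import tempfile

# Constructed sample inputs using the keys from step 1 and the keytab entry from step 2.
REMOTE_YAML = "hosts: [KMS_hostname]\nusername: null\npassword: null\njaasEntry: DseClient\n"
JAAS_KEYTAB = """DseClient {
  com.sun.security.auth.module.Krb5LoginModule required
  refreshKrb5Config=true useKeyTab=true keyTab="%s" useTicketCache=false;
};"""

def parse_flat_yaml(text):
    """Top-level 'key: value' pairs only, which is all this check reads from remote.yaml."""
    return dict(re.findall(r"^(\w+):[ \t]*([^#\n]*?)[ \t]*(?:#.*)?$", text, re.M))

def parse_jaas(text):
    """Return {entry: {option: value}}; option values containing spaces are not handled."""
    return {name: dict(re.findall(r'(\w+)\s*=\s*"?([^"\s;]+)"?', body))
            for name, body in re.findall(r"(\w+)\s*\{(.*?)\}\s*;", text, re.S)}

def audit(remote_yaml, jaas_text):
    """Return a list of findings; an empty list means the two files are consistent."""
    findings = []
    remote, jaas = parse_flat_yaml(remote_yaml), parse_jaas(jaas_text)
    for key in ("username", "password"):
        if remote.get(key, "null") not in ("null", "~", ""):
            findings.append(f"remote.yaml: {key} is set; leave it null for Kerberos")
    entry = remote.get("jaasEntry")
    opts = jaas.get(entry)
    if opts is None:
        return findings + [f"JAAS file has no entry named {entry!r}"]
    if opts.get("useKeyTab") == "true":
        path = opts.get("keyTab", "")
        if not os.path.isfile(path):
            findings.append(f"keyTab {path!r} does not exist")
        elif stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            findings.append(f"keyTab {path!r} is accessible to group or others; use mode 0600")
    elif opts.get("useTicketCache") != "true":
        findings.append(f"{entry}: neither useKeyTab nor useTicketCache is enabled")
    return findings

if __name__ == "__main__":
    with tempfile.NamedTemporaryFile(suffix=".keytab") as kt:  # empty stand-in for a keytab
        os.chmod(kt.name, 0o644)
        print(audit(REMOTE_YAML, JAAS_KEYTAB % kt.name))  # one finding: keytab mode
        os.chmod(kt.name, 0o600)
        print(audit(REMOTE_YAML, JAAS_KEYTAB % kt.name))  # no findings
```

To run it against a real installation, pass the contents of remote.yaml and of the JAAS file (by default ~/.java.login.config) to audit().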

For related information, see Defining a Kerberos scheme.

Other authentication options for Graph and Gremlin console

For information about other ways to secure Graph data or the Gremlin console: