Kerberos authentication with OpsCenter

OpsCenter can use Kerberos to authenticate to DataStax Enterprise clusters. Understanding Kerberos principal formatting is crucial for successfully configuring OpsCenter to use Kerberos authentication.

cluster_name.conf

The location of the cluster_name.conf file depends on the type of installation:
  • Package installations: /etc/opscenter/clusters/cluster_name.conf
  • Tarball installations: install_location/conf/clusters/cluster_name.conf

Important: OpsCenter supports only one Kerberos configuration per cluster.

OpsCenter keeps a per-node mapping from each node's host name and IP address to the Kerberos service principal that node is expected to present. For example, the IP address 192.168.1.102 might be mapped to the principal cassandra@EXAMPLE.COM. If the mapped principal does not match the principal the node actually holds in the KDC (a short host name where a fully qualified one is expected, or a realm in the wrong case), authentication to that node fails. This mapping is stored in the configuration file unique to the cluster, cluster_name.conf.

Each monitored cluster can have an associated cluster for storing metrics and other data. However, because OpsCenter supports only one Kerberos configuration per cluster, a separate Kerberos configuration cannot be specified for the storage cluster. Therefore, the single set of credentials configured for the monitored cluster is also used to authenticate to the storage cluster, and it must be valid in both.

Kerberos principal formatting

An identity in Kerberos, whether a user or a service, is known as a principal, which is composed of three parts: primary, instance, and realm. A realm is similar to a domain, and each principal is fully qualified with the name of its realm. Realm names are case-sensitive and by convention upper-case. In the following examples, the realm is EXAMPLE.COM.

The first part of the principal (primary) represents a specific identity within the realm, which is typically a user. For example, user123@EXAMPLE.COM represents a user named user123 that belongs to a realm named EXAMPLE.COM.

The instance is an optional component of the principal, separated from the primary by a slash. For a service principal it names the host where the service runs, normally as a fully qualified host name. For example, service456/server.example.com@EXAMPLE.COM indicates a principal for service456, which runs on the server.example.com host, in the EXAMPLE.COM realm.
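The following Python example, added here and not part of the OpsCenter product or the DataStax documentation, parses principal strings into primary, instance and realm exactly as described above (honouring the MIT Kerberos convention that a backslash quotes '/', '@' and '\\' inside a component) and then runs consistency checks over a constructed node-to-principal mapping of the kind the earlier section describes: every principal must parse, all nodes must share one realm (since OpsCenter supports only one Kerberos configuration per cluster), the realm should be upper-case, and an instance, when present, must match the node's host name. The mapping, host names and the `check_node_principals` helper are assumptions made for the example; the first entry mirrors the page's 192.168.1.102 to cassandra@EXAMPLE.COM example.

```python
"""Parse Kerberos principals (primary[/instance]@REALM) and sanity-check a
node -> service-principal mapping. Added example; not OpsCenter code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    primary: str
    instance: Optional[str]
    realm: str

    def __str__(self) -> str:
        # Re-escape separators so the string round-trips through parse_principal.
        name = _escape(self.primary)
        if self.instance is not None:
            name += "/" + _escape(self.instance)
        return f"{name}@{self.realm}"


def _escape(component: str) -> str:
    return component.replace("\\", "\\\\").replace("/", "\\/").replace("@", "\\@")


def parse_principal(text: str) -> Principal:
    """Split an unparsed principal into its components.

    Raises ValueError when the realm is missing or empty, the primary is
    empty, there is more than one instance, or a backslash dangles at the end.
    """
    parts: List[str] = [""]
    seps: List[str] = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            if i + 1 >= len(text):
                raise ValueError(f"{text!r}: dangling backslash")
            parts[-1] += text[i + 1]  # quoted character, not a separator
            i += 2
            continue
        if ch in "/@":
            seps.append(ch)
            parts.append("")
        else:
            parts[-1] += ch
        i += 1
    if seps.count("@") != 1 or seps[-1] != "@":
        raise ValueError(f"{text!r}: expected exactly one unescaped '@' followed by the realm")
    realm = parts[-1]
    name_parts = parts[:-1]
    if len(name_parts) > 2:
        raise ValueError(f"{text!r}: at most one instance component is allowed")
    primary = name_parts[0]
    instance = name_parts[1] if len(name_parts) == 2 else None
    if not primary or not realm or instance == "":
        raise ValueError(f"{text!r}: empty primary, instance or realm")
    return Principal(primary, instance, realm)


def is_valid_principal(text: str) -> bool:
    try:
        parse_principal(text)
        return True
    except ValueError:
        return False


def check_node_principals(mapping: Dict[str, Tuple[str, str]]) -> List[str]:
    """mapping: node IP -> (node FQDN, expected service principal).

    Returns a list of problems; an empty list means every principal parses,
    all nodes share one upper-case realm, and each instance matches its host.
    """
    problems: List[str] = []
    realms = set()
    for ip, (fqdn, text) in mapping.items():
        try:
            p = parse_principal(text)
        except ValueError as exc:
            problems.append(f"{ip}: {exc}")
            continue
        realms.add(p.realm)
        if p.realm != p.realm.upper():
            problems.append(f"{ip}: realm {p.realm!r} is not upper-case (realms are case-sensitive)")
        if p.instance is not None and p.instance.lower() != fqdn.lower():
            problems.append(f"{ip}: instance {p.instance!r} does not match host {fqdn!r}")
    if len(realms) > 1:
        problems.append(f"nodes span realms {sorted(realms)}; one Kerberos configuration per cluster")
    return problems


# Constructed sample mapping (hypothetical hosts, not a real deployment).
SAMPLE_NODES: Dict[str, Tuple[str, str]] = {
    "192.168.1.102": ("node1.example.com", "cassandra@EXAMPLE.COM"),
    "192.168.1.103": ("node2.example.com", "cassandra/node2.example.com@EXAMPLE.COM"),
    "192.168.1.104": ("node3.example.com", "cassandra/node3@EXAMPLE.COM"),  # short host name
    "192.168.1.105": ("node4.example.com", "cassandra/node4.example.com@example.com"),  # wrong case
}

if __name__ == "__main__":
    for line in check_node_principals(SAMPLE_NODES):
        print(line)
```

Run against the sample mapping it reports three problems: the short host name in node3's instance, the lower-case realm on node4, and the resulting split across two realms. Both of the first two are mismatches that a KDC will reject outright, so catching them in the configuration file before enabling Kerberos in OpsCenter saves a round of failed authentications.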