Kerberos authentication with OpsCenter
OpsCenter can use Kerberos to authenticate to DataStax Enterprise clusters. Understanding Kerberos principal formatting is crucial for successfully configuring OpsCenter to use Kerberos authentication.
OpsCenter can use Kerberos to authenticate to DataStax Enterprise clusters. Understanding Kerberos principal formatting is crucial for successfully configuring OpsCenter to use Kerberos authentication.
The
Kerberos principal includes the host and IP address for the cluster. For example, the IP
address 192.168.1.102 might be mapped to the principal cassandra@EXAMPLE.COM
.
This information is stored in a configuration file unique to the cluster. For example,
cluster_name.conf.
Each monitored cluster can have an associated cluster for storing metrics and other data. However, because OpsCenter supports only one Kerberos configuration per cluster, a separate Kerberos configuration cannot be specified for the storage cluster. Therefore, a single set of credentials cannot be used to authenticate to both the monitored cluster and the storage cluster.
Kerberos principal formatting
A user in Kerberos is known as a principal, which is composed of three parts:
primary, instance, and realm. Realm is similar to a domain, and each principal is fully
qualified with the name of the realm. In the following examples, the realm is
EXAMPLE.COM
.
The first part of the principal (primary) represents a specific identity within the realm,
which is typically a user. For example, user123@EXAMPLE.COM
represents a user
named user123
that belongs to a realm named EXAMPLE.COM
.
The instance is an optional component of the realm that users can specify to define a host
where the service runs. For example, service456/server.example.com@EXAMPLE.COM
indicates a principal for service456
, which runs on the
server.example.com
host, in the EXAMPLE.COM
realm.