Using DSE Graph and Gremlin console with Kerberos
Configure Kerberos authentication in the Graph remote.yaml.
To run DataStax Enterprise (DSE) Graph in a secure environment with Kerberos
authentication, configure Graph remote.yaml properties.
remote.yaml
The location of the remote.yaml file depends on the type of installation:
  Package installations | /etc/dse/graph/gremlin-console/conf/remote.yaml
  Tarball installations | installation_location/resources/graph/gremlin-console/conf/remote.yaml
dse.yaml
The location of the dse.yaml file depends on the type of installation:
  Package installations | /etc/dse/dse.yaml
  Tarball installations | installation_location/resources/dse/conf/dse.yaml
- Set the following Kerberos parameters in remote.yaml:
    hosts: [KMS_hostname]
    username: null
    password: null
    jaasEntry: DseClient
    # protocol is the same as the service_principal set in dse.yaml
    protocol: kerberos_principal_name
  Note: Leave the username and password values unset (null) for Kerberos. The connector ignores null username and password parameters; a non-null value is a static credential stored on disk that Kerberos never uses.
- Create a JAAS configuration file with a DseClient entry (the name set in jaasEntry) that defines whether the login uses a keytab or a ticket cache. Note: The default JAAS config file and location is ~/.java.login.config.
  - Ticket cache (a TGT must already be in the cache, for example from kinit, when the console starts):
    DseClient {
      com.sun.security.auth.module.Krb5LoginModule required
        useTicketCache=true
        renewTGT=true;
    };
  - Keytab file (restrict the keytab to the user running the console, for example mode 600; add principal="name@REALM" to select the keytab entry to log in with):
    DseClient {
      com.sun.security.auth.module.Krb5LoginModule required
        refreshKrb5Config=true
        useKeyTab=true
        keyTab="file_path"
        useTicketCache=false;
    };
- (Optional) To use an alternate file name or location for the JAAS configuration file, pass it as a system property through an environment variable before starting the Gremlin console:
    export JAVA_OPTIONS="$JAVA_OPTIONS -Djava.security.auth.login.config=path_to_file"
  Note: This step is required if the file is not in the default location, ~/.java.login.config.
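The steps above leave three things that must agree before the console will authenticate: remote.yaml must carry no static credential and must name a JAAS entry, that entry must exist in the JAAS file and require Krb5LoginModule, and the credential source it names (keytab or ticket cache) must actually be usable. The preflight script below checks all of that. It is an added example, not part of DSE or its documentation; it assumes remote.yaml uses the flat "key: value" lines shown on this page, that the JAAS file uses the Krb5LoginModule entries shown above, and (for ticket-cache mode only) that an MIT Kerberos klist is on the PATH.

```shell
#!/usr/bin/env bash
# Preflight check for the Kerberos client setup described on this page.
# Added helper, not part of DSE or its docs. Assumes: remote.yaml uses flat
# "key: value" lines, the JAAS file uses the Krb5LoginModule entries shown on
# this page, and (ticket-cache mode only) MIT Kerberos "klist -s" is available.

# yaml_value FILE KEY: print the scalar value of KEY, trailing comment removed.
yaml_value() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | sed 's/[[:space:]]*#.*$//' | head -n 1
}

# jaas_entry_body FILE ENTRY: print the lines between "ENTRY {" and the closing "};".
jaas_entry_body() {
  awk -v e="$2" '
    $0 ~ ("^[[:space:]]*" e "[[:space:]]*[{]") { inside = 1; next }
    inside && $0 ~ /^[[:space:]]*[}];/        { exit }
    inside                                    { print }
  ' "$1"
}

# check_kerberos_client REMOTE_YAML JAAS_CONF: returns 0 if the pair is usable,
# 1 otherwise, with one reason per line on stderr.
check_kerberos_client() {
  local remote="$1" jaas="$2" rc=0
  local user pass entry proto body keytab perms

  user=$(yaml_value "$remote" username)
  pass=$(yaml_value "$remote" password)
  entry=$(yaml_value "$remote" jaasEntry)
  proto=$(yaml_value "$remote" protocol)

  # Kerberos must not be combined with a static credential in remote.yaml.
  if [ -n "$user" ] && [ "$user" != "null" ]; then
    echo "username must be null for Kerberos, found: $user" >&2; rc=1
  fi
  if [ -n "$pass" ] && [ "$pass" != "null" ]; then
    echo "password must be null for Kerberos (a stored password is ignored but still on disk)" >&2; rc=1
  fi
  if [ -z "$proto" ]; then
    echo "protocol (the service principal name from dse.yaml) is not set" >&2; rc=1
  fi
  if [ -z "$entry" ]; then
    echo "jaasEntry is not set in $remote" >&2; return 1
  fi

  body=$(jaas_entry_body "$jaas" "$entry")
  if [ -z "$body" ]; then
    echo "JAAS entry '$entry' not found in $jaas" >&2; return 1
  fi
  if ! printf '%s\n' "$body" | grep -q 'Krb5LoginModule[[:space:]][[:space:]]*required'; then
    echo "entry '$entry' does not mark Krb5LoginModule as required" >&2; rc=1
  fi

  if printf '%s\n' "$body" | grep -q 'useKeyTab=true'; then
    keytab=$(printf '%s\n' "$body" | sed -n 's/.*keyTab="\([^"]*\)".*/\1/p' | head -n 1)
    if [ ! -r "$keytab" ]; then
      echo "keytab '$keytab' is missing or unreadable" >&2; rc=1
    else
      # A keytab is a long-lived credential: refuse group- or world-accessible modes.
      perms=$(stat -c %a "$keytab" 2>/dev/null || stat -f %Lp "$keytab")
      case "$perms" in
        *00) ;;
        *) echo "keytab '$keytab' has mode $perms; use 600" >&2; rc=1 ;;
      esac
    fi
  elif printf '%s\n' "$body" | grep -q 'useTicketCache=true'; then
    # Ticket-cache mode relies on a TGT obtained beforehand (kinit).
    if command -v klist >/dev/null 2>&1 && ! klist -s 2>/dev/null; then
      echo "ticket-cache mode but no valid TGT in the cache; run kinit first" >&2; rc=1
    fi
  else
    echo "entry '$entry' enables neither useKeyTab nor useTicketCache" >&2; rc=1
  fi
  return "$rc"
}

# Usage, run before launching the console:
#   check_kerberos_client /etc/dse/graph/gremlin-console/conf/remote.yaml ~/.java.login.config \
#     && dse gremlin-console
```

The mode check is deliberately strict: a keytab readable by the group or by everyone lets any local account that shares it obtain tickets as that principal, which is the Kerberos equivalent of leaking the password remote.yaml was told not to store.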
For related information, see Defining a Kerberos scheme.
Other authentication options for Graph and Gremlin console
For information about other ways to secure Graph data or the Gremlin console:
- Internal auth: see Setting up logins and users.
- LDAP: see Defining an LDAP scheme and the ldap_options key in dse.yaml. Also refer to Adding roles for LDAP groups.
- Roles: see Controlling access to Graph keyspaces to control access to DSE Graph keyspaces and tables.
- Encryption:
- TDE: to encrypt data in DSE Graph index tables, see Transparent Data Encryption (TDE).
- SSL: see Configuring SSL for client-to-node connections to encrypt database connections for inflight DSE Graph data.
- JMX: see Configuring JMX authentication and Configuring JMX on the server side.