Skip to content

G
Gpdb

Greenplum / Gpdb

通知 7
Star 1
Fork 0
G
Gpdb

体验新版 GitCode,发现更多精彩内容 >>

切换分支/标签
查找文件 普通视图历史永久链接Permalink
kerberos-lin-client.xml 8.5 KB
Newer Older
D
Removing docs for unix/windows connectivity packages, which are no longer provided (#2312)  
David Yozie 已提交
1 2 3 4 5 6 7 
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE topic PUBLIC "-//OASIS//DTD DITA Topic//EN" "topic.dtd">
<topic id="topic_j1d_4qz_rz">
  <title>Configuring Kerberos for Linux Clients</title>
  <shortdesc>You can configure Linux client applications to connect to a Greenplum Database system
    that is configured to authenticate with Kerberos.</shortdesc>
  <body>
C
Feature/kerberos setup edit (#5159)  
Chuck Litzell 已提交
8 
    <p>If your JDBC application on Red Hat Enterprise Linux uses Kerberos authentication when it
D
Removing docs for unix/windows connectivity packages, which are no longer provided (#2312)  
David Yozie 已提交
9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 
      connects to your Greenplum Database, your client system must be configured to use Kerberos
      authentication. If you are not using Kerberos authentication to connect to a Greenplum
      Database, Kerberos is not needed on your client system.</p>
    <ul id="ul_nmz_1rz_rz">
      <li id="kd158375">
        <xref href="#topic13" type="topic" format="dita"/>
      </li>
      <li id="kd158379">
        <xref href="#topic17" type="topic" format="dita"/>
      </li>
      <li id="kd158383">
        <xref href="#topic18" type="topic" format="dita"/>
      </li>
    </ul>
    <p>For information about enabling Kerberos authentication with Greenplum Database, see the
      chapter "Setting Up Kerberos Authentication" in the <i>Greenplum Database Administrator
        Guide</i>. </p>
  </body>
  <topic id="topic13" xml:lang="en">
    <title id="kd158392">Requirements</title>
    <body>
      <p>The following are requirements to connect to a Greenplum Database that is enabled with
        Kerberos authentication from a client system with a JDBC application.</p>
      <ul id="ul_hrb_crz_rz">
        <li id="kd158400">
          <xref href="#topic14" type="topic" format="dita"/>
        </li>
        <li id="kd158404">
          <xref href="#topic15" type="topic" format="dita"/>
        </li>
      </ul>
    </body>
    <topic id="topic14" xml:lang="en">
      <title id="kd158410">Prerequisites</title>
      <body>
        <ul id="ul_irb_crz_rz">
          <li id="kd158414">Kerberos must be installed and configured on the Greenplum Database
            master host. <note type="important">Greenplum Database must be configured so that a
              remote user can connect to Greenplum Database with Kerberos authentication.
              Authorization to access Greenplum Database is controlled by the
                <codeph>pg_hba.conf</codeph> file. For details, see "Editing the pg_hba.conf File"
              in the <i>Greenplum Database Administration Guide</i>, and also see the <i>Greenplum
                Database Security Configuration Guide</i>.</note></li>
          <li id="kd158429">The client system requires the Kerberos configuration file
              <codeph>krb5.conf</codeph> from the Greenplum Database master. </li>
          <li id="kd158433">The client system requires a Kerberos keytab file that contains the
            authentication credentials for the Greenplum Database user that is used to log into the
            database. </li>
          <li id="kd158440">The client machine must be able to connect to Greenplum Database master
            host. <p>If necessary, add the Greenplum Database master host name and IP address to the
              system <codeph>hosts</codeph> file. On Linux systems, the <codeph>hosts</codeph> file
              is in <codeph>/etc</codeph>.</p></li>
        </ul>
      </body>
    </topic>
    <topic id="topic15" xml:lang="en">
      <title id="kd158447">Required Software on the Client Machine</title>
      <body>
        <ul id="ul_jrb_crz_rz">
          <li id="kd158448">The Kerberos <codeph>kinit</codeph> utility is required on the client
            machine. The <codeph>kinit</codeph> utility is available when you install the Kerberos
            packages: <p>
              <ul id="ul_qkg_zhr_l4">
                <li>krb5-libs</li>
                <li>krb5-workstation</li>
              </ul>
              <note>When you install the Kerberos packages, you can use other Kerberos utilities
                such as <codeph>klist</codeph> to display Kerberos ticket information. </note>
            </p></li>
        </ul>
D
Docs - removing client & loader docs (#2656)  
David Yozie 已提交
79 80 
        <p>Java applications require this additional software:<ul id="ul_w5p_pxj_h1b">
            <li id="kd158450">Java JDK <p>Java JDK 1.7.0_17 is supported on Red Hat Enterprise Linux
D
DOCS: removing DDBoost from OSS build (#2677)  
David Yozie 已提交
81 
                6.x. </p></li>
D
Docs - removing client & loader docs (#2656)  
David Yozie 已提交
82 83 84 
            <li id="kd158455">Ensure that JAVA_HOME is set to the installation directory of the
              supported Java JDK. </li>
          </ul></p>
D
Removing docs for unix/windows connectivity packages, which are no longer provided (#2312)  
David Yozie 已提交
85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 
      </body>
    </topic>
  </topic>
  <topic id="topic17" xml:lang="en">
    <title id="kd158460">Setting Up Client System with Kerberos Authentication</title>
    <body>
      <p>To connect to Greenplum Database with Kerberos authentication requires a Kerberos ticket.
        On client systems, tickets are generated from Kerberos keytab files with the
          <codeph>kinit</codeph> utility and are stored in a cache file.</p>
      <ol id="ol_lrb_crz_rz">
        <li id="kd158467">Install a copy of the Kerberos configuration file
            <codeph>krb5.conf</codeph> from the Greenplum Database master. The file is used by the
          Greenplum Database client software and the Kerberos utilities. <p>Install
              <codeph>krb5.conf</codeph> in the directory <codeph>/etc</codeph>. </p><p>If needed,
            add the parameter <codeph>default_ccache_name</codeph> to the
              <codeph>[libdefaults]</codeph> section of the <codeph>krb5.ini</codeph> file and
            specify location of the Kerberos ticket cache file on the client system. </p></li>
        <li id="kd158474">Obtain a Kerberos keytab file that contains the authentication credentials
          for the Greenplum Database user. </li>
        <li id="kd158478">Run <codeph>kinit</codeph> specifying the keytab file to create a ticket
          on the client machine. For this example, the keytab file
            <codeph>gpdb-kerberos.keytab</codeph> is in the the current directory. The ticket cache
          file is in the <codeph>gpadmin</codeph> user home directory.
          <codeblock>&gt; kinit -k -t gpdb-kerberos.keytab -c /home/gpadmin/cache.txt 
   gpadmin/kerberos-gpdb@KRB.EXAMPLE.COM</codeblock></li>
      </ol>
    </body>
  </topic>
D
Docs - removing client & loader docs (#2656)  
David Yozie 已提交
113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 
  <topic id="topic12" xml:lang="en">
    <title id="mh151086">Running psql </title>
    <body>
      <p>From a remote system, you can access a Greenplum Database that has Kerberos authentication
        enabled. </p>
      <section id="mh151095">
        <title>To connect to Greenplum Database with psql</title>
        <ol id="ol_xzc_lxj_h1b">
          <li id="mh151096">As the gpadmin user, open a command window. </li>
          <li id="mh151099">Start <codeph>psql</codeph> from the command window and specify a
            connection to the Greenplum Database specifying the user that is configured with
            Kerberos authentication.<p>The following example logs into the Greenplum Database on the
              machine <codeph>kerberos-gpdb</codeph> as the <codeph>gpadmin</codeph> user with the
              Kerberos credentials
            <codeph>gpadmin/kerberos-gpdb</codeph>:</p><codeblock>$ psql -U "gpadmin/kerberos-gpdb" -h kerberos-gpdb postgres</codeblock></li>
        </ol>
      </section>
    </body>
  </topic>
D
Removing docs for unix/windows connectivity packages, which are no longer provided (#2312)  
David Yozie 已提交
132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 
  <topic id="topic18" xml:lang="en">
    <title id="kd158481">Running a Java Application </title>
    <body>
      <p>Accessing Greenplum Database from a Java application with Kerberos authentication uses the
        Java Authentication and Authorization Service (JAAS) </p>
      <ol id="ol_mrb_crz_rz">
        <li id="kd158486">Create the file <codeph>.java.login.config</codeph> in the user home
          folder. <p>For example, on a Linux system, the home folder is similar to
              <codeph>/home/gpadmin</codeph>. </p><p>Add the following text to the
          file:</p><codeblock>pgjdbc {
  com.sun.security.auth.module.Krb5LoginModule required
  doNotPrompt=true
  useTicketCache=true
  ticketCache = "/home/gpadmin/cache.txt"
  debug=true
  client=true;
};</codeblock></li>
        <li id="kd158493">Create a Java application that connects to Greenplum Database using
          Kerberos authentication and run the application as the user. </li>
      </ol>
      <p>This example database connection URL uses a PostgreSQL JDBC driver and specifies parameters
        for Kerberos authentication.</p>
      <codeblock>jdbc:postgresql://kerberos-gpdb:5432/mytest? 
  kerberosServerName=postgres&amp;jaasApplicationName=pgjdbc&amp; 
  user=gpadmin/kerberos-gpdb</codeblock>
      <p>The parameter names and values specified depend on how the Java application performs
        Kerberos authentication.</p>
    </body>
  </topic>
</topic>