From b133cfe175c51ff034e506c0c921ffed3194dacf Mon Sep 17 00:00:00 2001 From: Chuck Litzell Date: Thu, 21 Jun 2018 11:04:41 -0500 Subject: [PATCH] Feature/kerberos setup edit (#5159) * Edits to apply organizational improvements made in the HAWQ version, using consistent realm and domain names, and testing that procedures work. * Convert tasks to topics to fix formatting. Clean up pg_ident.conf topic. * Convert another task to topic * Remove extraneous tag * Formatting and minor edits * - added $ or # prompts for all code blocks - Reworked section "Mapping Kerberos Principals to Greenplum Database Roles" to describe, generally, a user's authentication process and to more clearly describe how principal name is mapped to gpdb name. * - add krb_realm auth param - add description of include_realm=1 for completeness --- .../dita/admin_guide/kerberos-lin-client.xml | 2 +- .../dita/admin_guide/kerberos-win-client.xml | 20 +- gpdb-doc/dita/admin_guide/kerberos.xml | 762 +++++++++--------- 3 files changed, 386 insertions(+), 398 deletions(-) diff --git a/gpdb-doc/dita/admin_guide/kerberos-lin-client.xml b/gpdb-doc/dita/admin_guide/kerberos-lin-client.xml index 9c8c74201a..9e84a52304 100644 --- a/gpdb-doc/dita/admin_guide/kerberos-lin-client.xml +++ b/gpdb-doc/dita/admin_guide/kerberos-lin-client.xml @@ -5,7 +5,7 @@ You can configure Linux client applications to connect to a Greenplum Database system that is configured to authenticate with Kerberos. -

If your JDBC application on RedHat Enterprise Linux uses Kerberos authentication when it +

If your JDBC application on Red Hat Enterprise Linux uses Kerberos authentication when it connects to your Greenplum Database, your client system must be configured to use Kerberos authentication. If you are not using Kerberos authentication to connect to a Greenplum Database, Kerberos is not needed on your client system.

diff --git a/gpdb-doc/dita/admin_guide/kerberos-win-client.xml b/gpdb-doc/dita/admin_guide/kerberos-win-client.xml index 28fe0e1c9f..0319bd38ca 100644 --- a/gpdb-doc/dita/admin_guide/kerberos-win-client.xml +++ b/gpdb-doc/dita/admin_guide/kerberos-win-client.xml @@ -14,13 +14,15 @@ href="kerberos.xml#topic1"/>.

- Configure Kerberos on Windows for Greenplum Database Clients + Configuring Kerberos on Windows for Greenplum Database + Clients -

When a Greenplum Database system is configured to authenticate with Kerberos, you can - configure Kerberos authentication for the Greenplum Database client utilities - gpload and psql on a Microsoft Windows system. The - Greenplum Database clients authenticate with Kerberos directly, not with Microsoft Active - Directory (AD).

+

When a Greenplum Database system is configured to authenticate with + Kerberos, you can configure Kerberos authentication for the Greenplum + Database client utilities gpload and + psql on a Microsoft Windows system. The Greenplum + Database clients authenticate with Kerberos directly, not with Microsoft + Active Directory (AD).

This section contains the following information.

- Active Directory Setup + Setting Up Active Directory

The AD naming convention should support multiple Greenplum Database systems. In this example, we create a new AD Managed Service Account svcPostresProd1 for our prod1 Greenplum Database system master host.
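Review bot: the unchanged context line in this hunk still spells the account name svcPostresProd1 (missing the g), while the rest of this file uses svcPostgresProd1 (the sample output further down reads "Service key for svcPostgresprod1 is saved in svcPostgresProd1.keytab"). Since this hunk is already retitling the same section, fix the name here as well, otherwise a reader creates a differently spelled managed service account than the later ktpass and keytab steps expect.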

@@ -332,7 +334,7 @@ Service key for svcPostgresprod1 is saved in svcPostgresProd1.keytab Files for JDK/JRE from Oracle.

- Greenplum Database Setup for Active Directory + Setting Up Greenplum Database for Active Directory

These instructions assume that the Kerberos workstation utilities krb5-workstation are installed on the Greenplum Database master host.

diff --git a/gpdb-doc/dita/admin_guide/kerberos.xml b/gpdb-doc/dita/admin_guide/kerberos.xml index c3833eb53f..bbde2a51bc 100644 --- a/gpdb-doc/dita/admin_guide/kerberos.xml +++ b/gpdb-doc/dita/admin_guide/kerberos.xml @@ -5,12 +5,14 @@ Using Kerberos Authentication You can control access to Greenplum Database with a Kerberos authentication server. -

Greenplum Database supports the Generic Security Service Application Program Interface - (GSSAPI) with Kerberos authentication. GSSAPI provides automatic authentication (single - sign-on) for systems that support it. You specify the Greenplum Database users (roles) that - require Kerberos authentication in the Greenplum Database configuration file - pg_hba.conf. The login fails if Kerberos authentication is not - available when a role attempts to log in to Greenplum Database.

+

Greenplum Database supports the Generic Security Service Application + Program Interface (GSSAPI) with Kerberos authentication. GSSAPI provides + automatic authentication (single sign-on) for systems that support it. You + specify the Greenplum Database users (roles) that require Kerberos + authentication in the Greenplum Database configuration file + pg_hba.conf. The login fails if Kerberos + authentication is not available when a role attempts to log in to + Greenplum Database.

Kerberos provides a secure, encrypted authentication service. It does not encrypt data exchanged between the client and database and provides no authorization services. To encrypt data exchanged over the network, you must use an SSL connection. To manage authorization for @@ -21,90 +23,332 @@

For more information about Kerberos, see http://web.mit.edu/kerberos/.

- Requirements for Using Kerberos with Greenplum Database -

The following items are required for using Kerberos with Greenplum Database:

+ Prerequisites +

Before configuring Kerberos authentication for Greenplum Database, + ensure that:

    -
  • Kerberos Key Distribution Center (KDC) server using the - krb5-server library
  • -
  • Kerberos version 5 krb5-libs and - krb5-workstation packages installed on the Greenplum Database master - host
  • -
  • Greenplum Database version with support for Kerberos
  • -
  • System time on the Kerberos server and Greenplum Database master host must be - synchronized. (Install Linux ntp package on both servers.)
  • -
  • Network connectivity between the Kerberos server and the Greenplum - Database master
  • -
  • Java 1.7.0_17 or later is required to use Kerberos-authenticated JDBC on - Red Hat Enterprise Linux 6.x
  • -
+
  • You can identify the KDC server you use for Kerberos + authentication and the Kerberos realm for your Greenplum Database + system.
      +
    • If you plan to use an MIT Kerberos KDC server but have not yet + configured it, see + for example instructions.
    • +
    • If you are using an existing Active Directory KDC server, also + ensure that you have:
        +
      • Installed all Active Directory service roles on your AD KDC + server.
      • +
      • Enabled the LDAP service.
      • +
    • +
  • +
  • System time on the Kerberos Key Distribution Center (KDC) server and + Greenplum Database master is synchronized. (For example, install the + ntp package on both servers.)
  • +
  • Network connectivity exists between the KDC server and + the Greenplum Database master host.
  • +
  • Java 1.7.0_17 or later is installed on all Greenplum + Database hosts. Java 1.7.0_17 is required to use + Kerberos-authenticated JDBC on Red Hat Enterprise Linux 6.x or + 7.x.
  • +
    - Enabling Kerberos Authentication for Greenplum Database -

    Complete the following tasks to set up Kerberos authentication with Greenplum Database:

    -
      -
    1. Verify your system satisfies the prequisites for using Kerberos with Greenplum Database. - See .
    2. -
    3. Set up, or identify, a Kerberos Key Distribution Center (KDC) server to - use for authentication. See .
    4. -
    5. In a Kerberos database on the KDC server, set up a Kerberos realm and principals on the - server. For Greenplum Database, a principal is a Greenplum Database role that uses - Kerberos authentication. In the Kerberos database, a realm groups together Kerberos - principals that are Greenplum Database roles.
    6. -
    7. Create Kerberos keytab files for Greenplum Database. - To access Greenplum Database, you create a service key known only by Kerberos and - Greenplum Database. On the Kerberos server, the service key is stored in the Kerberos - database.

      On the Greenplum Database master, the service key is stored in key tables, - which are files known as keytabs. The service keys are usually stored in the keytab file - /etc/krb5.keytab. This service key is the equivalent of the service's - password, and must be kept secure. Data that is meant to be read-only by the service is - encrypted using this key.

    8. -
    9. Install the Kerberos client packages and the keytab file on Greenplum - Database master.
    10. -
    11. Create a Kerberos ticket for gpadmin on the Greenplum - Database master node using the keytab file. The ticket contains the Kerberos - authentication credentials that grant access to the Greenplum Database.
    12. -
    -

    With Kerberos authentication configured on the Greenplum Database, you can use Kerberos for - PSQL and JDBC.

      -
    • -
    • -

    -

    You can also configure external authentication for clients running on a Microsoft Windows - system.

      -
    • Configure Kerberos authentication for the Greenplum Database client utilities - gpload and psql on a Microsoft Windows system. See - .
    • -
    • Configure a Microsoft Windows user with a Microsoft Active Directory (AD) account for - single sign-on to a Greenplum Database system. See .
    • -

    + Procedure +

    Following are the tasks to complete to set up Kerberos authentication for + Greenplum Database.

    +
      +
    • +
    • +
    • +
    • +
    • +
    • +
    • +
    - - Install and Configure a Kerberos KDC Server - Steps to set up a Kerberos Key Distribution Center (KDC) server on a Red Hat - Enterprise Linux host for use with Greenplum Database. - - Follow these steps to install and configure a Kerberos Key Distribution Center (KDC) - server on a Red Hat Enterprise Linux host. - - - Install the Kerberos server packages: - - sudo yum install krb5-libs krb5-server krb5-workstation - - - - Edit the /etc/krb5.conf configuration file. The following - example shows a Kerberos server with a default KRB.GREENPLUM.COM realm. - + + Creating Greenplum Database Principals in the KDC Database + +

    Create a service principal for the Greenplum Database service and a + Kerberos admin principal that allows managing the KDC database as the + gpadmin user.

    +
      +
    1. Log in to the Kerberos KDC server as the root user. + $ ssh root@<kdc-server>
    2. +
    3. Create a principal for the Greenplum Database service. + # kadmin.local -q "addprinc -randkey postgres/mdw@GPDB.KRB"

      The + -randkey option prevents the command from + prompting for a password.

      The postgres part + of the principal names matches the value of the Greenplum Database + krb_srvname server configuration parameter, which + is postgres by default.

      The host name part of + the principal name must match the output of the + hostname command on the Greenplum Database master + host. If the hostname command shows the fully + qualified domain name (FQDN), use it in the principal name, for + example postgres/mdw.example.com@GPDB.KRB. +

      The GPDB.KRB part of the principal name is + the Kerberos realm name.

    4. +
    5. Create a principal for the gpadmin/admin role. + # kadmin.local -q "addprinc gpadmin/admin@GPDB.KRB"

      This + principal allows you to manage the KDC database when you are logged + in as gpadmin. Make sure that the Kerberos kadm.acl + configuration file contains an ACL to grant permissions to this + principal. For example, this ACL grants all permissions to any admin + user in the GPDB.KRB realm. + */admin@GPDB.KRB *

    6. +
    7. Create a keytab file with kadmin.local. The + following example creates a keytab file + gpdb-kerberos.keytab in the current directory with + authentication information for the Greenplum Database service + principal and the gpadmin/admin principal. + # kadmin.local -q "ktadd -k gpdb-kerberos.keytab postgres/mdw@GPDB.KRB gadmin/admin@GPDB.KRB"
    8. +
    9. Copy the keytab file to the master host. + # scp gpdb-kerberos.keytab gpadmin@mdw:~
    10. +
    + +
    + + Installing the Kerberos Client on the Master + Host + +

    Install the Kerberos client utilities and libraries on the + Greenplum Database master.

    +
      +
    1. + Install the Kerberos packages on the Greenplum Database master. + $ sudo yum install krb5-libs krb5-workstation +
    2. +
    3. Copy the /etc/krb5.conf file from + the KDC server to /etc/krb5.conf on the Greenplum + Master host.
    4. +
    + +
    + + Configuring Greenplum Database to use Kerberos + Authentication + +

    Configure Greenplum Database to use Kerberos.

    +
      +
    1. Log in to the Greenplum Database master host as the gpadmin user. + $ ssh gpadmin@<master> +$ source /usr/local/greenplum-db/greenplum_path.sh +
    2. +
    3. Set the ownership and permissions of the keytab file you copied + from the KDC server. + $ chown gpadmin:gpadmin /home/gpadmin/gpdb-kerberos.keytab +$ chmod 400 /home/gpadmin/gpdb-kerberos.keytab +
    4. +
    5. Configure the location of the keytab file by setting the + Greenplum Database krb_server_keyfile server + configuration parameter. This gpconfig command + specifies the folder /home/gpadmin as the + location of the keytab file + gpdb-kerberos.keytab. + $ gpconfig -c krb_server_keyfile -v '/home/gpadmin/gpdb-kerberos.keytab' +
    6. +
    7. Modify the Greenplum Database file pg_hba.conf + to enable Kerberos support. For example, adding the following line + to pg_hba.conf adds GSSAPI and Kerberos + authentication support for connection requests from all users and + hosts on the same network to all Greenplum Database databases. + host all all 0.0.0.0/0 gss include_realm=0 krb_realm=GPDB.KRB + +

      Setting the krb_realm option to a realm name + ensures that only users from that realm can successfully + authenticate with Kerberos. Setting the + include_realm option to 0 + excludes the realm name from the authenticated user name. For + information about the pg_hba.conf file, see The pg_hba.conf file in the + Postgres documentation.

      +
    8. +
    9. Restart Greenplum Database after updating the + krb_server_keyfile parameter and the + pg_hba.conf file. + $ gpstop -ar +
    10. +
    11. Create the gpadmin/admin Greenplum Database superuser role. + $ createuser gpadmin/admin +Shall the new role be a superuser? (y/n) y +

      The Kerberos keys for this database role are in the keyfile you + copied from the KDC server.

      +
    12. +
    13. Create a ticket using kinit and show the tickets + in the Kerberos ticket cache with klist. + $ LD_LIBRARY_PATH= kinit -k -t /home/gpadmin/gpdb-kerberos.keytab gpadmin/admin@GPDB.KRB +$ LD_LIBRARY_PATH= klist +Ticket cache: FILE:/tmp/krb5cc_1000 +Default principal: gpadmin/admin@GPDB.KRB + +Valid starting Expires Service principal +06/13/2018 17:37:35 06/14/2018 17:37:35 krbtgt/GPDB.KRB@GPDB.KRB + When you set up the Greenplum Database environment by sourcing + the greenplum-db_path.sh script, the + LD_LIBRARY_PATH environment variable is set to + include the Greenplum Database lib directory, + which includes Kerberos libraries. This may cause Kerberos utility + commands such as kinit and + klist to fail due to version conflicts. The + solution is to run Kerberos utilities before you source the + greenplum-db_path.sh file or temporarily unset + the LD_LIBRARY_PATH variable when you execute + Kerberos utilities, as shown in the example. +
    14. +
    15. As a test, log in to the postgres database with the + gpadmin/admin role: $ psql -U "gpadmin/admin" -h mdw postgres +psql (8.3.23) +Type "help" for help. + +postgres=# select current_user; + current_user +--------------- + gpadmin/admin +(1 row) + When you start psql on the master host, you + must include the -h <master-hostname> option to + force a TCP connection because Kerberos authentication does not work + with local connections. +
    16. +
    +

    If a Kerberos principal is not a Greenplum Database + user, a message similar to the following is displayed from the + psql command line when the user attempts to log in to + the database: + psql: krb5_sendauth: Bad response

    +

    The + principal must be added as a Greenplum Database user.

    + +
    + + Mapping Kerberos Principals to Greenplum Database Roles + +

    To connect to a Greenplum Database system with Kerberos authentication + enabled, a user first requests a ticket-granting ticket from the KDC + server using the kinit utility with a password or a + keytab file provided by the Kerberos admin. When the user then connects + to the Kerberos-enabled Greenplum Database system, the user's Kerberos + principle name will be the Greenplum Database role name, subject to + transformations specified in the options field of the + gss entry in the Greenplum Database + pg_hba.conf file:

    +
      +
    • If the krb_realm=<realm> option is present, + Greenplum Database only accepts Kerberos principals who are members pf + the specified realm.
    • +
    • If the include_realm=0 option is specified, the + Greenplum Database role name is the Kerberos principal name without + the Kerberos realm. If the include_realm=1 option is + instead specified, the Kerberos realm is not stripped from the + Greenplum Database rolename. The role must have been created with the + Greenplum Database CREATE ROLE command.
    • +
    • If the map=<map-name> option is specified, the + Kerberos principal name is compared to entries labeled with the + specified <map-name> in the + $MASTER_DATA_DIRECTORY/pg_ident.conf file and + replaced with the Greenplum Database role name specified in the first + matching entry.
    • +
    +

    A user name map is defined in the + $MASTER_DATA_DIRECTORY/pg_ident.conf configuration + file. This example defines a map named mymap with two + entries.

    +

    + +# MAPNAME   SYSTEM-USERNAME        GP-USERNAME +mymap /^admin@GPDB.KRB$ gpadmin +mymap       /^(.*)_gp)@GPDB.KRB$   \1 +

    +

    The map name is specified in the pg_hba.conf Kerberos + entry in the options field:

    +

    + host all all 0.0.0.0/0 gss include_realm=0 krb_realm=GPDB.KRB map=mymap +

    +

    The first map entry matches the Kerberos principal admin@GPDB.KRB and + replaces it with the Greenplum Database gpadmin role name. The second + entry uses a wildcard to match any Kerberos principal in the GPDB-KRB + realm with a name ending with the characters _gp and + replaces it with the initial portion of the principal name. Greenplum + Database applies the first matching map entry in the + pg_ident.conf file, so the order of entries is + significant.

    +

    For more information about using username maps see Username maps in the PostgreSQL + documentation.

    + +
    + + Configuring JDBC Kerberos Authentication for Greenplum + Database + Enable Kerberos-authenticated JDBC access to Greenplum + Database. + +

    You can configure Greenplum Database to use Kerberos to run + user-defined Java functions.

    +
      +
    1. +

      Ensure that Kerberos is installed and configured on + the Greenplum Database master. See .

      +
    2. +
    3. +

      Create the file + .java.login.config in the folder + /home/gpadmin and add the following text to the + file:

      + pgjdbc { +  com.sun.security.auth.module.Krb5LoginModule required +  doNotPrompt=true +  useTicketCache=true +  debug=true +  client=true; +}; +
    4. +
    5. +

      Create a Java application that connects to Greenplum Database + using Kerberos authentication. The following example database + connection URL uses a PostgreSQL JDBC driver and specifies + parameters for Kerberos authentication:

      + jdbc:postgresql://mdw:5432/mytest?kerberosServerName=postgres +&jaasApplicationName=pgjdbc&user=gpadmin/gpdb-kdc +

      The parameter names and values specified depend on how the Java + application performs Kerberos authentication.

      +
    6. +
    7. +

      Test the Kerberos login by running a sample Java application from + Greenplum Database.

      +
    8. +
    + +
    + + Installing and Configuring a Kerberos KDC Server + Steps to set up a Kerberos Key Distribution Center (KDC) server + on a Red Hat Enterprise Linux host for use with Greenplum + Database. + +

    If you do not already have a KDC, follow these steps to install + and configure a KDC server on a Red Hat Enterprise Linux host with a + GPDB.KRB realm. The host name of the KDC server in + this example is gpdb-kdc.

    +
      +
    1. Install the Kerberos server and client + packages:$ sudo yum install krb5-libs krb5-server krb5-workstation
    2. +
    3. Edit the /etc/krb5.conf configuration file. The + following example shows a Kerberos server configured with a default + GPDB.KRB realm. [logging]  default = FILE:/var/log/krb5libs.log  kdc = FILE:/var/log/krb5kdc.log  admin_server = FILE:/var/log/kadmind.log [libdefaults] - default_realm = KRB.GREENPLUM.COM + default_realm = GPDB.KRB  dns_lookup_realm = false  dns_lookup_kdc = false  ticket_lifetime = 24h @@ -115,15 +359,15 @@  permitted_enctypes = aes128-cts des3-hmac-sha1 des-cbc-crc des-cbc-md5 [realms] - KRB.GREENPLUM.COM = { -  kdc = kerberos-gpdb:88 -  admin_server = kerberos-gpdb:749 -  default_domain = kerberos-gpdb + GPDB.KRB = { +  kdc = gpdb-kdc:88 +  admin_server = gpdb-kdc:749 +  default_domain = gpdb.krb  } [domain_realm] - .kerberos-gpdb = KRB.GREENPLUM.COM - kerberos-gpdb = KRB.GREENPLUM.COM + .gpdb.krb = GPDB.KRB + gpdb.krb = GPDB.KRB [appdefaults]  pam = { @@ -133,307 +377,49 @@     forwardable = true     krb4_convert = false  } - - - -
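Review bot: the ktadd command in the "Creating Greenplum Database Principals in the KDC Database" step misspells the admin principal: `kadmin.local -q "ktadd -k gpdb-kerberos.keytab postgres/mdw@GPDB.KRB gadmin/admin@GPDB.KRB"` names gadmin/admin, which was never created, so kadmin.local reports an error and the later `kinit -k -t /home/gpadmin/gpdb-kerberos.keytab gpadmin/admin@GPDB.KRB` fails because the keytab holds no key for that principal; change it to gpadmin/admin. Note also that ktadd replaces the principal's key with a random one, so the password typed in the preceding addprinc step stops working unless -norandkey is added to the ktadd. Second, the user-name map example cannot match as written: the pg_hba.conf line `host all all 0.0.0.0/0 gss include_realm=0 krb_realm=GPDB.KRB map=mymap` strips the realm from the principal before the name is passed to the map, yet both pg_ident.conf patterns anchor on @GPDB.KRB$, and the second pattern `/^(.*)_gp)@GPDB.KRB$` has an unbalanced parenthesis; either drop include_realm=0 on the map line or remove @GPDB.KRB from the patterns, and fix the regex. Third, the procedure puts the KDC admin principal's key into the same keytab that becomes krb_server_keyfile on the master: with `*/admin@GPDB.KRB *` in kadm5.acl, anyone able to read /home/gpadmin/gpdb-kerberos.keytab can administer the whole realm, and the same principal is then made a database superuser with createuser; keep only the postgres/mdw service principal in the server keytab and use a separate keytab, or a plain user principal, for the psql test. Smaller points: the pg_hba.conf explanation describes 0.0.0.0/0 as "all users and hosts on the same network", but that CIDR matches every IPv4 address, so reword it or narrow the range; the LD_LIBRARY_PATH note refers to greenplum-db_path.sh while the step above sources greenplum_path.sh; the mapping section has "principle name" for "principal name", "members pf" for "members of", and "GPDB-KRB realm" for GPDB.KRB; the JDBC URL uses user=gpadmin/gpdb-kdc, a principal this procedure never creates; and the JAAS fragment ships with debug=true, which should be labelled a troubleshooting setting rather than left as the default.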
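Review bot: the [libdefaults] context line `permitted_enctypes = aes128-cts des3-hmac-sha1 des-cbc-crc des-cbc-md5` still carries single-DES types; since this hunk is already rewriting the realm names in the sample /etc/krb5.conf, drop des-cbc-crc and des-cbc-md5 (recent MIT krb5 releases refuse them unless allow_weak_crypto = true) so the example does not advertise weak encryption types to readers who copy it. The realm rename itself is consistent across [libdefaults], [realms] and [domain_realm].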

      The kdc and admin_server keys in the - [realms] section specify the host (kerberos-gpdb) - and port where the Kerberos server is running. IP numbers can be used in place of host - names.

      -

      If your Kerberos server manages authentication for other realms, you would instead - add the KRB.GREENPLUM.COM realm in the [realms] and - [domain_realm] section of the kdc.conf file. See - the Kerberos documentation for information about the - kdc.conf file.

      -
      - - - To create a Kerberos KDC database, run the kdb5_util. - - kdb5_util create -s - - The kdb5_util - option creates the database to store keys for the Kerberos - realms that are managed by this KDC server. The option creates a - stash file. Without the stash file, every time the KDC server starts it requests a - password. - - - Add an administrative user to the KDC database with the kadmin.local - utility. Because it does not itself depend on Kerberos authentication, the - kadmin.local utility allows you to add an initial administrative user - to the local Kerberos server. To add the user gpadmin as an - administrative user to the KDC database, run the following command: - - kadmin.local -q "addprinc gpadmin/admin" - - Most users do not need administrative access to the Kerberos server. They can use - kadmin to manage their own principals (for example, to change their - own password). For information about kadmin, see the Kerberos documentation. - - - If needed, edit the /var/kerberos/krb5kdc/kadm5.acl file to - grant the appropriate permissions to gpadmin. - - - Start the Kerberos daemons: - - /sbin/service krb5kdc start -/sbin/service kadmin start - - - - To start Kerberos automatically upon restart: - - /sbin/chkconfig krb5kdc on -/sbin/chkconfig kadmin on - - - - - - - Create Greenplum Database Roles in the KDC Database - Add principals to the Kerberos realm for Greenplum Database. - - Start kadmin.local in interactive mode, then add two principals to - the Greenplum Database Realm. - - - Start kadmin.local in interactive mode: - - kadmin.local - - - - Add principals: - -
      kadmin.local: addprinc gpadmin/kerberos-gpdb@KRB.EXAMPLE.COM
      -kadmin.local: addprinc postgres/master.test.com@KRB.EXAMPLE.COM
      -
      - The adprinc commands prompt for passwords for each principal. The - first addprinc creates a Greenplum Database user as a principal, - gpadmin/kerberos-gpdb. The second addprinc command - creates the postgres process on the Greenplum Database master host as a - principal in the Kerberos KDC. This principal is required when using Kerberos - authentication with Greenplum Database. -
      - - Create a Kerberos keytab file with kadmin.local. The following - example creates a keytab file gpdb-kerberos.keytab in the current - directory with authentication information for the two principals. - - kadmin.local: xst -k gpdb-kerberos.keytab - gpadmin/kerberos-gpdb@KRB.EXAMPLE.COM - postgres/master.test.com@KRB.EXAMPLE.COM - - You will copy this file to the Greenplum Database master host. - - - Exit kadmin.local interactive mode with the quit - command: - - kadmin.local: quit - - -
      -
      -
      - - Install and Configure the Kerberos Client - Steps to install the Kerberos client on the Greenplum Database master - host. - - Install the Kerberos client libraries on the Greenplum Database master and configure - the Kerberos client. - - - Install the Kerberos packages on the Greenplum Database master. - - sudo yum install krb5-libs krb5-workstation - - - - Ensure that the /etc/krb5.conf file is the same as the one that is - on the Kerberos server. - - - Copy the gpdb-kerberos.keytab file that was generated on the - Kerberos server to the Greenplum Database master host. - - - Remove any existing tickets with the Kerberos utility kdestroy. Run - the utility as root. - - sudo kdestroy - - - - Use the Kerberos utility kinit to request a ticket using the keytab - file on the Greenplum Database master for - gpadmin/kerberos-gpdb@KRB.EXAMPLE.COM. The option - specifies the keytab file on the Greenplum Database master. - - # kinit -k -t gpdb-kerberos.keytab gpadmin/kerberos-gpdb@KRB.EXAMPLE.COM - - - - Use the Kerberos utility klist to display the contents of the - Kerberos ticket cache on the Greenplum Database master. The following is an - example: - - # klist -Ticket cache: FILE:/tmp/krb5cc_108061 -Default principal: gpadmin/kerberos-gpdb@KRB.EXAMPLE.COM -Valid starting     Expires            Service principal -03/28/13 14:50:26  03/29/13 14:50:26  krbtgt/KRB.GREENPLUM.COM     @KRB.EXAMPLE.COM -    renew until 03/28/13 14:50:26 - - - - - - Set up Greenplum Database with Kerberos for PSQL - Configure a Greenplum Database to use Kerberos. - - After you have set up Kerberos on the Greenplum Database master, you can configure - Greenplum Database to use Kerberos. For information on setting up the Greenplum Database - master, see . - - - Create a Greenplum Database administrator role in the database - postgres for the Kerberos principal that is used as the database - administrator. The following example uses gpamin/kerberos-gpdb. 
- - psql postgres -c 'create role "gpadmin/kerberos-gpdb" login superuser;' - - - The role you create in the database postgres will be available - in any new Greenplum Database that you create. - - - Modify postgresql.conf to specify the location of the keytab file. - For example, adding this line to the postgresql.conf specifies the - folder /home/gpadmin as the location of the keytab file - gpdb-kerberos.keytab. - - krb_server_keyfile = '/home/gpadmin/gpdb-kerberos.keytab' - - - - - Modify the Greenplum Database file pg_hba.conf to enable Kerberos - support. Then restart Greenplum Database (gpstop -ar). For example, - adding the following line to pg_hba.conf adds GSSAPI and Kerberos - support. The value for krb_realm is the Kerberos realm that is used - for authentication to Greenplum Database. - - host all all 0.0.0.0/0 gss include_realm=0 krb_realm=KRB.GREENPLUM.COM - - For information about the pg_hba.conf file, see The pg_hba.conf file in the Postgres - documentation. - - - Create a ticket using kinit and show the tickets in the Kerberos - ticket cache with klist. - - - As a test, log in to the database as the gpadmin role with the - Kerberos credentials gpadmin/kerberos-gpdb: - - psql -U "gpadmin/kerberos-gpdb" -h master.test postgres - - - -

      A username map can be defined in the pg_ident.conf file and - specified in the pg_hba.conf file to simplify logging into - Greenplum Database. For example, this psql command logs into the - default Greenplum Database on mdw.proddb as the Kerberos principal - adminuser/mdw.proddb: - $ psql -U "adminuser/mdw.proddb" -h mdw.proddb -

      -

      If the default user is adminuser, the - pg_ident.conf file and the pg_hba.conf - file can be configured so that the adminuser can log in to the - database as the Kerberos principal adminuser/mdw.proddb without - specifying the -U option: - $ psql -h mdw.proddb -

      -

      The following username map is defined in the Greenplum Database file - $MASTER_DATA_DIRECTORY/pg_ident.conf:

      -

      - # MAPNAME   SYSTEM-USERNAME        GP-USERNAME -mymap       /^(.*)mdw\.proddb$     adminuser -

      -

      The map can be specified in the pg_hba.conf file as part of the - line that enables Kerberos support:

      -

      - host all all 0.0.0.0/0 krb5 include_realm=0 krb_realm=proddb map=mymap -

      -

      For more information about specifying username maps see Username maps in the Postgres - documentation.

      -
      -
      - - If a Kerberos principal is not a Greenplum Database user, a message similar to the - following is displayed from the psql command line when the user - attempts to log in to the database: - - psql: krb5_sendauth: Bad response - - The principal must be added as a Greenplum Database user. - -
      -
      -
      - - Set up Greenplum Database with Kerberos for JDBC - Enable Kerberos-authenticated JDBC access to Greenplum Database. - - You can configure Greenplum Database to use Kerberos to run user-defined Java - functions. - - - Ensure that Kerberos is installed and configured on the Greenplum - Database master. See . - - - Create the file .java.login.config in the folder - /home/gpadmin and add the following text to the file: - - pgjdbc { -  com.sun.security.auth.module.Krb5LoginModule required -  doNotPrompt=true -  useTicketCache=true -  debug=true -  client=true; -}; - - - - Create a Java application that connects to Greenplum Database using Kerberos - authentication. The following example database connection URL uses a PostgreSQL JDBC - driver and specifies parameters for Kerberos authentication: - - jdbc:postgresql://mdw:5432/mytest?kerberosServerName=postgres -&jaasApplicationName=pgjdbc&user=gpadmin/kerberos-gpdb - - The parameter names and values specified depend on how the Java application - performs Kerberos authentication. - - - Test the Kerberos login by running a sample Java application from Greenplum - Database. - - - - -
      +

      The + kdc and admin_server keys in the + [realms] section specify the host + (gpdb-kdc) and port where the Kerberos server is + running. IP numbers can be used in place of host names.

      If + your Kerberos server manages authentication for other realms, you + would instead add the GPDB.KRB realm in the + [realms] and [domain_realm] + section of the kdc.conf file. See the Kerberos documentation for information + about the kdc.conf file.

    4. +
    5. To create the Kerberos database, run the kdb5_util. + # kdb5_util create -s

      The + kdb5_util + command creates the database to store keys + for the Kerberos realms that are managed by this KDC server. The + option creates a stash file. Without the stash + file, every time the KDC server starts it requests a + password.

    6. +
    7. Add an administrative user to the KDC database with the + kadmin.local utility. Because it does not itself + depend on Kerberos authentication, the kadmin.local + utility allows you to add an initial administrative user to the local + Kerberos server. To add the user gpadmin as an + administrative user to the KDC database, run the following + command:# kadmin.local -q "addprinc gpadmin/admin"

      Most + users do not need administrative access to the Kerberos server. They + can use kadmin to manage their own principals (for + example, to change their own password). For information about + kadmin, see the Kerberos documentation.

    8. +
    9. If needed, edit the + /var/kerberos/krb5kdc/kadm5.acl file to grant + the appropriate permissions to gpadmin.
    10. +
    11. Start the Kerberos + daemons:# /sbin/service krb5kdc start# +/sbin/service kadmin start
    12. +
    13. To start Kerberos automatically upon + restart:# /sbin/chkconfig krb5kdc on +# /sbin/chkconfig kadmin on
    14. +
    + +
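Review bot: step 7 of the KDC procedure, `kadmin.local -q "addprinc gpadmin/admin"`, creates the same principal that step 5 of "Creating Greenplum Database Principals in the KDC Database" creates with addprinc gpadmin/admin@GPDB.KRB; a reader who follows both procedures gets "Principal or policy already exists" on the second run, so have one section refer to the other instead of repeating the command. Step 9 should be firmer than "If needed": the ACL the principals section relies on is `*/admin@GPDB.KRB *`, and the kadm5.acl shipped with the Red Hat package grants */admin@EXAMPLE.COM, so the realm in that file must be changed before gpadmin/admin can manage the database. As rendered here, the kdb5_util explanation reads "The option creates a stash file" without naming -s; check that the source names the option. Finally, the service and chkconfig commands are the sysvinit forms; since the prerequisites in this patch now mention Red Hat Enterprise Linux 7.x, add the systemctl start and systemctl enable equivalents for krb5kdc and kadmin.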
    -- GitLab