Configuring Kerberos for Linux Clients
You can configure Linux client applications to connect to a Greenplum Database system
that is configured to authenticate with Kerberos.
If your JDBC application on Red Hat Enterprise Linux uses Kerberos authentication when it
connects to your Greenplum Database, your client system must be configured to use Kerberos
authentication. If you are not using Kerberos authentication to connect to a Greenplum
Database, Kerberos is not needed on your client system.
For information about enabling Kerberos authentication with Greenplum Database, see the
chapter "Setting Up Kerberos Authentication" in the Greenplum Database Administrator
Guide.
Requirements
The following are the requirements for connecting from a client system running a JDBC
application to a Greenplum Database system that has Kerberos authentication enabled.
Prerequisites
Required Software on the Client Machine
- The Kerberos kinit utility is required on the client
machine. The kinit utility is available when you install the Kerberos
packages:
- krb5-libs
- krb5-workstation
When you install the Kerberos packages, you can use other Kerberos utilities
such as klist to display Kerberos ticket information.
Java applications require this additional software:
Setting Up Client System with Kerberos Authentication
Connecting to Greenplum Database with Kerberos authentication requires a Kerberos ticket.
On client systems, tickets are obtained from Kerberos keytab files with the
kinit utility and are stored in a ticket cache file.
- Install a copy of the Kerberos configuration file
krb5.conf from the Greenplum Database master. The file is used by the
Greenplum Database client software and the Kerberos utilities.
Install
krb5.conf in the directory /etc.
If needed,
add the parameter default_ccache_name to the
[libdefaults] section of /etc/krb5.conf and
specify the location of the Kerberos ticket cache file on the client system.
- Obtain a Kerberos keytab file that contains the authentication credentials
for the Greenplum Database user.
- Run kinit, specifying the keytab file, to create a ticket
on the client machine. For this example, the keytab file
gpdb-kerberos.keytab is in the current directory, and the ticket cache
file is written to the gpadmin user home directory:
> kinit -k -t gpdb-kerberos.keytab -c /home/gpadmin/cache.txt gpadmin/kerberos-gpdb@KRB.EXAMPLE.COM
You can confirm that the ticket was created with klist -c /home/gpadmin/cache.txt.
Running psql
From a remote system, you can access a Greenplum Database that has Kerberos authentication
enabled.
To connect to Greenplum Database with psql
- As the gpadmin user, open a command window.
- Start psql, specifying a connection to the Greenplum Database as the user
that is configured with Kerberos authentication. The user name is the Kerberos
principal without the @REALM suffix.
The following example logs into the Greenplum Database on the
machine kerberos-gpdb as the gpadmin user with the
Kerberos credentials
gpadmin/kerberos-gpdb:
$ psql -U "gpadmin/kerberos-gpdb" -h kerberos-gpdb postgres
Running a Java Application
Accessing Greenplum Database from a Java application with Kerberos authentication uses the
Java Authentication and Authorization Service (JAAS).
- Create the file .java.login.config in the user home
folder.
For example, on a Linux system, the home folder is similar to
/home/gpadmin.
Add the following text to the
file:
pgjdbc {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
useTicketCache=true
ticketCache = "/home/gpadmin/cache.txt"
debug=true
client=true;
};
- Create a Java application that connects to Greenplum Database using
Kerberos authentication and run the application as the user.
This example database connection URL uses a PostgreSQL JDBC driver and specifies parameters
for Kerberos authentication.
jdbc:postgresql://kerberos-gpdb:5432/mytest?kerberosServerName=postgres&jaasApplicationName=pgjdbc&user=gpadmin/kerberos-gpdb
The parameter names and values specified depend on how the Java application performs
Kerberos authentication.
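The following Java program is an added example and is not code from the Greenplum documentation or from the PostgreSQL JDBC project. It assumes the steps above have been completed: krb5.conf is installed, kinit has been run as gpadmin so that /home/gpadmin/cache.txt holds a ticket, and the pgjdbc entry exists in ~/.java.login.config. The host, database, principal, service name and JAAS entry name are taken from the page; the class name, the query, the exit codes and the pre-flight JAAS login are assumptions made for this example. It passes the same parameters shown in the URL above as connection properties instead, which keeps the principal out of the URL string.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Connects to Greenplum Database over JDBC using the Kerberos ticket that kinit
 * placed in the cache named by the "pgjdbc" entry of ~/.java.login.config, then
 * runs a query to show which database role the session was authenticated as.
 * Example code only; class name, query and exit codes are assumptions.
 */
public class KerberosGpdbClient {

    // Host, database, principal and JAAS entry name are taken from the page's example.
    static final String JDBC_URL = "jdbc:postgresql://kerberos-gpdb:5432/mytest";
    static final String PRINCIPAL = "gpadmin/kerberos-gpdb";   // principal without the @REALM suffix
    static final String JAAS_ENTRY = "pgjdbc";                 // entry name in .java.login.config
    // Service part of the server's Kerberos principal (postgres/<host>@REALM); pgjdbc's default is also "postgres".
    static final String SERVICE_NAME = "postgres";

    /**
     * Fail fast with a readable message when the ticket cache holds no usable TGT
     * (kinit never run, wrong ticketCache path in the JAAS entry, or ticket expired).
     * The driver performs its own JAAS login later; this check only surfaces the error earlier.
     */
    static void checkTicketCache() throws LoginException {
        // JAAS reads ${user.home}/.java.login.config when no explicit config is set;
        // setting the property here is a safeguard for JVMs launched with a different user.home.
        if (System.getProperty("java.security.auth.login.config") == null) {
            System.setProperty("java.security.auth.login.config",
                    System.getProperty("user.home") + "/.java.login.config");
        }
        // No CallbackHandler: the entry sets doNotPrompt=true, so the module reads the cache or fails.
        LoginContext lc = new LoginContext(JAAS_ENTRY);
        lc.login();   // throws LoginException if the cache has no valid ticket
        lc.logout();
    }

    /** Opens the connection with the Kerberos parameters as properties rather than URL query parameters. */
    static Connection connect() throws SQLException {
        Properties props = new Properties();
        props.setProperty("user", PRINCIPAL);
        props.setProperty("kerberosServerName", SERVICE_NAME);  // must match the server's service principal
        props.setProperty("jaasApplicationName", JAAS_ENTRY);
        // jaasLogin defaults to true, so the driver logs in via the JAAS entry and requests the service ticket.
        return DriverManager.getConnection(JDBC_URL, props);
    }

    public static void main(String[] args) {
        try {
            checkTicketCache();
        } catch (LoginException e) {
            System.err.println("No valid Kerberos ticket for " + PRINCIPAL
                    + ": run kinit first (" + e.getMessage() + ")");
            System.exit(1);
        }
        // session_user is the database role the connection authenticated as.
        try (Connection conn = connect();
             Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery("SELECT session_user, version()")) {
            while (rs.next()) {
                System.out.println("authenticated as " + rs.getString(1));
                System.out.println(rs.getString(2));
            }
        } catch (SQLException e) {
            // SQLSTATE 28000 (invalid_authorization_specification) is what the server returns
            // when GSSAPI authentication fails, e.g. the principal is not mapped to a role.
            System.err.println("connection failed (SQLSTATE " + e.getSQLState() + "): " + e.getMessage());
            System.exit(2);
        }
    }
}
```

Compile and run as gpadmin with the PostgreSQL JDBC driver jar on the classpath (javac -cp postgresql.jar KerberosGpdbClient.java; java -cp .:postgresql.jar KerberosGpdbClient). Because the JAAS entry on this page sets debug=true, the Krb5LoginModule prints ticket and principal details to standard output; drop that option once the setup is verified so the information does not end up in application logs.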