Enabling Kerberos (MIT and AD) authentication for MariaDB Database Server
Perform the following steps for enabling Kerberos authentication on MariaDB Database Server and to connect Cloudera Manager Server to Kerberos enabled MariaDB. These steps are applicable for TLS 1.2 and non-TLS 1.2 clusters.
- SSH into the MariaDB database host.
-
Run the following command to install the
auth_gssapi.soplugin:sudo yum install MariaDB-gssapi-serverEnsure the plugin is present in the following directory
/usr/lib64/mysql/plugin. -
On the MariaDB server, create Service Principal and Keytab by running the following
commands:
-
- For MIT Kerberos
-
Run the following command to create Service Principal:
kadmin -p root/admin -q "addprinc -randkey mariadb/${HOST}" - For AD Kerberos
-
Run the following command on AD server to create Service Principal:
dsadd user CN=mariadb,CN=Users,DC=qe-infra-ad,DC=cloudera,DC=com -pwd Test123 -samid mariadb -upn mariadb@QE-INFRA-AD.CLOUDERA.COM
-
- For MIT Kerberos
-
Run the following command to create Keytab:
kadmin -p root/admin -q "ktadd -k /path/to/mariadb.keytab mariadb/${HOST}" - For AD Kerberos
-
Run the following command on AD server to create Keytab:
ktpass.exe /princ mariadb@QE-INFRA-AD.CLOUDERA.COM /mapuser mariadb@QE-INFRA-AD.CLOUDERA.COM /pass Test123 /out mariadb.keytab /crypto all /ptype KRB5_NT_PRINCIPAL /mapop setCopy the Keytab file to the database host.
-
- For AD Kerberos only
-
Run the following command to map service principal name to the principal:
setspn -s mariadb/QE-INFRA-AD.CLOUDERA.COM mariadb
- Add the Service Principal and Keytab to the /etc/my.cnf
configuration
file:
gssapi_keytab_path=/path/to/mariadb.keytab gssapi_principal_name=service_principal_name/host.domain.com@REALM
-
-
You must install the plugin on the Mariadb (database) side. You can do this either by
following Step 4. a. or Step 4. b.:
- Run the following query on Mariadb
database:
INSTALL SONAME 'auth_gssapi'; - Add the following plugin to the /etc/my.cnf configuration file
by running the following
command:
plugin_load_add = auth_gssapiRestart the MariaDB server by running the following command:sudo systemctl restart mariadb
After performing Step 4. a. or Step 4. b., the plugin is visible in the plugin table. To verify the plugin, run the following query:SHOW PLUGINS; - Run the following query on Mariadb
database:
-
Create user principals and do
kiniton the Cloudera Manager Server by running the following commands:- For MIT Kerberos
-
-
Create user principal by running the following command:
kadmin -p root/admin -q "addprinc cm_kerb_user" -
Do
kinitby running the following command:kinit cm_kerb_user
-
- For AD Kerberos
-
-
Run the following command to create user in Active Directory:
dsadd user CN=cm_kerb_user,CN=Users,DC=qe-infra-ad,DC=cloudera,DC=com -pwd Test123 -samid cm_kerb_user -upn cm_kerb_user@QE-INFRA-AD.CLOUDERA.COM -
Run the following command to create Keytab for the user in Active Directory:
ktpass.exe /princ cm_kerb_user@QE-INFRA-AD.CLOUDERA.COM /mapuser cm_kerb_user@QE-INFRA-AD.CLOUDERA.COM /pass Test123 /out cm_kerb_user.keytab /crypto all /ptype KRB5_NT_PRINCIPAL /mapop set - Run the following command to map service principal name to the principal in
Active
Directory:
setspn -s cm_kerb_user/QE-INFRA-AD.CLOUDERA.COM cm_kerb_user - Copy the Keytab file to the Cloudera Manager Server host.
-
Do
kinitby running the following command in the Cloudera Manager Server host:sudo /usr/bin/kinit -kt /cdep/keytabs/cm_kerb_user.keytab -l 1d -r 8d cm_kerb_user
-
-
On MariaDB Database, you must create the user for using the Kerberos authentication by
running the following commands:
CREATE USER 'cm_kerb_user'@'%' IDENTIFIED WITH gssapi;GRANT ALL PRIVILEGES ON cm.* TO 'cm_kerb_user'@'%' IDENTIFIED VIA gssapi; -
Run the following command to log in the user using Kerberos and verify whether the
Kerberos configuration and user are working correctly:
mysql --plugin-dir=/usr/lib64/mysql/plugin --user=cm_kerb_user --host=hostname -
Connect Cloudera Manager Server to Kerberos enabled MariaDB by performing the following
steps:
-
By default mysql-connector-java.jar is available. You must have MariaDB Connector/J JDBC driver for building Java applications on top of MariaDB such as mariadb-java-client-3.1.4.jar.
Add mariadb-java-client-3.1.4.jar file to /usr/share/java location.
-
Add the following line to the /etc/default/cloudera-scm-server file.
export CMF_JDBC_DRIVER_JAR="${CMF_JDBC_DRIVER_JAR}:/usr/share/java/mariadb-java-client-3.3.3.jar" - Create a /etc/jaas.conf file with the following
content:
Krb5ConnectorContext { com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true keyTab="/tmp/cm_kerb_user.keytab" (/location of keytab) principal="cm_kerb_user@ROOT.COMOPS.SITE" doNotPrompt=true; }; -
- For TLS cluster
-
Update the JDBC URL in /etc/cloudera-scm-server/db.properties as follows:The updated URL should look like this:
com.cloudera.cmf.orm.hibernate.connection.url=jdbc:mysql://localhost:3306/cm?user=cm_kerb_user&sslMode=trust&trustCertificateKeyStoreUrl=file:///cdep/mariadbssl/db_keystore.jks&trustCertificateKeyStoreType=jks&trustCertificateKeyStorePassword=verystrongpassword&enabledTLSProtocols=TLSv1.2 - For non-TLS cluster
-
Update the JDBC URL in /etc/cloudera-scm-server/db.properties as follows:The updated URL should look like this:
com.cloudera.cmf.orm.hibernate.connection.url=jdbc:mariadb://<<host>>:3306/cm?user=cm_kerb_user
- Add below properties to
/etc/default/cloudera-scm-server:
export CMF_JAVA_OPTS="${CMF_JAVA_OPTS} -Djava.security.krb5.kdc=krbmariadb-1.krbmariadb.root.hwx.site -Djava.security.krb5.realm=ROOT.HWX.SITE -Djava.security.auth.login.config=/etc/jaas.conf" - Restart the Cloudera Manager Server by running the following
command:
sudo systemctl restart cloudera-scm-server
-
