Enabling Kerberos (MIT and AD) authentication for MariaDB Database Server

Perform the following steps to enable Kerberos authentication on MariaDB Database Server and to connect Cloudera Manager Server to the Kerberos-enabled MariaDB. These steps apply to both TLS 1.2 and non-TLS 1.2 clusters.

  1. SSH into the MariaDB database host.
  2. Run the following command to install the auth_gssapi.so plugin:
    sudo yum install MariaDB-gssapi-server

    Ensure the plugin is present in the /usr/lib64/mysql/plugin directory.

  3. On the MariaDB server, create Service Principal and Keytab by running the following commands:
    1. Create the Service Principal.
      For MIT Kerberos
      Run the following command to create Service Principal:
      kadmin -p root/admin -q "addprinc -randkey mariadb/${HOST}"
      For AD Kerberos
      Run the following command on AD server to create Service Principal:
      dsadd user CN=mariadb,CN=Users,DC=qe-infra-ad,DC=cloudera,DC=com -pwd Test123 -samid mariadb -upn mariadb@QE-INFRA-AD.CLOUDERA.COM
    2. Create the Keytab.
      For MIT Kerberos
      Run the following command to create Keytab:
      kadmin -p root/admin -q "ktadd -k /path/to/mariadb.keytab mariadb/${HOST}"
      For AD Kerberos
      Run the following command on AD server to create Keytab:
      ktpass.exe /princ mariadb@QE-INFRA-AD.CLOUDERA.COM /mapuser mariadb@QE-INFRA-AD.CLOUDERA.COM /pass Test123 /out mariadb.keytab /crypto all /ptype KRB5_NT_PRINCIPAL /mapop set

      Copy the Keytab file to the database host.

    3. For AD Kerberos only
      Run the following command to map service principal name to the principal:
      setspn -s mariadb/QE-INFRA-AD.CLOUDERA.COM mariadb
    4. Add the Service Principal and Keytab to the /etc/my.cnf configuration file:
      gssapi_keytab_path=/path/to/mariadb.keytab
      gssapi_principal_name=service_principal_name/host.domain.com@REALM
  4. Install the plugin on the MariaDB (database) side by following either Step 4.1 or Step 4.2:
    1. Run the following query on the MariaDB database:
      INSTALL SONAME 'auth_gssapi';
    2. Add the following line to the /etc/my.cnf configuration file:
      plugin_load_add = auth_gssapi
      Restart the MariaDB server by running the following command:
      sudo systemctl restart mariadb
    After performing Step 4.1 or Step 4.2, the plugin is visible in the plugin table. To verify the plugin, run the following query:
    SHOW PLUGINS;
  5. Create the user principal and run kinit on the Cloudera Manager Server host by running the following commands:
    For MIT Kerberos
    1. Create user principal by running the following command:
      kadmin -p root/admin -q "addprinc cm_kerb_user"
    2. Run the following command to create Keytab for the user in MIT:
      kadmin -p root/admin -q "ktadd -k /mdbktb/cm_kerb_user.keytab cm_kerb_user"
    3. Run kinit with the following command:
      kinit cm_kerb_user
    For AD Kerberos
    1. Run the following command to create user in Active Directory:
      dsadd user CN=cm_kerb_user,CN=Users,DC=qe-infra-ad,DC=cloudera,DC=com -pwd Test123 -samid cm_kerb_user -upn cm_kerb_user@QE-INFRA-AD.CLOUDERA.COM
    2. Run the following command to create Keytab for the user in Active Directory:
      ktpass.exe /princ cm_kerb_user@QE-INFRA-AD.CLOUDERA.COM /mapuser cm_kerb_user@QE-INFRA-AD.CLOUDERA.COM /pass Test123 /out cm_kerb_user.keytab /crypto all /ptype KRB5_NT_PRINCIPAL /mapop set
    3. Run the following command to map service principal name to the principal in Active Directory:
      setspn -s cm_kerb_user/QE-INFRA-AD.CLOUDERA.COM cm_kerb_user
    4. Copy the Keytab file to the Cloudera Manager Server host.
    5. Run kinit on the Cloudera Manager Server host with the following command:
      sudo /usr/bin/kinit -kt /cdep/keytabs/cm_kerb_user.keytab -l 1d -r 8d cm_kerb_user
  6. On the MariaDB database, create the user that authenticates with Kerberos by running the following commands:
    CREATE USER 'cm_kerb_user'@'%' IDENTIFIED WITH gssapi;
    GRANT ALL PRIVILEGES ON cm.* TO 'cm_kerb_user'@'%' IDENTIFIED VIA gssapi;
  7. Run the following command to log in as the user with Kerberos and verify that the Kerberos configuration and the user work correctly:
     mysql --plugin-dir=/usr/lib64/mysql/plugin --user=cm_kerb_user --host=hostname
  8. Connect Cloudera Manager Server to Kerberos enabled MariaDB by performing the following steps:
    1. By default, mysql-connector-java.jar is available. You also need the MariaDB Connector/J JDBC driver, which is used for building Java applications on top of MariaDB, such as mariadb-java-client-3.1.4.jar.

      Add the mariadb-java-client-3.1.4.jar file to the /usr/share/java location.

    2. Add the following line to the /etc/default/cloudera-scm-server file. The path must name the Connector/J JAR file that is actually present in /usr/share/java.
      export CMF_JDBC_DRIVER_JAR="${CMF_JDBC_DRIVER_JAR}:/usr/share/java/mariadb-java-client-3.3.3.jar"
    3. Create an /etc/jaas.conf file with the following content. For the keyTab entry, specify the correct location of the cm_kerb_user.keytab keytab file:
      Krb5ConnectorContext {
          com.sun.security.auth.module.Krb5LoginModule required
          useKeyTab=true
          keyTab="/mdbktb/cm_kerb_user.keytab"
          principal="cm_kerb_user@ROOT.COMOPS.SITE"
          doNotPrompt=true;
      };
    4. For TLS cluster
      Update the JDBC URL in /etc/cloudera-scm-server/db.properties. The updated URL should look like this:
      com.cloudera.cmf.orm.hibernate.connection.url=jdbc:mysql://localhost:3306/cm?user=cm_kerb_user&sslMode=PREFERRED&trustCertificateKeyStoreUrl=file:///cdep/mariadbssl/db_keystore.jks&trustCertificateKeyStoreType=jks&trustCertificateKeyStorePassword=verystrongpassword&enabledTLSProtocols=TLSv1.2
      For non-TLS cluster
      Update the JDBC URL in /etc/cloudera-scm-server/db.properties. The updated URL should look like this:
      com.cloudera.cmf.orm.hibernate.connection.url=jdbc:mariadb://<<host>>:3306/cm?user=cm_kerb_user
    5. Add the following properties to the /etc/default/cloudera-scm-server file:
      export CMF_JAVA_OPTS="${CMF_JAVA_OPTS}
      -Djava.security.krb5.kdc=krbmariadb-1.krbmariadb.root.hwx.site
      -Djava.security.krb5.realm=ROOT.HWX.SITE -Djava.security.auth.login.config=/etc/jaas.conf"
    6. Restart the Cloudera Manager Server by running the following command:
      sudo systemctl restart cloudera-scm-server
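
The checks below are an added example, not part of the original procedure and not Cloudera or MariaDB tooling. The script reads the three files edited above and verifies that both keytabs exist and are closed to group and others, that gssapi_principal_name has the service/host@REALM form shown in Step 3, and that every JAR named in CMF_JDBC_DRIVER_JAR exists on disk. The function names are hypothetical and GNU stat is assumed.

```sh
#!/bin/sh
# Added example: post-setup checks; function names are assumptions of this sketch.

# Print the value of a "key=value" setting from a my.cnf-style file.
cnf_value() {  # cnf_value <file> <key>
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Print the keyTab path from a JAAS login configuration file.
jaas_keytab() {  # jaas_keytab <jaas.conf>
  sed -n 's/^[[:space:]]*keyTab="\(.*\)".*/\1/p' "$1" | head -n 1
}

# A keytab holds long-term keys: succeed only if the file exists and
# group and others have no permission bits set (for example 600 or 400).
keytab_mode_ok() {  # keytab_mode_ok <keytab>
  [ -f "$1" ] || return 2
  mode=$(stat -c '%a' "$1") || return 2   # GNU stat, octal mode
  [ $(( 0$mode & 077 )) -eq 0 ]
}

# Print JAR paths named in CMF_JDBC_DRIVER_JAR that do not exist on disk.
missing_driver_jars() {  # missing_driver_jars <defaults file>
  grep '^[[:space:]]*export CMF_JDBC_DRIVER_JAR=' "$1" |
    grep -o '/[^":]*\.jar' |
    while read -r jar; do [ -f "$jar" ] || printf '%s\n' "$jar"; done
}

# Run all checks; the return status is the number of failed checks.
check_setup() {  # check_setup <my.cnf> <jaas.conf> <cloudera-scm-server defaults>
  fails=0
  for kt in "$(cnf_value "$1" gssapi_keytab_path)" "$(jaas_keytab "$2")"; do
    keytab_mode_ok "$kt" && continue
    echo "FAIL keytab missing or accessible to group/others: $kt"
    fails=$((fails + 1))
  done
  case "$(cnf_value "$1" gssapi_principal_name)" in
    */*@*) ;;   # the service/host@REALM form used on this page
    *) echo "FAIL gssapi_principal_name is not service/host@REALM"
       fails=$((fails + 1)) ;;
  esac
  for jar in $(missing_driver_jars "$3"); do
    echo "FAIL driver JAR not found: $jar"
    fails=$((fails + 1))
  done
  return "$fails"
}

if [ "$#" -eq 3 ]; then check_setup "$@"; fi
```

Invoke the script with the paths of /etc/my.cnf, /etc/jaas.conf and /etc/default/cloudera-scm-server as its three arguments, on a host where all three files are readable.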