Enabling Kerberos (MIT and AD) authentication for MariaDB Database Server
Perform the following steps to enable Kerberos authentication on MariaDB Database Server and to connect Cloudera Manager Server to the Kerberos-enabled MariaDB. These steps apply to both TLS 1.2 and non-TLS 1.2 clusters.
- SSH into the MariaDB database host.
- Run the following command to install the auth_gssapi.so plugin:
  sudo yum install MariaDB-gssapi-server
  Ensure the plugin is present in the following directory: /usr/lib64/mysql/plugin.
- On the MariaDB server, create Service Principal and Keytab by running the following commands:
  - For MIT Kerberos
    Run the following command to create Service Principal:
    kadmin -p root/admin -q "addprinc -randkey mariadb/${HOST}"
  - For AD Kerberos
    Run the following command on AD server to create Service Principal:
    dsadd user CN=mariadb,CN=Users,DC=qe-infra-ad,DC=cloudera,DC=com -pwd Test123 -samid mariadb -upn mariadb@QE-INFRA-AD.CLOUDERA.COM
  - For MIT Kerberos
    Run the following command to create Keytab:
    kadmin -p root/admin -q "ktadd -k /path/to/mariadb.keytab mariadb/${HOST}"
  - For AD Kerberos
    Run the following command on AD server to create Keytab:
    ktpass.exe /princ mariadb@QE-INFRA-AD.CLOUDERA.COM /mapuser mariadb@QE-INFRA-AD.CLOUDERA.COM /pass Test123 /out mariadb.keytab /crypto all /ptype KRB5_NT_PRINCIPAL /mapop set
    Copy the Keytab file to the database host.
  - For AD Kerberos only
    Run the following command to map service principal name to the principal:
    setspn -s mariadb/QE-INFRA-AD.CLOUDERA.COM mariadb
  - Add the Service Principal and Keytab to the /etc/my.cnf configuration file:
    gssapi_keytab_path=/path/to/mariadb.keytab
    gssapi_principal_name=service_principal_name/host.domain.com@REALM
- You must install the plugin on the MariaDB (database) side. You can do this either by following Step 4. a. or Step 4. b.:
  - Run the following query on the MariaDB database:
    INSTALL SONAME 'auth_gssapi';
  - Add the following line to the /etc/my.cnf configuration file:
    plugin_load_add = auth_gssapi
    Restart the MariaDB server by running the following command:
    sudo systemctl restart mariadb
  After performing Step 4. a. or Step 4. b., the plugin is visible in the plugin table. To verify the plugin, run the following query:
  SHOW PLUGINS;
- Create user principals and do kinit on the Cloudera Manager Server by running the following commands:
  - For MIT Kerberos
    - Create user principal by running the following command:
      kadmin -p root/admin -q "addprinc cm_kerb_user"
    - Run the following command to create Keytab for the user in MIT:
      kadmin -p root/admin -q "ktadd -k /mdbktb/cm_kerb_user.keytab cm_kerb_user"
    - Do kinit by running the following command:
      kinit cm_kerb_user
  - For AD Kerberos
    - Run the following command to create user in Active Directory:
      dsadd user CN=cm_kerb_user,CN=Users,DC=qe-infra-ad,DC=cloudera,DC=com -pwd Test123 -samid cm_kerb_user -upn cm_kerb_user@QE-INFRA-AD.CLOUDERA.COM
    - Run the following command to create Keytab for the user in Active Directory:
      ktpass.exe /princ cm_kerb_user@QE-INFRA-AD.CLOUDERA.COM /mapuser cm_kerb_user@QE-INFRA-AD.CLOUDERA.COM /pass Test123 /out cm_kerb_user.keytab /crypto all /ptype KRB5_NT_PRINCIPAL /mapop set
    - Run the following command to map service principal name to the principal in Active Directory:
      setspn -s cm_kerb_user/QE-INFRA-AD.CLOUDERA.COM cm_kerb_user
    - Copy the Keytab file to the Cloudera Manager Server host.
    - Do kinit by running the following command in the Cloudera Manager Server host:
      sudo /usr/bin/kinit -kt /cdep/keytabs/cm_kerb_user.keytab -l 1d -r 8d cm_kerb_user
- On the MariaDB database, create the user for Kerberos authentication by running the following commands:
  CREATE USER 'cm_kerb_user'@'%' IDENTIFIED WITH gssapi;
  GRANT ALL PRIVILEGES ON cm.* TO 'cm_kerb_user'@'%' IDENTIFIED VIA gssapi;
- Run the following command to log in as the user using Kerberos and verify whether the Kerberos configuration and user are working correctly:
  mysql --plugin-dir=/usr/lib64/mysql/plugin --user=cm_kerb_user --host=hostname
- Connect Cloudera Manager Server to the Kerberos-enabled MariaDB by performing the following steps:
  - By default mysql-connector-java.jar is available. You must have MariaDB Connector/J JDBC driver for building Java applications on top of MariaDB such as mariadb-java-client-3.1.4.jar. Add mariadb-java-client-3.1.4.jar file to /usr/share/java location.
  - Add the following line to the /etc/default/cloudera-scm-server file:
    export CMF_JDBC_DRIVER_JAR="${CMF_JDBC_DRIVER_JAR}:/usr/share/java/mariadb-java-client-3.3.3.jar"
  - Create a /etc/jaas.conf file with the following content. Also, for the keyTab section, add the correct directory location for the cm_kerb_user.keytab keytab:
    Krb5ConnectorContext {
      com.sun.security.auth.module.Krb5LoginModule required
      useKeyTab=true
      keyTab="/mdbktb/cm_kerb_user.keytab"
      principal="cm_kerb_user@ROOT.COMOPS.SITE"
      doNotPrompt=true;
    };
  - For TLS cluster
    Update the JDBC URL in /etc/cloudera-scm-server/db.properties. The updated URL should look like this:
    com.cloudera.cmf.orm.hibernate.connection.url=jdbc:mysql://localhost:3306/cm?user=cm_kerb_user&sslMode=PREFERRED&trustCertificateKeyStoreUrl=file:///cdep/mariadbssl/db_keystore.jks&trustCertificateKeyStoreType=jks&trustCertificateKeyStorePassword=verystrongpassword&enabledTLSProtocols=TLSv1.2
  - For non-TLS cluster
    Update the JDBC URL in /etc/cloudera-scm-server/db.properties. The updated URL should look like this:
    com.cloudera.cmf.orm.hibernate.connection.url=jdbc:mariadb://<<host>>:3306/cm?user=cm_kerb_user
  - Add the following properties to /etc/default/cloudera-scm-server:
    export CMF_JAVA_OPTS="${CMF_JAVA_OPTS} -Djava.security.krb5.kdc=krbmariadb-1.krbmariadb.root.hwx.site -Djava.security.krb5.realm=ROOT.HWX.SITE -Djava.security.auth.login.config=/etc/jaas.conf"
  - Restart the Cloudera Manager Server by running the following command:
    sudo systemctl restart cloudera-scm-server
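
The keytab steps above export keys with ktpass.exe /crypto all and then copy the keytab files between hosts. As an added example (not part of the original documentation), the following shell functions list keytab entries whose encryption type is not AES or Camellia and check that a keytab file grants nothing to group or other. The function names and the sample klist listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original documentation.

# Constructed sample of `klist -kte mariadb.keytab` output for a keytab
# exported with `ktpass.exe ... /crypto all` (KVNO and timestamps invented).
sample_crypto_all_listing() {
cat <<'EOF'
Keytab name: FILE:mariadb.keytab
KVNO Timestamp           Principal
---- ------------------- ----------------------------------------------
   3 01/15/2024 10:22:31 mariadb@QE-INFRA-AD.CLOUDERA.COM (des-cbc-crc)
   3 01/15/2024 10:22:31 mariadb@QE-INFRA-AD.CLOUDERA.COM (des-cbc-md5)
   3 01/15/2024 10:22:31 mariadb@QE-INFRA-AD.CLOUDERA.COM (arcfour-hmac)
   3 01/15/2024 10:22:31 mariadb@QE-INFRA-AD.CLOUDERA.COM (aes256-cts-hmac-sha1-96)
   3 01/15/2024 10:22:31 mariadb@QE-INFRA-AD.CLOUDERA.COM (aes128-cts-hmac-sha1-96)
EOF
}

# Read `klist -kte` output on stdin and print "<principal> <enctype>" for
# every key that is not AES or Camellia (DES, 3DES and RC4 are deprecated
# by RFC 6649 and RFC 8429). Returns 1 if any such key exists, else 0.
weak_keytab_entries() {
    awk '
        # Entry rows start with a numeric KVNO and end with "(enctype)".
        $1 ~ /^[0-9]+$/ && match($0, /\([^()]+\)[ \t]*$/) {
            enc = substr($0, RSTART, RLENGTH)
            gsub(/^\(|\)[ \t]*$/, "", enc)
            sub(/^DEPRECATED:/, "", enc)  # tag printed by newer MIT klist
            n = split(substr($0, 1, RSTART - 1), f, " ")
            if (enc !~ /^(aes|camellia)/) {
                print f[n], enc
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Return 0 only if the file grants no permission bits to group or other.
keytab_mode_is_private() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Demo on the constructed listing. On a real host:
#   klist -kte /path/to/mariadb.keytab | weak_keytab_entries
sample_crypto_all_listing | weak_keytab_entries || echo "non-AES keys present"
```

A keytab that fails either check can be re-exported with only AES encryption types and restricted to the account that runs the database or Cloudera Manager Server.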