Skip to content

kongyew/greenplum-kerberos

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

14 Commits
docs
docs
 
 
gpdb
gpdb
 
 
kdc-kadmin
kdc-kadmin
 
 
kerberos-client
kerberos-client
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README-JDBC.md
README-JDBC.md
 
 
README.md
README.md
 
 
SetupGPDBKerberos.MD
SetupGPDBKerberos.MD
 
 
TROUBLESHOOTING.MD
TROUBLESHOOTING.MD
 
 
TROUBLESHOOTING_JDBC.MD
TROUBLESHOOTING_JDBC.MD
 
 
Untitled
Untitled
 
 
build_docker.sh
build_docker.sh
 
 
config.sh
config.sh
 
 
docker-compose-gpdb.yml
docker-compose-gpdb.yml
 
 
docker-compose-gpdb_spark.yml
docker-compose-gpdb_spark.yml
 
 
docker-compose.yml
docker-compose.yml
 
 
gpdb-kerberos.keytab
gpdb-kerberos.keytab
 
 
kerberos.env
kerberos.env
 
 
krb5.conf
krb5.conf
 
 
run_docker.sh
run_docker.sh
 
 
run_docker_spark.sh
run_docker_spark.sh
 
 

Repository files navigation

Greenplum with Kerberos

This example provides docker images with Kerberos KDC, Kerberos client and GPDB single node cluster

Table of Content

  • The noPermissions principal with no permissions. Useful for testing applications that use kerberos principals.
  • The function kadminCommand which performs kadmin commands using the kadmin/admin principal.

Running

Run docker-compose to initialize KDC, Kerberos client and Greenplum

To run Kerberos KDC and client run docker-compose up on the root directory of this repo.

To run Greenplum with Kerberos instance run docker-compose -f ./docker-compose-gpdb.yml up

Configure KDC server

  1. Login to kdc-kadmin instance
docker exec -it kdc-kadmin  bin/bash
  1. Copy the keytab (gpdb-kerberos.keytab) that is generated during execution of init-script.sh to the shared folder code among the docker instances
cp /tmp/gpdb-kerberos.keytab /code
  1. Copy the krb5.conf that is required by any Kerberos clients to the shared folder code among the docker instances
cp /etc/krb5.conf /code

Configure Greenplum server with Kerberos Authentication

  1. Login to Greenplum server (gpdbsne)
docker exec -it gpdbsne bin/bash
  1. As root, copy krb5.conf into etc/krb5.conf
[root@gpdbsne /]# cp /code/krb5.conf /etc/krb5.conf
  1. Change user as gpadmin. Copy kerberos tab file from shared folder code to home/gpadmin
[root@gpdbsne /]# su gpadmin
[gpadmin@gpdbsne /]$ cp /code/gpdb-kerberos.keytab  /home/gpadmin
  1. Copy .java.login.conf to /home/gpadmin. This file is required for JDBC with Kerberos
[gpadmin@gpdbsne /]$ cp /code/gpdb/files/.java.login.config /home/gpadmin
  1. Verify Kerberos client settings on GPDB. Using gpadmin, run kinit to initialize the kerberos tabfile with principal gpadmin/kdc-kadmin
[gpadmin@gpdbsne ~]$cd ~
[gpadmin@gpdbsne ~]$kinit -kt ./gpdb-kerberos.keytab gpadmin/kdc-kadmin

Use klist to verify the cache is initalized.

[gpadmin@gpdbsne ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: gpadmin/[email protected]

Valid starting     Expires            Service principal
11/05/17 21:01:10  11/06/17 21:01:10  krbtgt/[email protected]
  1. Configure Kerberos settings by running this script
[gpadmin@gpdbsne /]$ /code/gpdb/scripts/setupKerberos4PSQL.sh
  • Execute psql postgres -c 'create role "gpadmin/kdc-kadmin" login superuser;'
  • Add krb_server_keyfile = /home/gpadmin/gpdb-kerberos.keytab to this file: postgresql.conf
  • Add host all all 0.0.0.0/0 gss include_realm=0 krb_realm=EXAMPLE.COM to this file /gpdata/master/gpseg-1/pg_hba.conf
  • Restart GPDB
  1. Verify Greenplum authenticates users with Kerberos KDC. Next, login as gpadmin/kdc-kadmin to the greenplum database. No password is required.
[gpadmin@gpdbsne ~]$ psql -U "gpadmin/kdc-kadmin" -h gpdbsne.example.com postgres
psql (8.4.20, server 8.2.15)
WARNING: psql version 8.4, server version 8.2.
         Some psql features might not work.
Type "help" for help.

postgres=#

Verify this log entries in the KDC-kadmin server. The log file is /var/log/krb5kdc.log

Nov 05 21:03:26 kdc-kadmin.example.com krb5kdc[35](info): TGS_REQ (4 etypes {18 17 16 23}) 172.20.0.4: ISSUE: authtime 1509915670, etypes {rep=18 tkt=18 ses=18}, gpadmin/[email protected] for postgres/[email protected]

How to customize (eg. change the REALM)

  1. Change the file kerberos.env. This way the properties will be shared between the kdc and the kerberos client.
  2. Define environment variables in docker-compose.yml or docker-compose-gpdb.yml. You will need to define them for each service that uses kerberos.

If you want to keep up with the possible changes of this repo, you can use:

License

This example is open source and available under the MIT license.

Reference:

Greenplum Kerberos docs Greenplum with Single sign-on with Active Directory

About

Greenplum with Kerberos

kongyew.github.io/greenplum-kerberos/

Topics

kerberos greenplum kerberos-client

Resources

Readme

License

View license
Activity

Stars

1 star

Watchers

2 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages