This section provides information about configuring security for a DataStax Enterprise (DSE) cluster using Kerberos.
Kerberos is a computer network authentication protocol that allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner using tickets. This section does not provide detailed information on installing and setting up Kerberos. For this information, see the MIT Kerberos Consortium.
When using Kerberos security, you need to be aware of the scope of Kerberos tickets. Using the su or sudo command leaves any existing credentials behind and requires you to re-authenticate as that new user. If you encounter authentication issues, please ensure that you have a proper Kerberos ticket.
For information about using Kerberos with SSL, see Using Kerberos and SSL at the same time.
The following are general guidelines for setting up Kerberos:
Because JCE-based products are restricted for export to certain countries by the U.S. Export Administration Regulations, DataStax Enterprise does not ship with the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy. DataStax recommends installing the JCE Unlimited Strength Jurisdiction Policy Files:
If you choose not to use AES-256, you must remove the AES-256 settings as an allowed cypher for each principal and regenerate the keys for the krbtgt principal. Remove AES-256 settings in one of the following ways:
If you have not created the principles, use the -e flag to specify encryption:salt type pairs. For example: -e "arcfour-hmac:normal des3-hmac-sha1:normal" This method requires Kerberos 5-1.2 on the KDC.
If you have already created the principles, modify the Kerberos principals using the -e flag as described above and then recreate the keytab file. This method requires Kerberos 5-1.2 on the KDC.
Alternately, you can modify the /etc/krb5kdc/kdc.conf file by removing any entries containing aes256 from the supported_enctypes variable for the realm in which the DSE nodes are members. Then change the keys for the krbtgt principal.
If the KDC is used by other applications, changing the krbtgt principal's keys invalidates any existing tickets. To prevent this, use the -keepold option when executing the change_password command. For example: 'cpw -randkey krbtgt/krbtgt/REALM@REALM'
Do not upgrade DataStax Enterprise and set up Kerberos at the same time; see Security.
To set up Kerberos on your DSE nodes, do the following on every node:
Install the Kerberos client software.
Use Kerberos to generate one keytab file for each node:
kadmin -p <username>/admin addprinc -randkey dse/<FQDN> addprinc -randkey HTTP/<FQDN> ktadd -k dse.keytab dse/<FQDN> ktadd -k dse.keytab HTTP/<FQDN> quit
In the cassandra.yaml configuration file, set the authenticator:
Change the replication strategy and default replication factor for the system_auth keyspace. See Configuring system_auth keyspace replication.
DataStax recommends configuring system_auth keyspaces for fault tolerance (in case of failure). In a multi-node cluster, if the node storing the user data goes down, using the default replication factor of 1 for the system_auth keyspace precludes logging into any secured node.
Set the DSE service principals, keytab location, and qop (Quality of Protection) in the dse.yaml configuration file:
kerberos_options: keytab: resources/dse/conf/dse.keytab service_principal: <dse_user>/_HOST@<REALM> http_principal: HTTP/_HOST@<REALM> qop: auth
After setting up Kerberos as described above, you can turn it on and off by changing the authenticator in the cassandra.yaml file: