GSSAPI Authentication (Enterprise)
CockroachDB supports the Generic Security Services API (GSSAPI) with Kerberos authentication.
Note:
GSSAPI authentication is an enterprise-only feature.
Configuring KDC
To use Kerberos authentication with CockroachDB, configure a Kerberos service principal name (SPN) for CockroachDB and generate a valid keytab file with the following specifications:
- Set the SPN to the name specified by your client driver. For example, if you use the psql client, set SPN to
postgres
. - Create SPNs for all DNS addresses that a user would use to connect to your CockroachDB cluster (including any TCP load balancers between the user and the CockroachDB node) and ensure that the keytab contains the keys for every SPN you create.
Configuring the CockroachDB node
Copy the keytab file to a location accessible by the
cockroach
binary.Create certificates for internode and
root
user authentication:
$ mkdir certs my-safe-directory
$ cockroach cert create-ca \
--certs-dir=certs \
--ca-key=my-safe-directory/ca.key
$ cockroach cert create-node \
localhost \
$(hostname) \
--certs-dir=certs \
--ca-key=my-safe-directory/ca.key
$ cockroach cert create-client \
root \
--certs-dir=certs \
--ca-key=my-safe-directory/ca.key
Provide the path to the keytab in the
KRB5_KTNAME
environment variable.Start a CockroachDB node:
$ cockroach start \
--certs-dir=certs \
--listen-addr=0.0.0.0
- Connect to CockroachDB as
root
using theroot
client certificate generated above:
$ cockroach sql --certs-dir=certs
Note:
You need the enterprise license if you want to use the GSSAPI feature. However, if you only want to test that the GSSAPI setup is working, you don't need to enable an enterprise license.
- Enable GSSAPI authentication:
> SET cluster setting server.host_based_authentication.configuration = 'host all all all gss include_realm=0';
Setting the server.host_based_authentication.configuration
cluster setting makes it mandatory for all users (except root
) to authenticate using GSSAPI. The root
user is still required to authenticate using its client certificate.
The include_realm=0
option is required to tell CockroachDB to remove the @DOMAIN.COM
realm information from the username. We don't support any advanced mapping of GSSAPI usernames to CockroachDB usernames right now. If you want to limit which realms' users can connect, you can also add one or more krb_realm
parameters to the end of the line as a whitelist, as follows: host all all all gss include_realm=0 krb_realm=domain.com krb_realm=corp.domain.com
- Create CockroachDB users for every Kerberos user. Ensure the username does not have the
DOMAIN.COM
realm information. For example, if one of your Kerberos user has a usernamecarl@realm.com
, then you need to create a CockroachDB user with the usernamecarl
:
> CREATE USER carl;
Grant privileges to the user:
> GRANT ALL ON DATABASE defaultdb TO carl;
Configuring the client
Note:
The cockroach sql
shell does not yet support GSSAPI authentication. You need to use a GSSAPI-compatible Postgres client, such as Postgres's psql
client.
- Install and configure your Kerberos client.
- Install the Postgres client (for example, postgresql-client-10 Debian package from postgresql.org).
- Get a Kerberos TGT for the Kerberos user from the KDC using
kinit
. - Use the
psql
client, which natively supports GSSAPI authentication, to connect to CockroachDB:
> psql "postgresql://localhost:26257/defaultdb?sslmode=require" -U carl
- If you specified an enterprise license earlier, you should now have a Postgres shell in CockroachDB, indicating that the GSSAPI authentication was successful. If you did not specify an enterprise license, you'll see a message like this:
psql: ERROR: use of GSS authentication requires an enterprise license.
If you see this message, GSSAPI authentication is set up correctly.