This example provides docker images with Kerberos KDC, Kerberos client and GPDB single node cluster
-
A KDC for your desired realm.
-
The
kadmin/adminprincipal with every permission.
- The
noPermissionsprincipal with no permissions. Useful for testing applications that use kerberos principals. - The function
kadminCommandwhich performs kadmin commands using thekadmin/adminprincipal.
To run Kerberos KDC and client
run docker-compose up on the root directory of this repo.
To run Greenplum with Kerberos instance
run docker-compose -f ./docker-compose-gpdb.yml up
- Login to kdc-kadmin instance
docker exec -it kdc-kadmin bin/bash
- Copy the keytab (gpdb-kerberos.keytab) that is generated during execution of init-script.sh to the shared folder
codeamong the docker instances
cp /tmp/gpdb-kerberos.keytab /code
- Copy the krb5.conf that is required by any Kerberos clients to the shared folder
codeamong the docker instances
cp /etc/krb5.conf /code
- Login to Greenplum server (gpdbsne)
docker exec -it gpdbsne bin/bash
- As root, copy krb5.conf into etc/krb5.conf
[root@gpdbsne /]# cp /code/krb5.conf /etc/krb5.conf
- Change user as gpadmin. Copy kerberos tab file from shared folder
codetohome/gpadmin
[root@gpdbsne /]# su gpadmin
[gpadmin@gpdbsne /]$ cp /code/gpdb-kerberos.keytab /home/gpadmin
- Copy .java.login.conf to
/home/gpadmin. This file is required for JDBC with Kerberos
[gpadmin@gpdbsne /]$ cp /code/gpdb/files/.java.login.config /home/gpadmin
- Verify Kerberos client settings on GPDB. Using
gpadmin, run kinit to initialize the kerberos tabfile with principalgpadmin/kdc-kadmin
[gpadmin@gpdbsne ~]$cd ~
[gpadmin@gpdbsne ~]$kinit -kt ./gpdb-kerberos.keytab gpadmin/kdc-kadmin
Use klist to verify the cache is initalized.
[gpadmin@gpdbsne ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: gpadmin/kdc-kadmin@EXAMPLE.COM
Valid starting Expires Service principal
11/05/17 21:01:10 11/06/17 21:01:10 krbtgt/EXAMPLE.COM@EXAMPLE.COM
- Configure Kerberos settings by running this script
[gpadmin@gpdbsne /]$ /code/gpdb/scripts/setupKerberos4PSQL.sh
- Execute
psql postgres -c 'create role "gpadmin/kdc-kadmin" login superuser;' - Add
krb_server_keyfile = /home/gpadmin/gpdb-kerberos.keytabto this file: postgresql.conf - Add
host all all 0.0.0.0/0 gss include_realm=0 krb_realm=EXAMPLE.COMto this file /gpdata/master/gpseg-1/pg_hba.conf - Restart GPDB
- Verify Greenplum authenticates users with Kerberos KDC.
Next, login as
gpadmin/kdc-kadminto the greenplum database. No password is required.
[gpadmin@gpdbsne ~]$ psql -U "gpadmin/kdc-kadmin" -h gpdbsne.example.com postgres
psql (8.4.20, server 8.2.15)
WARNING: psql version 8.4, server version 8.2.
Some psql features might not work.
Type "help" for help.
postgres=#
Verify this log entries in the KDC-kadmin server. The log file is /var/log/krb5kdc.log
Nov 05 21:03:26 kdc-kadmin.example.com krb5kdc[35](info): TGS_REQ (4 etypes {18 17 16 23}) 172.20.0.4: ISSUE: authtime 1509915670, etypes {rep=18 tkt=18 ses=18}, gpadmin/kdc-kadmin@EXAMPLE.COM for postgres/gpdbsne.example.com@EXAMPLE.COM
- Change the file
kerberos.env. This way the properties will be shared between the kdc and the kerberos client. - Define environment variables in
docker-compose.ymlordocker-compose-gpdb.yml. You will need to define them for each service that uses kerberos.
If you want to keep up with the possible changes of this repo, you can use:
This example is open source and available under the MIT license.
Greenplum Kerberos docs Greenplum with Single sign-on with Active Directory