Page tree

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

D toc

This section describes how to enable relational connections to leverage your Hadoop Single Sign-On (SSO) infrastructure.When this feature is enabled and properly configured, users can create relational (JDBC) connections that use SSO that you have already configured. 

Connections that were created before this feature is enabled continue to operate as expected without modification.

Limitations

  • For this release, this feature applies to SQL Server connections only.
  • Cross-realm is not supported. As a result, the SQL Server instance, service principal, and 
    D s item
    itemprincipal
     must be in the same Kerberos realm.

Pre-requisites

Enable

D s config

ParameterDescription
webapp.connectivity.enableSsoKerberosDelegateSet this flag to true to enable Kerberos-based SSO connections to be created for supported connection types.

Configure

Configure JAAS file and path

D s config

ParameterDescription
webapp.connectivity.kerberosDelegateConfigPath

Path on the

D s item
itemnode
to the location of the JAAS configuration file required by the DataDirect driver.

Info

NOTE: The default location is listed below. You may wish to move this file to a location outside of the

D s item
iteminstallation
to ensure that the file is not overwritten during upgrades.

More information on this file is provided below.

JAAS file

For connections that support Kerberos-delegated authentication, the underlying driver supports a JAAS file in which you can provide environment-specific configuration to the driver. As needed, you can modify this file. 

Connection TypeDefault path to JAAS file
SQL Server%(topOfTree)s/services/data-service/build/conf/kerberosdelegate.config 

Example JAAS file for SQL Server

Below is an example file, where you must apply the Kerberos global keytab and principal values that are to be used to authenticate to use the Kerberos-delegated connections of this type:

Code Block
trifacta_jaas_config {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  doNotPrompt=true
  keyTab="</absolute/path/to/trifacta_jdbc_sso.keytab>"
  principal="<principal_name>";
};
 
JDBC_DRIVER_01 {
  com.sun.security.auth.module.Krb5LoginModule required debug=false
  useTicketCache=true;
};

where:

  • keytab = the absolute path on the 
    D s item
    itemnode
     where the Kerberos global keytab is located.
  • principal = Set to the service principal name of the user's service account in LDAP.

Specify Kerberos configuration file

On the 

D s item
itemnode
, locate the following file:

Code Block
<root>/etc/krb5.conf


If it doesn't exist, create it with the following content, some of which you must specify:

Code Block
[libdefaults]
    default_realm = <my_default_realm>
    forwardable = true # Important that this is set!
  
[realms]
    <my_default_realm> = {
        kdc = <kdc_domain>
    }
  
[domain_realm]
    <my_domain> = <my_default_realm>
SettingDescription
default_realmSet this value to your default Kerberos realm.
forwardableThis value must be set to true.
kdc

For each realm that you create, you must create an entry in [realms].

For the kdc entry, apply the KDC domain that the JDBC connection should use.

my_domain

For each domain to which the Kerberos delegation applies, you must create an entry in [domain_realm].

Entries should look like the following:

Code Block
trifacta.com = TRIFACTA.COM


Modify the location of the Kerberos configuration file

If you need to move the location of the file from the default one, please complete the following:

Steps:

  1. If you haven't already done so, copy the file from its current location to its preferred location. 
  2. D s config
  3. Specify the path to the new location in the following parameter:

    Code Block
    "webapp.connectivity.krb5Path": "/etc/krb5.conf";
  4. Save your changes.

Local DNS configuration

The 

D s item
itemnode
 must be aware of how to map the KDC to an actual IP address. Edit the following file:

Code Block
/etc/hosts

Add an entry in the following format:

Code Block
<IP_address> <FQDN_to_KDC/AD-Server> <alias>
ParameterDescription
IP_addressIP address of the host of the KDC/AD authentication server. IPv4 format only.
FQDN_to_KDC/AD-Server
Fully qualified domain name of the KDC/AD host
aliasAlias to the host.

Example:

Code Block
127.255.255.255 ESNOEQ4-EC@BMBZ.trifacta.com ESNOEQ4-EC@BMBZ

Example Setup

The following example uses the default Kerberos realm to set an SSO connection to a SQL Server instance. This example is intended to demonstrate one way in which you can set up your SSO connections.

Steps:

  1. Create the 

    D s item
    itemservice principal
    :

    1. Form: HTTP/serviceprincipal@REAM 
    2. Enable this flag: ok_to_auth_as_delegate 
    3. Example:

      Code Block
      kadmin -q "addprinc -randkey +ok_to_auth_as_delegate HTTP/serviceprincipal"
      kadmin -q "addprinc -randkey +ok_to_auth_as_delegate HTTP/serviceprincipal@REALM"
    4. For more information on delegation flags, see https://web.mit.edu/kerberos/krb5-1.12/doc/admin/admin_commands/kadmin_local.html
  2. Generate a keytab for the 

    D s item
    itemservice principal
    .

  3. Register the 

    D s item
    itemservice principal
     for Microsoft Sql Server instance:

    1. Enable this flag: ok_as_delegated 
    2. Example:

      Code Block
      kadmin -q "addprinc -randkey +ok_as_delegate MSSQLSvc/<FQDN>:<port>"
      kadmin -q "addprinc -randkey +ok_as_delegate MSSQLSvc/<FQDN>:<port>@REALM"
      kadmin -q "addprinc -randkey +ok_as_delegate MSSQLSvc/<FQDN>"
      kadmin -q "addprinc -randkey +ok_as_delegate MSSQLSvc/<FQDN>@REALM"
    3. For more information on setting this flag, see https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/register-a-service-principal-name-for-kerberos-connections?view=sql-server-2017.
  4. Create a linked SQL Server account: 

    1. Account must have the same name as the end-user principal. 

    2. Account needs connect permissions at least.

Info

NOTE: If you are using LDAP/AD SSO, you can register all of the above SPNs using AD mechanisms. You do not have to use the delegation flags. Delegation can be managed through the UI for the service account.

Use

When you create a new connection of a supported type, you can select the Kerberos Delegate credentials type. When selected, no username or credentials are applied as part of the connection object. Instead, authentication is determined via Kerberos authentication with the cluster.

Sharing

When sharing SSO connections, the credentials for the connection cannot be shared for security reasons. The Kerberos principal for the user with whom the connection is shared is applied. That user must have the appropriate permissions to access any required data through the connection. See Overview of Sharing.