Enabling Kerberos authentication in Watson Query
If you want to connect to a data source with Kerberos authentication, you must provide the Kerberos configuration file to Watson Query before you create the connection.
Watson Query supports connecting to the following connectors that have Kerberos authentication:
- Apache Hive
- Cloudera Impala
Before you begin
- Who needs to complete this task?
- To complete this task, you must be an administrator of the project (namespace) where Cloud Pak for Data is installed.
Note: You can configure Kerberos authentication when you create connections to data sources in Platform connections or in Watson Query. You can skip the steps in this task if you already provided the configuration file to the platform connection. For more information, see Enabling platform connections to use Kerberos authentication.
Procedure
Complete the following tasks to configure Kerberos in Watson Query:
- Providing the Kerberos configuration file (krb5.conf) in Watson Query
- Optional: Verifying the Kerberos configuration and environment variables in Watson Query
- If you have instances of Watson Query running in tethered projects, you must copy the krb5-config-files configmap to the tethered projects. For more information, see Copying secrets and configmaps to tethered projects in Watson Query.
Providing the Kerberos configuration file (krb5.conf) in Watson Query
- Retrieve the krb5.conf Kerberos configuration file from the node where the Key Distribution Center (KDC) is configured. The file is typically in the /etc directory.
- Copy the krb5.conf file to a workstation that can access the environment where the oc commands are run.
- Create a ConfigMap object named krb5-config-files in the same Cloud Pak for Data project where the Watson Query service is running. The ConfigMap contains the Kerberos configuration file (krb5.conf) information.
oc create configmap krb5-config-files \
  --from-file=${KRB5_CONF_FILE} \
  --namespace=${PROJECT_CPD_INST_OPERANDS}
Where:
- ${PROJECT_CPD_INST_OPERANDS} is the name of the Cloud Pak for Data project (namespace).
- ${KRB5_CONF_FILE} is the Kerberos configuration file from the node where the Key Distribution Center (KDC) is configured.
- Additional step for the Apache Hive connection under these conditions:
  - You are running Cloud Pak for Data on a FIPS-enabled cluster.
  - Your Apache Hive Kerberos instance is not configured for AES 256 encryption.
  Add the following setting to the [libdefaults] section of the krb5.conf file that you store in the ConfigMap (krb5-config-files):
  allow_weak_crypto = true
  This setting makes the Kerberos libraries in the pod accept weak encryption types for that realm, so keep it only for as long as the Hive KDC cannot offer AES 256.
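Before you run the oc create configmap command, you can sanity-check the krb5.conf file on the workstation. The following script is an added example and is not part of the IBM documentation or the Watson Query product; it assumes the "key = value" spacing shown in the krb5.conf sample on this page, and the krb5.conf it parses is a constructed sample written to a temporary file. It checks that a default realm and its KDC are defined and warns when allow_weak_crypto is enabled.

```shell
#!/usr/bin/env bash
# Added example, not IBM code: pre-flight check for a krb5.conf before it is
# loaded into the krb5-config-files ConfigMap. Assumes "key = value" spacing.
# Constructed sample krb5.conf (mirrors the layout shown in this page).
KRB5_CONF_FILE=$(mktemp)
cat > "$KRB5_CONF_FILE" <<'EOF'
[libdefaults]
  forwardable = true
  default_realm = IBM.COM
  allow_weak_crypto = true
[realms]
  IBM.COM = {
    admin_server = mykrbadminserver.ibm.com
    kdc = mykdcadminserver.ibm.com
  }
EOF

# krb5_get SECTION KEY FILE: print the value of KEY inside [SECTION].
krb5_get() {
  awk -v sec="[$1]" -v key="$2" '
    /^[[:space:]]*\[/ { insec = ($1 == sec); next }
    insec && $1 == key && $2 == "=" { print $3; exit }
  ' "$3"
}

# krb5_realm_kdc REALM FILE: print the kdc host of REALM in [realms].
krb5_realm_kdc() {
  awk -v realm="$1" '
    /^[[:space:]]*\[realms\]/ { insec = 1; next }
    /^[[:space:]]*\[/         { insec = 0; next }
    insec && $1 == realm && $2 == "=" && $3 == "{" { inrealm = 1; next }
    inrealm && $1 == "}" { exit }
    inrealm && $1 == "kdc" && $2 == "=" { print $3; exit }
  ' "$2"
}

# krb5_check FILE: succeed only if default_realm has a KDC; warn on weak crypto.
krb5_check() {
  realm=$(krb5_get libdefaults default_realm "$1")
  [ -n "$realm" ] || { echo "missing default_realm" >&2; return 1; }
  kdc=$(krb5_realm_kdc "$realm" "$1")
  [ -n "$kdc" ] || { echo "no kdc defined for realm $realm" >&2; return 1; }
  if [ "$(krb5_get libdefaults allow_weak_crypto "$1")" = "true" ]; then
    echo "WARNING: allow_weak_crypto = true accepts weak enctypes" >&2
  fi
  echo "$realm via $kdc"
}

krb5_check "$KRB5_CONF_FILE"
```

Point KRB5_CONF_FILE at the real file copied from the KDC node to check it instead of the embedded sample.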
Optional: Verifying the Kerberos configuration and environment variables in Watson Query
- Verify that the KRB5_CONF_FILE environment variable is set and points to the default configuration file location /mnt/blumeta0/configmap/external/krb5-config-files/krb5.conf in the c-db2u-dv-db2u-0 pod.
oc exec -it c-db2u-dv-db2u-0 -n ${PROJECT_CPD_INST_OPERANDS} -c db2u -- bash
su - db2inst1
echo ${KRB5_CONF_FILE}
The output matches the following example.
/mnt/blumeta0/configmap/external/krb5-config-files/krb5.conf
- Verify that the configuration file content is mounted as a file under the default file location /mnt/blumeta0/configmap/external/krb5-config-files/.
oc exec -it c-db2u-dv-db2u-0 -n ${PROJECT_CPD_INST_OPERANDS} -c db2u -- bash
su - db2inst1
ls -l ${KRB5_CONF_FILE}
The output resembles the following example.
lrwxrwxrwx. 1 root root 16 May 4 09:25 /mnt/blumeta0/configmap/external/krb5-config-files/krb5.conf -> ..data/krb5.conf
- Verify the content of the krb5.conf file that is mounted in the pod.
oc exec -it c-db2u-dv-db2u-0 -n ${PROJECT_CPD_INST_OPERANDS} -c db2u -- bash
su - db2inst1
cat ${KRB5_CONF_FILE}
The output resembles the following example:
[libdefaults]
  forwardable = true
  default_realm = IBM.COM
  ticket_lifetime = 24h
  dns_lookup_realm = false
  dns_lookup_kdc = false

[logging]
  default = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
  kdc = FILE:/var/log/krb5kdc.log

[realms]
  IBM.COM = {
    admin_server = mykrbadminserver.ibm.com
    kdc = mykdcadminserver.ibm.com
  }
Note: If the Kerberos configuration file (krb5.conf) is not mounted under /mnt/blumeta0/configmap/external/krb5-config-files, force the pod to restart to ensure that ConfigMap updates are picked up by Watson Query.