Using Kerberos authentication with Databand Self-Hosted

Streamline authentication while improving security by using Kerberos authentication.

To use Kerberos authentication you must first prepare for Kerberos authentication, then install and deploy Databand in your Kubernetes cluster, and finally mount resources to your Databand pods.

Prerequisites

Before you begin using Kerberos authentication with your Databand Self-Hosted deployment, you must have the following:

  • A key distribution center (KDC) server that is properly configured and is reachable from the machines where Databand is run
  • A PostgreSQL database that supports Kerberos authentication and is configured with a unique service principal name (SPN)
  • A Kerberos principal with a PostgreSQL user that has access to the Databand database and has permission to Read, Write, and Create

Preparing your Kubernetes namespace for Kerberos authentication

The following section describes how to create and prepare the Databand namespace in Kubernetes.

Begin by preparing your configmap and keytab files.

  1. Create the namespace where you want to deploy Databand and set it to the current context:
    helm upgrade databand --install --create-namespace --namespace databand-system --values ./user-values.yaml .
    
  2. Create a configmap with the content of the Kerberos config file:
    kubectl create configmap krb5-config --from-file=<local_path_to_krb_conf>
    
  3. If you want to use a keytab file, create a Kubernetes secret with the contents of the keytab file:
    kubectl create secret generic krb5-keytab --from-file=<local_path_to_keytab_file>

Next, follow the installation instructions for deploying Databand Self-Hosted with Kubernetes. After you complete the instructions in the Preparing your environment, Docker registry, and value files section, proceed to mount your resources to your Databand pods.

Mounting resources to your Databand pods

  1. After you generate two secrets, as described in Preparing your environment, Docker registry, and value files, add the Kerberos configmap and keytab secret to user-values.yaml and mount them as volumes to Databand pods.
    ....
    databand:
      extraConfigmapMounts:
        - name: krb-config
          configMap: <name_to_configmap_holds_krb_config> # from step 2
          mountPath: /etc/krb5_config # /etc/krb5
          readOnly: true
      extraSecretsMounts:
        - name: krb-keytab
          secret: <name_to_secret_holds_keytab_data> # from step 3
          mountPath: /etc/krb5_secret
          readOnly: true
  2. Enable Databand Kerberos authentication:
    web:
      kerberos:
        enabled: true
        config_path: "<path to the volume that has krb.conf file>"
        keytab_path: "<path to the volume that has keytab file>"
        kinit_args: "<Arguments to supply to the kinit command>" # for example "-k <principal>"
        renewal_interval: 3600 # the interval at which Databand renews the Kerberos ticket
  3. Update the Databand database config in user-values.yaml to use Kerberos authentication:
    sql_alchemy_conn:
      protocol: "postgresql+psycopg2"
      username: "<principal>@CORP.EXAMPLE.COM" # The principal that owns the database user
      password: "" # Leave the password empty; the Kerberos ticket authenticates the connection
      host: "<Database host>"
      port: "<Database port>"
      dbname: "<Databand Application db name>" # Defaults to databand
      existingSecret:
        name: ""
        secretKeys:
          userPasswordKey: ""
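The three steps above only work together when the paths in web.kerberos point into the volumes mounted in step 1 and the database section no longer carries a static password. The following checker is an added example, not part of the Databand documentation or product: it assumes the values layout shown above (databand.extraConfigmapMounts, databand.extraSecretsMounts, web.kerberos, sql_alchemy_conn) and uses a constructed, already-filled-in values dict; in practice you would load user-values.yaml with yaml.safe_load before calling check_kerberos_values.

```python
"""Consistency check for the Kerberos parts of a Databand user-values.yaml.

Added example (not Databand's own code). SAMPLE_VALUES is a constructed
stand-in for the dict you get from yaml.safe_load(open("user-values.yaml")).
"""
from __future__ import annotations

import posixpath

# Constructed sample: the values file after steps 1-3 above have been applied.
SAMPLE_VALUES = {
    "databand": {
        "extraConfigmapMounts": [
            {"name": "krb-config", "configMap": "krb5-config",
             "mountPath": "/etc/krb5_config", "readOnly": True},
        ],
        "extraSecretsMounts": [
            {"name": "krb-keytab", "secret": "krb5-keytab",
             "mountPath": "/etc/krb5_secret", "readOnly": True},
        ],
    },
    "web": {
        "kerberos": {
            "enabled": True,
            "config_path": "/etc/krb5_config/krb5.conf",
            "keytab_path": "/etc/krb5_secret/databand.keytab",
            "kinit_args": "-k databand@CORP.EXAMPLE.COM",
            "renewal_interval": 3600,
        }
    },
    "sql_alchemy_conn": {
        "protocol": "postgresql+psycopg2",
        "username": "databand@CORP.EXAMPLE.COM",
        "password": "",
        "host": "pg.corp.example.com",  # constructed host name
        "port": "5432",
        "dbname": "databand",
        "existingSecret": {"name": "", "secretKeys": {"userPasswordKey": ""}},
    },
}


def _under(path: str, mount: str) -> bool:
    """True if `path` lies inside directory `mount` (POSIX paths, '..' normalised)."""
    if not path or not mount:
        return False
    norm_path = posixpath.normpath(path)
    norm_mount = posixpath.normpath(mount)
    return norm_path == norm_mount or norm_path.startswith(norm_mount.rstrip("/") + "/")


def check_kerberos_values(values: dict) -> list[str]:
    """Return a list of problems; an empty list means the Kerberos config is consistent."""
    problems: list[str] = []
    krb = values.get("web", {}).get("kerberos", {})
    db = values.get("sql_alchemy_conn", {})
    cm_mounts = values.get("databand", {}).get("extraConfigmapMounts", [])
    sec_mounts = values.get("databand", {}).get("extraSecretsMounts", [])

    if not krb.get("enabled"):
        problems.append("web.kerberos.enabled is not true")

    # config_path must resolve inside a read-only configmap mount from step 1.
    cfg = krb.get("config_path", "")
    cfg_mount = next((m for m in cm_mounts if _under(cfg, m.get("mountPath", ""))), None)
    if cfg_mount is None:
        problems.append(f"config_path {cfg!r} is not under any extraConfigmapMounts mountPath")
    elif not cfg_mount.get("readOnly"):
        problems.append(f"configmap mount {cfg_mount.get('name')} should be readOnly")

    # keytab_path, when used, must resolve inside a read-only Secret mount, never a configmap.
    keytab = krb.get("keytab_path", "")
    if keytab:
        kt_mount = next((m for m in sec_mounts if _under(keytab, m.get("mountPath", ""))), None)
        if kt_mount is None:
            problems.append(f"keytab_path {keytab!r} is not under any extraSecretsMounts mountPath")
        elif not kt_mount.get("readOnly"):
            problems.append(f"secret mount {kt_mount.get('name')} should be readOnly")
        if any(_under(keytab, m.get("mountPath", "")) for m in cm_mounts):
            problems.append("keytab_path points into a configmap; a keytab belongs in a Secret")
        if not any(tok.startswith("-k") for tok in krb.get("kinit_args", "").split()):
            problems.append("keytab_path is set but kinit_args does not select keytab mode (-k)")

    interval = krb.get("renewal_interval")
    if not isinstance(interval, int) or isinstance(interval, bool) or interval <= 0:
        problems.append("renewal_interval must be a positive integer")

    # Database section: a principal with a realm, and no static password next to Kerberos.
    if "@" not in db.get("username", ""):
        problems.append("sql_alchemy_conn.username should be a principal with a realm (user@REALM)")
    if db.get("password"):
        problems.append("sql_alchemy_conn.password must be empty when using Kerberos")
    if db.get("existingSecret", {}).get("name"):
        problems.append("existingSecret.name should be empty; the keytab Secret replaces the password secret")
    return problems


if __name__ == "__main__":
    for problem in check_kerberos_values(SAMPLE_VALUES) or ["ok: Kerberos values are consistent"]:
        print(problem)
```

Run it against the real values file before `helm upgrade`: the two mistakes it catches most often are a config_path or keytab_path that does not match the mountPath chosen in step 1, and a leftover password or existingSecret in sql_alchemy_conn that makes the pod keep using password authentication instead of the ticket.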

Now, you can install the Databand Helm chart on your cluster, deploy Databand with Red Hat OpenShift, and log in using Kerberos authentication.