Using Kerberos authentication with Databand Self-Hosted
To use Kerberos authentication you must first prepare for Kerberos authentication, then install and deploy Databand in your Kubernetes cluster, and finally mount resources to your Databand pods.
Prerequisites
Before you begin using Kerberos authentication with your Databand Self-Hosted deployment, you must have the following:
- A key distribution center (KDC) server that is properly configured and is reachable from the machines where Databand is run
- A PostgreSQL database that supports Kerberos authentication and is configured with a unique service principal name (SPN)
- A Kerberos principal with a PostgreSQL user that has access to the Databand database and has permission to Read, Write, and Create
Preparing your Kubernetes namespace for Kerberos authentication
The following section describes how to create and prepare the Databand namespace in Kubernetes.
Begin by preparing your configmap and keytab files.
- Create the namespace where you want to deploy Databand and set it to the current context:
helm upgrade databand --install --create-namespace --namespace databand-system --values ./user-values.yaml .
- Create a configmap with the content of the Kerberos config file:
kubectl create configmap krb5-config --from-file=<local_path_to_krb_conf>
- If you want to use a keytab file, create a Kubernetes secret with the contents of the keytab file:
kubectl create secret generic krb5-keytab --from-file=<local_path_to_keytab_file>
Next, follow the installation instructions for deploying Databand Self-Hosted with Kubernetes. After you complete the instructions in the Preparing your environment, Docker registry, and value files section, see the following section to mount your resources to your Databand pods.
Mounting resources to your Databand pods
- After you generate the two secrets, as described in step 7 of Preparing your environment, Docker registry, and value files, add the Kerberos configmap and keytab secret to user-values.yaml and mount them as volumes in the Databand pods:
...
databand:
  extraConfigmapMounts:
    - name: krb-config
      configMap: <name_to_configmap_holds_krb_config> # from step 2
      mountPath: /etc/krb5_config # /etc/krb5
      readOnly: true
  extraSecretsMounts:
    - name: krb-keytab
      secret: <name_to_secret_holds_keytab_data> # from step 3
      mountPath: /etc/krb5_secret
      readOnly: true
- Enable Databand Kerberos authentication:
web:
  kerberos:
    enabled: true
    config_path: "<path to the volume that has krb.conf file>"
    keytab_path: "<path to the volume that has keytab file>"
    kinit_args: "<Arguments to supply kinit command>" # "-k <principal>"
    renewal_interval: 3600 # the interval at which Databand renews the Kerberos ticket
- Update the Databand database config in user-values.yaml to use Kerberos authentication:
sql_alchemy_conn:
  protocol: "postgresql+psycopg2"
  username: "<principal>@CORP.EXAMPLE.COM" # The principal that has the db user
  password: "" # Leave password empty
  host: "<Database host>"
  port: "<Database port>"
  dbname: "<Databand Application db name>" # By default databand
  existingSecret:
    name: ""
    secretKeys:
      userPasswordKey: ""
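The mounts, the web.kerberos block and the sql_alchemy_conn block above have to agree with each other (paths inside the mounted volumes, the kinit principal matching the database user, no static password left behind). The following script is an added example, not part of Databand's own tooling; it checks those relationships on the values layout shown on this page and also sanity-checks a keytab file before it is stored as a Kubernetes secret. The sample values, hostnames and principal names in it are constructed for illustration; a real user-values.yaml would be loaded with yaml.safe_load from PyYAML into the same dict shape.

```python
"""Consistency check for the Kerberos settings in user-values.yaml (added example)."""
import os
import re
import stat

# Constructed sample of the relevant user-values.yaml fragment, as a dict
# (yaml.safe_load on the real file yields the same shape).
SAMPLE_VALUES = {
    "databand": {
        "extraConfigmapMounts": [
            {"name": "krb-config", "configMap": "krb5-config",
             "mountPath": "/etc/krb5_config", "readOnly": True},
        ],
        "extraSecretsMounts": [
            {"name": "krb-keytab", "secret": "krb5-keytab",
             "mountPath": "/etc/krb5_secret", "readOnly": True},
        ],
    },
    "web": {
        "kerberos": {
            "enabled": True,
            "config_path": "/etc/krb5_config/krb5.conf",
            "keytab_path": "/etc/krb5_secret/databand.keytab",
            "kinit_args": "-k databand@CORP.EXAMPLE.COM",
            "renewal_interval": 3600,
        }
    },
    "sql_alchemy_conn": {
        "protocol": "postgresql+psycopg2",
        "username": "databand@CORP.EXAMPLE.COM",
        "password": "",
        "host": "db.corp.example.com",  # constructed hostname
        "port": "5432",
        "dbname": "databand",
        "existingSecret": {"name": "", "secretKeys": {"userPasswordKey": ""}},
    },
}

PRINCIPAL_RE = re.compile(r"^[^@\s]+@[A-Z0-9.\-]+$")


def _under_mount(path, mounts):
    """True when path lies inside one of the given mounts and that mount is read-only."""
    return any(path.startswith(m["mountPath"].rstrip("/") + "/") and m.get("readOnly")
               for m in mounts)


def check_values(values):
    """Return a list of problems; an empty list means the fragment is consistent."""
    problems = []
    krb = values["web"]["kerberos"]
    db = values["sql_alchemy_conn"]
    cm_mounts = values["databand"].get("extraConfigmapMounts", [])
    sec_mounts = values["databand"].get("extraSecretsMounts", [])

    if not krb.get("enabled"):
        problems.append("web.kerberos.enabled is not true")
    if not _under_mount(krb["config_path"], cm_mounts):
        problems.append("config_path is not inside a read-only configmap mount")
    if not _under_mount(krb["keytab_path"], sec_mounts):
        problems.append("keytab_path is not inside a read-only secret mount")

    # kinit must run non-interactively from the keytab: "-k <principal>@<REALM>".
    args = krb["kinit_args"].split()
    if not args or "-k" not in args or not PRINCIPAL_RE.match(args[-1]):
        problems.append("kinit_args must be of the form '-k <principal>@<REALM>'")
    elif args[-1] != db["username"]:
        problems.append("kinit principal %r differs from sql_alchemy_conn.username %r"
                        % (args[-1], db["username"]))

    # With Kerberos there must be no static database password, inline or in a secret.
    if db.get("password") or db["existingSecret"].get("name"):
        problems.append("database password must be empty when Kerberos is used")
    if not isinstance(krb["renewal_interval"], int) or krb["renewal_interval"] <= 0:
        problems.append("renewal_interval must be a positive integer")
    return problems


def check_keytab_bytes(header, mode):
    """Check a keytab's first two bytes and its file mode.

    A keytab starts with the version marker 0x05 0x02 (format version 2) and
    should not be readable by group or others.
    """
    problems = []
    if header != b"\x05\x02":
        problems.append("not a version-2 keytab (bad version marker)")
    if mode & 0o077:
        problems.append("keytab is group/world accessible (mode %o)" % mode)
    return problems


def check_keytab_file(path):
    """Apply check_keytab_bytes to a keytab on disk before creating the k8s secret."""
    with open(path, "rb") as fh:
        header = fh.read(2)
    return check_keytab_bytes(header, stat.S_IMODE(os.stat(path).st_mode))


if __name__ == "__main__":
    print(check_values(SAMPLE_VALUES) or "user-values fragment is consistent")
```

Run check_values on the loaded values before `helm upgrade`, and check_keytab_file on the local keytab before `kubectl create secret`; the mount check also catches a volume accidentally left writable, which would let a compromised process in the pod replace the krb5.conf or keytab it authenticates with.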
Now, you can install the Databand Helm chart on your cluster, deploy Databand with Red Hat OpenShift, and log in using Kerberos authentication.