Applies to: Denodo 8.0, Denodo 7.0
Last modified on: 09 Dec 2021
Tags: Administration, Kerberos
This document details the process for configuring Kerberos in the Denodo servers.
Note: This document is the third one of a series of four documents that provide a detailed explanation of how to configure Kerberos in the Denodo server and the client tools.
You can check the Kerberizing Denodo for SSO - Step by step guide - Introduction (I) that contains the index of this set of documents and a detailed explanation of the environment used for this example.
The next step is to configure the Denodo Platform installation in order to enable Kerberos using the generated “denodovm.keytab” file. For the Denodo Platform (Virtual DataPort server) we will follow the instructions explained in the Setting-Up the Kerberos Authentication in the Virtual DataPort Server section of the Denodo documentation.
Note: Check that documentation for a detailed explanation. This guide only shows the steps performed in this sample environment.
Let’s start by copying the keytab to a known directory, for example /opt/denodo/shared/vdp/kerberos/denodovm.keytab
As this server is Linux, Virtual DataPort also needs a Kerberos configuration file. Our machine is already joined to the Windows Domain and, by default, it has a krb5.conf file located at /etc/krb5.conf
You will get an output like this one:
Important things to consider in a krb5.conf file:
NOTE: A krb5 file used by a web application will not be automatically refreshed after a change. To ensure the changes in the file take effect, all Denodo servers must be completely stopped, including the Tomcat embedded web container and all web applications. To change the krb5 file used by the web applications follow these steps:
In addition to that, after a change, a web application will override the krb5 file of other web applications as they run on the same JVM. To avoid configuration problems with this, we recommend using the default location of the krb5 file or, if a custom krb5 file is needed for the web applications, to configure the same file for all the web applications running on the same web container.
Now we have all the files needed, so we can start configuring the Denodo Platform. We will start by testing the LDAP configuration to avoid permissions issues later when Kerberos is activated in the server.
As usual for Linux boxes, we need to ensure the RMI Host configuration of VDP is correct for connections from external machines. Execute:
more /opt/denodo/denodo80/denodo-platform/conf/vdp/VDPConfiguration.properties | grep registryURL
Note: You should use the hostname of the server; in our example this is denodovm.denodo.loc
If you need to modify the RMI host, edit the VDPConfiguration.properties, save it and execute the standard script:
/opt/denodo/denodo80/denodo-platform/bin/regenerateFiles.sh
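A pre-flight check for the files prepared so far, as an added example that is not part of this guide or of the Denodo documentation. It verifies that the keytab is not accessible to group or others, that the Kerberos configuration file is readable, and that registryURL holds the expected hostname. The function names and the constructed sample files are assumptions, and the keytab permission check is an added hardening step rather than one the guide lists.

```shell
#!/bin/sh
# Added example (not Denodo code): pre-flight checks before starting the server.

# Succeeds when the keytab exists and has no group/other permission bits
# (for example mode 600). The keytab holds the service principal's long-term
# key, so it is checked like a private key file.
keytab_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Prints the value of the first uncommented property whose key ends in
# "registryURL", the line the grep command in this guide displays.
registry_host() {
    awk -F= '!/^[ \t]*#/ && $1 ~ /registryURL[ \t]*$/ {
        v = $2; gsub(/^[ \t]+|[ \t\r]+$/, "", v); print v; exit }' "$1"
}

# Arguments: keytab, krb5.conf, VDPConfiguration.properties, expected hostname.
# Prints one line per failed check and returns 0 only when all of them pass.
preflight() {
    rc=0
    keytab_is_private "$1" || { echo "FAIL: keytab missing or accessible to group/others: $1"; rc=1; }
    [ -r "$2" ] || { echo "FAIL: Kerberos configuration file not readable: $2"; rc=1; }
    host=$(registry_host "$3" 2>/dev/null) || host=""
    [ "$host" = "$4" ] || { echo "FAIL: registryURL is '$host', expected '$4'"; rc=1; }
    return "$rc"
}

if [ "$#" -eq 4 ]; then
    preflight "$@"
else
    # No arguments: run against constructed sample files in a temp directory.
    d=$(mktemp -d)
    : > "$d/sample.keytab"; chmod 640 "$d/sample.keytab"   # constructed, too open
    : > "$d/krb5.conf"                                     # constructed, empty
    # Constructed properties line; the key prefix is a placeholder.
    echo "example.registryURL=localhost" > "$d/vdp.properties"
    preflight "$d/sample.keytab" "$d/krb5.conf" "$d/vdp.properties" denodovm.denodo.loc \
        || echo "(failures above are expected for the constructed sample)"
    rm -rf "$d"
fi
```

On the server in this guide, pass the four values as arguments: the keytab path, /etc/krb5.conf, the VDPConfiguration.properties path and denodovm.denodo.loc.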
Once the RMI host configuration is correct, start the server and ensure the Virtual DataPort server is running correctly.
In order to test the connection, open a Denodo Administration Tool (from your laptop, for example) and connect to Virtual DataPort using a local user (for example, the default admin/admin user).
Note: You can use //denodovm.denodo.loc:9999/admin for the connection.
By default, Kerberos-related log messages are written to the console (standard output). As a best practice, it is recommended to add a new logger to the $DENODO_HOME/conf/vdp/log4j2.xml file (only with Denodo 8.0 or Denodo 7.0 starting with update 20190903):
<Logger name="com.denodo.util.logging.JavaConsoleLogging" level="debug" />
After making this modification, you have to restart the VDP server (in our host, execute: service vdpserver80 restart)
This step is not needed for enabling Kerberos authentication but it helps a lot for creating the roles before enabling Kerberos and for testing privileges associated with the users.
Follow these steps:
Why do we use that configuration?
With the previous test, we know the privileges are working so we can move to configure Kerberos!
Follow these steps:
Why do we use this configuration?
The Virtual DataPort server is now configured successfully with Kerberos. Next, it’s time to configure the web applications; in our case, the Denodo Data Catalog.
Follow these steps:
Note: The next step in this process is configuring the Denodo client applications and external tools to authenticate using Kerberos. You can check the third and last part of this tutorial at the following link: Kerberizing Denodo for SSO - Step by step guide - Clients Configuration (IV)