Enabling Splice Machine Kerberos Authentication on Your Cluster

Kerberos authentication in Splice Machine uses an external KDC server.

LDAP authentication is available only with a Splice Machine Enterprise license; you cannot use LDAP authentication with the Community version of Splice Machine.

To obtain a license for the Splice Machine Enterprise Edition, please contact Splice Machine Sales today.

Follow these steps to enable Kerberos authentication:

  1. Use the KDC to create a new principal and generate a keytab file. For example:
    # kadmin.local
    kadmin.local: addprinc -randkey jdoe@yourdomain.com
    
  2. Set the password for the new principal:
    kadmin.local: cpw jdoe
    Enter password for principal "jdoe@yourdomain.com"
    
  3. Create the keytab file jdoe.keytab:
    kadmin.local: xst -k /tmp/jdoe.keytab jdoe@yourdomain.com
    
  4. Copy the keytab file to your region servers.

  5. Verify that you can successfully kinit with the new keytab file and access the Hadoop file system on the region server node:
    $ kinit -kt /tmp/jdoe.keytab jdoe@yourdomain.com
    
  6. Configure Kerberos authentication against the database by setting your authentication properties as follows:
    <property>
        <name>splice.authentication</name>
        <value>KERBEROS</value>
    </property>
    

    On Cloudera Manager, you can go to HBase Configuration and search for splice.authentication. Change the value to KERBEROS for both Client Configuration and Service Configuration and restart HBase.

  7. On the region server, start Splice Machine (sqlshell.sh), and create a matching user name in your database:
    splice> call SYSCS_UTIL.SYSCS_CREATE_USER( 'jdoe', 'jdoe' );
    
  8. Grant privileges to the new user. For example, here we grant all privileges to user jdoe on a table named myTable:
    splice> GRANT ALL PRIVILEGES ON Splice.myTable to jdoe;
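
The following script is an added example, not part of the Splice Machine documentation: it checks a keytab after step 4 copies it to a region server, confirming that the file is private, that it holds the expected principal, and that kinit accepts it (step 5). The function names are hypothetical, the sample listing is constructed, and the `klist -kt` column layout assumed is that of MIT Kerberos.

```shell
#!/bin/sh
# Added example, not Splice Machine code. Function names are hypothetical;
# the principal and path are the page's placeholder values.

# Constructed sample of `klist -kt` output (MIT Kerberos layout assumed).
SAMPLE_KLIST='Keytab name: FILE:/tmp/jdoe.keytab
KVNO Timestamp           Principal
---- ------------------- ---------------------------
   2 01/15/2024 10:22:31 jdoe@yourdomain.com'

# Succeeds only if the keytab is a regular file with no group/other
# permission bits: a keytab is a long-lived credential, like a password.
keytab_is_private() {
    [ -f "$1" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Reads `klist -kt` output on stdin; succeeds if an entry for the given
# principal is present. Entry rows start with a numeric KVNO.
keytab_has_principal() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $4 == p { found = 1 }
                   END { exit (found ? 0 : 1) }'
}

# Full check on the region server; needs the Kerberos client tools.
check_keytab() {
    kt=$1; princ=$2
    keytab_is_private "$kt" \
        || { echo "FAIL: $kt is accessible by group or others" >&2; return 1; }
    klist -kt "$kt" | keytab_has_principal "$princ" \
        || { echo "FAIL: no entry for $princ in $kt" >&2; return 1; }
    kinit -kt "$kt" "$princ" \
        || { echo "FAIL: kinit rejected the keytab" >&2; return 1; }
    echo "OK: $princ authenticated from $kt"
}

# Runs only when given two arguments, for example:
#   sh check_keytab.sh /tmp/jdoe.keytab jdoe@yourdomain.com
if [ "$#" -eq 2 ]; then
    check_keytab "$1" "$2"
fi
```

A keytab copied with a permissive umask can be read by other local accounts on the region server, which is what the first check catches before the file is relied on.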
    

You can enable Kerberos mode on a Cloudera cluster using the configuration wizard described here: https://www.cloudera.com/documentation/enterprise/5-8-x/topics/cm_sg_intro_kerb.html