Kerberos SSO

This article explains how to configure authentication to an Exasol database with Kerberos SSO.

Exasol supports single sign-on (SSO) functionality using Kerberos in JDBC and ODBC connections. This allows users to authenticate to Exasol using their Kerberos credentials for a seamless user experience.

To enable Kerberos SSO in Exasol, you must have a keytab file provided by a Kerberos Key Distribution Center (KDC) or by your Active Directory administrator in Windows. The keytab file consists of service principals for Exasol databases and must be uploaded to Exasol using ConfD.

To learn how to configure a database user to authenticate with Kerberos, see CREATE USER and ALTER USER.

Configure Kerberos in Exasol

Prerequisites

  • You must have a Kerberos keytab file.

  • You must have root access to the Exasol system.

This procedure uses the c4 and confd_client command-line tools in a Linux terminal. To learn more about these tools, see Exasol Deployment Tool (c4) and ConfD.

  1. Connect to the cluster operating system (COS) using c4 connect -i PLAY_ID -s cos.

    Example:
    ./c4 connect -i c3275f84 -s cos

    To find the play ID, you can use c4 ps.

    For more information about how to use c4 commands, see How to use c4.

  2. To find the database name when you are connected to COS, use the ConfD job db_list.

    Example:
    confd_client db_list
    - MY_DATABASE

  3. To configure the Kerberos service in Exasol, use the ConfD job db_configure_kerberos with the following parameters:

    Parameter           Data type   Description
    db_name             string      The name of the Exasol database.
    keytab              string      The Kerberos keytab file. To pass the file name, use the syntax {<filename}.
    realm (optional)    string      Realm of the Kerberos principal. Sets the database parameter -kerberosRealm.
                                    If the parameter is set, only users of the specified realm are accepted, even if the uploaded keytab contains entries for other realms.
                                    If the parameter is not set, users from all realms in the keytab file are accepted.
    service (optional)  string      Kerberos service name. Sets the database parameter -kerberosServiceName.
                                    If the parameter is set, only the specified Kerberos service can be requested by the client.
                                    If the parameter is not set, any Kerberos service requested by the client is accepted as long as it exists in the uploaded keytab file.
    host (optional)     string      Hostname of the Kerberos principal. Sets the database parameter -kerberosHostname.
                                    If the parameter is set, only the specified host is accepted, even if the uploaded keytab file contains entries for other hostnames.
                                    If the parameter is not set, the hostname is not checked during Kerberos authentication.

Example:
confd_client db_configure_kerberos db_name: MY_DATABASE keytab: '"{< ./my_keytab_file}"' realm: EXAMPLE.COM service: MY_SERVICE host: MY_HOSTNAME
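The optional realm, service and host parameters restrict which principals are accepted, so a value that does not match an entry in the uploaded keytab would reject every client ticket. The following shell script is an added example, not part of the Exasol documentation or of ConfD: it checks the intended SERVICE/HOST@REALM against the keytab before producing the db_configure_kerberos call. It assumes the output format of MIT Kerberos klist -kt; the keytab listing embedded below is constructed sample data, not captured from a real system.

```shell
#!/bin/sh
# Constructed sample of "klist -kt ./my_keytab_file" output (not real data).
SAMPLE_KLIST='Keytab name: FILE:./my_keytab_file
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/15/2024 10:00:00 MY_SERVICE/MY_HOSTNAME@EXAMPLE.COM
   2 01/15/2024 10:00:00 MY_SERVICE/other.host@EXAMPLE.COM
   3 01/15/2024 10:00:00 OTHER_SVC/MY_HOSTNAME@OTHER.REALM'

# keytab_principals KLIST_OUTPUT
# Prints one principal (service/host@REALM) per line; the principal is the
# last field of each data line, and header lines contain no "@".
keytab_principals() {
    printf '%s\n' "$1" | awk '$NF ~ /@/ { print $NF }'
}

# keytab_has_principal KLIST_OUTPUT SERVICE HOST REALM
# Returns 0 when the keytab contains exactly SERVICE/HOST@REALM, else 1.
keytab_has_principal() {
    keytab_principals "$1" | grep -qxF "$2/$3@$4"
}

# configure_kerberos_cmd DB KEYTAB_PATH KLIST_OUTPUT SERVICE HOST REALM
# Prints the confd_client call to run on COS, but only after verifying that
# the realm/service/host restrictions match an entry in the keytab. A
# mismatch would lock out all Kerberos users, so the function fails closed.
configure_kerberos_cmd() {
    if ! keytab_has_principal "$3" "$4" "$5" "$6"; then
        echo "error: no entry $4/$5@$6 in keytab; available principals:" >&2
        keytab_principals "$3" >&2
        return 1
    fi
    printf "confd_client db_configure_kerberos db_name: %s keytab: '\"{< %s}\"' realm: %s service: %s host: %s\n" \
        "$1" "$2" "$6" "$4" "$5"
}

# Stand-alone usage: review the generated command, then run it on COS.
configure_kerberos_cmd MY_DATABASE ./my_keytab_file "$SAMPLE_KLIST" \
    MY_SERVICE MY_HOSTNAME EXAMPLE.COM
```

On a real system, replace SAMPLE_KLIST with the output of `klist -kt <keytab file>` captured before the file is uploaded.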