Chapter 17: Configuring Client Authentication
This chapter describes how to configure Greenplum Database client connections and authentication.
After a Greenplum Database system is initialized, it contains one predefined superuser role. This role has the same name as the operating system user that initialized the Greenplum Database system and is called gpadmin. By default, the system is configured to allow only local connections by gpadmin. To allow other roles to connect, or to allow connections from remote hosts, Greenplum Database must be configured to permit those connections. This chapter explains how to configure client connections and Greenplum Database authentication.
Allowing Connections to Greenplum Database
Client access and authentication are controlled by a configuration file named pg_hba.conf (the standard PostgreSQL authentication file). See the PostgreSQL documentation for details on this file.
In Greenplum Database, the pg_hba.conf file on the master controls client authentication for connections to the Greenplum Database system. The segment instances also have pg_hba.conf files, and these are normally already configured correctly to allow access from the master. In the translator's experience, however, misconfigured segment pg_hba.conf files do occur, and they cause operations such as gpexpand or gp_dump to fail. Segments normally do not need to accept external client connections, so there is rarely any need to modify their pg_hba.conf files.
pg_hba.conf is a plain text file with one record per line. Blank lines are ignored, as is any text after a hash mark (#). A record is made up of a number of fields separated by spaces and/or tabs. A field can contain white space if its value is double-quoted. Records cannot span lines. Each remote client access record has this format:
host   database   role   CIDR-address   authentication-method
And each UNIX-domain socket access record has this format:
local   database   role   authentication-method
The meaning of the fields is as follows:
Table 24: pg_hba.conf Fields
Field | Description
local | Matches connection attempts using UNIX-domain sockets. Without a record of this type, UNIX-domain socket connections are disallowed.
host | Matches connection attempts made using TCP/IP. Remote TCP/IP connections will not be possible unless the server is started with an appropriate value for the listen_addresses server configuration parameter.
hostssl | Matches connection attempts made using TCP/IP, but only when the connection is made with SSL encryption. SSL must be enabled at server start time by setting the ssl configuration parameter.
hostnossl | Matches connection attempts made over TCP/IP that do not use SSL.
database | Specifies which database names this record matches. The value all specifies that it matches all databases. Multiple database names can be supplied by separating them with commas. A separate file containing database names can be specified by preceding the file name with @.
role | Specifies which database role names this record matches. The value all specifies that it matches all roles. If the specified role is a group and you want all members of that group to be included, precede the role name with a +. Multiple role names can be supplied by separating them with commas. A separate file containing role names can be specified by preceding the file name with @.
CIDR-address | Specifies the client machine IP address range that this record matches. It contains an IP address in standard dotted decimal notation and a CIDR mask length. IP addresses can only be specified numerically, not as domain or host names. The mask length indicates the number of high-order bits of the client IP address that must match. Bits to the right of this must be zero in the given IP address. There must not be any white space between the IP address, the /, and the CIDR mask length. Typical examples of a CIDR-address are 172.20.143.89/32 for a single host, or 172.20.143.0/24 for a small network, or 10.6.0.0/16 for a larger one. To specify a single host, use a CIDR mask of 32 for IPv4 or 128 for IPv6. In a network address, do not omit trailing zeroes.
IP-address IP-mask | These fields can be used as an alternative to the CIDR-address notation. Instead of specifying the mask length, the actual mask is specified in a separate column. For example, 255.0.0.0 represents an IPv4 CIDR mask length of 8, and 255.255.255.255 represents a CIDR mask length of 32. These fields only apply to host, hostssl, and hostnossl records.
authentication-method | Specifies the authentication method to use when connecting (for example, trust requires no password, and md5 uses MD5-hashed password authentication). Greenplum supports the authentication methods supported by PostgreSQL 9.0. See the authentication methods section of the PostgreSQL documentation for details.
Editing the pg_hba.conf File
The following example shows how to edit the pg_hba.conf file on the master to allow remote clients to access the database using encrypted authentication.
Note: For a more secure system, consider removing all connections that use trust authentication from your master pg_hba.conf. Trust authentication means the role is granted access without any authentication, therefore bypassing all security. Replace trust entries with ident authentication if your system has an ident service available.
To edit the pg_hba.conf file:
1. Open the file $MASTER_DATA_DIRECTORY/pg_hba.conf in a text editor (such as vi).
2. Add a line for each type of connection you want to allow. Records are read sequentially, so the order of the records is significant. Typically, earlier records match fewer connections but have weaker authentication requirements, while later records match more connections but have stricter authentication requirements. For example:
# allow the gpadmin user local access to all databases
# using ident authentication
local all gpadmin ident sameuser
host all gpadmin 127.0.0.1/32 ident
host all gpadmin ::1/128 ident
# allow the 'dba' role access to any database from any
# host with IP address 192.168.x.x and use md5 encrypted
# passwords to authenticate the user (a /16 mask covers
# 192.168.0.0-192.168.255.255; a /32 mask would match only
# the single address 192.168.0.0)
# Note that to use SHA-256 encryption, replace md5 with
# password in the line below
host all dba 192.168.0.0/16 md5
# allow all roles access to any database from any
# host with IP address 192.168.x.x and use ldap to
# authenticate the user. Greenplum role names must match
# the LDAP common name. A record cannot span lines, so
# all ldap options stay on the one record line.
host all all 192.168.0.0/16 ldap ldapserver=usldap1 ldapport=1389 ldapprefix="cn=" ldapsuffix=",ou=People,dc=company,dc=com"
3. Save and close the file.
4. Reload the pg_hba.conf file for the changes to take effect:
$ gpstop -u
Note: You can also control database access by setting object privileges as described in Managing Object Privileges. The pg_hba.conf file just controls who can initiate a database session and how those connections are authenticated.
Greenplum Database allocates some resources for each connection, so setting the maximum number of allowed connections is recommended.
To limit the number of concurrent connections to the Greenplum Database system, configure the max_connections server configuration parameter.
This is a local parameter, meaning that it must be set on the master, the standby master, and all segment instances. The usual recommendation is that the segment value be 5-10 times the master value, but this rule does not always hold: when max_connections is large, such a high multiple is usually unnecessary and 2-3 times is acceptable, but in any case the segment value must not be less than the master value. When you set max_connections, you must also set the dependent parameter max_prepared_transactions; its value must be at least as large as max_connections on the master, and the value on the segments must be the same as on the master.
For example:
• In $MASTER_DATA_DIRECTORY/postgresql.conf (including standby master):
max_connections=100
max_prepared_transactions=100
• In SEGMENT_DATA_DIRECTORY/postgresql.conf for all segment instances:
max_connections=500
max_prepared_transactions=100
The following steps set the parameter values with the Greenplum Database utility gpconfig.
For information about gpconfig, see the Greenplum Database Utility Guide.
1. Log in to the Greenplum Database master host as the Greenplum Database administrator and source the file $GPHOME/greenplum_path.sh.
2. Set the value of the max_connections parameter. This gpconfig command sets the value on the segment instances to 1000 and the value on the master to 200.
$ gpconfig -c max_connections -v 1000 -m 200
The value on the segment instances must be greater than the value on the master. Pivotal recommends that the value of max_connections on the segments be 5-10 times the value on the master.
3. Set the value of the max_prepared_transactions parameter. This gpconfig command sets the value to 200 on the master and all segments.
$ gpconfig -c max_prepared_transactions -v 200
The value of max_prepared_transactions must be greater than or equal to max_connections on the master.
4. Stop and restart your Greenplum Database system.
$ gpstop -r
5. You can check the value of parameters on the master and segments with the gpconfig -s option. This gpconfig command displays the values of the max_connections parameter.
$ gpconfig -s max_connections
Raising the values of these parameters may cause Greenplum Database to request more shared memory. To mitigate this effect, consider decreasing other memory-related parameters such as gp_cached_segworkers_threshold.
Encrypting Client/Server Connections
Enabling SSL encrypts the data passed over the network between the client and the database.
Greenplum Database has native support for SSL connections between the client and the master server. SSL connections prevent third parties from snooping on the packets, and also prevent man-in-the-middle attacks. SSL should be used whenever the client connection goes through an insecure link, and is especially necessary when authentication is in use. Using SSL requires that OpenSSL be installed on both the client and the master server. Greenplum Database starts with SSL enabled when the parameter ssl=on is set in the master postgresql.conf file. When starting in SSL mode, the server looks for the files server.key (server private key) and server.crt (server certificate) in the master data directory. These files must be set up correctly, or the Greenplum Database system will not start.
Important: Do not set a passphrase on server.key. Greenplum Database does not prompt for a passphrase for the private key, so a passphrase causes an error and the database system fails to start.
A self-signed certificate can be used for testing, but a certificate signed by a certificate authority (CA) should be used in production so that the client can verify the identity of the server. Either a global or local CA can be used. If all the clients are local to the organization, a local CA is recommended.
Creating a Self-signed Certificate without a Passphrase for Testing Only
To create a quick self-signed certificate for the server for testing, use the following OpenSSL command:
# openssl req -new -text -out server.req
Enter the information requested by the prompts. Be sure to enter the local host name as the Common Name. The challenge password can be left blank.
The program will generate a key that is passphrase protected, and does not accept a passphrase that is less than four characters long.
To use this certificate with Greenplum Database, remove the passphrase with the following commands:
# openssl rsa -in privkey.pem -out server.key
# rm privkey.pem
Enter the old passphrase when prompted to unlock the existing key.
Then, enter the following command to turn the certificate into a self-signed certificate and to copy the key and certificate to a location where the server will look for them.
# openssl req -x509 -in server.req -text -key server.key -out server.crt
Finally, change the permissions on the key with the following command. The server will reject the file if the permissions are less restrictive than these.
# chmod og-rwx server.key
Using LDAP Authentication with TLS/SSL
You can control access to Greenplum Database with an LDAP server and, optionally, secure the connection with encryption by adding parameters to pg_hba.conf file entries.
Greenplum Database supports LDAP authentication with the TLS/SSL protocol to encrypt communication with the LDAP server:
• LDAP authentication with STARTTLS and TLS protocol - STARTTLS starts with a clear text connection (no encryption) and upgrades it to a secure connection (with encryption).
• LDAP authentication with a secure connection and TLS/SSL (LDAPS) - Greenplum Database uses the TLS or SSL protocol based on the protocol that is used by the LDAP server.
To use LDAP authentication, the Greenplum Database master host must be configured as an LDAP client. See your LDAP documentation for information about configuring LDAP clients.
Enabling LDAP Authentication with STARTTLS and TLS
To enable STARTTLS with the TLS protocol, specify the ldaptls parameter with the value 1. The default port is 389. In this example, the authentication method parameters include the ldaptls parameter.
ldap ldapserver=myldap.com ldaptls=1 ldapprefix="uid=" ldapsuffix=",ou=People,dc=pivotal,dc=com"
Specify a non-default port with the ldapport parameter. In this example, the authentication method includes the ldaptls parameter and the ldapport parameter to specify the port 550.
ldap ldapserver=myldap.com ldaptls=1 ldapport=550 ldapprefix="uid=" ldapsuffix=",ou=People,dc=pivotal,dc=com"
Enabling LDAP Authentication with a Secure Connection and TLS/SSL
To enable a secure connection with TLS/SSL, add ldaps:// as the prefix to the LDAP server name specified in the ldapserver parameter. The default port is 636.
This example ldapserver parameter specifies a secure connection and the TLS/SSL protocol for the LDAP server myldap.com.
ldapserver=ldaps://myldap.com
To specify a non-default port, add a colon (:) and the port number after the LDAP server name. This example ldapserver parameter includes the ldaps:// prefix and the non-default port 550.
ldapserver=ldaps://myldap.com:550
Configuring Authentication with a System-wide OpenLDAP System
If you have a system-wide OpenLDAP system and logins are configured to use LDAP with TLS or SSL in the pg_hba.conf file, logins may fail with the following message:
could not start LDAP TLS session: error code '-11'
To use an existing OpenLDAP system for authentication, Greenplum Database must be set up to use the LDAP server's CA certificate to validate user certificates. Follow these steps on both the master and standby hosts to configure HAWQ:
1. Copy the base64-encoded root CA chain file from the Active Directory or LDAP server to the Greenplum Database master and standby master hosts. This example uses the directory /etc/pki/tls/certs.
2. Change to the directory where you copied the CA certificate file and, as the root user, generate the hash for OpenLDAP:
# cd /etc/pki/tls/certs
# openssl x509 -noout -hash -in <ca-certificate-file>
# ln -s <ca-certificate-file> <ca-certificate-file>.0
3. Configure an OpenLDAP configuration file for Greenplum Database with the CA certificate directory and certificate file specified.
As the root user, edit the OpenLDAP configuration file /etc/openldap/ldap.conf:
SASL_NOCANON on
URI ldaps://ldapA.pivotal.priv ldaps://ldapB.pivotal.priv ldaps://ldapC.pivotal.priv
BASE dc=pivotal,dc=priv
TLS_CACERTDIR /etc/pki/tls/certs
TLS_CACERT /etc/pki/tls/certs/<ca-certificate-file>
Note: For certificate validation to succeed, the hostname in the certificate must match a hostname in the URI property. Otherwise, you must also add TLS_REQCERT allow to the file.
4. As the gpadmin user, edit /usr/local/hawq/greenplum_path.sh and add the following line.
export LDAPCONF=/etc/openldap/ldap.conf
Greenplum Database logs an error if the following are specified in a pg_hba.conf file entry:
• If both the ldaps:// prefix and the ldaptls=1 parameter are specified.
• If both the ldaps:// prefix and the ldapport parameter are specified.
Enabling encrypted communication for LDAP authentication only encrypts the communication between Greenplum Database and the LDAP server.
See Encrypting Client/Server Connections for information about encrypting client connections.
These are example entries from a pg_hba.conf file.
This example specifies LDAP authentication with no encryption between Greenplum Database and the LDAP server.
host all plainuser 0.0.0.0/0 ldap ldapserver=myldap.com ldapprefix="uid=" ldapsuffix=",ou=People,dc=pivotal,dc=com"
This example specifies LDAP authentication with the STARTTLS and TLS protocol between Greenplum Database and the LDAP server.
host all tlsuser 0.0.0.0/0 ldap ldapserver=myldap.com ldaptls=1 ldapprefix="uid=" ldapsuffix=",ou=People,dc=pivotal,dc=com"
This example specifies LDAP authentication with a secure connection and TLS/SSL protocol between Greenplum Database and the LDAP server.
host all ldapsuser 0.0.0.0/0 ldap ldapserver=ldaps://myldap.com ldapprefix="uid=" ldapsuffix=",ou=People,dc=pivotal,dc=com"
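As an added example (not part of the original chapter and not Greenplum Database code), the following Python script parses pg_hba.conf records in the format described above, applies the first-match rule from step 2 of the editing procedure, and flags the pitfalls this chapter names: trust entries, CIDR addresses with non-zero bits to the right of the mask, and ldaps:// combined with ldaptls or ldapport. The sample pg_hba.conf content is constructed for the demonstration; the +group and @file role forms are not modelled.

```python
import ipaddress
import shlex

# Constructed sample pg_hba.conf modelled on the entries in this chapter; the last
# three records are deliberately weak or invalid so that audit() has something to flag.
SAMPLE_PG_HBA = """\
# allow the gpadmin user local access to all databases
local all gpadmin ident sameuser
host  all gpadmin   127.0.0.1/32   ident
host  all gpadmin   ::1/128        ident
host  all dba       192.168.0.0/16 md5
host  all tlsuser   0.0.0.0/0 ldap ldapserver=myldap.com ldaptls=1 ldapprefix="uid=" ldapsuffix=",ou=People,dc=pivotal,dc=com"
host  all ldapsuser 0.0.0.0/0 ldap ldapserver=ldaps://myldap.com ldaptls=1
host  all analyst   172.20.143.89/24 md5
host  all all       10.6.0.0/16    trust
"""

def parse_pg_hba(text):
    """Parse pg_hba.conf text into one dict per record (comments and blank lines skipped)."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = shlex.split(line)  # honours double-quoted fields such as ldapsuffix=",ou=..."
        i = 3 if f[0] == "local" else 4      # local records have no address column
        records.append({"line": lineno, "type": f[0], "database": f[1], "role": f[2],
                        "address": None if i == 3 else f[3], "method": f[i],
                        "options": dict(o.split("=", 1) for o in f[i + 1:] if "=" in o)})
    return records

def first_match(records, conn_type, database, role, client_ip=None, ssl=False):
    """Records are read in order; the first one whose fields all match decides the method."""
    for r in records:
        t = r["type"]
        if conn_type == "local":
            if t != "local":
                continue
        else:
            if t == "local" or (t == "hostssl" and not ssl) or (t == "hostnossl" and ssl):
                continue
            if ipaddress.ip_address(client_ip) not in ipaddress.ip_network(r["address"], strict=False):
                continue
        if r["database"] != "all" and database not in r["database"].split(","):
            continue
        if r["role"] != "all" and role not in r["role"].split(","):  # +group / @file not modelled
            continue
        return r
    return None

def audit(records):
    """Flag the pitfalls this chapter warns about; returns (line number, message) pairs."""
    findings = []
    for r in records:
        if r["method"] == "trust":
            findings.append((r["line"], "trust grants access without any authentication"))
        if r["address"] is not None:
            try:
                ipaddress.ip_network(r["address"])  # strict: bits right of the mask must be zero
            except ValueError:
                findings.append((r["line"], "address %s has non-zero bits right of the mask" % r["address"]))
        if r["method"] == "ldap" and r["options"].get("ldapserver", "").startswith("ldaps://"):
            for conflicting in ("ldaptls", "ldapport"):
                if conflicting in r["options"]:
                    findings.append((r["line"], "ldaps:// prefix combined with %s is rejected" % conflicting))
    return findings
```

Running audit(parse_pg_hba(SAMPLE_PG_HBA)) reports the ldaps/ldaptls conflict, the 172.20.143.89/24 address and the trust record, and first_match shows that a dba connection from 10.6.1.1 falls through to the trust line because no earlier record matches it.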
You can control access to Greenplum Database with a Kerberos authentication server.
Greenplum Database supports the Generic Security Service Application Program Interface (GSSAPI) with Kerberos authentication. GSSAPI provides automatic authentication (single sign-on) for systems that support it. You specify the Greenplum Database users (roles) that require Kerberos authentication in the Greenplum Database configuration file pg_hba.conf. The login fails if Kerberos authentication is not available when a role attempts to log in to Greenplum Database.
Kerberos provides a secure, encrypted authentication service. It does not encrypt data exchanged between the client and database and provides no authorization services. To encrypt data exchanged over the network, you must use an SSL connection. To manage authorization for access to Greenplum databases and objects such as schemas and tables, you use settings in the pg_hba.conf file and privileges given to Greenplum Database users and roles within the database. For information about managing authorization privileges, see Managing Roles and Privileges. For more information about Kerberos, see http://web.mit.edu/kerberos/.
Requirements for Using Kerberos with Greenplum Database
The following items are required for using Kerberos with Greenplum Database:
• Kerberos Key Distribution Center (KDC) server using the krb5-server library
• Kerberos version 5 krb5-libs and krb5-workstation packages installed on the Greenplum Database master host
• Greenplum Database version with support for Kerberos
• System time on the Kerberos server and Greenplum Database master host must be synchronized. (Install the Linux ntp package on both servers.)
• Network connectivity between the Kerberos server and the Greenplum Database master
• Java 1.7.0_17 or later is required to use Kerberos-authenticated JDBC on Red Hat Enterprise Linux 6.x
• Java 1.6.0_21 or later is required to use Kerberos-authenticated JDBC on Red Hat Enterprise Linux 4.x or 5.x
Enabling Kerberos Authentication for Greenplum Database
Complete the following tasks to set up Kerberos authentication with Greenplum Database:
1. Verify that your system satisfies the prerequisites for using Kerberos with Greenplum Database. See Requirements for Using Kerberos with Greenplum Database.
2. Set up, or identify, a Kerberos Key Distribution Center (KDC) server to use for authentication. See Install and Configure a Kerberos KDC Server.
3. In a Kerberos database on the KDC server, set up a Kerberos realm and principals on the server. For Greenplum Database, a principal is a Greenplum Database role that uses Kerberos authentication.
4. Create a Kerberos keytab file for Greenplum Database. To access Greenplum Database, you create a service key known only by Kerberos and Greenplum Database. On the Kerberos server, the service key is stored in the Kerberos database.
On the Greenplum Database master, the service key is stored in key tables, which are files known as keytabs. The service keys are usually stored in the keytab file /etc/krb5.keytab. This service key is the equivalent of the service's password and must be kept secure. Data that is meant to be read-only by the service is encrypted using this key.
5. Install the Kerberos client packages and the keytab file on the Greenplum Database master.
6. Create a Kerberos ticket for gpadmin on the Greenplum Database master node using the keytab file. The ticket contains the Kerberos authentication credentials that grant access to Greenplum Database.
With Kerberos authentication configured on Greenplum Database, you can use Kerberos for PSQL and JDBC.
Install and Configure a Kerberos KDC Server
Steps to set up a Kerberos Key Distribution Center (KDC) server on a Red Hat Enterprise Linux host for use with Greenplum Database.
1. Install the Kerberos server packages:
sudo yum install krb5-libs krb5-server krb5-workstation
2. Edit the /etc/krb5.conf configuration file. The following example shows a Kerberos server with a default KRB.GREENPLUM.COM realm.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = KRB.GREENPLUM.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_tgs_enctypes = aes128-cts des3-hmac-sha1 des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes128-cts des3-hmac-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = aes128-cts des3-hmac-sha1 des-cbc-crc des-cbc-md5
[realms]
KRB.GREENPLUM.COM = {
kdc = kerberos-gpdb:88
admin_server = kerberos-gpdb:749
default_domain = kerberos-gpdb
}
[domain_realm]
.kerberos-gpdb = KRB.GREENPLUM.COM
kerberos-gpdb = KRB.GREENPLUM.COM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
The kdc and admin_server keys in the [realms] section specify the host (kerberos-gpdb) and port where the Kerberos server is running. IP numbers can be used in place of host names.
If your Kerberos server manages authentication for other realms, you would instead add the KRB.GREENPLUM.COM realm in the [realms] and [domain_realm] sections of the kdc.conf file. See the Kerberos documentation for information about the kdc.conf file.
3. To create a Kerberos KDC database, run the kdb5_util.
kdb5_util create -s
The kdb5_util create option creates the database to store keys for the Kerberos realms that are managed by this KDC server. The -s option creates a stash file. Without the stash file, every time the KDC server starts it requests a password.
4. Add an administrative user to the KDC database with the kadmin.local utility. Because it does not itself depend on Kerberos authentication, the kadmin.local utility allows you to add an initial administrative user to the local Kerberos server. To add the user gpadmin as an administrative user to the KDC database, run the following command:
kadmin.local -q "addprinc gpadmin/admin"
Most users do not need administrative access to the Kerberos server. They can use kadmin to manage their own principals (for example, to change their own password). For information about kadmin, see the Kerberos documentation.
5. If needed, edit the /var/kerberos/krb5kdc/kadm5.acl file to grant the appropriate permissions to gpadmin.
6. Start the Kerberos daemons:
/sbin/service krb5kdc start
/sbin/service kadmin start
7. To start Kerberos automatically upon restart:
/sbin/chkconfig krb5kdc on
/sbin/chkconfig kadmin on
Create Greenplum Database Roles in the KDC Database
Add principals to the Kerberos realm for Greenplum Database.
Start kadmin.local in interactive mode, then add two principals to the Greenplum Database Realm.
1. Start kadmin.local in interactive mode:
kadmin.local
2. Add principals:
kadmin.local: addprinc gpadmin/kerberos-gpdb@KRB.GREENPLUM.COM
kadmin.local: addprinc postgres/master.test.com@KRB.GREENPLUM.COM
The addprinc commands prompt for passwords for each principal. The first addprinc creates a Greenplum Database user as a principal, gpadmin/kerberos-gpdb. The second addprinc command creates the postgres process on the Greenplum Database master host as a principal in the Kerberos KDC. This principal is required when using Kerberos authentication with Greenplum Database.
3. Create a Kerberos keytab file with kadmin.local. The following example creates a keytab file gpdb-kerberos.keytab in the current directory with authentication information for the two principals.
kadmin.local: xst -k gpdb-kerberos.keytab gpadmin/kerberos-gpdb@KRB.GREENPLUM.COM postgres/master.test.com@KRB.GREENPLUM.COM
You will copy this file to the Greenplum Database master host.
4. Exit kadmin.local interactive mode with the quit command:
kadmin.local: quit
Install and Configure the Kerberos Client
Steps to install the Kerberos client on the Greenplum Database master host.
Install the Kerberos client libraries on the Greenplum Database master and configure the Kerberos client.
1. Install the Kerberos packages on the Greenplum Database master.
sudo yum install krb5-libs krb5-workstation
2. Ensure that the /etc/krb5.conf file is the same as the one that is on the Kerberos server.
3. Copy the gpdb-kerberos.keytab file that was generated on the Kerberos server to the Greenplum Database master host.
4. Remove any existing tickets with the Kerberos utility kdestroy. Run the utility as root.
sudo kdestroy
Use the Kerberos utility kinit to request a ticket using the keytab file on the Greenplum Database master for gpadmin/kerberos-gpdb@KRB.GREENPLUM.COM. The -t option specifies the keytab file on the Greenplum Database master.
# kinit -k -t gpdb-kerberos.keytab gpadmin/kerberos-gpdb@KRB.GREENPLUM.COM
Use the Kerberos utility klist to display the contents of the Kerberos ticket cache on the Greenplum Database master. The following is an example:
# klist
Ticket cache: FILE:/tmp/krb5cc_108061
Default principal: gpadmin/kerberos-gpdb@KRB.GREENPLUM.COM
Valid starting     Expires            Service principal
03/28/13 14:50:26  03/29/13 14:50:26  krbtgt/KRB.GREENPLUM.COM@KRB.GREENPLUM.COM
        renew until 03/28/13 14:50:26
Set up Greenplum Database with Kerberos for PSQL
Configure a Greenplum Database to use Kerberos.
After you have set up Kerberos on the Greenplum Database master, you can configure Greenplum Database to use Kerberos. For information on setting up the Greenplum Database master, see Install and Configure the Kerberos Client.
1. Create a Greenplum Database administrator role in the database template1 for the Kerberos principal that is used as the database administrator. The following example uses gpadmin/kerberos-gpdb.
psql template1 -c 'create role "gpadmin/kerberos-gpdb" login superuser;'
The role you create in the database template1 will be available in any new Greenplum Database that you create.
2. Modify postgresql.conf to specify the location of the keytab file. For example, adding this line to the postgresql.conf specifies the folder /home/gpadmin as the location of the keytab file gpdb-kerberos.keytab.
krb_server_keyfile = '/home/gpadmin/gpdb-kerberos.keytab'
3. Modify the Greenplum Database file pg_hba.conf to enable Kerberos support. Then restart Greenplum Database (gpstop -ar). For example, adding the following line to pg_hba.conf adds GSSAPI and Kerberos support. The value for krb_realm is the Kerberos realm that is used for authentication to Greenplum Database.
host all all 0.0.0.0/0 gss include_realm=0 krb_realm=KRB.GREENPLUM.COM
For information about the pg_hba.conf file, see The pg_hba.conf file in the Postgres documentation.
4. Create a ticket using kinit and show the tickets in the Kerberos ticket cache with klist.
5. As a test, log in to the database as the gpadmin role with the Kerberos credentials gpadmin/kerberos-gpdb:
psql -U "gpadmin/kerberos-gpdb" -h master.test template1
A username map can be defined in the pg_ident.conf file and specified in the pg_hba.conf file to simplify logging into Greenplum Database. For example, this psql command logs into the default Greenplum Database on mdw.proddb as the Kerberos principal adminuser/mdw.proddb:
$ psql -U "adminuser/mdw.proddb" -h mdw.proddb
If the default user is adminuser, the pg_ident.conf file and the pg_hba.conf file can be configured so that the adminuser can log in to the database as the Kerberos principal adminuser/mdw.proddb without specifying the -U option:
$ psql -h mdw.proddb
The following username map is defined in the Greenplum Database file $master_data_directory/pg_ident.conf:
# MAPNAME   SYSTEM-USERNAME       GP-USERNAME
mymap       /^(.*)mdw\.proddb$    adminuser
The map can be specified in the pg_hba.conf file as part of the line that enables Kerberos support:
host all all 0.0.0.0/0 krb5 include_realm=0 krb_realm=proddb map=mymap
For more information about specifying username maps see Username maps in the Postgres documentation.
6. If a Kerberos principal is not a Greenplum Database user, a message similar to the following is displayed from the psql command line when the user attempts to log in to the database:
psql: krb5_sendauth: Bad response
The principal must be added as a Greenplum Database user.
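As an added example (not from the original chapter and not Greenplum Database code), the following Python script models how a Kerberos principal is reduced to a system username by include_realm=0 and then checked against a pg_ident.conf map of the kind shown above, including the backslash-1 substitution from the PostgreSQL username-map documentation the chapter refers to. The pg_ident.conf content, the second map line and the ANALYTICS realm are constructed for the demonstration.

```python
import re

# Constructed pg_ident.conf content. The first map line is the one shown in this chapter;
# the second line is added here to show the \1 substitution (first regex capture group).
SAMPLE_PG_IDENT = r"""# MAPNAME   SYSTEM-USERNAME        GP-USERNAME
mymap       /^(.*)mdw\.proddb$     adminuser
mymap       /^(.*)@ANALYTICS$      \1
"""

def system_user_from_principal(principal, include_realm=0):
    """With include_realm=0 (as in this chapter's pg_hba.conf line) the @REALM suffix is
    dropped before the name reaches the username map; include_realm=1 keeps it."""
    return principal if include_realm else principal.split("@", 1)[0]

def parse_pg_ident(text):
    """Return (mapname, system_username, gp_username) tuples; comments and blanks skipped."""
    maps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            maps.append(tuple(line.split()))
    return maps

def map_allows(maps, mapname, system_user, requested_role):
    r"""True if a line of the named map lets system_user connect as requested_role.
    A SYSTEM-USERNAME beginning with '/' is a regular expression; if the GP-USERNAME
    contains \1 it is replaced by the expression's first capture group."""
    for name, system_name, gp_name in maps:
        if name != mapname:
            continue
        if system_name.startswith("/"):
            m = re.match(system_name[1:], system_user)
            if not m:
                continue
            if "\\1" in gp_name:
                gp_name = gp_name.replace("\\1", m.group(1))
        elif system_name != system_user:
            continue
        if gp_name == requested_role:
            return True
    return False

def kerberos_login_allowed(principal, requested_role, maps, mapname="mymap", include_realm=0):
    """Both steps together: strip the realm as include_realm dictates, then consult the map."""
    system_user = system_user_from_principal(principal, include_realm)
    return map_allows(maps, mapname, system_user, requested_role)
```

The anchored `$` in the chapter's regular expression is what stops a principal such as other/mdw.proddb.example from being mapped to adminuser; the test below checks that case.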
Set up Greenplum Database with Kerberos for JDBC
Enable Kerberos-authenticated JDBC access to Greenplum Database.
You can configure Greenplum Database to use Kerberos to run user-defined Java functions.
1. Ensure that Kerberos is installed and configured on the Greenplum Database master. See Install and Configure the Kerberos Client.
2. Create the file .java.login.config in the folder /home/gpadmin and add the following text to the file:
pgjdbc {
  com.sun.security.auth.module.Krb5LoginModule required
  doNotPrompt=true
  useTicketCache=true
  debug=true
  client=true;
};
3. Create a Java application that connects to Greenplum Database using Kerberos authentication. The following example database connection URL uses a PostgreSQL JDBC driver and specifies parameters for Kerberos authentication:
jdbc:postgresql://mdw:5432/mytest?kerberosServerName=postgres&jaasApplicationName=pgjdbc&user=gpadmin/kerberos-gpdb
The parameter names and values specified depend on how the Java application performs Kerberos authentication.
Test the Kerberos login by running a sample Java application from Greenplum Database.