
GSSAPI authentication based on FreeIPA

Andrey Aksenov

Access to a Greengage DB cluster can be controlled by using GSSAPI authentication. In particular, you can set up a FreeIPA server for identity management. Since FreeIPA relies on MIT Kerberos for authentication, you can integrate your Greengage DB cluster with a FreeIPA server and configure the mapping between FreeIPA users and Greengage DB roles, so that those users authenticate to the cluster with GSSAPI instead of a database password.

Prerequisites

The following hosts and IPA domain parameters are used to illustrate the integration of a Greengage DB cluster with a FreeIPA server:

  • Master host: name — mdw.example.com, FQDN — mdw.example.com.

  • FreeIPA host: name — ipa.example.com, FQDN — ipa.example.com, operating system — RHEL or CentOS.

  • Realm: EXAMPLE.COM.

  • Service principal: postgres/mdw.example.com@EXAMPLE.COM.

Replace the host names, fully qualified domain names (FQDN), and the realm name to fit your environment.

Set up the FreeIPA server

Log in to the FreeIPA host as a user with superuser privileges:

$ ssh sampleuser@ipa.example.com

In this example, the user name is sampleuser.

Install FreeIPA packages

To install FreeIPA packages, execute the following command:

$ sudo yum install ipa-server

Configure the FreeIPA server

Execute the command below to configure the FreeIPA server non-interactively:

$ sudo ipa-server-install \
  --unattended \
  --hostname=ipa.example.com \
  --domain=example.com \
  --realm=EXAMPLE.COM \
  --ds-password=87654321 \
  --admin-password=12345678

IMPORTANT

It is not recommended to pass passwords as plain text on the command line when setting up a FreeIPA server non-interactively: they end up in the shell history and are visible to other local users in the process list while the installer runs. As a safer alternative, read them from environment variables (populated, for example, by a secrets manager) and pass those variables to the installer, or run ipa-server-install without --unattended so that it prompts for the passwords.

When the FreeIPA server configuration is finished, view the status of services using the ipactl status command:

$ sudo ipactl status

In particular, the output should show that the Directory, krb5kdc, and kadmin services are running:

Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING

Create FreeIPA services and users

Perform the steps described below on the FreeIPA host:

  • Create a service that is required to enable Kerberos authentication in Greengage DB.

  • Create a regular FreeIPA user. This user is mapped later to the corresponding Greengage DB role.

NOTE

You need to create FreeIPA users for all Greengage DB users that use Kerberos authentication.

Authenticate as admin

The admin user is created automatically to perform administrative activities. You need to authenticate as admin by running kinit:

$ kinit admin

When the following prompt is shown, enter the password specified in the admin-password option during the FreeIPA server configuration:

Password for admin@EXAMPLE.COM:

Create the postgres service

The postgres service is needed to enable Kerberos authentication in Greengage DB.

First, add the Greengage DB master host to the IPA domain using ipa host-add:

$ ipa host-add mdw.example.com

Then, create a service that corresponds to the postgres process on the master host:

$ ipa service-add postgres/mdw.example.com@EXAMPLE.COM

The result should look as follows:

--------------------------------------------------------------------------------------
Added service "postgres/mdw.example.com@EXAMPLE.COM"
--------------------------------------------------------------------------------------
  Principal name: postgres/mdw.example.com@EXAMPLE.COM
  Principal alias: postgres/mdw.example.com@EXAMPLE.COM
  Managed by: mdw.example.com

Add the service’s key to a keytab file

When the postgres service is created, you need to add its key to a keytab file. To do this, use the ipa-getkeytab command:

$ ipa-getkeytab \
  --principal=postgres/mdw.example.com@EXAMPLE.COM \
  --keytab=ggdb-freeipa.keytab

This command generates a new random key for the service and stores it in the ggdb-freeipa.keytab file. Two points to keep in mind:

  • The keytab holds the service's long-term key: anyone who can read it can impersonate the postgres service, so keep it readable only by the account that needs it and never commit it to a repository or send it over an unencrypted channel.

  • Running ipa-getkeytab again for the same principal without the --retrieve option generates a fresh key, which invalidates any keytab issued earlier for that principal.

You can list the entries in the file with klist -kt ggdb-freeipa.keytab before copying it to the master host.

Create a regular user

Create a regular FreeIPA user using the ipa user-add command:

$ ipa user-add alice \
  --first=Alice \
  --last=Johnson \
  --password

Enter the desired password and press Enter when these prompts are shown:

Password:
Enter Password again to verify:

The result should look as follows:

------------------
Added user "alice"
------------------
  User login: alice
  First name: Alice
  Last name: Johnson
  Full name: Alice Johnson
  Display name: Alice Johnson
  Initials: AJ
  Home directory: /home/alice
  GECOS: Alice Johnson
  Login shell: /bin/sh
  Principal name: alice@EXAMPLE.COM
  Principal alias: alice@EXAMPLE.COM
  User password expiration: 20250109101949Z
  Email address: alice@example.com
  UID: 1389000001
  GID: 1389000001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

You can see that the user’s principal is alice@EXAMPLE.COM. The principal name is used later to map the FreeIPA user and Greengage DB role.

Set up the Greengage DB master

To configure the Greengage DB master host, log in to it as gpadmin:

$ ssh gpadmin@mdw.example.com

Install FreeIPA client libraries

Install FreeIPA client libraries on the Greengage DB master host:

On Debian- or Ubuntu-based hosts:

$ sudo apt install freeipa-client

On RHEL- or CentOS-based hosts:

$ sudo yum install ipa-client

Configure the FreeIPA client

Execute the command below to configure the FreeIPA client non-interactively:

$ sudo ipa-client-install \
  --unattended \
  --server=ipa.example.com \
  --domain=example.com \
  --realm=EXAMPLE.COM \
  --principal admin \
  --password=12345678

Note that the password option uses the admin user's password set during the FreeIPA server configuration. As with the server installer, a password given on the command line lands in the shell history and is visible in the process list, so prefer reading it from an environment variable or running the installer interactively. Enrollment joins mdw.example.com (the host added to the IPA domain earlier) to the realm and writes the Kerberos client configuration (krb5.conf) that the GSSAPI libraries on the master use.

Copy the keytab file

  1. Copy the keytab file (ggdb-freeipa.keytab) generated on the FreeIPA host to the /home/gpadmin/ directory on the Greengage DB master host, using an encrypted channel such as scp.

  2. In /home/gpadmin/, set the ownership and permissions of the copied file so that only gpadmin, the account the postgres process runs as, can read it:

    $ sudo chown gpadmin:gpadmin ggdb-freeipa.keytab
    $ sudo chmod 400 ggdb-freeipa.keytab

Create a Greengage DB role

Create the alice Greengage DB role:

$ createuser alice

This role is mapped to the alice@EXAMPLE.COM principal in the next section.

Configure GSSAPI authentication

  1. Set a path to the keytab file using the krb_server_keyfile server configuration parameter:

    $ gpconfig -c krb_server_keyfile -v '/home/gpadmin/ggdb-freeipa.keytab'

    The result should look as follows:

    20250109:11:30:05:004599 gpconfig:mdw:gpadmin-[INFO]:-completed successfully with parameters '-c krb_server_keyfile -v /home/gpadmin/ggdb-freeipa.keytab'
  2. Open the pg_hba.conf file for editing:

    $ vi $MASTER_DATA_DIRECTORY/pg_hba.conf

    Add the following line to this file:

    # connection-type  database  user   address  auth-method  auth-options
    host               all       alice  samenet  gss          include_realm=1 krb_realm=EXAMPLE.COM map=user_map

    This line lets the alice role connect to any database from a host on one of the master's own subnets (address is samenet) using GSSAPI authentication (auth-method is gss). pg_hba.conf is evaluated top to bottom, and the first line whose connection type, database, user, and address all match decides the authentication method, so place this line before any broader entry (for example, one for all users) that would otherwise match alice. The GSSAPI authentication options are specified in the auth-options field:

    • include_realm — 1 means that the realm is kept, so the full principal alice@EXAMPLE.COM (rather than just alice) is passed to user name mapping.

    • krb_realm — only principals from the EXAMPLE.COM realm are accepted. Together with include_realm=1, this prevents an alice principal from some other realm from being treated as the alice role.

    • map — specifies that the user_map mapping defines which Kerberos principal may log in as which Greengage DB role. The actual mapping is defined in the pg_ident.conf file.

  3. Open the pg_ident.conf file:

    $ vi $MASTER_DATA_DIRECTORY/pg_ident.conf

    Map the alice@EXAMPLE.COM principal to the alice role as follows:

    # MAPNAME  SYSTEM-USERNAME    PG-USERNAME
    user_map   alice@EXAMPLE.COM  alice
  4. Reload the configuration using gpstop to apply the changes:

    $ gpstop -u
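To see how include_realm, krb_realm, and map interact before touching a live cluster, the following evaluator re-implements the pg_hba.conf and pg_ident.conf matching rules for auth-method gss. It is an added example, not code from Greengage DB or FreeIPA: the config fragments, the regex map line (which goes beyond the single exact mapping above and maps every EXAMPLE.COM principal to the role of the same name), and the 10.0.0.0/24 network that stands in for the master's interfaces when matching samenet are all constructed here. It also carries a deliberately weak pg_hba.conf variant with include_realm=0 and no krb_realm, to show that such a line accepts an alice principal from any realm as the alice role.

```python
# Added example (not Greengage DB project code): a small re-implementation of
# the pg_hba.conf / pg_ident.conf matching rules for auth-method gss, so the
# effect of include_realm, krb_realm and map can be checked offline.  The config
# fragments, the regex map line and the 10.0.0.0/24 network that stands in for
# the master's interfaces ("samenet") are all constructed for this demo.
import ipaddress
import re

# The gss line from the text, followed by a typical catch-all password line.
PG_HBA = """
host  all  alice  samenet    gss  include_realm=1 krb_realm=EXAMPLE.COM map=user_map
host  all  all    0.0.0.0/0  md5
"""
# Weak variant: realm stripped, no realm check, open to every address.
PG_HBA_WEAK = """
host  all  alice  0.0.0.0/0  gss  include_realm=0
"""
# The exact mapping from the text plus a regex line that maps any
# EXAMPLE.COM principal to the role of the same name.
PG_IDENT = r"""
user_map   alice@EXAMPLE.COM       alice
user_map   /^(.*)@EXAMPLE\.COM$    \1
"""
SERVER_NETS = [ipaddress.ip_network("10.0.0.0/24")]  # assumed master network


def _records(text):
    """Whitespace-split fields of every non-empty, non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_hba(text):
    """Return (type, database, user, address, method, {option: value}) tuples."""
    rules = []
    for fields in _records(text):
        options = dict(opt.split("=", 1) for opt in fields[5:])
        rules.append(tuple(fields[:5]) + (options,))
    return rules


def parse_ident(text):
    """Return {map name: [(system username or /regex, pg username), ...]}."""
    maps = {}
    for map_name, system_user, pg_user in _records(text):
        maps.setdefault(map_name, []).append((system_user, pg_user))
    return maps


def address_matches(spec, client_ip):
    ip = ipaddress.ip_address(client_ip)
    if spec == "all":
        return True
    if spec == "samenet":  # any subnet the server has an interface on
        return any(ip in net for net in SERVER_NETS)
    return ip in ipaddress.ip_network(spec, strict=False)


def find_rule(rules, conn_type, database, role, client_ip):
    """pg_hba.conf is first-match: the first line whose type, database, user
    and address fields all match decides the auth method, even if it fails."""
    for rule in rules:
        r_type, r_db, r_user, r_addr = rule[:4]
        if (r_type == conn_type and r_db in ("all", database)
                and r_user in ("all", role) and address_matches(r_addr, client_ip)):
            return rule
    return None


def check_ident_map(maps, map_name, system_user, role):
    """True if some line of the named pg_ident map turns system_user into role."""
    for pattern, pg_user in maps.get(map_name, []):
        if pattern.startswith("/"):  # regex entry, \1 is the first capture group
            match = re.search(pattern[1:], system_user)
            if match is None:
                continue
            if "\\1" in pg_user and match.groups():
                pg_user = pg_user.replace("\\1", match.group(1))
        elif pattern != system_user:  # literal entry
            continue
        if pg_user == role:
            return True
    return False


def gss_authorize(rules, maps, principal, role, client_ip, database="postgres"):
    """(allowed, reason) for a GSSAPI-authenticated principal asking to log in
    as role over a host connection from client_ip."""
    rule = find_rule(rules, "host", database, role, client_ip)
    if rule is None:
        return False, "no pg_hba.conf line matches"
    method, opts = rule[4], rule[5]
    if method != "gss":
        return False, "first matching line uses %s, not gss" % method
    name, _, realm = principal.partition("@")
    if "krb_realm" in opts and realm != opts["krb_realm"]:
        return False, "realm %s rejected by krb_realm=%s" % (realm, opts["krb_realm"])
    # include_realm=1 passes alice@EXAMPLE.COM to the map; 0 passes bare alice.
    system_user = principal if opts.get("include_realm") == "1" else name
    if "map" in opts:
        allowed = check_ident_map(maps, opts["map"], system_user, role)
    else:
        allowed = system_user == role
    return allowed, "system user %r, requested role %r" % (system_user, role)


RULES, WEAK_RULES, MAPS = parse_hba(PG_HBA), parse_hba(PG_HBA_WEAK), parse_ident(PG_IDENT)
```

Calling gss_authorize(RULES, MAPS, "alice@EVIL.COM", "alice", "10.0.0.5") returns a rejection because of krb_realm, while the same principal evaluated against WEAK_RULES is accepted as alice. A mallory@EXAMPLE.COM principal asking for the alice role is rejected by the map even though the realm is right, and bob@EXAMPLE.COM asking for role bob falls through the alice line to the md5 catch-all, which is the first-match behaviour to keep in mind when ordering pg_hba.conf entries.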

Connect to a database

This section describes how to connect to a database protected with GSSAPI authentication using psql. Perform the steps described below on the master host.

  1. Before connecting to the database, create a ticket-granting ticket (TGT) for the alice FreeIPA user using the kinit command:

    $ kinit alice
  2. Enter the password specified in the Create a regular user section. FreeIPA treats a password set by an administrator as already expired, so kinit asks you to change it at first use:

    Password for alice@EXAMPLE.COM:
    Password expired.  You must change it now.
    Enter new password:
    Enter it again:
  3. Check the ticket existence in the ticket cache using the klist command:

    $ klist

    The result should look like this:

    Ticket cache: KEYRING:persistent:997:997
    Default principal: alice@EXAMPLE.COM
    
    Valid starting       Expires              Service principal
    01/09/2025 12:05:07  01/10/2025 12:05:07  krbtgt/EXAMPLE.COM@EXAMPLE.COM
  4. Connect to the default postgres database under the alice role using psql:

    $ psql postgres -U alice -h mdw.example.com

    The output should look like this:

    psql (9.4.26)
    Type "help" for help.
    
    postgres=>
  5. Select the current user name:

    SELECT current_user;

    The command should return the following:

     current_user
    ---------------
     alice