Requirements
- A working Active Directory or Kerberos environment
- A Service Principal
- A GSSAPI-compatible PostgreSQL Client (psql, etc.)
- A client machine with a Kerberos client installed and configured
Configure KDC for CockroachDB
To use Kerberos authentication with CockroachDB, configure a Kerberos service principal name (SPN) for CockroachDB and generate a valid keytab file with the following specifications:- Set the SPN to the name specified by your client driver. For example, if you use the psql client, set SPN to
postgres. - Create SPNs for all DNS addresses that a user would use to connect to your CockroachDB cluster (including any TCP load balancers between the user and the CockroachDB node) and ensure that the keytab contains the keys for every SPN you create.
Active Directory
For Active Directory, the client syntax for generating a keytab that maps a service principal to the SPN is as follows:ktpass command, using the following syntax:
loadbalancer2 to the above example):
MIT KDC
In MIT KDC, you cannot map a service principal to an SPN with a different username, so you will need to create a service principal that includes the SPN for your client.ktutil command can be used to read multiple keytab files and output them into a single output here.
Configure the CockroachDB node
-
Copy the keytab file to a location accessible by the
cockroachbinary. -
for inter-node and
rootuser authentication: -
Provide the path to the keytab in the
KRB5_KTNAMEenvironment variable. Example:export KRB5_KTNAME=/home/cockroach/postgres.keytab -
Start a CockroachDB node:
-
Connect to CockroachDB as
rootusing therootclient certificate generated above: - .
You need the Enterprise license if you want to use the GSSAPI feature. However, if you only want to test that the GSSAPI setup is working, you do not need to enable an Enterprise license.
-
Enable GSSAPI authentication:
Setting the
server.host_based_authentication.configurationto this particular value makes it mandatory for all non-rootusers to authenticate using GSSAPI. Therootuser is always an exception and remains able to authenticate using a valid client cert or a user password. Theinclude_realm=0option is required to tell CockroachDB to remove the@DOMAIN.COMrealm information from the username. We do not support any advanced mapping of GSSAPI usernames to CockroachDB usernames right now. If you want to limit which realms’ users can connect, you can also add one or morekrb_realmparameters to the end of the line as an allowlist, as follows:host all all all gss include_realm=0 krb_realm=domain.com krb_realm=corp.domain.comThe syntax is based on thepg_hba.confstandard for PostgreSQL which is documented here. It can be used to exclude other users from Kerberos authentication. -
Create CockroachDB users for every Kerberos user. Ensure the username does not have the
DOMAIN.COMrealm information. For example, if one of your Kerberos users has a usernamecarl@realm.com, then you need to create a CockroachDB user with the usernamecarl:Grant privileges to the user:
Configure the client
-
Install and configure your Kerberos client:
For CentOS/RHEL systems, run:
For Ubuntu/Debian systems, run:Edit the
/etc/krb5.conffile to include:Example: -
Get a ticket for the db user:
-
Verify if a valid ticket has been generated:
-
Connect to the cluster using the
cockroach sqlcommand as the Kerberos user: -
If you specified an Enterprise license earlier, the command succeeds. This indicates that the GSSAPI authentication was successful. Otherwise, the error
ERROR: use of GSS authentication requires an Enterprise licenseis shown.

