Does Greenplum support Kerberos Authentication between its nodes?

Question

I need to "kerberize" our Greenplum cluster. One of the aspects of this is that I should kerberize the interface between the GP master and its Segment Hosts. I have been unable to determine if this is supported or not.

I have seen the parameters in the posgresql.conf file (krb_server_keyfile and krb_srvname) and have tried to set these, but it does not seem to work (Greenplum still works, it just does not appear the connection is kerberized).

I did this with hadoop and it was pretty straight forward, but, again, cannot figure out how to do it in GP or if it is even possible. Any ideas?

Thanks

Answer 1

So... the answer, as near as I can tell is this:

First, for clarification, there are two places where I am required to "kerberize" GP. The first in master/slave connectivity. This turned out the be easy enough after I learned this communication is ssh based. I just switched the rsa/dsa generated passwordless authorization with Kerberos SSH. I am not sure this is really any more or less secure, but a requirement none-the-less. The second is locking down the administrative/jdbc access. This should easy, after all GP is based upon Postgres, I have have secured Postgres with Kerberos in the past. Unfortuntaly, GP is based upon Postgres 8.2. This was before GSS support for Kerberos was added to Postgres, and I cannot get this to work. I am not positive that it can. Maybe GP will upgrade to 8.4 (at a minimum) soon and I can try that.

Answer 2

Refer to Greenplum HD Manager 1.2 Installation and User Guide for instructions on how to deploy Kerberos. The document is related to Hadoop, but should serve for a general Greenplum install.