GSSAPI Authentication

GSSAPI-encrypted connections encrypt all data in transit, including query statements and returned results (passwords are never sent over the network), which protects both the integrity and the confidentiality of the data during transmission.

Configuration instructions

In YMatrix, GSSAPI encryption is implemented through Kerberos. Kerberos provides a secure authentication mechanism that is enabled through the pg_hba.conf file: clients authenticate with Kerberos tickets issued by the Kerberos Key Distribution Center (KDC), so only authorized users can access the database.

  • An example pg_hba.conf entry (hostgssenc only matches connections that are GSSAPI-encrypted):
    hostgssenc  all    mxadmin   10.51.0.40/32    gss

Usage example

Note!
Make sure the YMatrix server is installed and running. If it has not been installed yet, follow Quick Installation (https://ymatrix.cn/doc/6.2/get-started) first.

  1. Install the Kerberos client tools
    sudo yum install krb5-workstation
  2. Create a Kerberos service principal

On the Kerberos management server, create a service principal for the YMatrix service. The service principal name normally has the form servicename/hostname@REALM, e.g. postgres/[email protected].

  • Create a service principal using the kadmin tool:
    kadmin
  • At the kadmin prompt, run the following command to create a service principal with a random key:
    addprinc -randkey postgres/[email protected]
  3. Export the key of the service principal

Export the service principal's key to a keytab file by running the following command:

Note! /path/to/postgresql.keytab needs to be replaced with the storage path of the keytab file.

ktadd -k /path/to/postgresql.keytab postgres/[email protected]
  4. Distribute the keytab file

Copy the generated keytab file to the host running the YMatrix server and make sure the YMatrix server process can read the file. For example:

  scp /path/to/postgresql.keytab [email protected]:/etc/postgresql.keytab
  5. Modify the pg_hba.conf file

In the pg_hba.conf file, add or modify the authentication method to gss.

  host all all 10.51.0.40/32 gss

This means that clients from the 10.51.0.40/32 segment are allowed to access all databases using Kerberos authentication. A host entry matches both encrypted and unencrypted TCP connections; to require GSSAPI encryption as well as Kerberos authentication, use the hostgssenc connection type shown in the configuration example above.

  6. Modify the postgresql.conf file

Open the YMatrix main configuration file postgresql.conf and set the krb_server_keyfile parameter to the path of the keytab file.

  krb_server_keyfile = '/etc/postgresql.keytab'
  7. Restart the YMatrix server

After saving the configuration file changes, restart the YMatrix server for the configuration to take effect.

  mxstop -u
  8. Create a database user mapped to the Kerberos principal
    CREATE USER "username@REALM";
  9. Obtain a Kerberos ticket

On the client system, use the kinit command to obtain a Kerberos ticket:

  kinit username@REALM

Replace username with the user's Kerberos username and REALM with the Kerberos domain name.

  10. Connect to the YMatrix database

Connect to the database using a YMatrix client tool that supports Kerberos authentication. If the client tool picks up the Kerberos ticket automatically, there is no need to enter a username and password manually.

  psql -h server.example.com -U username dbname
  - Successful login message:
  GSSAPI-encrypted connection
  11. Verify Kerberos authentication

Check the YMatrix server log file to confirm that Kerberos authentication succeeded.
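As an added example (not part of the YMatrix documentation or the product itself), the following script audits a pg_hba.conf for entries that weaken the setup described above: in particular a plain host entry with gss, which also admits unencrypted sessions, in contrast to the hostgssenc entry from the configuration example. The sample pg_hba.conf content is constructed for this example.

```python
# Constructed sample pg_hba.conf (not from a real server). It mixes the two
# entry styles shown on this page (hostgssenc vs plain host with gss) plus a
# 'trust' line and a gss method wrongly placed on the local socket.
SAMPLE_PG_HBA = """\
# TYPE        DATABASE  USER     ADDRESS          METHOD
local         all       all                       trust
hostgssenc    all       mxadmin  10.51.0.40/32    gss
host          all       all      10.51.0.40/32    gss
hostnogssenc  all       all      10.51.0.0/24     gss
local         all       all                       gss
host          all       all      10.51.0.0/24     scram-sha-256
"""

def parse_pg_hba(text):
    """Parse pg_hba.conf entries into dicts; 'local' lines carry no ADDRESS field."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        f = line.split()
        n_addr = 0 if f[0] == "local" else 1   # host-type entries have an ADDRESS column
        if len(f) < 4 + n_addr:
            continue                            # malformed entry; the server would reject it
        entries.append({
            "line": lineno, "type": f[0], "db": f[1], "user": f[2],
            "addr": f[3] if n_addr else None, "method": f[3 + n_addr],
            "opts": f[4 + n_addr:],
        })
    return entries

def audit_pg_hba(text):
    """Return (line, message) pairs for entries that undermine an encrypted-GSSAPI setup."""
    findings = []
    for e in parse_pg_hba(text):
        if e["method"] == "gss":
            if e["type"] == "local":
                findings.append((e["line"], "gss is only valid for TCP/IP entries, not local"))
            elif e["type"] == "host":
                findings.append((e["line"], "host+gss also admits unencrypted sessions; use hostgssenc"))
            elif e["type"] == "hostnogssenc":
                findings.append((e["line"], "hostnogssenc only matches unencrypted sessions; use hostgssenc"))
        elif e["method"] == "trust":
            findings.append((e["line"], "trust grants access with no authentication at all"))
    return findings

if __name__ == "__main__":
    for line, msg in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"line {line}: {msg}")
```

Point the script at the real pg_hba.conf text to check that every Kerberos entry you add in step 5 uses hostgssenc rather than host.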