GridGain Developers Hub

Authenticating to Control Center with Kerberos

Andrey Belyaev
Sr. Software Engineer

This tutorial walks you through setting up Control Center to use Kerberos authentication with Keycloak.

auth architecture

The tutorial uses the following software versions:

  • Control Center 2023.3

  • Keycloak 19.0.2

  • Kerberos 5 1.19.2

1. Configure Control Center to use OAuth2 Keycloak Authentication

  1. Open the Keycloak Administration console in your browser and log in as administrator.

  2. Create the gridgain realm:

    1. Initiate realm creation.

      screen 7

    2. Enter the name "gridgain" ans save the new realm.

      screen 8

  3. Create the control-center client:

    1. Initiate client creation.

      screen 9

    2. Enter the values as they appear in the screenshot below and click Next.

      screen 10

    3. Enter the values as they appear in the screenshot below and click Save.

      screen 11

  4. On the Client Details page, define access settings for the client you have created. Use your actual Control Center host address and port number.

    screen 12

    • Root URL: http://[cc-host]:[cc-port]

    • Home URL: http://[cc-host]:[cc-port]/api/v1/oauth2/login/keycloak

    • Valid Redirect URIs: http://[cc-host]:[cc-port]/*

  5. On the Credentials tab, copy Client secret, which is required to set up Control Center connection to Keycloak.

    screen 13

  6. Click the OpenID endpoint configuration link on the Realm Settings page.

    screen 14

  7. On the page that opens, define the following settings.

    screen 15

  8. Create a new Control Center user:

    1. Initiate user creation.

      screen 16

    2. Enter the values as they appear in the screenshot below and click Create.

      screen 17

  9. Manually set up a password for cc-user:

    1. Initiate the Set password procedure.

      screen 18

    2. Enter the required password and click Save.

      screen 19

      You can now authenticate to Control Center as cc-user with the password you created in the previous step.

  10. Edit the Control Center’s application.yaml configuration. Use the values from p.5 and p.7 above. Replace [kc-url] with the actual Keycloak network address.
          client-id: control-center
          client-secret: <secret>
          scope: openid, profile, roles
          authorization-uri: http://[kc-url]/realms/gridgain/protocol/openid-connect/auth
          token-uri: http://[kc-url]/realms/gridgain/protocol/openid-connect/token
          jwk-set-uri: http://[kc-url]/realms/gridgain/protocol/openid-connect/certs

2. Set up Kerberos Server on Ubuntu

  1. Install Key Distribution Center and Kerberos Admin Service:

    $ sudo apt install krb5-admin-server krb5-kdc

    During installation, set the following properties:

    • Default realm: EXAMPLE.COM

    • Kerberos server:

    • Admin server:

  2. Create a realm:

    $ sudo krb5_newrealm

3. Create Kerberos principals

  1. Create a new principal to be used by Keycloack:

    $ sudo kadmin.local -q 'addprinc -randkey HTTP/'
  2. Generate the principal keytab file:

    $ sudo kadmin.local -q 'ktadd -k /tmp/http.keytab HTTP/'
  3. Place the http.keytab file on the Keycloack machine locally.

  4. Create a principal and keytab to be used by Control Center:

    $ sudo kadmin.local -q 'addprinc -randkey krb-user@EXAMPLE.COM'
    $ sudo kadmin.local -q 'ktadd -k /tmp/krb-user.keytab krb-user@EXAMPLE.COM'

4. Configure Keycloack to Log in with a Kerberos Ticket

  1. Select the gridgain realm and go to User Federation.

    screen 1

  2. Add the Kerberos provider and click Save.

    screen 2

  3. From the side menu, select Authentication.

    screen 3

  4. Add Kerberos as an alternative step to the Browser flow.

    screen 4

5. Sign in to Control Center with the Kerberos User

  1. Install the Kerberos client on the client side (if not already installed):

    $ sudo apt install krb5-user

    During installation, configure the realm host.

  2. Authenticate to Kerberos as krb-user with the keytab you have created in p. 3.3:

    $ kinit -kt /tmp/krb-user.keytab krb-user@EXAMPLE.COM
  3. Check if the Kerberos tickets have been successfully granted by KDC:

    $ klist

    The response should be:

    Ticket cache: FILE:/tmp/krb5cc_1000
    Default principal: krb-user@EXAMPLE.COM
    Valid starting       Expires              Service principal
    10/16/2022 12:19:10  10/16/2022 22:19:10  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    renew until 10/17/2022 12:19:09
  4. Launch your browser (Chrome in this tutorial) with SPNEGO enabled to allow Kerberos authentication with Keycloack:

    $ /usr/bin/google-chrome-stable --auth-server-whitelist="*" --auth-negotiate-delegate-whitelist="*"
  5. Open Control Center in the browser and select the Sign in to your account with OpenID option.

    screen 5

    Authentication with the Kerberos principal is performed automatically

    screen 6