ClickHouse/docs/en/operations/external-authenticators/kerberos.md

# Kerberos {#external-authenticators-kerberos}

Existing and properly configured ClickHouse users can be authenticated via Kerberos authentication protocol.

Currently, Kerberos can only be used as an external authenticator for existing users, which are defined in `users.xml` or in local access control paths. Those users may only use HTTP requests and must be able to authenticate using GSS-SPNEGO mechanism.

For this approach, Kerberos must be configured in the system and must be enabled in ClickHouse config.


## Enabling Kerberos in ClickHouse {#enabling-kerberos-in-clickhouse}

To enable Kerberos, one should include `kerberos` section in `config.xml`. This section may contain additional parameters.

#### Parameters:

- `principal` - canonical service principal name that will be acquired and used when accepting security contexts.
    - This parameter is optional, if omitted, the default principal will be used.


- `realm` - a realm, that will be used to restrict authentication to only those requests whose initiator's realm matches it.
    - This parameter is optional, if omitted, no additional filtering by realm will be applied.

Example (goes into `config.xml`):

```xml
<clickhouse>
    <!- ... -->
    <kerberos />
</clickhouse>
```

With principal specification:

```xml
<clickhouse>
    <!- ... -->
    <kerberos>
        <principal>HTTP/clickhouse.example.com@EXAMPLE.COM</principal>
    </kerberos>
</clickhouse>
```

With filtering by realm:

```xml
<clickhouse>
    <!- ... -->
    <kerberos>
        <realm>EXAMPLE.COM</realm>
    </kerberos>
</clickhouse>
```

:::warning
You can define only one `kerberos` section. The presence of multiple `kerberos` sections will force ClickHouse to disable Kerberos authentication.
:::

:::warning
`principal` and `realm` sections cannot be specified at the same time. The presence of both `principal` and `realm` sections will force ClickHouse to disable Kerberos authentication.
:::

## Kerberos as an external authenticator for existing users {#kerberos-as-an-external-authenticator-for-existing-users}

Kerberos can be used as a method for verifying the identity of locally defined users (users defined in `users.xml` or in local access control paths). Currently, **only** requests over the HTTP interface can be *kerberized* (via GSS-SPNEGO mechanism).

Kerberos principal name format usually follows this pattern:

- *primary/instance@REALM*

The */instance* part may occur zero or more times. **The *primary* part of the canonical principal name of the initiator is expected to match the kerberized user name for authentication to succeed**.

### Enabling Kerberos in `users.xml` {#enabling-kerberos-in-users-xml}

In order to enable Kerberos authentication for the user, specify `kerberos` section instead of `password` or similar sections in the user definition.

Parameters:

- `realm` - a realm that will be used to restrict authentication to only those requests whose initiator's realm matches it.
    - This parameter is optional, if omitted, no additional filtering by realm will be applied.

Example (goes into `users.xml`):

```xml
<clickhouse>
    <!- ... -->
    <users>
        <!- ... -->
        <my_user>
            <!- ... -->
            <kerberos>
                <realm>EXAMPLE.COM</realm>
            </kerberos>
        </my_user>
    </users>
</clickhouse>
```

:::warning
Note that Kerberos authentication cannot be used alongside with any other authentication mechanism. The presence of any other sections like `password` alongside `kerberos` will force ClickHouse to shutdown.
:::

:::info Reminder    
Note, that now, once user `my_user` uses `kerberos`, Kerberos must be enabled in the main `config.xml` file as described previously.
:::

### Enabling Kerberos using SQL {#enabling-kerberos-using-sql}

When [SQL-driven Access Control and Account Management](../access-rights.md#access-control) is enabled in ClickHouse, users identified by Kerberos can also be created using SQL statements.

```sql
CREATE USER my_user IDENTIFIED WITH kerberos REALM 'EXAMPLE.COM'
```

...or, without filtering by realm:

```sql
CREATE USER my_user IDENTIFIED WITH kerberos
```
New file 2021-02-22 16:18:59 +00:00			`# Kerberos {#external-authenticators-kerberos}`

Added En and Ru Kerberos docs 2021-02-24 10:10:37 +00:00			`Existing and properly configured ClickHouse users can be authenticated via Kerberos authentication protocol.`
New file 2021-02-22 16:18:59 +00:00
Semi-final kerberos + ldap (ru) 2021-02-28 19:11:29 +00:00			Currently, Kerberos can only be used as an external authenticator for existing users, which are defined in `users.xml` or in local access control paths. Those users may only use HTTP requests and must be able to authenticate using GSS-SPNEGO mechanism.
New file 2021-02-22 16:18:59 +00:00
Added En and Ru Kerberos docs 2021-02-24 10:10:37 +00:00			`For this approach, Kerberos must be configured in the system and must be enabled in ClickHouse config.`


			`## Enabling Kerberos in ClickHouse {#enabling-kerberos-in-clickhouse}`

Semi-final kerberos + ldap (ru) 2021-02-28 19:11:29 +00:00			To enable Kerberos, one should include `kerberos` section in `config.xml`. This section may contain additional parameters.

			`#### Parameters:`

			- `principal` - canonical service principal name that will be acquired and used when accepting security contexts.
Formatting fixes 2021-12-21 15:36:44 +00:00			`- This parameter is optional, if omitted, the default principal will be used.`
Semi-final kerberos + ldap (ru) 2021-02-28 19:11:29 +00:00

			- `realm` - a realm, that will be used to restrict authentication to only those requests whose initiator's realm matches it.
Formatting fixes 2021-12-21 15:36:44 +00:00			`- This parameter is optional, if omitted, no additional filtering by realm will be applied.`
Added En and Ru Kerberos docs 2021-02-24 10:10:37 +00:00
			Example (goes into `config.xml`):
New file 2021-02-22 16:18:59 +00:00
			```xml
docs: switch <yandex> to <clickhouse> 2021-10-26 05:50:15 +00:00			`<clickhouse>`
New file 2021-02-22 16:18:59 +00:00			`<!- ... -->`
Added En and Ru Kerberos docs 2021-02-24 10:10:37 +00:00			`<kerberos />`
docs: switch <yandex> to <clickhouse> 2021-10-26 05:50:15 +00:00			`</clickhouse>`
New file 2021-02-22 16:18:59 +00:00			```

Semi-final kerberos + ldap (ru) 2021-02-28 19:11:29 +00:00			`With principal specification:`
New file 2021-02-22 16:18:59 +00:00
Added En and Ru Kerberos docs 2021-02-24 10:10:37 +00:00			```xml
docs: switch <yandex> to <clickhouse> 2021-10-26 05:50:15 +00:00			`<clickhouse>`
Added En and Ru Kerberos docs 2021-02-24 10:10:37 +00:00			`<!- ... -->`
			`<kerberos>`
			`<principal>HTTP/clickhouse.example.com@EXAMPLE.COM</principal>`
			`</kerberos>`
docs: switch <yandex> to <clickhouse> 2021-10-26 05:50:15 +00:00			`</clickhouse>`
Added En and Ru Kerberos docs 2021-02-24 10:10:37 +00:00			```
New file 2021-02-22 16:18:59 +00:00
Semi-final kerberos + ldap (ru) 2021-02-28 19:11:29 +00:00			`With filtering by realm:`
New file 2021-02-22 16:18:59 +00:00
			```xml
docs: switch <yandex> to <clickhouse> 2021-10-26 05:50:15 +00:00			`<clickhouse>`
New file 2021-02-22 16:18:59 +00:00			`<!- ... -->`
Added En and Ru Kerberos docs 2021-02-24 10:10:37 +00:00			`<kerberos>`
			`<realm>EXAMPLE.COM</realm>`
			`</kerberos>`
docs: switch <yandex> to <clickhouse> 2021-10-26 05:50:15 +00:00			`</clickhouse>`
New file 2021-02-22 16:18:59 +00:00			```

Updates /operations docs 2022-03-30 02:38:50 +00:00			`:::warning`
			You can define only one `kerberos` section. The presence of multiple `kerberos` sections will force ClickHouse to disable Kerberos authentication.
			`:::`
New file 2021-02-22 16:18:59 +00:00
Updates /operations docs 2022-03-30 02:38:50 +00:00			`:::warning`
			`principal` and `realm` sections cannot be specified at the same time. The presence of both `principal` and `realm` sections will force ClickHouse to disable Kerberos authentication.
			`:::`
New file 2021-02-22 16:18:59 +00:00
Added En and Ru Kerberos docs 2021-02-24 10:10:37 +00:00			`## Kerberos as an external authenticator for existing users {#kerberos-as-an-external-authenticator-for-existing-users}`

Semi-final kerberos + ldap (ru) 2021-02-28 19:11:29 +00:00			Kerberos can be used as a method for verifying the identity of locally defined users (users defined in `users.xml` or in local access control paths). Currently, only requests over the HTTP interface can be kerberized (via GSS-SPNEGO mechanism).
Added En and Ru Kerberos docs 2021-02-24 10:10:37 +00:00
Semi-final kerberos + ldap (ru) 2021-02-28 19:11:29 +00:00			`Kerberos principal name format usually follows this pattern:`
Added En and Ru Kerberos docs 2021-02-24 10:10:37 +00:00
			`- primary/instance@REALM`

			`The /instance part may occur zero or more times. *The primary* part of the canonical principal name of the initiator is expected to match the kerberized user name for authentication to succeed**.`

			### Enabling Kerberos in `users.xml` {#enabling-kerberos-in-users-xml}

Semi-final kerberos + ldap (ru) 2021-02-28 19:11:29 +00:00			In order to enable Kerberos authentication for the user, specify `kerberos` section instead of `password` or similar sections in the user definition.

			`Parameters:`

			- `realm` - a realm that will be used to restrict authentication to only those requests whose initiator's realm matches it.
Formatting fixes 2021-12-21 15:36:44 +00:00			`- This parameter is optional, if omitted, no additional filtering by realm will be applied.`
Added En and Ru Kerberos docs 2021-02-24 10:10:37 +00:00
			Example (goes into `users.xml`):
New file 2021-02-22 16:18:59 +00:00
			```xml
docs: switch <yandex> to <clickhouse> 2021-10-26 05:50:15 +00:00			`<clickhouse>`
New file 2021-02-22 16:18:59 +00:00			`<!- ... -->`
Added En and Ru Kerberos docs 2021-02-24 10:10:37 +00:00			`<users>`
New file 2021-02-22 16:18:59 +00:00			`<!- ... -->`
Added En and Ru Kerberos docs 2021-02-24 10:10:37 +00:00			`<my_user>`
			`<!- ... -->`
			`<kerberos>`
			`<realm>EXAMPLE.COM</realm>`
			`</kerberos>`
			`</my_user>`
			`</users>`
docs: switch <yandex> to <clickhouse> 2021-10-26 05:50:15 +00:00			`</clickhouse>`
New file 2021-02-22 16:18:59 +00:00			```

Updates /operations docs 2022-03-30 02:38:50 +00:00			`:::warning`
			Note that Kerberos authentication cannot be used alongside with any other authentication mechanism. The presence of any other sections like `password` alongside `kerberos` will force ClickHouse to shutdown.
			`:::`
New file 2021-02-22 16:18:59 +00:00
Updates /operations docs 2022-03-30 02:38:50 +00:00			`:::info Reminder`
			Note, that now, once user `my_user` uses `kerberos`, Kerberos must be enabled in the main `config.xml` file as described previously.
			`:::`
Added En and Ru Kerberos docs 2021-02-24 10:10:37 +00:00
			`### Enabling Kerberos using SQL {#enabling-kerberos-using-sql}`

Semi-final kerberos + ldap (ru) 2021-02-28 19:11:29 +00:00			`When [SQL-driven Access Control and Account Management](../access-rights.md#access-control) is enabled in ClickHouse, users identified by Kerberos can also be created using SQL statements.`
Added En and Ru Kerberos docs 2021-02-24 10:10:37 +00:00
			```sql
			`CREATE USER my_user IDENTIFIED WITH kerberos REALM 'EXAMPLE.COM'`
			```

			`...or, without filtering by realm:`

			```sql
			`CREATE USER my_user IDENTIFIED WITH kerberos`
			```