ClickHouse/docs/en/operations/external-authenticators/kerberos.md

# Kerberos

Existing and properly configured ClickHouse users can be authenticated via Kerberos authentication protocol.

Currently, Kerberos can only be used as an external authenticator for existing users, which are defined in `users.xml` or in local access control paths. Those users may only use HTTP requests and must be able to authenticate using GSS-SPNEGO mechanism.

For this approach, Kerberos must be configured in the system and must be enabled in ClickHouse config.


## Enabling Kerberos in ClickHouse {#enabling-kerberos-in-clickhouse}

To enable Kerberos, one should include `kerberos` section in `config.xml`. This section may contain additional parameters.

#### Parameters:

- `principal` - canonical service principal name that will be acquired and used when accepting security contexts.
    - This parameter is optional, if omitted, the default principal will be used.


- `realm` - a realm, that will be used to restrict authentication to only those requests whose initiator's realm matches it.
    - This parameter is optional, if omitted, no additional filtering by realm will be applied.

Example (goes into `config.xml`):

```xml
<clickhouse>
    <!- ... -->
    <kerberos />
</clickhouse>
```

With principal specification:

```xml
<clickhouse>
    <!- ... -->
    <kerberos>
        <principal>HTTP/clickhouse.example.com@EXAMPLE.COM</principal>
    </kerberos>
</clickhouse>
```

With filtering by realm:

```xml
<clickhouse>
    <!- ... -->
    <kerberos>
        <realm>EXAMPLE.COM</realm>
    </kerberos>
</clickhouse>
```

:::warning
You can define only one `kerberos` section. The presence of multiple `kerberos` sections will force ClickHouse to disable Kerberos authentication.
:::

:::warning
`principal` and `realm` sections cannot be specified at the same time. The presence of both `principal` and `realm` sections will force ClickHouse to disable Kerberos authentication.
:::

## Kerberos as an external authenticator for existing users {#kerberos-as-an-external-authenticator-for-existing-users}

Kerberos can be used as a method for verifying the identity of locally defined users (users defined in `users.xml` or in local access control paths). Currently, **only** requests over the HTTP interface can be *kerberized* (via GSS-SPNEGO mechanism).

Kerberos principal name format usually follows this pattern:

- *primary/instance@REALM*

The */instance* part may occur zero or more times. **The *primary* part of the canonical principal name of the initiator is expected to match the kerberized user name for authentication to succeed**.

### Enabling Kerberos in `users.xml` {#enabling-kerberos-in-users-xml}

In order to enable Kerberos authentication for the user, specify `kerberos` section instead of `password` or similar sections in the user definition.

Parameters:

- `realm` - a realm that will be used to restrict authentication to only those requests whose initiator's realm matches it.
    - This parameter is optional, if omitted, no additional filtering by realm will be applied.

Example (goes into `users.xml`):

```xml
<clickhouse>
    <!- ... -->
    <users>
        <!- ... -->
        <my_user>
            <!- ... -->
            <kerberos>
                <realm>EXAMPLE.COM</realm>
            </kerberos>
        </my_user>
    </users>
</clickhouse>
```

:::warning
Note that Kerberos authentication cannot be used alongside with any other authentication mechanism. The presence of any other sections like `password` alongside `kerberos` will force ClickHouse to shutdown.
:::

:::info Reminder
Note, that now, once user `my_user` uses `kerberos`, Kerberos must be enabled in the main `config.xml` file as described previously.
:::

### Enabling Kerberos using SQL {#enabling-kerberos-using-sql}

When [SQL-driven Access Control and Account Management](../access-rights.md#access-control) is enabled in ClickHouse, users identified by Kerberos can also be created using SQL statements.

```sql
CREATE USER my_user IDENTIFIED WITH kerberos REALM 'EXAMPLE.COM'
```

...or, without filtering by realm:

```sql
CREATE USER my_user IDENTIFIED WITH kerberos
```
Remove H1 anchor tags from docs 2022-06-02 10:55:18 +00:00			`# Kerberos`
New file 2021-02-22 16:18:59 +00:00
Added En and Ru Kerberos docs 2021-02-24 10:10:37 +00:00			`Existing and properly configured ClickHouse users can be authenticated via Kerberos authentication protocol.`
New file 2021-02-22 16:18:59 +00:00
Semi-final kerberos + ldap (ru) 2021-02-28 19:11:29 +00:00			Currently, Kerberos can only be used as an external authenticator for existing users, which are defined in `users.xml` or in local access control paths. Those users may only use HTTP requests and must be able to authenticate using GSS-SPNEGO mechanism.
New file 2021-02-22 16:18:59 +00:00
Added En and Ru Kerberos docs 2021-02-24 10:10:37 +00:00			`For this approach, Kerberos must be configured in the system and must be enabled in ClickHouse config.`


			`## Enabling Kerberos in ClickHouse {#enabling-kerberos-in-clickhouse}`

Semi-final kerberos + ldap (ru) 2021-02-28 19:11:29 +00:00			To enable Kerberos, one should include `kerberos` section in `config.xml`. This section may contain additional parameters.

			`#### Parameters:`

			- `principal` - canonical service principal name that will be acquired and used when accepting security contexts.
Formatting fixes 2021-12-21 15:36:44 +00:00			`- This parameter is optional, if omitted, the default principal will be used.`
Semi-final kerberos + ldap (ru) 2021-02-28 19:11:29 +00:00

			- `realm` - a realm, that will be used to restrict authentication to only those requests whose initiator's realm matches it.
Formatting fixes 2021-12-21 15:36:44 +00:00			`- This parameter is optional, if omitted, no additional filtering by realm will be applied.`
Added En and Ru Kerberos docs 2021-02-24 10:10:37 +00:00
			Example (goes into `config.xml`):
New file 2021-02-22 16:18:59 +00:00
			```xml
docs: switch <yandex> to <clickhouse> 2021-10-26 05:50:15 +00:00			`<clickhouse>`
New file 2021-02-22 16:18:59 +00:00			`<!- ... -->`
Added En and Ru Kerberos docs 2021-02-24 10:10:37 +00:00			`<kerberos />`
docs: switch <yandex> to <clickhouse> 2021-10-26 05:50:15 +00:00			`</clickhouse>`
New file 2021-02-22 16:18:59 +00:00			```

Semi-final kerberos + ldap (ru) 2021-02-28 19:11:29 +00:00			`With principal specification:`
New file 2021-02-22 16:18:59 +00:00
Added En and Ru Kerberos docs 2021-02-24 10:10:37 +00:00			```xml
docs: switch <yandex> to <clickhouse> 2021-10-26 05:50:15 +00:00			`<clickhouse>`
Added En and Ru Kerberos docs 2021-02-24 10:10:37 +00:00			`<!- ... -->`
			`<kerberos>`
			`<principal>HTTP/clickhouse.example.com@EXAMPLE.COM</principal>`
			`</kerberos>`
docs: switch <yandex> to <clickhouse> 2021-10-26 05:50:15 +00:00			`</clickhouse>`
Added En and Ru Kerberos docs 2021-02-24 10:10:37 +00:00			```
New file 2021-02-22 16:18:59 +00:00
Semi-final kerberos + ldap (ru) 2021-02-28 19:11:29 +00:00			`With filtering by realm:`
New file 2021-02-22 16:18:59 +00:00
			```xml
docs: switch <yandex> to <clickhouse> 2021-10-26 05:50:15 +00:00			`<clickhouse>`
New file 2021-02-22 16:18:59 +00:00			`<!- ... -->`
Added En and Ru Kerberos docs 2021-02-24 10:10:37 +00:00			`<kerberos>`
			`<realm>EXAMPLE.COM</realm>`
			`</kerberos>`
docs: switch <yandex> to <clickhouse> 2021-10-26 05:50:15 +00:00			`</clickhouse>`
New file 2021-02-22 16:18:59 +00:00			```

Removed /ja folder, cleaned up /ru markdown 2022-04-09 13:29:05 +00:00			`:::warning`
			You can define only one `kerberos` section. The presence of multiple `kerberos` sections will force ClickHouse to disable Kerberos authentication.
			`:::`
New file 2021-02-22 16:18:59 +00:00
Removed /ja folder, cleaned up /ru markdown 2022-04-09 13:29:05 +00:00			`:::warning`
			`principal` and `realm` sections cannot be specified at the same time. The presence of both `principal` and `realm` sections will force ClickHouse to disable Kerberos authentication.
			`:::`
New file 2021-02-22 16:18:59 +00:00
Added En and Ru Kerberos docs 2021-02-24 10:10:37 +00:00			`## Kerberos as an external authenticator for existing users {#kerberos-as-an-external-authenticator-for-existing-users}`

Semi-final kerberos + ldap (ru) 2021-02-28 19:11:29 +00:00			Kerberos can be used as a method for verifying the identity of locally defined users (users defined in `users.xml` or in local access control paths). Currently, only requests over the HTTP interface can be kerberized (via GSS-SPNEGO mechanism).
Added En and Ru Kerberos docs 2021-02-24 10:10:37 +00:00
Semi-final kerberos + ldap (ru) 2021-02-28 19:11:29 +00:00			`Kerberos principal name format usually follows this pattern:`
Added En and Ru Kerberos docs 2021-02-24 10:10:37 +00:00
			`- primary/instance@REALM`

			`The /instance part may occur zero or more times. *The primary* part of the canonical principal name of the initiator is expected to match the kerberized user name for authentication to succeed**.`

			### Enabling Kerberos in `users.xml` {#enabling-kerberos-in-users-xml}

Semi-final kerberos + ldap (ru) 2021-02-28 19:11:29 +00:00			In order to enable Kerberos authentication for the user, specify `kerberos` section instead of `password` or similar sections in the user definition.

			`Parameters:`

			- `realm` - a realm that will be used to restrict authentication to only those requests whose initiator's realm matches it.
Formatting fixes 2021-12-21 15:36:44 +00:00			`- This parameter is optional, if omitted, no additional filtering by realm will be applied.`
Added En and Ru Kerberos docs 2021-02-24 10:10:37 +00:00
			Example (goes into `users.xml`):
New file 2021-02-22 16:18:59 +00:00
			```xml
docs: switch <yandex> to <clickhouse> 2021-10-26 05:50:15 +00:00			`<clickhouse>`
New file 2021-02-22 16:18:59 +00:00			`<!- ... -->`
Added En and Ru Kerberos docs 2021-02-24 10:10:37 +00:00			`<users>`
New file 2021-02-22 16:18:59 +00:00			`<!- ... -->`
Added En and Ru Kerberos docs 2021-02-24 10:10:37 +00:00			`<my_user>`
			`<!- ... -->`
			`<kerberos>`
			`<realm>EXAMPLE.COM</realm>`
			`</kerberos>`
			`</my_user>`
			`</users>`
docs: switch <yandex> to <clickhouse> 2021-10-26 05:50:15 +00:00			`</clickhouse>`
New file 2021-02-22 16:18:59 +00:00			```

Removed /ja folder, cleaned up /ru markdown 2022-04-09 13:29:05 +00:00			`:::warning`
			Note that Kerberos authentication cannot be used alongside with any other authentication mechanism. The presence of any other sections like `password` alongside `kerberos` will force ClickHouse to shutdown.
			`:::`
New file 2021-02-22 16:18:59 +00:00
Remove H1 anchor tags from docs 2022-06-02 10:55:18 +00:00			`:::info Reminder`
Removed /ja folder, cleaned up /ru markdown 2022-04-09 13:29:05 +00:00			Note, that now, once user `my_user` uses `kerberos`, Kerberos must be enabled in the main `config.xml` file as described previously.
			`:::`
Added En and Ru Kerberos docs 2021-02-24 10:10:37 +00:00
			`### Enabling Kerberos using SQL {#enabling-kerberos-using-sql}`

Semi-final kerberos + ldap (ru) 2021-02-28 19:11:29 +00:00			`When [SQL-driven Access Control and Account Management](../access-rights.md#access-control) is enabled in ClickHouse, users identified by Kerberos can also be created using SQL statements.`
Added En and Ru Kerberos docs 2021-02-24 10:10:37 +00:00
			```sql
			`CREATE USER my_user IDENTIFIED WITH kerberos REALM 'EXAMPLE.COM'`
			```

			`...or, without filtering by realm:`

			```sql
			`CREATE USER my_user IDENTIFIED WITH kerberos`
			```