This page discusses Stardog's support for Kerberos as a means of authenticating users.
Stardog can be configured to run in both MIT and Active Directory Kerberos environments. To do so, a
keytab file must be properly created.
Once the keytab file is acquired, the following server properties can be set in stardog.properties:
| Property | Description |
|---|---|
| | The path to the keytab file for the Stardog server. |
| | The Kerberos principal that will be the default administrator of this service. |
| | A boolean value to enable debug logging in the Java Kerberos libraries. |
| | A string value used to translate a krb5 principal name to a Stardog username. The string is an expression in two parts divided by a |
| | The Kerberos principal that is authorized to connect as a cluster peer. Stardog cluster nodes connect directly to each other. This directive tells Stardog to use Kerberos authentication for this communication and to only allow connections from entities with the given Kerberos principal. |
| | The path to the keytab file that Stardog cluster peers will use to prove to other nodes that they are authorized peers. The principal in this keytab must match the value of |
Once Stardog is properly configured for Kerberos, Stardog user names should be created that match their associated Kerberos principal names. Authentication is performed by the Kerberos environment; authorization is then based on the authenticated principal name matching a Stardog user.
For more details about configuring these values, see our example
See our blog, Kerberos: Three-Headed Stardog, for a more detailed walkthrough on using Stardog with Kerberos.
As of Stardog version 7.4.5 you can configure your Stardog instance to authenticate via Kerberos when using Stardog Explorer and Stardog Studio.
Once the additional stardog.properties options are added as specified below, your browser should be able to negotiate with Kerberos credentials. To authenticate to a Stardog application via Kerberos, leave the username and password fields blank in the connection dialog and enter the endpoint URL for your Stardog instance. When no username or password is supplied, Studio will attempt to connect using browser credentials.
Once Kerberos authentication is set up, the following options can be set in stardog.properties for Explorer and Studio.
| Application | Property | Description |
|---|---|---|
| Explorer | | A comma separated list of domains to allow |
| Studio | | A comma separated list of domains to allow |
| All | | A boolean value that instructs Stardog to allow credentials in |
Note that browsers and Stardog will not allow cors.allowed.origins to be set to
when cors.allow.credentials is set to true, as it may expose credentials to malicious hosts.
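As an added example (not Stardog's own code), a small Python check for the CORS settings above: it parses a constructed stardog.properties fragment and flags a wildcard cors.allowed.origins combined with cors.allow.credentials=true, as well as entries that are not well-formed origins. The key names are the ones used in this section; the wildcard rule is standard browser CORS behaviour rather than something this page states, and the sample fragments are constructed.

```python
from urllib.parse import urlsplit

def parse_properties(text):
    """Minimal parser for key=value lines such as those in stardog.properties."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":   # skip blanks and comments
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def check_cors(props):
    """Return a list of findings for the CORS settings; an empty list means
    the combination is acceptable."""
    findings = []
    credentials = props.get("cors.allow.credentials", "false").lower() == "true"
    origins = [o.strip() for o in props.get("cors.allowed.origins", "").split(",")
               if o.strip()]
    # Browsers refuse a wildcard origin on credentialed requests, and allowing
    # it server-side would hand browser credentials to any requesting host.
    if credentials and "*" in origins:
        findings.append("cors.allowed.origins is a wildcard while "
                        "cors.allow.credentials=true")
    for origin in origins:
        if origin == "*":
            continue
        parts = urlsplit(origin)
        # An origin is scheme://host[:port] with no path, query or fragment.
        if (parts.scheme not in ("http", "https") or not parts.netloc
                or parts.path not in ("", "/") or parts.query or parts.fragment):
            findings.append(f"{origin!r} is not a well-formed origin "
                            "(expected scheme://host[:port])")
    return findings

# Constructed sample fragments: the weak setting beside the corrected one.
WEAK_PROPERTIES = """
cors.allowed.origins=*
cors.allow.credentials=true
"""
FIXED_PROPERTIES = """
cors.allowed.origins=https://studio.example.com,https://explorer.example.com
cors.allow.credentials=true
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_PROPERTIES), ("fixed", FIXED_PROPERTIES)):
        print(name, check_cors(parse_properties(text)) or "ok")
```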
In most cases the workstation should be properly configured for Kerberos authentication; however, it may be necessary to instruct your browser to whitelist the domain, usually if the host machine is not on the same domain as the Kerberos server. Set the following for your browser:

For Chrome on macOS:

```
$ defaults write com.google.Chrome AuthServerWhitelist "*.example.com"
$ defaults write com.google.Chrome AuthNegotiateDelegateWhitelist "*.example.com"
```

For Firefox:

- From the browser visit
- In network.negotiate-auth.trusted-uris, set the domain against which you want to authenticate, for example,