Kerberos with Posit Professional Products
It is possible to use Kerberos tickets to log in to Posit professional products or to provide user access to other resources like databases, but direct integration is not supported.
Using Kerberos to Log In
A Kerberos system can be used to log in to Posit professional products by configuring Workbench or Connect to use PAM authentication and configuring PAM to use Kerberos.
Posit professional products do not support Kerberos SSO (Windows Integrated Auth/SPNEGO). However, many Kerberos providers can serve as SAML or OIDC/OAuth2 IdPs, which can be configured with Posit professional products. It is also possible to configure Kerberos SSO with proxied authentication in the product, but this is an advanced configuration.
Using Kerberos to log in to Posit professional products will not automatically enable forwarding a Kerberos ticket to another system. Forwarding a ticket to another system is a distinct process. Details are below.
Ticket Initialization
The ticket initialization method you choose will depend on whether you can use a service account for all users or whether each user requires a distinct ticket.
Service Account
If you can use a service account, you will make a Kerberos ticket available to users that will be entirely separate from their authentication process.
The service account ticket can be initialized with a kinit command. It is up to you whether to keep the ticket evergreen for users by scheduling the kinit using a cron job or other scheduler, or to have users create the ticket as needed with a kinit command at the top of their R or Python script or app.
This configuration is compatible with using a keytab to store credentials, should you wish to do so.
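As an added example (not Posit's documentation or code), the following POSIX shell helper can be called from a cron job or at the top of a job to keep a service-account ticket evergreen: it keeps the ticket in its own credential cache so it never clobbers a user's cache, and re-runs kinit from the keytab only when klist reports no valid ticket. The principal, keytab path and cache path are placeholders, not values from this page.

```shell
#!/bin/sh
# Added example: refresh a service-account Kerberos ticket from a keytab.
# Placeholder values (assumptions, override via the environment):
SVC_PRINCIPAL="${SVC_PRINCIPAL:-svc-posit@EXAMPLE.ORG}"
SVC_KEYTAB="${SVC_KEYTAB:-/etc/posit/svc-posit.keytab}"   # keep mode 0600, owned by the service account
SVC_CACHE="${SVC_CACHE:-/var/lib/posit/krb5cc_svc}"      # dedicated cache, readable by the users who need it

# Return 0 if the cache at $1 holds an unexpired TGT. "klist -s" is silent
# and exits non-zero when the cache is missing, empty or expired.
ticket_valid() {
    KRB5CCNAME="FILE:$1" klist -s
}

# Obtain a fresh TGT for the service principal from the keytab into cache $1.
acquire_ticket() {
    KRB5CCNAME="FILE:$1" kinit -kt "$SVC_KEYTAB" "$SVC_PRINCIPAL"
}

# Ensure a valid ticket exists, calling kinit only when needed, and print the
# cache path so a caller can "export KRB5CCNAME=FILE:$(ensure_ticket)".
ensure_ticket() {
    cache="${1:-$SVC_CACHE}"
    if ! ticket_valid "$cache"; then
        acquire_ticket "$cache" || return 1
    fi
    echo "$cache"
}

# Example cron entry to keep the ticket evergreen (every 4 hours):
#   0 */4 * * *  SVC_CACHE=/var/lib/posit/krb5cc_svc /usr/local/sbin/svc-ticket.sh
# A script or app can instead call ensure_ticket at its top, then export
# KRB5CCNAME to the printed path before connecting to the database.
```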
Per-user
This option is substantially more complicated from an administrative perspective than many others, and is only recommended for admins who already have substantial comfort with PAM and Kerberos. Other options for authenticating into data sources are detailed here.
Usually, user tickets are generated on login using an appropriate PAM module. It is also possible to create user tickets with a kinit as described in the service account section above.
Since Workbench already requires a Linux account with a home directory for each user, the main addition is to use a Kerberos PAM module and password forwarding with the auth-pam-sessions-use-password configuration.
In most configurations, Connect does not require local system accounts, so configuring per-user tickets requires:
- Using PAM authentication to ensure that local system accounts exist for each user.
- Configuring the appropriate PAM module to initialize tickets on user login.
- Configuring the RunAsCurrentUser setting and PAM credential caching.