Sometimes, IT groups configuring RStudio Team at their organization want to use Kerberos tickets to provide RStudio Team users access to internal data sources.
This page will help you understand your options if you want to Kerberize access to data sources from RStudio Team.
If you can use a service account #
In many cases, access to a data source can be done via a Kerberos ticket belonging to a service account. For example, if all of the developers on your RStudio Server Pro have the same level of database access, or if all of the apps on your instance of RStudio Connect can read the same data, you can configure Kerberos access from one service account for the entire server.
In this case, the Kerberos process is entirely separate from authenticating into the server. Any user, once authenticated with the method of your choice, will be able to take advantage of the Kerberized data connection.
This can be achieved with any authentication mechanism by using a
Kinit command issued by the operating system or R or Python code.
If you need per-user Kerberos access #
If you want RStudio Team to forward a Kerberos ticket for user-level database access for data scientists on RStudio Server Pro or app viewers on RStudio Connect, you will need to configure RStudio Server Pro and RStudio Connect to use PAM authentication and a Kerberos-PAM module.
This option is substantially more complicated from an administrative perspective than many others, and we recommend considering the other options for authenticating into data sources detailed at db.rstudio.com before undertaking this configuration.
In order to achieve this configuration, you will need to:
- Ensure users have accounts on the Linux server using the Kerberos-PAM module.
- Ensure users have accounts in the product by configuring PAM authentication in RStudio Server Pro, and/or RStudio Connect.
- [For Shiny apps on RStudio Connect] Configure the run as current user setting and PAM credential cacheing.
RStudio Connect cannot directly use groups on the underlying Linux server via PAM authentication, so you will need to manage group membership manually in the product or via the RStudio Connect API. The RStudio Connect API Cookbook includes code to create RStudio Connect users from LDAP, which you could run on a scheduled basis.
To use Kerberos SSO/Windows Integrated Auth (SPNEGO) #
Using Kerberos SSO with RStudio Team products is a completely different process from forwarding a Kerberos ticket to a data source from within RStudio Team.
Our products do not directly support Kerberos SSO. However many Kerberos SSO providers support SAML configuration. In that case, RStudio Team products can be configured to directly use your SAML IdP to have a smooth SSO user experience. If your SAML IdP provider does not support Kerberos, you can configure proxied authentication in the product.
the Kerberos SSO ticket is a service ticket, and not a ticket-granting-ticket, it
cannot directly be forwarded to a data source to grant Kerberized access.
If you wish to use Kerberos SSO and forward a ticket to a data source,
you will have to configure
Kinit to generate a data access ticket
on the RStudio Team servers in
addition to configuring Kerberos SSO for authentication.