It is possible to use Kerberos tickets to login to RStudio Pro Products or to provide user access to other resources like databases, but direct integration is not supported.
Using Kerberos to Login #
RStudio Pro Products do not support Kerberos SSO (Windows Integrated Auth/SPNEGO). However, many Kerberos providers can serve as SAML or OIDC/OAuth2 IdPs, which can be configured with RStudio Pro Products. It is also possible to configure Kerberos SSO with proxied authentication in the product, but this is an advanced configuration.
Using Kerberos to login to RStudio Pro Products will not automatically enable forwarding a Kerberos ticket to another system. Forwarding a ticket to another system is a distinct process. Details are below.
Ticket Initialization #
The ticket initialization method you choose will depend on whether you can use a service account for all users or whether each user requires a distinct ticket.
Service Account #
If you can use a service account, you will make a Kerberos ticket available to users that will be entirely separate from their authentication process.
The service account ticket can be initialized with a
kinit command. It is up to you whether to keep the ticket evergreen for users by scheduling the
kinit using a cron job or other scheduler, or to have users create the ticket as needed with a
kinit command at the top of their R or Python script or app.
This configuration is compatible with using a keytab to store credentials, should you wish to do so.
This option is substantially more complicated from an administrative perspective than many others, and is only recommended for admins who already have substantial comfort with PAM and Kerberos. Other options for authenticating into data sources are detailed at db.rstudio.com.
Usually, user tickets are generated on login using an appropriate PAM module. It is also possible to create user tickets with a
kinit as described in the service account section above.
Since RStudio Server Pro already requires a Linux account with home directory for each user, the main addition is to use a Kerberos PAM module and password forwarding with the
In most configurations, RStudio Connect does not require local system accounts, so configuring per-user tickets requires:
- Using PAM authentication to ensure that local system accounts exist for each user.
- Configuring the appropriate PAM module to initialize tickets on user login.
- Configuring the RunAsCurrentUser setting and PAM credential cacheing.