Kerberos is a ticket-based server-client mutual authentication protocol that is supported by the MySQL Server (commercial versions only) since release 8.0.26 .
Support for Kerberos is implemented by Connector/J (release 8.0.26 and later) using the GSS-API, JAAS API, and JCA API; providers for each of these APIs must be available on the Java Virtual Machine running your application that uses Kerberos authentication. Using non-default providers can lead to unexpected results.
The main usage of Kerberos authentication in MySQL is to allow
users to create connections without having to specify a user
name and password in the connection string. For that to work,
Connector/J must be configured with the connection property
and then the MySQL user name may be extracted from
the Kerberos principal associated to the locally cached
Ticket-Granting Ticket (TGT). Notice that a MySQL user name
differs from a Kerberos principal in not containing a realm
part; therefore, Connector/J cuts all the characters in the
principle after the “@” sign and uses it as the
MySQL user name.
If there is no TGT available in the local Kerberos cache, Connector/J uses the OS login user name as the MySQL user name. A user name specified in the connection string always takes precedence over names obtained by any other means for the MySQL user.
The MySQL user name is then sent to the MySQL server for validation. Non-existing users cause the server to return an error. Existing users are allowed to proceed with the authentication process, and the authentication mechanism that follows depends on how the MySQL user was created:
For users created with the authentication plugin
authentication_kerberos, MySQL server sends the corresponding Kerberos realm back to Connector/J, which, in turn, uses it to construct the Kerberos principal that identifies the user on the Kerberos server. One of three things may then happen:
The newly constructed Kerberos principal matches the Kerberos principal associated to the locally cached TGT; this TGT is then sent to the Kerberos server to obtain the desired MySQL Service Ticket, and the authentication proceeds.
The newly constructed Kerberos principal does not match the Kerberos principal associated to the locally cached TGT, or there is no local Kerberos cache; this Kerberos principal, as well as the password that may have been specified in the connection string (or an empty string if none was specified), is sent to the Kerberos server to obtain first a valid TGT, and then the desired MySQL Service Ticket; and the authentication proceeds.
An error is thrown if Connector/J is unable to obtain the correct Kerberos configurations, unable to communicate with the Kerberos server, or unable to perform either of the two steps above.
For users defined with a plugin different from
authentication_kerberos, the server requests Connector/J to use another authentication method.
In order to operate properly with the Kerberos server, Connector/J requires either a system-wide Kerberos configuration, or these local system property settings for the JVM:
[the KDC host name]
[the default Kerberos realm]
The process of configuring Connector/J to use Kerberos authentication is not always straightforward. Enabling logging in the internal Java providers can help find potential problems. That can be done by setting these system properties: