Kerberos/SPNEGO custom realm for Elasticsearch Shield 2.3.1.
Authenticate HTTP and Transport requests via Kerberos/SPNEGO.
Apache License Version 2.0
- Kerberos/SPNEGO REST/HTTP authentication
- Kerberos/SPNEGO Transport authentication
- No JAAS login.conf required
- No external dependencies
Stackoverflow
Twitter @hendrikdev22
Available. Please contact vertrieb@codecentric.de
- Elasticsearch 2.3.1
- Shield Plugin 2.3.1
- Kerberos Infrastructure (ActiveDirectory, MIT, Heimdal, ...)
Download latest release and store it somewhere. Then execute:
$ bin/plugin install file:///path/to/target/release/elasticsearch-shield-kerberos-realm-2.3.1.zip
$ git clone https://github.com/codecentric/elasticsearch-shield-kerberos-realm.git
$ mvn package
$ bin/plugin install file:///path/to/target/release/elasticsearch-shield-kerberos-realm-2.3.1.zip
Configuration is done in elasticsearch.yml
shield.authc.realms.cc-kerberos.type: cc-kerberos
shield.authc.realms.cc-kerberos.order: 0
shield.authc.realms.cc-kerberos.acceptor_keytab_path: /path/to/server.keytab
shield.authc.realms.cc-kerberos.acceptor_principal: HTTP/localhost@REALM.COM
shield.authc.realms.cc-kerberos.roles: role1, role2
shield.authc.realms.cc-kerberos.strip_realm_from_principal: true
de.codecentric.realm.cc-kerberos.krb5.file_path: /etc/krb5.conf
de.codecentric.realm.cc-kerberos.krb_debug: false
security.manager.enabled: false
acceptor_keytab_path
- The absolute path to the keytab where the acceptor_principal credentials are stored.acceptor_principal
- Acceptor (Server) Principal name, must be present in acceptor_keytab_path fileroles
- Roles which should be assigned to the initiator (the user who's logged in)strip_realm_from_principal
- If true then the realm will be stripped from the user namede.codecentric.realm.cc-kerberos.krb_debug
- If true a whole bunch of kerberos/security related debugging output will be logged to standard outde.codecentric.realm.cc-kerberos.krb5.file_path
- Absolute path to krb5.conf file.security.manager.enabled
- Must currently be set tofalse
. This will likely change with Elasticsearch 2.2, see PR 14108
$ kinit
$ curl --negotiate -u : "http://localhost:9200/_logininfo?pretty"
Or with a browser that supports SPNEGO like Chrome or Firefox
try (TransportClient client = TransportClient.builder().settings(settings).build()) {
client.addTransportAddress(nodes[0].getTransport().address().publishAddress());
try (KerberizedClient kc = new KerberizedClient(client,
"user@REALM.COM",
"secret",
"HTTP/localhost@REALM.COM")) {
ClusterHealthResponse response = kc.admin().cluster().prepareHealth().execute().actionGet();
assertThat(response.isTimedOut(), is(false));
}
}
KerberizedClient kc = new KerberizedClient(client,
"user@REALM.COM",
"secret",
"HTTP/localhost@REALM.COM")
KerberizedClient kc = new KerberizedClient(client,
Paths.get("client.keytab"),
"user@REALM.COM",
"HTTP/localhost@REALM.COM")
KerberizedClient kc = new KerberizedClient(client,
"user@REALM.COM",
Paths.get("ticket.cc"),
"HTTP/localhost@REALM.COM")
KerberizedClient kc = new KerberizedClient(client,
subject,
"HTTP/localhost@REALM.COM")