Kerberos/SPNEGO custom realm for Elasticsearch Shield 2.0
Shield Kerberos Realm


Kerberos/SPNEGO custom realm for Elasticsearch Shield 2.3.1.
Authenticates HTTP (REST) and Transport requests via Kerberos/SPNEGO.

License

Apache License Version 2.0

Features

  • Kerberos/SPNEGO REST/HTTP authentication
  • Kerberos/SPNEGO Transport authentication
  • No JAAS login.conf required
  • No external dependencies

Community support

Stackoverflow
Twitter @hendrikdev22

Commercial support

Available. Please contact vertrieb@codecentric.de

Prerequisites

  • Elasticsearch 2.3.1
  • Shield Plugin 2.3.1
  • Kerberos Infrastructure (ActiveDirectory, MIT, Heimdal, ...)

Install release

Download the latest release, store the zip locally, then install it with the Elasticsearch plugin tool:

$ bin/plugin install file:///path/to/target/release/elasticsearch-shield-kerberos-realm-2.3.1.zip

Build and install latest

$ git clone https://github.com/codecentric/elasticsearch-shield-kerberos-realm.git
$ mvn package
$ bin/plugin install file:///path/to/target/release/elasticsearch-shield-kerberos-realm-2.3.1.zip

Configuration

The realm is configured in elasticsearch.yml:

shield.authc.realms.cc-kerberos.type: cc-kerberos
shield.authc.realms.cc-kerberos.order: 0
shield.authc.realms.cc-kerberos.acceptor_keytab_path: /path/to/server.keytab
shield.authc.realms.cc-kerberos.acceptor_principal: HTTP/localhost@REALM.COM
shield.authc.realms.cc-kerberos.roles: role1, role2
shield.authc.realms.cc-kerberos.strip_realm_from_principal: true
de.codecentric.realm.cc-kerberos.krb5.file_path: /etc/krb5.conf
de.codecentric.realm.cc-kerberos.krb_debug: false
security.manager.enabled: false

  • acceptor_keytab_path - Absolute path to the keytab that holds the credentials of the acceptor_principal. Protect this file like a private key: anyone who can read it can impersonate the service.
  • acceptor_principal - Acceptor (server) principal name; must be present in the keytab at acceptor_keytab_path.
  • roles - Roles assigned to the initiator (the user who logged in). The roles are the same for every authenticated principal; there is no per-user mapping.
  • strip_realm_from_principal - If true, the realm part is stripped from the user name (user@REALM.COM becomes user).
  • de.codecentric.realm.cc-kerberos.krb_debug - If true, a large amount of Kerberos/security related debugging output is logged to standard out.
  • de.codecentric.realm.cc-kerberos.krb5.file_path - Absolute path to the krb5.conf file.
  • security.manager.enabled - Must currently be set to false. Note that this disables the Java SecurityManager sandbox for the whole Elasticsearch node, not just for this plugin. This will likely change with Elasticsearch 2.2, see PR 14108.

REST/HTTP authentication

$ kinit
$ curl --negotiate -u : "http://localhost:9200/_logininfo?pretty"

Or use a browser that supports SPNEGO, such as Chrome or Firefox.

Kerberos authenticates the request; it does not encrypt it. Over plain HTTP, as in the example above, the Negotiate header and the response body travel in the clear, so enable Shield's HTTPS support for anything beyond local testing.
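An added example, not part of the plugin or this README, of what curl --negotiate does under the hood: a Java client that logs in from the ticket cache created by kinit using a programmatic JAAS configuration (so, like the plugin, it needs no login.conf on disk), builds the SPNEGO token with JGSS, and sends it in the Authorization: Negotiate header. The class name SpnegoRestClient, the URL and the service principal HTTP/localhost@REALM.COM are assumptions taken from the configuration above; whether the server returns a mutual-authentication token in WWW-Authenticate is not stated on this page, so the client only consumes one if it is present.

```java
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * Added example (not project code): SPNEGO-authenticated GET against the REST endpoint.
 * Assumes the realm is configured with acceptor_principal HTTP/localhost@REALM.COM.
 */
public final class SpnegoRestClient {

    /** Programmatic JAAS configuration: take the TGT from the ticket cache filled by `kinit`. */
    private static final class TicketCacheConfiguration extends Configuration {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            Map<String, String> opts = new HashMap<>();
            opts.put("useTicketCache", "true");
            opts.put("doNotPrompt", "true"); // fail instead of prompting for a password
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts)
            };
        }
    }

    /** Log in from the ticket cache and return the Subject holding the Kerberos credentials. */
    static Subject loginFromTicketCache() throws Exception {
        LoginContext lc = new LoginContext("spnego-client", null, null, new TicketCacheConfiguration());
        lc.login();
        return lc.getSubject();
    }

    /** Send one GET with an Authorization: Negotiate header and return the HTTP status code. */
    static int get(Subject subject, String url, String servicePrincipal) throws Exception {
        return Subject.doAs(subject, (PrivilegedExceptionAction<Integer>) () -> {
            Oid spnego = new Oid("1.3.6.1.5.5.2"); // SPNEGO mechanism OID
            GSSManager manager = GSSManager.getInstance();
            GSSName server = manager.createName(servicePrincipal, GSSName.NT_USER_NAME);
            GSSContext ctx = manager.createContext(server, spnego, null, GSSContext.DEFAULT_LIFETIME);
            try {
                ctx.requestMutualAuth(true);
                // First call with an empty input token yields the NegTokenInit carrying the AP-REQ.
                byte[] token = ctx.initSecContext(new byte[0], 0, 0);

                HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
                conn.setRequestProperty("Authorization",
                        "Negotiate " + Base64.getEncoder().encodeToString(token));
                int status = conn.getResponseCode();

                // If the server answers with its own token, feeding it back completes mutual
                // authentication; a forged or wrong-key reply throws a GSSException here.
                String hdr = conn.getHeaderField("WWW-Authenticate");
                if (hdr != null && hdr.startsWith("Negotiate ") && !ctx.isEstablished()) {
                    byte[] reply = Base64.getDecoder().decode(hdr.substring("Negotiate ".length()).trim());
                    ctx.initSecContext(reply, 0, reply.length);
                }
                return status;
            } finally {
                ctx.dispose();
            }
        });
    }

    public static void main(String[] args) throws Exception {
        // Run `kinit` first, exactly as in the curl example above.
        Subject subject = loginFromTicketCache();
        int status = get(subject, "http://localhost:9200/_logininfo?pretty", "HTTP/localhost@REALM.COM");
        System.out.println("HTTP " + status);
    }
}
```

The service principal is passed as a plain Kerberos principal name (GSSName.NT_USER_NAME) rather than the host-based form HTTP@localhost so that it matches the acceptor_principal setting literally; a mismatch between the two is the usual cause of a failed negotiation, so check the keytab with klist -kt first.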

Transport authentication

import org.elasticsearch.action.admin.cluster.health.ClusterHealthResponse;
import org.elasticsearch.client.transport.TransportClient;
import org.elasticsearch.common.settings.Settings;

// `settings` and `nodes` come from the surrounding test; KerberizedClient wraps the transport
// client and authenticates the requests it sends with Kerberos/SPNEGO.
try (TransportClient client = TransportClient.builder().settings(settings).build()) {
    client.addTransportAddress(nodes[0].getTransport().address().publishAddress());
    try (KerberizedClient kc = new KerberizedClient(client,
                                                    "user@REALM.COM",              // initiator principal
                                                    "secret",                      // its password
                                                    "HTTP/localhost@REALM.COM")) { // acceptor principal
        ClusterHealthResponse response = kc.admin().cluster().prepareHealth().execute().actionGet();
        assertThat(response.isTimedOut(), is(false));
    }
}

Login with password

KerberizedClient kc = new KerberizedClient(client,
                                           "user@REALM.COM",
                                           "secret",
                                           "HTTP/localhost@REALM.COM");

Login with (client side) keytab

KerberizedClient kc = new KerberizedClient(client,
                                           Paths.get("client.keytab"),
                                           "user@REALM.COM",
                                           "HTTP/localhost@REALM.COM");

Login with TGT (ticket cache)

KerberizedClient kc = new KerberizedClient(client,
                                           "user@REALM.COM",
                                           Paths.get("ticket.cc"),
                                           "HTTP/localhost@REALM.COM");

Login with javax.security.auth.Subject

KerberizedClient kc = new KerberizedClient(client,
                                           subject,
                                           "HTTP/localhost@REALM.COM");