Kerberos/SPNEGO custom realm for Elasticsearch Shield 2.0
Java Shell
Latest commit 3b43b5e Apr 25, 2016 @salyh salyh readme updated to 2.3.1

Shield Kerberos Realm

Build Status Coverage Status License

Kerberos/SPNEGO custom realm for Elasticsearch Shield 2.3.1.
Authenticate HTTP and Transport requests via Kerberos/SPNEGO.


Apache License Version 2.0


  • Kerberos/SPNEGO REST/HTTP authentication
  • Kerberos/SPNEGO Transport authentication
  • No JAAS login.conf required
  • No external dependencies

Community support

Twitter @hendrikdev22

Commercial support

Available. Please contact


  • Elasticsearch 2.3.1
  • Shield Plugin 2.3.1
  • Kerberos Infrastructure (ActiveDirectory, MIT, Heimdal, ...)

Install release

Download latest release and store it somewhere. Then execute:

$ bin/plugin install file:///path/to/target/release/

Build and install latest

$ git clone
$ mvn package
$ bin/plugin install file:///path/to/target/release/


Configuration is done in elasticsearch.yml cc-kerberos 0 /path/to/server.keytab HTTP/localhost@REALM.COM role1, role2 true /etc/krb5.conf false
security.manager.enabled: false
  • acceptor_keytab_path - The absolute path to the keytab where the acceptor_principal credentials are stored.
  • acceptor_principal - Acceptor (Server) Principal name, must be present in acceptor_keytab_path file
  • roles - Roles which should be assigned to the initiator (the user who's logged in)
  • strip_realm_from_principal - If true then the realm will be stripped from the user name
  • - If true a whole bunch of kerberos/security related debugging output will be logged to standard out
  • - Absolute path to krb5.conf file.
  • security.manager.enabled - Must currently be set to false. This will likely change with Elasticsearch 2.2, see PR 14108

REST/HTTP authentication

$ kinit
$ curl --negotiate -u : "http://localhost:9200/_logininfo?pretty"

Or with a browser that supports SPNEGO like Chrome or Firefox

Transport authentication

try (TransportClient client = TransportClient.builder().settings(settings).build()) {
        try (KerberizedClient kc = new KerberizedClient(client,
                                        "HTTP/localhost@REALM.COM")) {

            ClusterHealthResponse response = kc.admin().cluster().prepareHealth().execute().actionGet();
            assertThat(response.isTimedOut(), is(false));

Login with password

KerberizedClient kc = new KerberizedClient(client,

Login with (client side) keytab

KerberizedClient kc = new KerberizedClient(client,

Login with TGT (Ticket)

KerberizedClient kc = new KerberizedClient(client,

Login with

KerberizedClient kc = new KerberizedClient(client,