-
Notifications
You must be signed in to change notification settings - Fork 24.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Kerberos] Add documentation for Kerberos realm #32662
Conversation
This commit adds documentation for configuring Kerberos realm. Configuring Kerberos realm documentation highlights important terminology and requirements before creating Kerberos realm. Most of the documentation is centered around configuration from Elasticsearch rather than go deep into Kerberos implementation. Kerberos realm settings are mentioned in the security settings for Kerberos realm. TODO: - Troubleshooting documentation will be added in the next PR
Pinging @elastic/es-docs |
Pinging @elastic/es-security |
Windows or `kadmin` for MIT Kerberos are some tools that can be used | ||
for creation of keytabs. Place this keytab file in the `ES_PATH_CONF`. | ||
Make sure that this keytab file has read permissions. As this file contains | ||
credentials appropriate measures must be taken to protect it. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we clarify further the principal names to use for Elasticsearch? I saw in the code that we allow logging in for principal *
. If we're using unbound keytabs, it might make sense to mention that here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure, I will update this to add that information. Thank you.
|
||
`keytab.path`:: Specifies the path to the Kerberos keytab file that contains the | ||
service principal used by this {es} node. It expects the keytab file to be present in `ES_PATH_CONF` | ||
and have read permissions. Required. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this mean that the keytab file must be in the ES_PATH_CONF, or is that just the default location?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, it must be in the ES_PATH_CONF else elasticsearch will not have file permissions to access it unless we go. This is as per default installation. We can modify java security policy and give a different location but I am not sure if we mention that anywhere.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we say something similar for other files such as certificates? I think we should just be consistent with what we say
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, at places we say to put certificates in es configuration directory and have updated this to be consistent with what we say. Thank you.
|
||
-- | ||
|
||
. Create a keytab for the service node. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is unclear what is meant by "the service node" here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changed it toElasticsearch node
. Thank you.
Windows and `kadmin` for MIT Kerberos. | ||
-- | ||
|
||
. Put the keytab file in the `ES_PATH_CONF`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Per earlier comment, can we put it in a different path if keytab.path is set appropriately?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, we cannot put keytab in different path as we need permissions to access the file. Thank you.
credentials, therefore you must take appropriate measures to protect it. | ||
|
||
IMPORTANT: On every {es} node, there must be a keytab file for the HTTP | ||
principal. The keytab files are unique for each node since they include the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is the first time we've referred to an "HTTP principal". Can this be clarified?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Clarified further, Thank you.
Principal names in Kerberos have the form `user/instance@REALM`. If this option | ||
is `true`, the realm part (`@REALM`) is removed before setting the `username` | ||
field in `User`. The shortened `username` value can then used during role mapping. | ||
Defaults to `false`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this mean you can't use role mappings unless that realm part is removed?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, it is a option to decide whether to keep the @REALM
part in the username. Changed the sentence as suggested by Jay. Thank you.
the format `username@REALM`. This `username` can then be used for mapping | ||
roles to the user. There is a realm setting `remove_realm_name` which when | ||
set to `true` removes the realm part (`@REALM`) and the resulting `username` can | ||
then be used for role mapping. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Per previous comment, this seems to imply that you can't use role mappings successfully unless you set remove_realm_name to true. Is that right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, as explained above changed the wording as suggested by Jay. Thank you.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I left some comments and suggestions
|
||
`remove_realm_name`:: Set to `true` to remove the realm part of principal names. | ||
Principal names in Kerberos have the form `user/instance@REALM`. If this option | ||
is `true`, the realm part (`@REALM`) is removed before setting the `username` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this goes into the code too much. I would just say the realm part (
@realm) will not be included in the username
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Removed the unwanted information. Thanks.
|
||
==== Create a Kerberos realm | ||
|
||
Following are the steps to enable Kerberos realm: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe Perform the following steps to define a Kerberos realm
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Lisa addressed this in her commit. Thank you.
|
||
Following are the steps to enable Kerberos realm: | ||
|
||
. Enable SSL/TLS for HTTP |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is this really a requirement?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not entirely as in it can function without enabling TLS. Some clients like Apache HTTP client do not complete the mutual authentication step to verify server. We can remove this if we do not want to have this as a hard requirement. We do not explicitly enforce this. Please suggest. Thank you.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we do not enforce it, then we should remove it.
+ | ||
-- | ||
|
||
`krb5.conf` is the Kerberos configuration file. {es} uses Java GSS and |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/is the/is the name of the
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Lisa addressed this in her commit. Thank you.
-- | ||
|
||
`krb5.conf` is the Kerberos configuration file. {es} uses Java GSS and | ||
JAAS Krb5LoginModule to support Kerberos authentication using Spnego |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the JAAS Krb5LoginModule. s/Spnego/the SPNEGO
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Lisa addressed this in her commit. Thank you.
Make sure that this keytab file has read permissions. As this file contains | ||
credentials appropriate measures must be taken to protect it. | ||
|
||
IMPORTANT: On every {es} node, there must be a keytab file for HTTP |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/HTTP/the HTTP
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done, Thank you.
IMPORTANT: On every {es} node, there must be a keytab file for HTTP | ||
principal. The keytab files are unique for each node as they include the | ||
hostname. Usually it will be of format `HTTP/es.domain.local@ES.DOMAIN.LOCAL` | ||
{es} node can act as any principal a client requests as long as that |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/node/nodes
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done, thank you.
|
||
NOTE: You can only have one Kerberos realm configured on a {es} node. | ||
|
||
To configure Kerberos realm, there are few mandatory realm settings and |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/Kerberos/a Kerberos. s/there are/there are a
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Addressed, Thank you.
configuration file. Add realm configuration of type `kerberos` under | ||
the `xpack.security.authc.realms` namespace. | ||
|
||
Most common configuration for Kerberos realm is as follows: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/Most/A
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done, Thank you.
The `kerberos` realm enables you to map Kerberos users to the roles. | ||
This role mapping can be configured via the | ||
{ref}/security-api-role-mapping.html[role-mapping API] or by using a file | ||
stored on each node. You identify user by its `username` field. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/identify user/identify a user
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Lisa addressed this in her commit, Thank you.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM pending making sure we're consistent about config files and ES_PATH_CONF
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I made a few edits in the "important" section of the configuration page. If those changes are satisfactory, this PR LGTM
…beros-documentation
@bizybot please do not forget to backport this to 6.x and 6.4 |
* master: Generalize remote license checker (#32971) Trim translog when safe commit advanced (#32967) Fix an inaccuracy in the dynamic templates documentation. (#32890) Logging: Use settings when building daemon threads (#32751) All Translog inner closes should happen after tragedy exception is set (#32674) HLREST: AwaitsFix ML Test Pass DiscoveryNode to initiateChannel (#32958) Add mzn and dz to unsupported locales (#32957) Use settings from the context in BootstrapChecks (#32908) Update docs for node specifications (#30468) HLRC: Forbid all Elasticsearch logging infra (#32784) Only configure publishing if it's applied externally (#32351) Fixes libs:dissect when in eclipse Protect ScriptedMetricIT test cases against failures on 0-doc shards (#32959) (#32968) [Kerberos] Add documentation for Kerberos realm (#32662) Watcher: Properly find next valid date in cron expressions (#32734) Fix some small issues in the getting started docs (#30346) Set forbidden APIs target compatibility to compiler java version (#32935) Move connection listener to ConnectionManager (#32956)
This commit adds documentation for configuring Kerberos realm. Configuring Kerberos realm documentation highlights important terminology and requirements before creating Kerberos realm. Most of the documentation is centered around configuration from Elasticsearch rather than go deep into Kerberos implementation. Kerberos realm settings are mentioned in the security settings for Kerberos realm.
This commit adds documentation for configuring Kerberos realm. Configuring Kerberos realm documentation highlights important terminology and requirements before creating Kerberos realm. Most of the documentation is centered around configuration from Elasticsearch rather than go deep into Kerberos implementation. Kerberos realm settings are mentioned in the security settings for Kerberos realm.
…e-types * elastic/master: (89 commits) Fix assertion in AbstractSimpleTransportTestCase (elastic#32991) [DOC] Splits role mapping APIs into separate pages (elastic#32797) HLRC: ML Close Job (elastic#32943) Generalize remote license checker (elastic#32971) Trim translog when safe commit advanced (elastic#32967) Fix an inaccuracy in the dynamic templates documentation. (elastic#32890) Logging: Use settings when building daemon threads (elastic#32751) All Translog inner closes should happen after tragedy exception is set (elastic#32674) HLREST: AwaitsFix ML Test Pass DiscoveryNode to initiateChannel (elastic#32958) Add mzn and dz to unsupported locales (elastic#32957) Use settings from the context in BootstrapChecks (elastic#32908) Update docs for node specifications (elastic#30468) HLRC: Forbid all Elasticsearch logging infra (elastic#32784) Only configure publishing if it's applied externally (elastic#32351) Fixes libs:dissect when in eclipse Protect ScriptedMetricIT test cases against failures on 0-doc shards (elastic#32959) (elastic#32968) [Kerberos] Add documentation for Kerberos realm (elastic#32662) Watcher: Properly find next valid date in cron expressions (elastic#32734) Fix some small issues in the getting started docs (elastic#30346) ...
This commit adds documentation for configuring Kerberos realm.
Configuring Kerberos realm documentation highlights important
terminology and requirements before creating Kerberos realm.
Most of the documentation is centered around configuration from
Elasticsearch rather than go deep into Kerberos implementation.
Kerberos realm settings are mentioned in the security settings
for Kerberos realm.