[Kerberos] Add documentation for Kerberos realm #32662

Merged
merged 15 commits into from
Aug 20, 2018

@bizybot bizybot commented Aug 7, 2018

This commit adds documentation for configuring Kerberos realm.
Configuring Kerberos realm documentation highlights important
terminology and requirements before creating Kerberos realm.
Most of the documentation is centered around configuration from
Elasticsearch rather than go deep into Kerberos implementation.
Kerberos realm settings are mentioned in the security settings
for Kerberos realm.

TODO:
- Troubleshooting documentation will be added in the next PR
@bizybot bizybot added review v7.0.0 :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) v6.4.0 v6.5.0 labels Aug 7, 2018
@bizybot bizybot requested review from tvernum and lcawl August 7, 2018 02:33
@elasticmachine
Collaborator

Pinging @elastic/es-docs

@elasticmachine
Collaborator

Pinging @elastic/es-security

Windows or `kadmin` for MIT Kerberos are some tools that can be used
for creation of keytabs. Place this keytab file in the `ES_PATH_CONF`.
Make sure that this keytab file has read permissions. As this file contains
credentials appropriate measures must be taken to protect it.
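
Review bot: "Make sure that this keytab file has read permissions" in the third line of this hunk does not say who needs to be able to read the file. Because the next sentence states that the file contains credentials, the text should say that the account running Elasticsearch needs read access and that access for other users should be restricted, rather than leaving it at "appropriate measures must be taken".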

Member

Can we clarify further the principal names to use for Elasticsearch? I saw in the code that we allow logging in for principal *. If we're using unbound keytabs, it might make sense to mention that here

Contributor Author

Sure, I will update this to add that information. Thank you.

@bizybot bizybot requested a review from jaymode August 13, 2018 00:27

`keytab.path`:: Specifies the path to the Kerberos keytab file that contains the
service principal used by this {es} node. It expects the keytab file to be present in `ES_PATH_CONF`
and have read permissions. Required.

Contributor

Does this mean that the keytab file must be in the ES_PATH_CONF, or is that just the default location?

Contributor Author

@bizybot bizybot Aug 16, 2018

Yes, it must be in the ES_PATH_CONF else elasticsearch will not have file permissions to access it unless we go. This is as per default installation. We can modify java security policy and give a different location but I am not sure if we mention that anywhere.

Member

Do we say something similar for other files such as certificates? I think we should just be consistent with what we say

Contributor Author

Yes, at places we say to put certificates in es configuration directory and have updated this to be consistent with what we say. Thank you.


--

. Create a keytab for the service node.

Contributor

It is unclear what is meant by "the service node" here.

Contributor Author

Changed it to Elasticsearch node. Thank you.

Windows and `kadmin` for MIT Kerberos.
--

. Put the keytab file in the `ES_PATH_CONF`.

Contributor

Per earlier comment, can we put it in a different path if keytab.path is set appropriately?

Contributor Author

No, we cannot put keytab in different path as we need permissions to access the file. Thank you.

credentials, therefore you must take appropriate measures to protect it.

IMPORTANT: On every {es} node, there must be a keytab file for the HTTP
principal. The keytab files are unique for each node since they include the

Contributor

This is the first time we've referred to an "HTTP principal". Can this be clarified?

Contributor Author

Clarified further, Thank you.

Principal names in Kerberos have the form `user/instance@REALM`. If this option
is `true`, the realm part (`@REALM`) is removed before setting the `username`
field in `User`. The shortened `username` value can then used during role mapping.
Defaults to `false`.
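
Review bot: The third line of this hunk reads "can then used during role mapping", which is missing a word; it should be "can then be used during role mapping". The same sentence would also be clearer if it said the shortened `username` "can be used" rather than implying that role mapping depends on removing the realm part.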

Contributor

Does this mean you can't use role mappings unless that realm part is removed?

Contributor Author

No, it is an option to decide whether to keep the @REALM part in the username. Changed the sentence as suggested by Jay. Thank you.

the format `username@REALM`. This `username` can then be used for mapping
roles to the user. There is a realm setting `remove_realm_name` which when
set to `true` removes the realm part (`@REALM`) and the resulting `username` can
then be used for role mapping.

Contributor

Per previous comment, this seems to imply that you can't use role mappings successfully unless you set remove_realm_name to true. Is that right?

Contributor Author

No, as explained above changed the wording as suggested by Jay. Thank you.

Member

@jaymode jaymode left a comment

I left some comments and suggestions


`remove_realm_name`:: Set to `true` to remove the realm part of principal names.
Principal names in Kerberos have the form `user/instance@REALM`. If this option
is `true`, the realm part (`@REALM`) is removed before setting the `username`

Member

this goes into the code too much. I would just say the realm part (@realm) will not be included in the username

Contributor Author

Removed the unwanted information. Thanks.


==== Create a Kerberos realm

Following are the steps to enable Kerberos realm:

Member

Maybe Perform the following steps to define a Kerberos realm

Contributor Author

Lisa addressed this in her commit. Thank you.


Following are the steps to enable Kerberos realm:

. Enable SSL/TLS for HTTP

Member

is this really a requirement?

Contributor Author

Not entirely as in it can function without enabling TLS. Some clients like Apache HTTP client do not complete the mutual authentication step to verify server. We can remove this if we do not want to have this as a hard requirement. We do not explicitly enforce this. Please suggest. Thank you.

Member

If we do not enforce it, then we should remove it.

+
--

`krb5.conf` is the Kerberos configuration file. {es} uses Java GSS and

Member

s/is the/is the name of the

Contributor Author

Lisa addressed this in her commit. Thank you.

--

`krb5.conf` is the Kerberos configuration file. {es} uses Java GSS and
JAAS Krb5LoginModule to support Kerberos authentication using Spnego

Member

the JAAS Krb5LoginModule. s/Spnego/the SPNEGO

Contributor Author

Lisa addressed this in her commit. Thank you.

Make sure that this keytab file has read permissions. As this file contains
credentials appropriate measures must be taken to protect it.

IMPORTANT: On every {es} node, there must be a keytab file for HTTP

Member

s/HTTP/the HTTP

Contributor Author

Done, Thank you.

IMPORTANT: On every {es} node, there must be a keytab file for HTTP
principal. The keytab files are unique for each node as they include the
hostname. Usually it will be of format `HTTP/es.domain.local@ES.DOMAIN.LOCAL`
{es} node can act as any principal a client requests as long as that
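
Review bot: The third line of this hunk ends "Usually it will be of format `HTTP/es.domain.local@ES.DOMAIN.LOCAL`" with no full stop, so it runs straight into the next sentence; end the sentence after the example principal and use "of the form". It would also help to say explicitly that this value is the HTTP service principal, since the paragraph introduces the term without defining it.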

Member

s/node/nodes

Contributor Author

Done, thank you.


NOTE: You can only have one Kerberos realm configured on a {es} node.

To configure Kerberos realm, there are few mandatory realm settings and

Member

s/Kerberos/a Kerberos. s/there are/there are a

Contributor Author

Addressed, Thank you.

configuration file. Add realm configuration of type `kerberos` under
the `xpack.security.authc.realms` namespace.

Most common configuration for Kerberos realm is as follows:

Member

s/Most/A

Contributor Author

Done, Thank you.

The `kerberos` realm enables you to map Kerberos users to the roles.
This role mapping can be configured via the
{ref}/security-api-role-mapping.html[role-mapping API] or by using a file
stored on each node. You identify user by its `username` field.

Member

s/identify user/identify a user

Contributor Author

Lisa addressed this in her commit, Thank you.

Member

@jaymode jaymode left a comment

LGTM pending making sure we're consistent about config files and ES_PATH_CONF

Contributor

@lcawl lcawl left a comment

I made a few edits in the "important" section of the configuration page. If those changes are satisfactory, this PR LGTM

@bizybot bizybot merged commit e143cce into elastic:master Aug 20, 2018
@lcawl lcawl added the >docs General docs changes label Aug 20, 2018
@jaymode
Member

jaymode commented Aug 20, 2018

@bizybot please do not forget to backport this to 6.x and 6.4

jasontedor added a commit that referenced this pull request Aug 20, 2018
bizybot added a commit that referenced this pull request Aug 20, 2018
bizybot added a commit that referenced this pull request Aug 20, 2018
jasontedor added a commit to jasontedor/elasticsearch that referenced this pull request Aug 21, 2018
@bizybot bizybot deleted the kerberos-documentation branch August 21, 2018 06:36
@jimczi jimczi added v7.0.0-beta1 and removed v7.0.0 labels Feb 7, 2019