Shield Kerberos Realm

Kerberos/SPNEGO custom realm for Elasticsearch Shield 2.3.1.
Authenticate HTTP and Transport requests via Kerberos/SPNEGO.

License

Apache License Version 2.0

Features

• Kerberos/SPNEGO REST/HTTP authentication
• Kerberos/SPNEGO Transport authentication
• No JAAS login.conf required
• No external dependencies

Community support

Stackoverflow
Twitter @hendrikdev22

Commercial support

Available. Please contact [email protected]

Prerequisites

• Elasticsearch 2.3.1
• Shield Plugin 2.3.1
• Kerberos Infrastructure (ActiveDirectory, MIT, Heimdal, ...)

Install release

Download latest release and store it somewhere. Then execute:

$ bin/plugin install file:///path/to/target/release/elasticsearch-shield-kerberos-realm-2.3.1.zip

Build and install latest

$ git clone https://github.com/codecentric/elasticsearch-shield-kerberos-realm.git
$ mvn package
$ bin/plugin install file:///path/to/target/release/elasticsearch-shield-kerberos-realm-2.3.1.zip

Configuration

Configuration is done in elasticsearch.yml

shield.authc.realms.cc-kerberos.type: cc-kerberos
shield.authc.realms.cc-kerberos.order: 0
shield.authc.realms.cc-kerberos.acceptor_keytab_path: /path/to/server.keytab
shield.authc.realms.cc-kerberos.acceptor_principal: HTTP/[email protected]
shield.authc.realms.cc-kerberos.roles: role1, role2
shield.authc.realms.cc-kerberos.strip_realm_from_principal: true
de.codecentric.realm.cc-kerberos.krb5.file_path: /etc/krb5.conf
de.codecentric.realm.cc-kerberos.krb_debug: false
security.manager.enabled: false

• acceptor_keytab_path - The absolute path to the keytab where the acceptor_principal credentials are stored.
• acceptor_principal - Acceptor (Server) Principal name, must be present in acceptor_keytab_path file
• roles - Roles which should be assigned to the initiator (the user who's logged in)
• strip_realm_from_principal - If true then the realm will be stripped from the user name
• de.codecentric.realm.cc-kerberos.krb_debug - If true a whole bunch of kerberos/security related debugging output will be logged to standard out
• de.codecentric.realm.cc-kerberos.krb5.file_path - Absolute path to krb5.conf file.
• security.manager.enabled - Must currently be set to false. This will likely change with Elasticsearch 2.2, see PR 14108

REST/HTTP authentication

$ kinit
$ curl --negotiate -u : "http://localhost:9200/_logininfo?pretty"

Or with a browser that supports SPNEGO like Chrome or Firefox

Transport authentication

try (TransportClient client = TransportClient.builder().settings(settings).build()) {
    client.addTransportAddress(nodes[0].getTransport().address().publishAddress());
        try (KerberizedClient kc = new KerberizedClient(client,
                                        "[email protected]",
                                        "secret",
                                        "HTTP/[email protected]")) {

            ClusterHealthResponse response = kc.admin().cluster().prepareHealth().execute().actionGet();
            assertThat(response.isTimedOut(), is(false));
        }
}

Login with password

KerberizedClient kc = new KerberizedClient(client,
                                        "[email protected]",
                                        "secret",
                                        "HTTP/[email protected]")

Login with (client side) keytab

KerberizedClient kc = new KerberizedClient(client,
                                        Paths.get("client.keytab"),
                                        "[email protected]",
                                        "HTTP/[email protected]")

Login with TGT (Ticket)

KerberizedClient kc = new KerberizedClient(client,
                                        "[email protected]",
                                         Paths.get("ticket.cc"),
                                        "HTTP/[email protected]")    

Login with javax.security.auth.Subject

KerberizedClient kc = new KerberizedClient(client,
                                         subject,
                                        "HTTP/[email protected]")