[Kerberos] Add documentation for Kerberos realm #32662
Conversation
This commit adds documentation for configuring Kerberos realm. Configuring Kerberos realm documentation highlights important terminology and requirements before creating Kerberos realm. Most of the documentation is centered around configuration from Elasticsearch rather than go deep into Kerberos implementation. Kerberos realm settings are mentioned in the security settings for Kerberos realm. TODO: - Troubleshooting documentation will be added in the next PR
bizybot
added
review
v7.0.0
:Security/Authentication
|
Pinging @elastic/es-docs |
|
Pinging @elastic/es-security |
| Windows or `kadmin` for MIT Kerberos are some tools that can be used | ||
| for creation of keytabs. Place this keytab file in the `ES_PATH_CONF`. | ||
| Make sure that this keytab file has read permissions. As this file contains | ||
| credentials appropriate measures must be taken to protect it. |
There was a problem hiding this comment.
Can we clarify further the principal names to use for Elasticsearch? I saw in the code that we allow logging in for principal *. If we're using unbound keytabs, it might make sense to mention that here
There was a problem hiding this comment.
Sure, I will update this to add that information. Thank you.
|
|
||
| `keytab.path`:: Specifies the path to the Kerberos keytab file that contains the | ||
| service principal used by this {es} node. It expects the keytab file to be present in `ES_PATH_CONF` | ||
| and have read permissions. Required. |
There was a problem hiding this comment.
Does this mean that the keytab file must be in the ES_PATH_CONF, or is that just the default location?
There was a problem hiding this comment.
Yes, it must be in the ES_PATH_CONF else elasticsearch will not have file permissions to access it unless we go. This is as per default installation. We can modify java security policy and give a different location but I am not sure if we mention that anywhere.
There was a problem hiding this comment.
Do we say something similar for other files such as certificates? I think we should just be consistent with what we say
There was a problem hiding this comment.
Yes, at places we say to put certificates in es configuration directory and have updated this to be consistent with what we say. Thank you.
|
|
||
| -- | ||
|
|
||
| . Create a keytab for the service node. |
There was a problem hiding this comment.
It is unclear what is meant by "the service node" here.
There was a problem hiding this comment.
Changed it toElasticsearch node. Thank you.
| Windows and `kadmin` for MIT Kerberos. | ||
| -- | ||
|
|
||
| . Put the keytab file in the `ES_PATH_CONF`. |
There was a problem hiding this comment.
Per earlier comment, can we put it in a different path if keytab.path is set appropriately?
There was a problem hiding this comment.
No, we cannot put keytab in different path as we need permissions to access the file. Thank you.
| credentials, therefore you must take appropriate measures to protect it. | ||
|
|
||
| IMPORTANT: On every {es} node, there must be a keytab file for the HTTP | ||
| principal. The keytab files are unique for each node since they include the |
There was a problem hiding this comment.
This is the first time we've referred to an "HTTP principal". Can this be clarified?
There was a problem hiding this comment.
Clarified further, Thank you.
| Principal names in Kerberos have the form `user/instance@REALM`. If this option | ||
| is `true`, the realm part (`@REALM`) is removed before setting the `username` | ||
| field in `User`. The shortened `username` value can then used during role mapping. | ||
| Defaults to `false`. |
There was a problem hiding this comment.
Does this mean you can't use role mappings unless that realm part is removed?
There was a problem hiding this comment.
No, it is a option to decide whether to keep the @REALM part in the username. Changed the sentence as suggested by Jay. Thank you.
| the format `username@REALM`. This `username` can then be used for mapping | ||
| roles to the user. There is a realm setting `remove_realm_name` which when | ||
| set to `true` removes the realm part (`@REALM`) and the resulting `username` can | ||
| then be used for role mapping. |
There was a problem hiding this comment.
Per previous comment, this seems to imply that you can't use role mappings successfully unless you set remove_realm_name to true. Is that right?
There was a problem hiding this comment.
No, as explained above changed the wording as suggested by Jay. Thank you.
|
|
||
| `remove_realm_name`:: Set to `true` to remove the realm part of principal names. | ||
| Principal names in Kerberos have the form `user/instance@REALM`. If this option | ||
| is `true`, the realm part (`@REALM`) is removed before setting the `username` |
There was a problem hiding this comment.
this goes into the code too much. I would just say the realm part (@realm) will not be included in the username
There was a problem hiding this comment.
Removed the unwanted information. Thanks.
|
|
||
| ==== Create a Kerberos realm | ||
|
|
||
| Following are the steps to enable Kerberos realm: |
There was a problem hiding this comment.
Maybe Perform the following steps to define a Kerberos realm
There was a problem hiding this comment.
Lisa addressed this in her commit. Thank you.
|
|
||
| Following are the steps to enable Kerberos realm: | ||
|
|
||
| . Enable SSL/TLS for HTTP |
There was a problem hiding this comment.
Not entirely as in it can function without enabling TLS. Some clients like Apache HTTP client do not complete the mutual authentication step to verify server. We can remove this if we do not want to have this as a hard requirement. We do not explicitly enforce this. Please suggest. Thank you.
There was a problem hiding this comment.
If we do not enforce it, then we should remove it.
| + | ||
| -- | ||
|
|
||
| `krb5.conf` is the Kerberos configuration file. {es} uses Java GSS and |
There was a problem hiding this comment.
Lisa addressed this in her commit. Thank you.
| -- | ||
|
|
||
| `krb5.conf` is the Kerberos configuration file. {es} uses Java GSS and | ||
| JAAS Krb5LoginModule to support Kerberos authentication using Spnego |
There was a problem hiding this comment.
the JAAS Krb5LoginModule. s/Spnego/the SPNEGO
There was a problem hiding this comment.
Lisa addressed this in her commit. Thank you.
| Make sure that this keytab file has read permissions. As this file contains | ||
| credentials appropriate measures must be taken to protect it. | ||
|
|
||
| IMPORTANT: On every {es} node, there must be a keytab file for HTTP |
| IMPORTANT: On every {es} node, there must be a keytab file for HTTP | ||
| principal. The keytab files are unique for each node as they include the | ||
| hostname. Usually it will be of format `HTTP/[email protected]` | ||
| {es} node can act as any principal a client requests as long as that |
|
|
||
| NOTE: You can only have one Kerberos realm configured on a {es} node. | ||
|
|
||
| To configure Kerberos realm, there are few mandatory realm settings and |
There was a problem hiding this comment.
s/Kerberos/a Kerberos. s/there are/there are a
There was a problem hiding this comment.
Addressed, Thank you.
| configuration file. Add realm configuration of type `kerberos` under | ||
| the `xpack.security.authc.realms` namespace. | ||
|
|
||
| Most common configuration for Kerberos realm is as follows: |
| The `kerberos` realm enables you to map Kerberos users to the roles. | ||
| This role mapping can be configured via the | ||
| {ref}/security-api-role-mapping.html[role-mapping API] or by using a file | ||
| stored on each node. You identify user by its `username` field. |
There was a problem hiding this comment.
s/identify user/identify a user
There was a problem hiding this comment.
Lisa addressed this in her commit, Thank you.
…beros-documentation
|
@bizybot please do not forget to backport this to 6.x and 6.4 |
* master: Generalize remote license checker (#32971) Trim translog when safe commit advanced (#32967) Fix an inaccuracy in the dynamic templates documentation. (#32890) Logging: Use settings when building daemon threads (#32751) All Translog inner closes should happen after tragedy exception is set (#32674) HLREST: AwaitsFix ML Test Pass DiscoveryNode to initiateChannel (#32958) Add mzn and dz to unsupported locales (#32957) Use settings from the context in BootstrapChecks (#32908) Update docs for node specifications (#30468) HLRC: Forbid all Elasticsearch logging infra (#32784) Only configure publishing if it's applied externally (#32351) Fixes libs:dissect when in eclipse Protect ScriptedMetricIT test cases against failures on 0-doc shards (#32959) (#32968) [Kerberos] Add documentation for Kerberos realm (#32662) Watcher: Properly find next valid date in cron expressions (#32734) Fix some small issues in the getting started docs (#30346) Set forbidden APIs target compatibility to compiler java version (#32935) Move connection listener to ConnectionManager (#32956)
This commit adds documentation for configuring Kerberos realm. Configuring Kerberos realm documentation highlights important terminology and requirements before creating Kerberos realm. Most of the documentation is centered around configuration from Elasticsearch rather than go deep into Kerberos implementation. Kerberos realm settings are mentioned in the security settings for Kerberos realm.
This commit adds documentation for configuring Kerberos realm. Configuring Kerberos realm documentation highlights important terminology and requirements before creating Kerberos realm. Most of the documentation is centered around configuration from Elasticsearch rather than go deep into Kerberos implementation. Kerberos realm settings are mentioned in the security settings for Kerberos realm.
…e-types * elastic/master: (89 commits) Fix assertion in AbstractSimpleTransportTestCase (elastic#32991) [DOC] Splits role mapping APIs into separate pages (elastic#32797) HLRC: ML Close Job (elastic#32943) Generalize remote license checker (elastic#32971) Trim translog when safe commit advanced (elastic#32967) Fix an inaccuracy in the dynamic templates documentation. (elastic#32890) Logging: Use settings when building daemon threads (elastic#32751) All Translog inner closes should happen after tragedy exception is set (elastic#32674) HLREST: AwaitsFix ML Test Pass DiscoveryNode to initiateChannel (elastic#32958) Add mzn and dz to unsupported locales (elastic#32957) Use settings from the context in BootstrapChecks (elastic#32908) Update docs for node specifications (elastic#30468) HLRC: Forbid all Elasticsearch logging infra (elastic#32784) Only configure publishing if it's applied externally (elastic#32351) Fixes libs:dissect when in eclipse Protect ScriptedMetricIT test cases against failures on 0-doc shards (elastic#32959) (elastic#32968) [Kerberos] Add documentation for Kerberos realm (elastic#32662) Watcher: Properly find next valid date in cron expressions (elastic#32734) Fix some small issues in the getting started docs (elastic#30346) ...
This commit adds documentation for configuring Kerberos realm.
Configuring Kerberos realm documentation highlights important
terminology and requirements before creating Kerberos realm.
Most of the documentation is centered around configuration from
Elasticsearch rather than go deep into Kerberos implementation.
Kerberos realm settings are mentioned in the security settings
for Kerberos realm.