-
Notifications
You must be signed in to change notification settings - Fork 507
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add documentation on Kerberos configuration (#7844)
* Add documentation on Kerberos configuration. Signed-off-by: Sokratis Papadopoulos <[email protected]> * Add krb doc Signed-off-by: Sokratis Papadopoulos <[email protected]> * Reorder kerberos in backend list Signed-off-by: Sokratis Papadopoulos <[email protected]> * Reformat Signed-off-by: Sokratis Papadopoulos <[email protected]> * Typo on acceptor_principal Signed-off-by: Sokratis Papadopoulos <[email protected]> * Fix style Signed-off-by: Sokratis Papadopoulos <[email protected]> * Fix style Signed-off-by: Sokratis Papadopoulos <[email protected]> * Typo on acceptor_principal Signed-off-by: Sokratis Papadopoulos <[email protected]> * Add default value for boolean params Signed-off-by: Sokratis Papadopoulos <[email protected]> * Update kerberos.md --------- Signed-off-by: Sokratis Papadopoulos <[email protected]> Co-authored-by: Sokratis Papadopoulos <[email protected]> Co-authored-by: Naarcha-AWS <[email protected]>
- Loading branch information
1 parent
10f4b1e
commit 4388aa0
Showing
2 changed files
with
64 additions
and
62 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,62 @@ | ||
--- | ||
layout: default | ||
title: Kerberos | ||
parent: Authentication backends | ||
nav_order: 75 | ||
--- | ||
|
||
# Kerberos | ||
|
||
Kerberos is a robust and secure method for user authentication that prevents passwords from being sent over the internet by issuing "tickets" for secure identity verification. | ||
|
||
In order to use Kerberos authentication, you must set the following settings in `opensearch.yml` and `config.yml`. | ||
|
||
## OpenSearch node configuration | ||
|
||
In `opensearch.yml`, define the following settings: | ||
|
||
```yml | ||
plugins.security.kerberos.krb5_filepath: '/etc/krb5.conf' | ||
plugins.security.kerberos.acceptor_keytab_filepath: 'opensearch_keytab.tab' | ||
plugins.security.kerberos.acceptor_principal: 'HTTP/localhost' | ||
``` | ||
Name | Description | ||
:--- | :--- | ||
`krb5_filepath` | The path to your Kerberos configuration file. This file contains various settings regarding your Kerberos installation, for example, the `realm` names, `hostnames`, and ports of the Kerberos key distribution center (KDC). | ||
`acceptor_keytab_filepath` | The path to the `keytab` file, which contains the principal that the Security plugin uses to issue requests through Kerberos. | ||
`acceptor_principal` | The principal that the Security plugin uses to issue requests through Kerberos. This value must be present in the `keytab` file. | ||
|
||
Due to security restrictions, the `keytab` file must be placed in `config` or a subdirectory, and the path in `opensearch.yml` must be relative, not absolute. | ||
{: .note } | ||
|
||
## Cluster security configuration | ||
|
||
The following example shows a typical Kerberos authentication domain in `config.yml`: | ||
|
||
```yml | ||
kerberos_auth_domain: | ||
enabled: true | ||
order: 1 | ||
http_authenticator: | ||
type: kerberos | ||
challenge: true | ||
config: | ||
krb_debug: false | ||
strip_realm_from_principal: true | ||
authentication_backend: | ||
type: noop | ||
``` | ||
|
||
Authentication through Kerberos when using a browser on an HTTP level is achieved using SPNEGO. Kerberos/SPNEGO implementations vary, depending on your browser and operating system. This is important when deciding if you need to set the `challenge` flag to `true` or `false`. | ||
|
||
As with [HTTP Basic Authentication]({{site.url}}{{site.baseurl}}/security/authentication-backends/basic-authc/), this flag determines how the Security plugin should react when no `Authorization` header is found in the HTTP request or if this header does not equal `negotiate`. | ||
|
||
If set to `true`, the Security plugin sends a response with status code 401 and a `WWW-Authenticate` header set to `negotiate`. This tells the client (browser) to resend the request with the `Authorization` header set. If set to `false`, the Security plugin cannot extract the credentials from the request, and authentication fails. Setting `challenge` to `false` thus makes sense only if the Kerberos credentials are sent in the initial request. | ||
|
||
Name | Description | ||
:--- | :--- | ||
`krb_debug` | As the name implies, setting it to `true` outputs Kerberos-specific debugging messages to `stdout`. Use this setting if you encounter problems with your Kerberos integration. Default is `false`. | ||
`strip_realm_from_principal` | When set it to `true`, the Security plugin strips the realm from the user name. Default: `true`. | ||
|
||
Because Kerberos/SPNEGO authenticates users on an HTTP level, no additional `authentication_backend` is needed. Set this value to `noop`. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters