Shield Kerberos Realm


Kerberos/SPNEGO custom realm for Elasticsearch Shield 2.3.1.
It authenticates REST/HTTP requests (HTTP Negotiate/SPNEGO) and transport-protocol requests (Kerberos via the bundled KerberizedClient).

License

Apache License Version 2.0

Features

Kerberos/SPNEGO authentication of REST/HTTP requests (curl, SPNEGO-capable browsers)
Kerberos authentication of transport requests through the KerberizedClient wrapper
Client-side login with a password, a client keytab, an existing ticket cache or a javax.security.auth.Subject
Roles for users authenticated by this realm are assigned per realm via the roles setting
Optional stripping of the realm part from the authenticated principal (strip_realm_from_principal)
Community support

Stackoverflow
Twitter @hendrikdev22

Commercial support

Available. Please contact [email protected]

Prerequisites

Elasticsearch 2.3.1 with the Shield 2.3.1 plugin installed; the realm is loaded by Shield, and Elasticsearch 2.x refuses plugins built for another version
A Kerberos KDC reachable from every node, and a krb5.conf describing the realm on every node
A service principal for the HTTP service on each node (HTTP/<node hostname>@REALM) exported to a keytab that only the Elasticsearch user can read

Install release

Download the latest release, store it locally and install it with the plugin script from the Elasticsearch home directory:

$ bin/plugin install file:///path/to/target/release/elasticsearch-shield-kerberos-realm-2.3.1.zip

Build and install latest

$ git clone https://github.com/codecentric/elasticsearch-shield-kerberos-realm.git
$ mvn package
$ bin/plugin install file:///path/to/target/release/elasticsearch-shield-kerberos-realm-2.3.1.zip

Configuration

Configuration is done in elasticsearch.yml:

shield.authc.realms.cc-kerberos.type: cc-kerberos
shield.authc.realms.cc-kerberos.order: 0
shield.authc.realms.cc-kerberos.acceptor_keytab_path: /path/to/server.keytab
shield.authc.realms.cc-kerberos.acceptor_principal: HTTP/[email protected]
shield.authc.realms.cc-kerberos.roles: role1, role2
shield.authc.realms.cc-kerberos.strip_realm_from_principal: true
de.codecentric.realm.cc-kerberos.krb5.file_path: /etc/krb5.conf
de.codecentric.realm.cc-kerberos.krb_debug: false
security.manager.enabled: false

order places the realm in Shield's realm chain (0 = consulted first). acceptor_principal is the service principal that clients request a ticket for, so its host part must match the hostname clients actually connect to, and the corresponding key must be present in acceptor_keytab_path (check with klist -kt /path/to/server.keytab). roles lists the roles granted to every user this realm authenticates; strip_realm_from_principal: true turns user@REALM into user before role mapping. krb_debug: true turns on verbose Kerberos logging and is useful while setting up, but leave it off in production. security.manager.enabled: false disables the Java security manager for the whole node, not only for this plugin; the setting is required by this release, so keep the node's filesystem and network exposure tight by other means.

REST/HTTP authentication

Obtain a TGT, then let curl use the ticket cache (-u : tells curl to take credentials from the cache instead of a password):

$ kinit
$ curl --negotiate -u : "http://localhost:9200/_logininfo?pretty"

The hostname in the URL has to match the host part of the acceptor principal, otherwise the client requests a ticket for a service the realm has no key for. Browsers that support SPNEGO, such as Chrome and Firefox, work as well, but they only send Negotiate tokens to hosts on their trusted-URI / auth-server allow list, which has to include the Elasticsearch host.

Transport authentication

// Imports needed besides the plugin's KerberizedClient (shipped in the plugin jar):
// org.elasticsearch.client.transport.TransportClient
// org.elasticsearch.action.admin.cluster.health.ClusterHealthResponse
// static org.hamcrest.MatcherAssert.assertThat / static org.hamcrest.Matchers.is (test assertions only)
try (TransportClient client = TransportClient.builder().settings(settings).build()) {
    // nodes[0] comes from an integration-test cluster; in an application use
    // new InetSocketTransportAddress(InetAddress.getByName(host), 9300) instead.
    client.addTransportAddress(nodes[0].getTransport().address().publishAddress());
    // KerberizedClient wraps the TransportClient and authenticates every request
    // as the given user principal against the node's acceptor (service) principal.
    try (KerberizedClient kc = new KerberizedClient(client,
                                                    "[email protected]",
                                                    "secret",
                                                    "HTTP/[email protected]")) {
        ClusterHealthResponse response = kc.admin().cluster().prepareHealth().execute().actionGet();
        assertThat(response.isTimedOut(), is(false));
    }
}

Login with password

KerberizedClient kc = new KerberizedClient(client,
                                           "[email protected]",
                                           "secret",
                                           "HTTP/[email protected]")

Login with (client side) keytab

KerberizedClient kc = new KerberizedClient(client,
                                           Paths.get("client.keytab"),
                                           "[email protected]",
                                           "HTTP/[email protected]")

Login with TGT (Ticket)

KerberizedClient kc = new KerberizedClient(client,
                                           "[email protected]",
                                           Paths.get("ticket.cc"),
                                           "HTTP/[email protected]")

Login with javax.security.auth.Subject

KerberizedClient kc = new KerberizedClient(client,
                                           subject,
                                           "HTTP/[email protected]")