Add the capability for the LDAP and AD realms to bind using Kerberos credentials

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/ldap/PoolingSessionFactorySettings.java

@@ -7,6 +7,7 @@
 
 import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.common.settings.Setting;
+import org.elasticsearch.common.settings.Setting.Property;
 import org.elasticsearch.common.unit.TimeValue;
 import org.elasticsearch.xpack.core.security.authc.RealmSettings;
 
@@ -35,6 +36,26 @@ public final class PoolingSessionFactorySettings {
                     key -> secureString(key, null)
             );
 
+    public static final Function<String, Setting.AffixSetting<String>> BIND_MODE = RealmSettings.affixSetting("bind.mode",
+            key -> new Setting<>(key, "simple", Function.identity(), v -> {
+                switch (v) {
+                case "simple":
+                case "sasl_gssapi":
+                    break;
+                default:
+                    throw new IllegalArgumentException("only [simple] and [sasl_gssapi] bind mode are allowed, [" + v + "] is invalid");
+                }
+            }, Setting.Property.NodeScope));
+
+    public static final Function<String, Setting.AffixSetting<String>> SASL_GSSAPI_PRINCIPAL = RealmSettings
+            .affixSetting("sasl_gssapi.bind.principal", key -> Setting.simpleString(key, Setting.Property.NodeScope, Property.Filtered));
+    public static final Function<String, Setting.AffixSetting<Boolean>> SASL_GSSAPI_USE_KEYTAB = RealmSettings
+            .affixSetting("sasl_gssapi.bind.use_keytab", key -> Setting.boolSetting(key, false, Setting.Property.NodeScope));
+    public static final Function<String, Setting.AffixSetting<String>> SASL_GSSAPI_KEYTAB_PATH = RealmSettings
+            .affixSetting("sasl_gssapi.bind.keytab.path", key -> Setting.simpleString(key, Setting.Property.NodeScope, Property.Filtered));
+    public static final Function<String, Setting.AffixSetting<Boolean>> SASL_GSSAPI_DEBUG = RealmSettings
+            .affixSetting("sasl_gssapi.bind.debug", key -> Setting.boolSetting(key, false, Setting.Property.NodeScope));
+
     public static final int DEFAULT_CONNECTION_POOL_INITIAL_SIZE = 0;
     public static final Function<String, Setting.AffixSetting<Integer>> POOL_INITIAL_SIZE = RealmSettings.affixSetting(
             "user_search.pool.initial_size",
@@ -63,7 +84,8 @@ private PoolingSessionFactorySettings() {
     public static Set<Setting.AffixSetting<?>> getSettings(String realmType) {
         return Stream.of(
             POOL_INITIAL_SIZE, POOL_SIZE, HEALTH_CHECK_ENABLED, HEALTH_CHECK_INTERVAL, HEALTH_CHECK_DN, BIND_DN,
-            LEGACY_BIND_PASSWORD, SECURE_BIND_PASSWORD
+            LEGACY_BIND_PASSWORD, SECURE_BIND_PASSWORD, BIND_MODE, SASL_GSSAPI_PRINCIPAL, SASL_GSSAPI_USE_KEYTAB, SASL_GSSAPI_KEYTAB_PATH,
+            SASL_GSSAPI_DEBUG
         ).map(f -> f.apply(realmType)).collect(Collectors.toSet());
     }
 }

x-pack/plugin/core/src/main/plugin-metadata/plugin-security.policy

@@ -9,7 +9,24 @@ grant {
   permission java.util.PropertyPermission "*", "read,write";
 
   // needed for multiple server implementations used in tests
-  permission java.net.SocketPermission "*", "accept,connect";
+  permission java.net.SocketPermission "*", "accept,connect,resolve";
+
+  // needed for GSSAPI bind to LDAP
+  permission javax.security.auth.AuthPermission "modifyPrincipals";
+  permission javax.security.auth.AuthPermission "modifyPrivateCredentials";
+  permission javax.security.auth.PrivateCredentialPermission "javax.security.auth.kerberos.KerberosKey * \"*\"", "read";
+  permission javax.security.auth.PrivateCredentialPermission "javax.security.auth.kerberos.KeyTab * \"*\"", "read";
+  permission javax.security.auth.PrivateCredentialPermission "javax.security.auth.kerberos.KerberosTicket * \"*\"", "read";
+  permission javax.security.auth.AuthPermission "doAs";
+  permission javax.security.auth.kerberos.ServicePermission "*","initiate,accept";
+
+  permission java.util.PropertyPermission "javax.security.auth.useSubjectCredsOnly","write";
+  permission java.util.PropertyPermission "java.security.krb5.conf","write";
+  permission java.util.PropertyPermission "sun.security.krb5.debug","write";
+  permission java.util.PropertyPermission "java.security.debug","write";
+
+  permission javax.security.auth.AuthPermission "createLoginContext.GSSAPIBindRequest";
+  permission javax.security.auth.AuthPermission "setLoginConfiguration";
 };
 
 grant codeBase "${codebase.netty-common}" {

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactory.java

@@ -5,6 +5,7 @@
  */
 package org.elasticsearch.xpack.security.authc.ldap;
 
+import com.unboundid.ldap.sdk.BindRequest;
 import com.unboundid.ldap.sdk.Filter;
 import com.unboundid.ldap.sdk.LDAPConnection;
 import com.unboundid.ldap.sdk.LDAPConnectionPool;
@@ -14,10 +15,12 @@
 import com.unboundid.ldap.sdk.ServerSet;
 import com.unboundid.ldap.sdk.SimpleBindRequest;
 import com.unboundid.ldap.sdk.controls.AuthorizationIdentityRequestControl;
+
 import org.apache.logging.log4j.Logger;
 import org.elasticsearch.ElasticsearchSecurityException;
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.action.ActionRunnable;
+import org.elasticsearch.common.CharArrays;
 import org.elasticsearch.common.cache.Cache;
 import org.elasticsearch.common.cache.CacheBuilder;
 import org.elasticsearch.common.logging.DeprecationLogger;
@@ -32,8 +35,8 @@
 import org.elasticsearch.xpack.core.security.authc.ldap.ActiveDirectorySessionFactorySettings;
 import org.elasticsearch.xpack.core.security.authc.ldap.PoolingSessionFactorySettings;
 import org.elasticsearch.xpack.core.security.authc.ldap.support.LdapSearchScope;
-import org.elasticsearch.common.CharArrays;
 import org.elasticsearch.xpack.core.ssl.SSLService;
+import org.elasticsearch.xpack.security.authc.ldap.bind.BindRequestBuilder;
 import org.elasticsearch.xpack.security.authc.ldap.support.LdapMetaDataResolver;
 import org.elasticsearch.xpack.security.authc.ldap.support.LdapSession;
 import org.elasticsearch.xpack.security.authc.ldap.support.LdapSession.GroupsResolver;
@@ -66,7 +69,7 @@ class ActiveDirectorySessionFactory extends PoolingSessionFactory {
     ActiveDirectorySessionFactory(RealmConfig config, SSLService sslService, ThreadPool threadPool) throws LDAPException {
         super(config, sslService, new ActiveDirectoryGroupsResolver(config),
                 ActiveDirectorySessionFactorySettings.POOL_ENABLED,
-                config.hasSetting(PoolingSessionFactorySettings.BIND_DN) ? getBindDN(config) : null,
+                new BindRequestBuilder(config, c -> c.hasSetting(PoolingSessionFactorySettings.BIND_DN) ? getBindDN(config) : null).build(),
                 () -> {
                     if (config.hasSetting(PoolingSessionFactorySettings.BIND_DN)) {
                         final String healthCheckDn = config.getSetting(PoolingSessionFactorySettings.BIND_DN);
@@ -149,7 +152,7 @@ void getUnauthenticatedSessionWithoutPool(String user, ActionListener<LdapSessio
         }
         try {
             final LDAPConnection connection = LdapUtils.privilegedConnect(serverSet::getConnection);
-            LdapUtils.maybeForkThenBind(connection, bindCredentials, threadPool, new AbstractRunnable() {
+            LdapUtils.maybeForkThenBind(connection, bindRequestCredentials, threadPool, new AbstractRunnable() {
 
                 @Override
                 public void onFailure(Exception e) {
@@ -190,12 +193,17 @@ static String buildDnFromDomain(String domain) {
 
     static String getBindDN(RealmConfig config) {
         String bindDN = config.getSetting(PoolingSessionFactorySettings.BIND_DN);
-        if (bindDN.isEmpty() == false && bindDN.indexOf('\\') < 0 && bindDN.indexOf('@') < 0 && bindDN.indexOf('=') < 0) {
+        if (bindDN != null && bindDN.isEmpty() == false && bindDN.indexOf('\\') < 0 && bindDN.indexOf('@') < 0 && bindDN.indexOf('=') < 0) {
             bindDN = bindDN + "@" + config.getSetting(ActiveDirectorySessionFactorySettings.AD_DOMAIN_NAME_SETTING);
         }
         return bindDN;
     }
 
+    static boolean isSimpleBind(RealmConfig config) {
+        String mode = config.getSetting(PoolingSessionFactorySettings.BIND_MODE);
+        return "simple".equals(mode);
+    }
+
     // Exposed for testing
     ServerSet getServerSet() {
         return super.serverSet;
@@ -221,8 +229,7 @@ abstract static class ADAuthenticator {
         final String userSearchDN;
         final LdapSearchScope userSearchScope;
         final String userSearchFilter;
-        final String bindDN;
-        final SecureString bindPassword;
+        final BindRequestBuilder bindRequestBuilder;
         final ThreadPool threadPool;
 
         ADAuthenticator(RealmConfig realm, TimeValue timeout, boolean ignoreReferralErrors, Logger logger, GroupsResolver groupsResolver,
@@ -234,9 +241,7 @@ abstract static class ADAuthenticator {
             this.logger = logger;
             this.groupsResolver = groupsResolver;
             this.metaDataResolver = metaDataResolver;
-            this.bindDN = getBindDN(realm);
-            this.bindPassword = realm.getSetting(PoolingSessionFactorySettings.SECURE_BIND_PASSWORD,
-                    () -> realm.getSetting(PoolingSessionFactorySettings.LEGACY_BIND_PASSWORD));
+            this.bindRequestBuilder = new BindRequestBuilder(realm, ActiveDirectorySessionFactory::getBindDN);
             this.threadPool = threadPool;
             userSearchDN = realm.getSetting(ActiveDirectorySessionFactorySettings.AD_USER_SEARCH_BASEDN_SETTING, () -> domainDN);
             userSearchScope = LdapSearchScope.resolve(realm.getSetting(ActiveDirectorySessionFactorySettings.AD_USER_SEARCH_SCOPE_SETTING),
@@ -268,11 +273,11 @@ protected void doRun() throws Exception {
                             }));
                         }
                     };
-                    if (bindDN.isEmpty()) {
+                    String bindDN = getBindDN(realm);
+                    if (isSimpleBind(realm) && (bindDN == null || bindDN.isEmpty())) {
                         searchRunnable.run();
                     } else {
-                        final SimpleBindRequest bind = new SimpleBindRequest(bindDN, CharArrays.toUtf8Bytes(bindPassword.getChars()));
-                        LdapUtils.maybeForkThenBind(connection, bind, threadPool, searchRunnable);
+                        LdapUtils.maybeForkThenBind(connection, bindRequestBuilder.build(), threadPool, searchRunnable);
                     }
                 }
             });
@@ -434,31 +439,33 @@ void netBiosDomainNameToDn(LDAPInterface ldapInterface, String netBiosDomainName
                                     finalLdapConnection.getConnectedAddress(),
                                     finalLdapConnection.getSSLSession() != null ? ldapsPort : ldapPort));
                     final byte[] passwordBytes = CharArrays.toUtf8Bytes(password.getChars());
-                    final SimpleBindRequest bind = bindDN.isEmpty()
-                            ? new SimpleBindRequest(username, passwordBytes)
-                            : new SimpleBindRequest(bindDN, CharArrays.toUtf8Bytes(bindPassword.getChars()));
-                    LdapUtils.maybeForkThenBind(searchConnection, bind, threadPool, new ActionRunnable<String>(listener) {
-                        @Override
-                        protected void doRun() throws Exception {
-                            search(searchConnection, "CN=Configuration," + domainDN, LdapSearchScope.SUB_TREE.scope(), filter,
-                                    timeLimitSeconds, ignoreReferralErrors,
-                                    ActionListener.wrap(
-                                            results -> {
+                    final BindRequest bind;
+                    String bindDN = getBindDN(config);
+                    if (isSimpleBind(config) && (bindDN == null || bindDN.isEmpty())) {
+                        bind = new SimpleBindRequest(username, passwordBytes);
+                    } else {
+                        bind = bindRequestBuilder.build();
+                    }
+                    LdapUtils.maybeForkThenBind(searchConnection, bind, threadPool,
+                            new ActionRunnable<String>(listener) {
+                                @Override
+                                protected void doRun() throws Exception {
+                                    search(searchConnection, "CN=Configuration," + domainDN, LdapSearchScope.SUB_TREE.scope(), filter,
+                                            timeLimitSeconds, ignoreReferralErrors, ActionListener.wrap(results -> {
                                                 IOUtils.close(searchConnection);
                                                 handleSearchResults(results, netBiosDomainName, domainNameCache, listener);
                                             }, e -> {
                                                 IOUtils.closeWhileHandlingException(searchConnection);
                                                 listener.onFailure(e);
-                                            }),
-                                    "ncname");
-                        }
+                                            }), "ncname");
+                                }
 
-                        @Override
-                        public void onFailure(Exception e) {
-                            IOUtils.closeWhileHandlingException(searchConnection);
-                            listener.onFailure(e);
-                        }
-                    });
+                                @Override
+                                public void onFailure(Exception e) {
+                                    IOUtils.closeWhileHandlingException(searchConnection);
+                                    listener.onFailure(e);
+                                }
+                            });
                 }
             } catch (LDAPException e) {
                 listener.onFailure(e);

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactory.java

@@ -25,6 +25,7 @@
 import org.elasticsearch.xpack.core.security.authc.ldap.support.LdapSearchScope;
 import org.elasticsearch.common.CharArrays;
 import org.elasticsearch.xpack.core.ssl.SSLService;
+import org.elasticsearch.xpack.security.authc.ldap.bind.BindRequestBuilder;
 import org.elasticsearch.xpack.security.authc.ldap.support.LdapSession;
 import org.elasticsearch.xpack.security.authc.ldap.support.LdapSession.GroupsResolver;
 import org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils;
@@ -46,7 +47,7 @@ class LdapUserSearchSessionFactory extends PoolingSessionFactory {
 
     LdapUserSearchSessionFactory(RealmConfig config, SSLService sslService, ThreadPool threadPool) throws LDAPException {
         super(config, sslService, groupResolver(config), LdapUserSearchSessionFactorySettings.POOL_ENABLED,
-                config.getSetting(BIND_DN, () -> null),
+                new BindRequestBuilder(config, c -> c.getSetting(BIND_DN, () -> null)).build(),
                 () -> config.getSetting(BIND_DN, () -> config.getSetting(LdapUserSearchSessionFactorySettings.SEARCH_BASE_DN)),
                 threadPool);
         userSearchBaseDn = config.getSetting(LdapUserSearchSessionFactorySettings.SEARCH_BASE_DN,
@@ -110,7 +111,7 @@ protected void doRun() throws Exception {
     void getSessionWithoutPool(String user, SecureString password, ActionListener<LdapSession> listener) {
         try {
             final LDAPConnection connection = LdapUtils.privilegedConnect(serverSet::getConnection);
-            LdapUtils.maybeForkThenBind(connection, bindCredentials, threadPool, new AbstractRunnable() {
+            LdapUtils.maybeForkThenBind(connection, bindRequestCredentials, threadPool, new AbstractRunnable() {
                 @Override
                 protected void doRun() throws Exception {
                     findUser(user, connection, ActionListener.wrap((entry) -> {
@@ -124,7 +125,7 @@ protected void doRun() throws Exception {
                             LdapUtils.maybeForkThenBind(connection, userBind, threadPool, new AbstractRunnable() {
                                 @Override
                                 protected void doRun() throws Exception {
-                                    LdapUtils.maybeForkThenBind(connection, bindCredentials, threadPool, new AbstractRunnable() {
+                                    LdapUtils.maybeForkThenBind(connection, bindRequestCredentials, threadPool, new AbstractRunnable() {
 
                                         @Override
                                         protected void doRun() throws Exception {
@@ -187,7 +188,7 @@ void getUnauthenticatedSessionWithPool(LDAPConnectionPool connectionPool, String
     void getUnauthenticatedSessionWithoutPool(String user, ActionListener<LdapSession> listener) {
         try {
             final LDAPConnection connection = LdapUtils.privilegedConnect(serverSet::getConnection);
-            LdapUtils.maybeForkThenBind(connection, bindCredentials, threadPool, new AbstractRunnable() {
+            LdapUtils.maybeForkThenBind(connection, bindRequestCredentials, threadPool, new AbstractRunnable() {
                 @Override
                 protected void doRun() throws Exception {
                     findUser(user, connection, ActionListener.wrap((entry) -> {