Add Kerberos Realm #18188
Comments
elasticmachine
added
Team:Security
|
@tvernum was kind enough to bring up via Slack that we'll also want to make sure that this workflow works when Kibana itself is in an iframe. Given the nature of the url redirects and the url based state handlers, we'll want to make sure these don't break iframe usage. |
|
For those watching, the original description has been updated given additional exploration. |
|
/cc @elastic/es-security NodeJS has quite poor support for Kerberos, and it's rather complex to use a live KDC to get a SPNEGO ticket to submit to Elasticsearch. Are you all aware of any way around this necessity for the sake of our API integration tests? |
|
@kobelb I think one method for testing would be to launch an instance of the KDC provided by Apache Kerby with some sort of user data and point Elasticsearch at that? I'm sure it sounds a lot easier than it really will be but it will avoid the need for vagrant or code that uses native libs. |
|
Hi @kobelb, As what I understood you would want some easy way to generate SPNEGO ticket that can be used during integration testing and the support for Kerberos NodeJS is not good requires jugglery around system dependencies. As I am not much aware of NodeJS, I may not be able to see what other alternatives might exist or are good. For ES integration testing, we used SpnegoClient(based on Java GSS support). We could extract that out into a simple standalone web app with APIs like |
|
Thanks for the input @jaymode and @bizybot. There's potential that I was overreacting earlier with regard to the complications that using the NodeJS node module will entail if we're able to treat it as an optional dependency that only must exist on CI, which matches with the plan of only forcing these tests to be run as part of CI because of the dependency on Vagrant. Apache Kerby does sounds appealing, I'll give this some investigation to see if it's any less effort than the Vagrant fixture you all use in Elasticsearch. |
azasypkin
added
the
Feature:Security/Authentication
|
Pinging @elastic/kibana-security |
Authentication Provider
WWW-Authenticate: Negotiate, we'll add this header to the response to the end-user initiated requestWWW-Authenticate: Negotiateheader, get the Kerberos ticket, and respond with aAuthorization: Negotiateheader.Authorization: Negotiateheader and use the Elasticsearch Token API to generate a client credentials grantAuthorization: Bearerheader and present this on subsequent requests to authenticate the user403WWW-Authenticate: Negotiateresponse, and we'll perform the aforementioned process again.Automated Testing
A few changes will have to be made to Kibana functional test server to allow us to run a KDC within a virtual machine along-side the Kibana and Elasticsearch servers. We should only force these tests to be run as part of CI, and allow them to be skipped when running locally and the user doesn't have Vagrant/Virtualbox installed. Elasticsearch has a Kerberos test fixture that we should be able to base most of these on: https://github.com/elastic/elasticsearch/tree/master/test/fixtures/krb5kdc-fixture
In order to generate the SPNEGO token to use for the client credentials grant mentioned above we will use https://www.npmjs.com/package/kerberos. This module has a number of system specific dependencies that we will have to either require on every machine that runs the API integration tests, or we will have to use
node-pre-gypto precompile these dependencies.The text was updated successfully, but these errors were encountered: