According to the log, with active_directory via LDAP I get groups
[DEBUG][o.e.x.s.a.s.m.NativeRoleMappingStore] [xxxx] Mapping user [UserData{username:haca01; dn:CN=haca01,OU=Users,OU=People,xxxx; groups:[CN=xxx...]
Kerberos
but using kerberos (type=kerberos) it seems no groups are recognized
[DEBUG][o.e.x.s.a.s.m.NativeRoleMappingStore] [xxxx] Mapping user [UserData{username:haca01@OUR_REALM; dn:null; groups:[]; metadata:{}; realm=kerb1}] to roles [[monitoring_user, kibana_user]]
Tried with role_mapping to specific group
"groups": "CN=...OU=, OU=..." (works with LDAP)
"groups": "groupname"
"groups": ""
"groups": "S-1-...."
Nothing works, using username, e.g.
"username": ""
works
Elasticsearch 6.4 adds support for Kerberos but it does not fetch group information to be used in role mapping. For 6.4, the only way to map users to roles is using the information available in the user metadata and using native role mapping.
In the upcoming release, we will be adding a feature to support authorizing realms where AD/LDAP realms can act as authorizing realms for the given user. For more details see, https://github.com/elastic/elasticsearch/issues/31267.
This would allow you to configure the Kerberos realm for authentication and the roles can be managed by the AD/LDAP realms.
I find it strange that it seems that elasticsearch doesn't look at the Authorization Header sent by e.g. web browser. It contains both the user and all the groups that the user has membership in, e.g.
If you look at the content, it has all the SID-s of the groups the user has membership in (encrypted by the service ticket keytab the server has).
According to the logs I described it seems that the active_direcory authc realm looks at these
[DEBUG][o.e.x.s.a.s.m.NativeRoleMappingStore] [xxxx] Mapping user [UserData{username:haca01; dn:CN=haca01,OU=Users,OU=People,xxxx; groups:[CN=xxx...]
but not the kerberos authc realm
[DEBUG][o.e.x.s.a.s.m.NativeRoleMappingStore] [xxxx] Mapping user [UserData{username:haca01@OUR_REALM; dn:null; groups:[];
About kerberos debug: I followed the instruction in the link,
You are right the information is there in the ticket, known as Kerberos Privilege Attribute Certificate ( PAC ) carrying authorisation information. ES 6.4 does not have support for PAC and its on the roadmap for future releases.
Not much gets logged for Kerberos authentication from Elasticsearch other than authentication information as the implementation is catering towards more on authentication, for authorization the only information required is user principal name and the role mapping is based on that.
The debug settings that I pointed earlier and the ones you enabled, are helpful when you want to troubleshoot problems with Kerberos authentication. They are the JVM logs for debugging Kerberos as Elasticsearch implementation uses JAAS Kerberos login module.
Is there a ticket/issue on PAC for ES that we could follow?
Is there any release for which you aim to include this support?
Can't get Kerberos SSO to work with Kibana.
Is there support for Kerberos SSO in Kibana (I can't seem to find any info about this). Or is the Kerberos SSO only for direct access to elasticsearch?
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.
