Elasticsearch et al SSO with kerberos/AD and groups doesn't work


(Hakan Carlsson) #1

Following this:
https://www.elastic.co/blog/how-to-secure-your-elasticsearch-clusters-using-kerberos
gets it working with users.
However, the mapping of groups seems not to work.

LDAP

According to the log, with active_directory via LDAP I get groups
[DEBUG][o.e.x.s.a.s.m.NativeRoleMappingStore] [xxxx] Mapping user [UserData{username:haca01; dn:CN=haca01,OU=Users,OU=People,xxxx; groups:[CN=xxx...]

Kerberos

but using kerberos (type=kerberos) it seems no groups are recognized
[DEBUG][o.e.x.s.a.s.m.NativeRoleMappingStore] [xxxx] Mapping user [UserData{username:haca01@OUR_REALM; dn:null; groups:[]; metadata:{}; realm=kerb1}] to roles [[monitoring_user, kibana_user]]

Tried with role_mapping to specific group
"groups": "CN=...OU=, OU=..." (works with LDAP)
"groups": "groupname"
"groups": ""
"groups": "S-1-...."
Nothing works, using username, e.g.
"username": "
"
works

Config:

elasticsearch 6.4.0 on Fedora 28

elasticsearch.yml with active_directory LDAP:
active_directory_ldaps:
type: active_directory
order: 1
domain_name: OUR_REALM
url: ldaps://our_realm:636
bind_dn: xxxx
bind_password: xxxx
follow_referrals: false
enabled: true

elasticsearch.yml with kerberos:
kerb1:
type: kerberos
order: 1
keytab.path: xxxx.keytab
krb.debug: true
krb_debug: true
remove_realm_name: false
enabled: true

and a krb5.conf

Also: how to get kerberos debug?

UPDATE

Seems to be limited to username in this release according to:
https://www.elastic.co/guide/en/elasticsearch/reference/6.4/configuring-kerberos-realm.html


(Yogesh Gaikwad) #2

Hi @hakan-carlsson,

Elasticsearch 6.4 adds support for Kerberos but it does not fetch group information to be used in role mapping. For 6.4, the only way to map users to roles is using the information available in the user metadata and using native role mapping.

In the upcoming release, we will be adding a feature to support authorizing realms where AD/LDAP realms can act as authorizing realms for the given user. For more details see, https://github.com/elastic/elasticsearch/issues/31267.
This would allow you to configure the Kerberos realm for authentication and the roles can be managed by the AD/LDAP realms.

In case you need to enable debug logs for Kerberos, you can refer following documentation:
https://www.elastic.co/guide/en/elastic-stack-overview/6.4/trb-security-kerberos.html

Hope this is helpful.

Thanks and Regards,
Yogesh Gaikwad


(Hakan Carlsson) #3

I find it strange that it seems that elasticsearch doesn't look at the Authorization Header sent by e.g. web browser. It contains both the user and all the groups that the user has membership in, e.g.

Authorization: Negotiate YIIxxxxxxxxx...long.string...

If you look at the content, it has all the SID-s of the groups the user has membership in (encrypted by the service ticket keytab the server has).

According to the logs I described it seems that the active_direcory authc realm looks at these
[DEBUG][o.e.x.s.a.s.m.NativeRoleMappingStore] [xxxx] Mapping user [UserData{username:haca01; dn:CN=haca01,OU=Users,OU=People,xxxx; groups:[CN=xxx...]

but not the kerberos authc realm
[DEBUG][o.e.x.s.a.s.m.NativeRoleMappingStore] [xxxx] Mapping user [UserData{username:haca01@OUR_REALM; dn:null; groups:[];

About kerberos debug: I followed the instruction in the link,

jvm.options:
-Dsun.security.krb5.debug=true
-Dsun.security.spnego.debug=true
-Djava.security.krb5.conf=/etc/krb5.conf
-Djava.security.debug=all

elasticsearch.yml
xpack.security.authc.realms:
kerb1:
type: kerberos
krb.debug: true

log4j2.properties:
rootLogger.level: debug

But I fail to find any kerberos debug...


(Yogesh Gaikwad) #4

Hi @hakan-carlsson,

You are right the information is there in the ticket, known as Kerberos Privilege Attribute Certificate ( PAC ) carrying authorisation information. ES 6.4 does not have support for PAC and its on the roadmap for future releases.

Not much gets logged for Kerberos authentication from Elasticsearch other than authentication information as the implementation is catering towards more on authentication, for authorization the only information required is user principal name and the role mapping is based on that.

The debug settings that I pointed earlier and the ones you enabled, are helpful when you want to troubleshoot problems with Kerberos authentication. They are the JVM logs for debugging Kerberos as Elasticsearch implementation uses JAAS Kerberos login module.

Hope this is helpful.

Thanks and Regards,
Yogesh Gaikwad


(Hakan Carlsson) #5

Ok. Thanks for the info.

Is there a ticket/issue on PAC for ES that we could follow?
Is there any release for which you aim to include this support?

Can't get Kerberos SSO to work with Kibana.
Is there support for Kerberos SSO in Kibana (I can't seem to find any info about this). Or is the Kerberos SSO only for direct access to elasticsearch?


(Yogesh Gaikwad) #6

Hi @hakan-carlsson,

As mentioned in 6.4 Kerberos blog, we have started with Kerberos in ES and the support for other stack components are being planned.

Kibana SSO support for Kerberos is work in progress though not decided on the timelines, rest assured that the feature will be coming.

PAC Support is under consideration but we do not know of any timelines for the same. As an alternative

Hope this helps.

Thanks and Regards,
Yogesh Gaikwad


(Hakan Carlsson) #7

Thanks for clarifying Kerberos SSO, hope this will be high priority to release :slight_smile:


(system) #8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.