2018-05-14 18:35:02 -04:00
[role="xpack"]
2017-04-06 21:29:29 -04:00
[[custom-realms]]
2018-05-14 18:35:02 -04:00
=== Integrating with other authentication systems
2017-04-06 21:29:29 -04:00
If you are using an authentication system that is not supported out-of-the-box
2018-12-19 17:53:37 -05:00
by the {es} {security-features}, you can create a custom realm to interact with
it to authenticate users. You implement a custom realm as an SPI loaded security
extension as part of an ordinary elasticsearch plugin.
2017-04-06 21:29:29 -04:00
[[implementing-custom-realm]]
2018-05-14 18:35:02 -04:00
==== Implementing a custom realm
2017-04-06 21:29:29 -04:00
Sample code that illustrates the structure and implementation of a custom realm
2020-03-11 12:13:25 -04:00
is provided in https://github.com/elastic/elasticsearch/tree/{branch}/x-pack/qa/security-example-spi-extension. You can use this code as a starting point for creating your
2017-04-06 21:29:29 -04:00
own realm.
To create a custom realm, you need to:
. Extend `org.elasticsearch.xpack.security.authc.Realm` to communicate with your
authentication system to authenticate users.
. Implement the `org.elasticsearch.xpack.security.authc.Realm.Factory` interface in
a class that will be used to create the custom realm.
. Extend `org.elasticsearch.xpack.security.authc.DefaultAuthenticationFailureHandler` to
handle authentication failures when using your custom realm.
To package your custom realm as a plugin:
. Implement an extension class for your realm that extends
2018-01-26 10:14:11 -05:00
`org.elasticsearch.xpack.core.security.SecurityExtension`. There you need to
2017-04-06 21:29:29 -04:00
override one or more of the following methods:
+
[source,java]
----------------------------------------------------
@Override
public Map<String, Factory> getRealms() {
...
}
----------------------------------------------------
+
The `getRealms` method is used to provide a map of type names to the `Factory` that
will be used to create the realm.
+
[source,java]
----------------------------------------------------
@Override
public AuthenticationFailureHandler getAuthenticationFailureHandler() {
...
}
----------------------------------------------------
+
The `getAuthenticationFailureHandler` method is used to optionally provide a
2018-12-19 17:53:37 -05:00
custom `AuthenticationFailureHandler`, which will control how the
{es} {security-features} respond in certain authentication failure events.
2017-04-06 21:29:29 -04:00
+
[source,java]
----------------------------------------------------
@Override
public List<String> getSettingsFilter() {
...
}
----------------------------------------------------
+
2018-01-26 10:14:11 -05:00
The `Plugin#getSettingsFilter` method returns a list of setting names that should be
filtered from the settings APIs as they may contain sensitive credentials. Note this method is not
part of the `SecurityExtension` interface, it's available as part of the elasticsearch plugin main class.
2017-04-06 21:29:29 -04:00
. Create a build configuration file for the plugin; Gradle is our recommendation.
2018-01-26 10:14:11 -05:00
. Create a `META-INF/services/org.elasticsearch.xpack.core.security.SecurityExtension` descriptor file for the
extension that contains the fully qualified class name of your `org.elasticsearch.xpack.core.security.SecurityExtension` implementation
2017-04-06 21:29:29 -04:00
. Bundle all in a single zip file.
[[using-custom-realm]]
2018-05-14 18:35:02 -04:00
==== Using a custom realm to authenticate users
2017-04-06 21:29:29 -04:00
To use a custom realm:
. Install the realm extension on each node in the cluster. You run
2018-01-26 10:14:11 -05:00
`bin/elasticsearch-plugin` with the `install` sub-command and specify the URL
2017-04-06 21:29:29 -04:00
pointing to the zip file that contains the extension. For example:
+
[source,shell]
----------------------------------------
2018-01-26 10:14:11 -05:00
bin/elasticsearch-plugin install file:///<path>/my-realm-1.0.zip
2017-04-06 21:29:29 -04:00
----------------------------------------
. Add a realm configuration of the appropriate realm type to `elasticsearch.yml`
2018-11-05 22:56:50 -05:00
under the `xpack.security.authc.realms` namespace.
2020-03-11 12:13:25 -04:00
You must define your realm within the namespace that matches the type defined
2018-11-05 22:56:50 -05:00
by the extension.
The options you can set depend on the settings exposed by the custom realm.
If you are configuring multiple realms, you should also explicitly set the
`order` attribute to control the order in which the realms are consulted during
authentication. You should make sure each configured realm has a distinct
`order` setting. In the event that two or more realms have the same `order`,
they will be processed in realm `name` order.
2017-04-06 21:29:29 -04:00
+
2018-01-16 18:29:00 -05:00
IMPORTANT: When you configure realms in `elasticsearch.yml`, only the
realms you specify are used for authentication. If you also want to use the
`native` or `file` realms, you must include them in the realm chain.
2017-04-06 21:29:29 -04:00
. Restart Elasticsearch.
