2019-10-04 11:19:10 -04:00
[role="xpack"]
[[kerberos-realm]]
=== Kerberos authentication

You can configure the {stack} {security-features} to support Kerberos V5
authentication, an industry-standard protocol for authenticating users, in {es}.

NOTE: The Kerberos realm authenticates only HTTP requests (via SPNEGO); you cannot use it to authenticate on the transport network layer.

To authenticate users with Kerberos, you need to configure a Kerberos realm and
map users to roles. For more information on realm settings, see
<<ref-kerberos-settings>>.

[[kerberos-terms]]
==== Key concepts

There are a few terms and concepts that you'll encounter when you're setting up
Kerberos realms:

_kdc_::
Key Distribution Center. The service that authenticates principals and issues
Kerberos tickets.

_principal_::
A Kerberos principal is a unique identity to which Kerberos can assign
tickets. It can be used to identify a user or a service provided by a
server.
+
--
Kerberos V5 principal names are of the format `primary/instance@REALM`, where
`primary` is a user name or, for a service principal, the service name (for
example `HTTP`).

`instance` is an optional string that qualifies the primary and is separated
from the primary by a slash (`/`). For a user, it is usually not used; for
service hosts, it is the fully qualified domain name of the host.

`REALM` is the Kerberos realm. Usually it is the domain name in upper case.
An example of a typical user principal is `user@ES.DOMAIN.LOCAL`. An example of
a typical service principal is `HTTP/es.domain.local@ES.DOMAIN.LOCAL`.
--

_realm_::
Realms define the administrative boundary within which the authentication server
has authority to authenticate users and services.

_keytab_::
A file that stores pairs of principals and encryption keys.

IMPORTANT: Anyone with read permission on this file can use the keys it
contains to authenticate as those principals and access other services on the
network, so it is important to protect it with restrictive file permissions.

_krb5.conf_::
A file that contains Kerberos configuration information such as the default realm
name, the locations of Key Distribution Centers (KDCs), realm information,
mappings from domain names to Kerberos realms, and default configurations for
realm session key encryption types.

_ticket granting ticket (TGT)_::
A TGT is an authentication ticket issued by the Kerberos authentication server
(the authentication service of the KDC) after a principal proves its identity.
It is encrypted with the KDC's key and carries the client identity and a session
key; the client presents it to request service tickets without re-authenticating.

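The helpers below, added here as an example and not code from the {es} docs or the {es} project, put the definitions above to work: `default_realm` pulls the default realm out of a constructed `krb5.conf` fragment, `parse_principal` splits a principal name into `primary`, `instance` and `REALM` (handling backslash escapes and falling back to the default realm when `@REALM` is absent), and `keytab_is_private` is the file-permission check the IMPORTANT note above calls for. The realm, KDC host and file names are placeholders, and only the two-component `primary/instance` form described in the text is accepted.

```python
# Added example (not from the {es} docs or code base); names below are placeholders.
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Optional

# Constructed krb5.conf fragment with the parts the definition above lists:
# default realm, KDC location and domain-to-realm mapping.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = ES.DOMAIN.LOCAL
[realms]
    ES.DOMAIN.LOCAL = {
        kdc = kdc.es.domain.local
    }
[domain_realm]
    .es.domain.local = ES.DOMAIN.LOCAL
"""

def default_realm(krb5_conf_text: str) -> Optional[str]:
    """Return default_realm from [libdefaults], or None if it is not set."""
    section = None
    for raw in krb5_conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "libdefaults" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "default_realm":
                return value
    return None

@dataclass(frozen=True)
class Principal:
    primary: str
    instance: Optional[str]  # None for a user principal such as user@REALM
    realm: Optional[str]

    @property
    def is_service(self) -> bool:
        # A qualified primary (e.g. HTTP/es.domain.local) names a service.
        return self.instance is not None

def parse_principal(name: str, realm_default: Optional[str] = None) -> Principal:
    """Parse primary[/instance][@REALM]; a backslash escapes the next character
    (so '\\/' and '\\@' are data, as in MIT krb5). Only the two-component form
    shown in the text is accepted; a missing realm falls back to realm_default."""
    components = [[]]  # components[0] = primary, components[1] = instance
    realm_chars, in_realm, i = [], False, 0
    while i < len(name):
        ch = name[i]
        if ch == "\\":
            if i + 1 == len(name):
                raise ValueError("dangling backslash in principal name")
            (realm_chars if in_realm else components[-1]).append(name[i + 1])
            i += 2
            continue
        if in_realm:
            if ch == "@":
                raise ValueError("unescaped '@' inside realm")
            realm_chars.append(ch)
        elif ch == "@":
            in_realm = True
        elif ch == "/":
            if len(components) == 2:
                raise ValueError("only primary/instance is supported here")
            components.append([])
        else:
            components[-1].append(ch)
        i += 1
    primary = "".join(components[0])
    instance = "".join(components[1]) if len(components) == 2 else None
    if not primary or instance == "" or (in_realm and not realm_chars):
        raise ValueError("empty primary, instance or realm in %r" % name)
    return Principal(primary, instance, "".join(realm_chars) if in_realm else realm_default)

def keytab_is_private(path: str) -> bool:
    """True if the keytab is a regular file with no group/other permission bits."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and not (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO))

def demo_keytab_check() -> tuple:
    """Create throwaway 0600 and 0644 files and check both; expected (True, False)."""
    results = []
    for mode in (0o600, 0o644):
        with tempfile.NamedTemporaryFile(suffix=".keytab", delete=False) as f:
            path = f.name
        try:
            os.chmod(path, mode)
            results.append(keytab_is_private(path))
        finally:
            os.unlink(path)
    return tuple(results)
```

`parse_principal("HTTP/es.domain.local@ES.DOMAIN.LOCAL")` yields a service principal with instance `es.domain.local`, while `parse_principal("user", default_realm(SAMPLE_KRB5_CONF))` fills in the realm from the configuration. Run `keytab_is_private` against the real keytab path you configure for the realm; a `False` result means the file is readable by more than its owner and the keys in it should be treated as exposed.
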
[[kerberos-realm-configuration]]
==== Configuring a Kerberos realm

include::configuring-kerberos-realm.asciidoc[]