mirror of
https://github.com/honeymoose/OpenSearch.git
synced 2025-03-01 16:39:11 +00:00
2f173402ec
Kibana wants to create access_token/refresh_token pair using Token management APIs in exchange for kerberos tickets. `client_credentials` grant_type requires every user to have `cluster:admin/xpack/security/token/create` cluster privilege. This commit introduces `_kerberos` grant_type for generating `access_token` and `refresh_token` in exchange for a valid base64 encoded kerberos ticket. In addition, `kibana_user` role now has cluster privilege to create tokens. This allows Kibana to create access_token/refresh_token pair in exchange for kerberos tickets. Note: The lifetime from the kerberos ticket is not used in ES and so even after it expires the access_token/refresh_token pair will be valid. Care must be taken to invalidate such tokens using token management APIs if required. Closes #41943
67 lines
3.0 KiB
Groovy
67 lines
3.0 KiB
Groovy
import java.nio.file.Path
|
|
import java.nio.file.Paths
|
|
import java.nio.file.Files
|
|
|
|
apply plugin: 'elasticsearch.testclusters'
|
|
apply plugin: 'elasticsearch.standalone-rest-test'
|
|
apply plugin: 'elasticsearch.rest-test'
|
|
apply plugin: 'elasticsearch.test.fixtures'
|
|
|
|
testFixtures.useFixture ":test:fixtures:krb5kdc-fixture"
|
|
|
|
dependencies {
|
|
testCompile project(':x-pack:plugin:core')
|
|
testCompile project(path: xpackModule('core'), configuration: 'testArtifacts')
|
|
testCompile project(path: xpackModule('security'), configuration: 'testArtifacts')
|
|
}
|
|
|
|
testClusters.integTest {
|
|
distribution = 'DEFAULT'
|
|
// force localhost IPv4 otherwise it is a chicken and egg problem where we need the keytab for the hostname when starting the cluster
|
|
// but do not know the exact address that is first in the http ports file
|
|
setting 'http.host', '127.0.0.1'
|
|
setting 'xpack.license.self_generated.type', 'trial'
|
|
setting 'xpack.security.enabled', 'true'
|
|
setting 'xpack.security.authc.realms.file.file1.order', '0'
|
|
setting 'xpack.ml.enabled', 'false'
|
|
setting 'xpack.security.audit.enabled', 'true'
|
|
setting 'xpack.security.authc.token.enabled', 'true'
|
|
// Kerberos realm
|
|
setting 'xpack.security.authc.realms.kerberos.kerberos.order', '1'
|
|
setting 'xpack.security.authc.realms.kerberos.kerberos.keytab.path', 'es.keytab'
|
|
setting 'xpack.security.authc.realms.kerberos.kerberos.krb.debug', 'true'
|
|
setting 'xpack.security.authc.realms.kerberos.kerberos.remove_realm_name', 'false'
|
|
|
|
|
|
systemProperty "java.security.krb5.conf", { project(':test:fixtures:krb5kdc-fixture').ext.krb5Conf("peppa").toString() }
|
|
systemProperty "sun.security.krb5.debug", "true"
|
|
|
|
extraConfigFile "es.keytab", project(':test:fixtures:krb5kdc-fixture').ext.krb5Keytabs("peppa", "HTTP_localhost.keytab")
|
|
|
|
user username: "test_admin", password: "x-pack-test-password"
|
|
user username: "test_kibana_user", password: "x-pack-test-password", role: "kibana_system"
|
|
}
|
|
|
|
String realm = "BUILD.ELASTIC.CO"
|
|
integTest.runner {
|
|
Path peppaKeytab = Paths.get("${project.buildDir}", "generated-resources", "keytabs", "peppa.keytab")
|
|
nonInputProperties.systemProperty 'test.userkt', "peppa@${realm}"
|
|
nonInputProperties.systemProperty 'test.userkt.keytab', "${peppaKeytab}"
|
|
nonInputProperties.systemProperty 'test.userpwd', "george@${realm}"
|
|
systemProperty 'test.userpwd.password', "dino"
|
|
systemProperty 'tests.security.manager', 'true'
|
|
jvmArgs([
|
|
"-Djava.security.krb5.conf=${project(':test:fixtures:krb5kdc-fixture').ext.krb5Conf("peppa")}",
|
|
"-Dsun.security.krb5.debug=true"
|
|
])
|
|
}
|
|
|
|
def generatedResources = "$buildDir/generated-resources/keytabs"
|
|
task copyKeytabToGeneratedResources(type: Copy) {
|
|
from project(':test:fixtures:krb5kdc-fixture').ext.krb5Keytabs("peppa", "peppa.keytab")
|
|
into generatedResources
|
|
dependsOn project(':test:fixtures:krb5kdc-fixture').postProcessFixture
|
|
}
|
|
project.sourceSets.test.output.dir(generatedResources, builtBy:copyKeytabToGeneratedResources)
|
|
|