-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add Kerberos support to Elasticsearch output #17927
Add Kerberos support to Elasticsearch output #17927
Conversation
Pinging @elastic/integrations-services (Team:Services) |
73c4256
to
03daa15
Compare
1ceba6e
to
f213960
Compare
f213960
to
d88714d
Compare
WDYT about starting a discussion issue about this in https://github.com/elastic/go-elasticsearch? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Gave an LGTM too early, sorry! I assume you want to add docs (https://www.elastic.co/guide/en/beats/filebeat/current/elasticsearch-output.html) and a CHANGELOG entry to this PR as well?
@@ -59,19 +64,21 @@ func (t *AuthType) Unpack(value string) error { | |||
} | |||
|
|||
func (c *Config) Validate() error { | |||
if c.AuthType == AUTH_PASSWORD { | |||
switch c.AuthType { | |||
case AUTH_PASSWORD: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nits: Do not use C like screaming identifiers for consts. Plus add the actual type to the const if we already have an enum type. Do we need to export the consts or not?
I understand these have not been introduced in this PR, but would be nice to cleanup existing code a little when we touch it :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
TIL the all-caps identifiers are also known as screaming identifiers! 😄
How about adding an |
d88714d
to
8b7e959
Compare
LGTM. Can you please add a changelog? |
d765e52
to
89b44b8
Compare
@@ -0,0 +1,85 @@ | |||
[[configuration-kerberos]] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks like you haven't included this file anywhere. It's not being built, which is why the link here fails.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for your help!
💔 Build FailedExpand to view the summary
Build stats
Test stats 🧪
Steps errorsExpand to view the steps failures
Log outputExpand to view the last 100 lines of log output
|
Failing tests are unrelated. |
This PR adds support for Kerberos authentication to Elasticsearch output. Users can authenticate using either passwords or keytabs. The option `service_name` is not exposed as in case of ES it has be `HTTP`. Thus, the [SPN](https://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html) of the output is always `HTTP/{output.elasticsearch.host}@{output.elasticsearch.kerberos.realm}`. ```yaml ``` (cherry picked from commit f66b079)
…ut (#18080) * Add Kerberos support to Elasticsearch output (#17927) This PR adds support for Kerberos authentication to Elasticsearch output. Users can authenticate using either passwords or keytabs. The option `service_name` is not exposed as in case of ES it has be `HTTP`. Thus, the [SPN](https://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html) of the output is always `HTTP/{output.elasticsearch.host}@{output.elasticsearch.kerberos.realm}`. ```yaml ``` (cherry picked from commit f66b079) * "fix" reference template
What does this PR do?
This PR adds support for Kerberos authentication to Elasticsearch output.
Configuration
Users can authenticate using either passwords or keytabs.
The option
service_name
is not exposed as in case of ES it has beHTTP
. Thus, the SPN of the output is alwaysHTTP/{output.elasticsearch.host}@{output.elasticsearch.kerberos.realm}
.Architecture
Kerberos authentication is implemented by using the
spnego.Client
fromgopkg.in/jcmturner/gokrb5/v7.5
. It is an HTTP client which is able to authenticate to a Kerberos KDC and get the required session key to authenticate to Elasticsearch.In order to use the client when communicating with ES, I introduced a new interface named
esHTTPClient
with the following functions:So the newly created
kerberos.Client
andhttp.Client
can be used inConnection
.The only drawback of this solution is that it is not compatible with
github.com/elastic/go-elasticsearch
. The main issue is the constructor of that package only lets us configurehttp.Transport
. However,http.Transport
should be used for authentication according to Golang documentation. For the record, it is possible to implement Kerberos authentication in a specialRoundTripper
, but I am not a huge fan of that approach as the Golang docs advise against it.Reference:
Testing
I am planning to add tests in a follow-up PR. I wanted to raise this first, so we can agree on the selected architecture.
Why is it important?
Users now can authenticate to Kerberos-aware Elasticsearch instances.
Checklist
CHANGELOG.next.asciidoc
orCHANGELOG-developer.next.asciidoc
.