Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Logstash to support SPNEGO + Kerberos authentication to Elasticsearch #9785

Open
jakelandis opened this issue Jun 25, 2018 · 1 comment
Open

Logstash to support SPNEGO + Kerberos authentication to Elasticsearch #9785

jakelandis opened this issue Jun 25, 2018 · 1 comment

Comments

@jakelandis
Copy link
Contributor

Elasticsearch is implementing a Kerberos realm and Logstash should support this authentication via Kerberos.

More specifically Keberos is being implemented as SPNEGO + Keberos, which is a Base64 encoded token sent in the "Negotiate" header of the HTTP request.

At a high level the following changes will be needed for Logstash:

  • Ability to use JAAS to Authenticate against a Kerberos keytab
  • Ability to Generate a SPNEGO token via the GSSAPI
  • Provide a means for the plugins to obtain the token needed for the Negotiate header
  • Update plugins to send the correct header.

Note - the Apache HTTP client offers SPNEGO + Kerberos support, which may be used. However, since there is a mix of Java and Ruby clients, and the access to Apache HTTP client is via Manticore, more research would be needed to see if this would be helpful. Also, the use of the Apache HTTP client wouldn't obviate the need to authenticate via Kerberos and a keytab.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jakelandis @loekvangool