Add kerberos grant_type to get token in exchange for Kerberos ticket #42847
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Kibana wants to create access_token/refresh_token pair using Token management APIs in exchange for kerberos tickets. `client_credentials` grant_type requires every user to have `cluster:admin/xpack/security/token/create` cluster privilege. This commit introduces `kerberos` grant_type for generating `access_token` and `refresh_token` in exchange for a valid base64 encoded kerberos ticket. In addition, `kibana_user` role now has cluster privilege to create tokens. This allows Kibana to create access_token/refresh_token pair in exchange for kerberos tickets. Note: The lifetime from the kerberos ticket is not used in ES and so even after it expires the access_token/refresh_token pair will be valid. Care must be taken to invalidate such tokens using token management APIs if required. TODO: - The `KerberosAuthenticationIT` requires krb5-kdc fixture to be enabled, currently it is disabled. This will be fixed in another commit. - Documentation
bizybot
added
the
:Security/Authentication
|
Pinging @elastic/es-security |
bizybot
added
:Security/Authorization
I don't think this is necessary. The call to the API will be made by the |
bizybot
changed the title
bizybot
changed the title
tvernum
reviewed
Jun 5, 2019
...ore/src/main/java/org/elasticsearch/xpack/core/security/action/token/CreateTokenRequest.java
Outdated
Show resolved
Hide resolved
tvernum
reviewed
Jun 5, 2019
...ore/src/main/java/org/elasticsearch/xpack/core/security/action/token/CreateTokenRequest.java
Outdated
Show resolved
Hide resolved
…security/action/token/CreateTokenRequest.java Co-Authored-By: Tim Vernum <tim@adjective.org>
…h into kerberos-grant-type
added 2 commits
June 5, 2019 12:20
bizybot
commented
Jun 5, 2019
.../src/main/java/org/elasticsearch/xpack/security/action/token/TransportCreateTokenAction.java
Show resolved
Hide resolved
bizybot
changed the title
jkakavas
reviewed
Jun 7, 2019
...ore/src/main/java/org/elasticsearch/xpack/core/security/action/token/CreateTokenRequest.java
Outdated
Show resolved
Hide resolved
...ore/src/main/java/org/elasticsearch/xpack/core/security/action/token/CreateTokenRequest.java
Outdated
Show resolved
Hide resolved
...a/org/elasticsearch/xpack/security/authc/kerberos/SpnegoHttpClientConfigCallbackHandler.java
Show resolved
Hide resolved
.../src/main/java/org/elasticsearch/xpack/security/action/token/TransportCreateTokenAction.java
Show resolved
Hide resolved
...ty/src/main/java/org/elasticsearch/xpack/security/rest/action/oauth2/RestGetTokenAction.java
Outdated
Show resolved
Hide resolved
...ty/src/main/java/org/elasticsearch/xpack/security/rest/action/oauth2/RestGetTokenAction.java
Outdated
Show resolved
Hide resolved
added 2 commits
June 12, 2019 10:56
|
Hi @jkakavas, I have addressed your review comments, please take another look when you get some time. Thank you. |
added 6 commits
June 14, 2019 17:10
bizybot
added a commit
to bizybot/elasticsearch
that referenced
this pull request
Jun 19, 2019
…lastic#42847) Kibana wants to create access_token/refresh_token pair using Token management APIs in exchange for kerberos tickets. `client_credentials` grant_type requires every user to have `cluster:admin/xpack/security/token/create` cluster privilege. This commit introduces `_kerberos` grant_type for generating `access_token` and `refresh_token` in exchange for a valid base64 encoded kerberos ticket. In addition, `kibana_user` role now has cluster privilege to create tokens. This allows Kibana to create access_token/refresh_token pair in exchange for kerberos tickets. Note: The lifetime from the kerberos ticket is not used in ES and so even after it expires the access_token/refresh_token pair will be valid. Care must be taken to invalidate such tokens using token management APIs if required. Closes elastic#41943
bizybot
added a commit
that referenced
this pull request
Jun 19, 2019
…42847) (#43355) Kibana wants to create access_token/refresh_token pair using Token management APIs in exchange for kerberos tickets. `client_credentials` grant_type requires every user to have `cluster:admin/xpack/security/token/create` cluster privilege. This commit introduces `_kerberos` grant_type for generating `access_token` and `refresh_token` in exchange for a valid base64 encoded kerberos ticket. In addition, `kibana_user` role now has cluster privilege to create tokens. This allows Kibana to create access_token/refresh_token pair in exchange for kerberos tickets. Note: The lifetime from the kerberos ticket is not used in ES and so even after it expires the access_token/refresh_token pair will be valid. Care must be taken to invalidate such tokens using token management APIs if required. Closes #41943
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Kibana wants to create access_token/refresh_token pair using Token
management APIs in exchange for Kerberos tickets.
client_credentialsgrant_type requires every user to have
cluster:admin/xpack/security/token/createcluster privilege.
This commit introduces
_kerberosgrant_type for generatingaccess_tokenand
refresh_tokenin exchange for a valid base64 encoded Kerberos ticket.This allows the Kibana system user to create access_token/refresh_token pair in exchange for
kerberos tickets.
Note:
The lifetime from the kerberos ticket is not used in ES and so even after it expires
the access_token/refresh_token pair will be valid. Care must be taken to invalidate
such tokens using token management APIs if required.
Closes #41943