From 7aa23a51ed7ab74cf681378d952e8756cf46655e Mon Sep 17 00:00:00 2001 From: Yogesh Gaikwad Date: Fri, 31 Aug 2018 19:09:58 +1000 Subject: [PATCH 1/4] [Kerberos] Add realm name & UPN to user metadata We have a Kerberos setting to remove realm part from the user principal name (`remove_realm_name`). If this is true then the realm name is removed to form username but in the process, the realm name is lost. For scenarios like Kerberos cross-realm authentication, one could make use of the realm name to determine role mapping for users coming from different realms. This commit adds user metadata for `realm` and `user_principal_name`. --- .../configuring-kerberos-realm.asciidoc | 6 +++ .../authc/kerberos/KerberosRealm.java | 45 +++++++++---------- .../KerberosRealmAuthenticateFailedTests.java | 7 ++- .../kerberos/KerberosRealmCacheTests.java | 17 +++++-- .../authc/kerberos/KerberosRealmTestCase.java | 14 ++++++ .../authc/kerberos/KerberosRealmTests.java | 10 +++-- 6 files changed, 68 insertions(+), 31 deletions(-) diff --git a/x-pack/docs/en/security/authentication/configuring-kerberos-realm.asciidoc b/x-pack/docs/en/security/authentication/configuring-kerberos-realm.asciidoc index 9e7ed4762728a..336a4609bbb11 100644 --- a/x-pack/docs/en/security/authentication/configuring-kerberos-realm.asciidoc +++ b/x-pack/docs/en/security/authentication/configuring-kerberos-realm.asciidoc 
@@ -165,6 +165,12 @@ POST _xpack/security/role_mapping/kerbrolemapping -------------------------------------------------- // CONSOLE +In case you want to support Kerberos cross realm authentication you may +need to map roles based on the Kerberos realm name. For such scenarios +following are the additional user metadata available for role mapping: +- `realm` will be set to Kerberos realm name. +- `user_principal_name` will be set to user principal name from the Kerberos ticket. + For more information, see {stack-ov}/mapping-roles.html[Mapping users and groups to roles]. NOTE: The Kerberos realm supports diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealm.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealm.java index 9c531d3159f1b..2b9f2b29d7e62 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealm.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealm.java @@ -30,6 +30,7 @@ import java.nio.file.Files; import java.nio.file.Path; import java.util.Collections; +import java.util.HashMap; import java.util.List; import java.util.Map; @@ -151,8 +152,7 @@ public void authenticate(final AuthenticationToken token, final ActionListener { if (userPrincipalNameOutToken.v1() != null) { - final String username = maybeRemoveRealmName(userPrincipalNameOutToken.v1()); - resolveUser(username, userPrincipalNameOutToken.v2(), listener); + resolveUser(userPrincipalNameOutToken.v1(), userPrincipalNameOutToken.v2(), listener); } else { /** * This is when security context could not be established may be due to ongoing 
@@ -171,23 +171,8 @@ public void authenticate(final AuthenticationToken token, final ActionListener handleException(e, listener))); } - /** - * Usually principal names are in the form 'user/instance@REALM'. This method - * removes '@REALM' part from the principal name if - * {@link KerberosRealmSettings#SETTING_REMOVE_REALM_NAME} is {@code true} else - * will return the input string. - * - * @param principalName user principal name - * @return username after removal of realm - */ - protected String maybeRemoveRealmName(final String principalName) { - if (this.removeRealmName) { - int foundAtIndex = principalName.indexOf('@'); - if (foundAtIndex > 0) { - return principalName.substring(0, foundAtIndex); - } - } - return principalName; + private String[] splitUserPrincipalName(final String userPrincipalName) { + return userPrincipalName.split("@"); } private void handleException(Exception e, final ActionListener listener) { @@ -205,13 +190,21 @@ private void handleException(Exception e, final ActionListener listener) { + private void resolveUser(final String userPrincipalName, final String outToken, final ActionListener listener) { // if outToken is present then it needs to be communicated with peer, add it to // response header in thread context. if (Strings.hasText(outToken)) { threadPool.getThreadContext().addResponseHeader(WWW_AUTHENTICATE, NEGOTIATE_AUTH_HEADER_PREFIX + outToken); } + final String[] userAndRealmName = splitUserPrincipalName(userPrincipalName); + /* + * Usually principal names are in the form 'user/instance@REALM'. If + * KerberosRealmSettings#SETTING_REMOVE_REALM_NAME is true then remove + * '@REALM' part from the user principal name to get username. + */ + final String username = (this.removeRealmName) ? userAndRealmName[0] : userPrincipalName; + if (delegatedRealms.hasDelegation()) { delegatedRealms.resolve(username, listener); } else { 
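Review bot: `splitUserPrincipalName` loses the guard the removed `maybeRemoveRealmName` had: `split("@")` on a principal that begins with '@' returns an empty first element, so `username` in resolveUser becomes `""` where the old `foundAtIndex > 0` check returned the input unchanged, and a principal consisting only of '@' returns a zero-length array, so `userAndRealmName[0]` throws ArrayIndexOutOfBoundsException inside the ticket-validator callback. Whether the validator can ever hand back such a name I can't tell from the hunk, but the authentication path should not depend on it. The index-based form avoids both: `final int atIndex = userPrincipalName.indexOf('@');` and `final String username = (this.removeRealmName && atIndex > 0) ? userPrincipalName.substring(0, atIndex) : userPrincipalName;`, with the realm in the following hunk taken as `userPrincipalName.substring(atIndex + 1)` when `atIndex >= 0`. Note that neither form handles a backslash-escaped '@' inside a principal component; if such names are expected a proper parser is needed. resolveUser continues into the next hunk.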
@@ -219,15 +212,19 @@ private void resolveUser(final String username, final String outToken, final Act if (user != null) { listener.onResponse(AuthenticationResult.success(user)); } else { - buildUser(username, listener); + final String realmName = (userAndRealmName.length > 1) ? userAndRealmName[1] : null; + final Map metadata = new HashMap<>(); + metadata.put("realm", realmName); + metadata.put("user_principal_name", userPrincipalName); + buildUser(username, metadata, listener); } } } - private void buildUser(final String username, final ActionListener listener) { - final UserRoleMapper.UserData userData = new UserRoleMapper.UserData(username, null, Collections.emptySet(), null, this.config); + private void buildUser(final String username, final Map metadata, final ActionListener listener) { + final UserRoleMapper.UserData userData = new UserRoleMapper.UserData(username, null, Collections.emptySet(), metadata, this.config); userRoleMapper.resolveRoles(userData, ActionListener.wrap(roles -> { - final User computedUser = new User(username, roles.toArray(new String[roles.size()]), null, null, null, true); + final User computedUser = new User(username, roles.toArray(new String[roles.size()]), null, null, userData.getMetadata(), true); if (userPrincipalNameToUserCache != null) { userPrincipalNameToUserCache.put(username, computedUser); } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmAuthenticateFailedTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmAuthenticateFailedTests.java index 7c5904d048a63..761e2e609f5c2 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmAuthenticateFailedTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmAuthenticateFailedTests.java 
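Review bot: The cache write `userPrincipalNameToUserCache.put(username, computedUser)` in buildUser keys on the realm-stripped `username`, but the cached User now carries realm-specific metadata and role-mapping output, so with `remove_realm_name` enabled `alice@REALM1` and `alice@REALM2` share one entry and the second realm's login is served the first realm's `realm` metadata and roles until the entry expires (the lookup is outside the hunk, so I am inferring it reads the same key). That undoes the cross-realm role mapping this change introduces, and the variable name suggests the key was meant to be the full principal name. Either key the cache on `userPrincipalName` — and the expire paths on the same key — or document the limitation next to the `put`, e.g. `// cache is keyed on the stripped username: with remove_realm_name, principals from different realms share one entry`. resolveUser starts in the previous hunk.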
@@ -25,7 +25,9 @@ import java.nio.charset.StandardCharsets; import java.nio.file.Path; import java.util.Collections; +import java.util.HashMap; import java.util.List; +import java.util.Map; import javax.security.auth.login.LoginException; @@ -86,7 +88,10 @@ public void testAuthenticateDifferentFailureScenarios() throws LoginException, G assertThat(result, is(notNullValue())); if (validTicket) { final String expectedUsername = maybeRemoveRealmName(username); - final User expectedUser = new User(expectedUsername, roles.toArray(new String[roles.size()]), null, null, null, true); + final Map metadata = new HashMap<>(); + metadata.put("realm", realmName(username)); + metadata.put("user_principal_name", username); + final User expectedUser = new User(expectedUsername, roles.toArray(new String[roles.size()]), null, null, metadata, true); assertSuccessAuthenticationResult(expectedUser, outToken, result); } else { assertThat(result.getStatus(), is(equalTo(AuthenticationResult.Status.TERMINATE))); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmCacheTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmCacheTests.java index 69ebe15c5d74b..d67183831a3c0 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmCacheTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmCacheTests.java @@ -18,7 +18,9 @@ import java.io.IOException; import java.nio.file.Path; import java.util.Arrays; +import java.util.HashMap; import java.util.List; +import java.util.Map; import javax.security.auth.login.LoginException; 
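Review bot: The expected-metadata construction (`new HashMap<>()` plus the two `put` calls) is repeated verbatim here, three times in KerberosRealmCacheTests and once in KerberosRealmTests, and the later commit in this series has to touch all five copies just to rename the keys. KerberosRealmTestCase already hosts `maybeRemoveRealmName` and `realmName`, so a sibling helper such as `protected Map<String, Object> expectedMetadata(final String principalName)` that builds and returns the map from `realmName(principalName)` and the principal itself would keep the key names in one place. Each test then reads `final Map<String, Object> metadata = expectedMetadata(username);`.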
@@ -40,7 +42,10 @@ public void testAuthenticateWithCache() throws LoginException, GSSException { final KerberosRealm kerberosRealm = createKerberosRealm(username); final String expectedUsername = maybeRemoveRealmName(username); - final User expectedUser = new User(expectedUsername, roles.toArray(new String[roles.size()]), null, null, null, true); + final Map metadata = new HashMap<>(); + metadata.put("realm", realmName(username)); + metadata.put("user_principal_name", username); + final User expectedUser = new User(expectedUsername, roles.toArray(new String[roles.size()]), null, null, metadata, true); final byte[] decodedTicket = randomByteArrayOfLength(10); final Path keytabPath = config.env().configFile().resolve(KerberosRealmSettings.HTTP_SERVICE_KEYTAB_PATH.get(config.settings())); final boolean krbDebug = KerberosRealmSettings.SETTING_KRB_DEBUG_ENABLE.get(config.settings()); @@ -72,7 +77,10 @@ public void testCacheInvalidationScenarios() throws LoginException, GSSException final boolean krbDebug = KerberosRealmSettings.SETTING_KRB_DEBUG_ENABLE.get(config.settings()); mockKerberosTicketValidator(decodedTicket, keytabPath, krbDebug, new Tuple<>(authNUsername, outToken), null); final String expectedUsername = maybeRemoveRealmName(authNUsername); - final User expectedUser = new User(expectedUsername, roles.toArray(new String[roles.size()]), null, null, null, true); + final Map metadata = new HashMap<>(); + metadata.put("realm", realmName(authNUsername)); + metadata.put("user_principal_name", authNUsername); + final User expectedUser = new User(expectedUsername, roles.toArray(new String[roles.size()]), null, null, metadata, true); final KerberosAuthenticationToken kerberosAuthenticationToken = new KerberosAuthenticationToken(decodedTicket); final User user1 = authenticateAndAssertResult(kerberosRealm, expectedUser, kerberosAuthenticationToken, outToken); 
@@ -110,7 +118,10 @@ public void testAuthenticateWithValidTicketSucessAuthnWithUserDetailsWhenCacheDi final KerberosRealm kerberosRealm = createKerberosRealm(username); final String expectedUsername = maybeRemoveRealmName(username); - final User expectedUser = new User(expectedUsername, roles.toArray(new String[roles.size()]), null, null, null, true); + final Map metadata = new HashMap<>(); + metadata.put("realm", realmName(username)); + metadata.put("user_principal_name", username); + final User expectedUser = new User(expectedUsername, roles.toArray(new String[roles.size()]), null, null, metadata, true); final byte[] decodedTicket = randomByteArrayOfLength(10); final Path keytabPath = config.env().configFile().resolve(KerberosRealmSettings.HTTP_SERVICE_KEYTAB_PATH.get(config.settings())); final boolean krbDebug = KerberosRealmSettings.SETTING_KRB_DEBUG_ENABLE.get(config.settings()); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTestCase.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTestCase.java index dd83da49a0bb7..665c3b0bc87c4 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTestCase.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTestCase.java @@ -155,6 +155,7 @@ protected String randomPrincipalName() { if (withInstance) { principalName.append("/").append(randomAlphaOfLength(5)); } + principalName.append("@"); principalName.append(randomAlphaOfLength(5).toUpperCase(Locale.ROOT)); return principalName.toString(); } 
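Review bot: `randomPrincipalName` in KerberosRealmTestCase now appends `@` and a realm unconditionally, so no test produces a principal without a realm part and the `realmName == null` branch in KerberosRealm.resolveUser (and the null return of the test-side `realmName` helper) is never exercised. Since `maybeRemoveRealmName` and `realmName` already cope with a missing '@', making the realm optional costs nothing: `if (randomBoolean()) { principalName.append("@").append(randomAlphaOfLength(5).toUpperCase(Locale.ROOT)); }`. Before this change the realm was appended without a separator, so no generated principal carried an '@' at all; a short comment on the method saying the realm is optional would stop that regressing again.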
@@ -177,4 +178,17 @@ protected String maybeRemoveRealmName(final String principalName) { } return principalName; } + + /** + * Extracts and returns realm part from the principal name. + * @param principalName user principal name + * @return realm name if found else returns {@code null} + */ + protected String realmName(final String principalName) { + String[] values = principalName.split("@"); + if (values.length > 1) { + return values[1]; + } + return null; + } } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTests.java index d35068fd07af2..eaf3121f1dc37 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTests.java @@ -38,7 +38,9 @@ import java.util.Arrays; import java.util.Collections; import java.util.EnumSet; +import java.util.HashMap; import java.util.Locale; +import java.util.Map; import java.util.Set; import javax.security.auth.login.LoginException; 
@@ -71,7 +73,10 @@ public void testAuthenticateWithValidTicketSucessAuthnWithUserDetails() throws L final String username = randomPrincipalName(); final KerberosRealm kerberosRealm = createKerberosRealm(username); final String expectedUsername = maybeRemoveRealmName(username); - final User expectedUser = new User(expectedUsername, roles.toArray(new String[roles.size()]), null, null, null, true); + final Map metadata = new HashMap<>(); + metadata.put("realm", realmName(username)); + metadata.put("user_principal_name", username); + final User expectedUser = new User(expectedUsername, roles.toArray(new String[roles.size()]), null, null, metadata, true); final byte[] decodedTicket = "base64encodedticket".getBytes(StandardCharsets.UTF_8); final Path keytabPath = config.env().configFile().resolve(KerberosRealmSettings.HTTP_SERVICE_KEYTAB_PATH.get(config.settings())); final boolean krbDebug = KerberosRealmSettings.SETTING_KRB_DEBUG_ENABLE.get(config.settings()); @@ -197,5 +202,4 @@ public void testDelegatedAuthorization() throws Exception { verifyNoMoreInteractions(mockKerberosTicketValidator, mockNativeRoleMappingStore); verify(otherRealm, times(2)).lookupUser(eq(expectedUsername), any(ActionListener.class)); } -} - +} \ No newline at end of file From 264861a0952dd0f7c23c4be40468da6fe62ec6bb Mon Sep 17 00:00:00 2001 From: Yogesh Gaikwad Date: Fri, 7 Sep 2018 08:54:14 +1000 Subject: [PATCH 2/4] Address review comment --- .../xpack/security/authc/kerberos/KerberosRealmTests.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTests.java index eaf3121f1dc37..cc91d64948555 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTests.java 
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTests.java @@ -202,4 +202,5 @@ public void testDelegatedAuthorization() throws Exception { verifyNoMoreInteractions(mockKerberosTicketValidator, mockNativeRoleMappingStore); verify(otherRealm, times(2)).lookupUser(eq(expectedUsername), any(ActionListener.class)); } -} \ No newline at end of file +} + From 9f219230407d8d54cb96edbfeb7322ef4ff758d6 Mon Sep 17 00:00:00 2001 From: Yogesh Gaikwad Date: Fri, 7 Sep 2018 11:47:27 +1000 Subject: [PATCH 3/4] Address review comment, add kerberos_ prefix to metadata keys. --- .../xpack/security/authc/kerberos/KerberosRealm.java | 7 +++++-- .../KerberosRealmAuthenticateFailedTests.java | 4 ++-- .../authc/kerberos/KerberosRealmCacheTests.java | 12 ++++++------ .../security/authc/kerberos/KerberosRealmTests.java | 4 ++-- 4 files changed, 15 insertions(+), 12 deletions(-) diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealm.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealm.java index 2b9f2b29d7e62..0f47b6032f5ab 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealm.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealm.java @@ -59,6 +59,9 @@ */ public final class KerberosRealm extends Realm implements CachingRealm { + public static final String KRB_METADATA_REALM_NAME_KEY = "kerberos_realm"; + public static final String KRB_METADATA_UPN_KEY = "kerberos_user_principal_name"; + private final Cache userPrincipalNameToUserCache; private final NativeRoleMappingStore userRoleMapper; private final KerberosTicketValidator kerberosTicketValidator; 
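Review bot: `KRB_METADATA_REALM_NAME_KEY` and `KRB_METADATA_UPN_KEY` are public and their string values are what administrators reference in role-mapping rules (the docs change in this series lists `kerberos_realm` and `kerberos_user_principal_name`), but they carry no Javadoc saying so, unlike the rest of the class. A comment such as `/** User metadata key holding the Kerberos realm of the authenticated principal; referenced by role-mapping rules, so the value is effectively public API. */` on the first, and the analogue naming the full user principal name on the second, would stop a future rename from silently breaking deployed mappings.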
@@ -214,8 +217,8 @@ private void resolveUser(final String userPrincipalName, final String outToken, } else { final String realmName = (userAndRealmName.length > 1) ? userAndRealmName[1] : null; final Map metadata = new HashMap<>(); - metadata.put("realm", realmName); - metadata.put("user_principal_name", userPrincipalName); + metadata.put(KRB_METADATA_REALM_NAME_KEY, realmName); + metadata.put(KRB_METADATA_UPN_KEY, userPrincipalName); buildUser(username, metadata, listener); } } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmAuthenticateFailedTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmAuthenticateFailedTests.java index 761e2e609f5c2..dcb087ff147c8 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmAuthenticateFailedTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmAuthenticateFailedTests.java @@ -89,8 +89,8 @@ public void testAuthenticateDifferentFailureScenarios() throws LoginException, G if (validTicket) { final String expectedUsername = maybeRemoveRealmName(username); final Map metadata = new HashMap<>(); - metadata.put("realm", realmName(username)); - metadata.put("user_principal_name", username); + metadata.put(KerberosRealm.KRB_METADATA_REALM_NAME_KEY, realmName(username)); + metadata.put(KerberosRealm.KRB_METADATA_UPN_KEY, username); final User expectedUser = new User(expectedUsername, roles.toArray(new String[roles.size()]), null, null, metadata, true); assertSuccessAuthenticationResult(expectedUser, outToken, result); } else { 
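Review bot: `metadata.put(KRB_METADATA_REALM_NAME_KEY, realmName)` stores a null value when the principal carried no '@' (`realmName` is null on the line above), so the `kerberos_realm` key is present but null in the User's metadata. Unless the consumers of user metadata are known to accept null values — I can't tell from the hunk — omitting the key is the clearer contract: `if (realmName != null) { metadata.put(KRB_METADATA_REALM_NAME_KEY, realmName); }`, with the docs stating that the key is absent for realm-less principals. resolveUser starts and ends outside this hunk.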
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmCacheTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmCacheTests.java index d67183831a3c0..09be9e23223c3 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmCacheTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmCacheTests.java @@ -43,8 +43,8 @@ public void testAuthenticateWithCache() throws LoginException, GSSException { final String expectedUsername = maybeRemoveRealmName(username); final Map metadata = new HashMap<>(); - metadata.put("realm", realmName(username)); - metadata.put("user_principal_name", username); + metadata.put(KerberosRealm.KRB_METADATA_REALM_NAME_KEY, realmName(username)); + metadata.put(KerberosRealm.KRB_METADATA_UPN_KEY, username); final User expectedUser = new User(expectedUsername, roles.toArray(new String[roles.size()]), null, null, metadata, true); final byte[] decodedTicket = randomByteArrayOfLength(10); final Path keytabPath = config.env().configFile().resolve(KerberosRealmSettings.HTTP_SERVICE_KEYTAB_PATH.get(config.settings())); 
@@ -78,8 +78,8 @@ public void testCacheInvalidationScenarios() throws LoginException, GSSException mockKerberosTicketValidator(decodedTicket, keytabPath, krbDebug, new Tuple<>(authNUsername, outToken), null); final String expectedUsername = maybeRemoveRealmName(authNUsername); final Map metadata = new HashMap<>(); - metadata.put("realm", realmName(authNUsername)); - metadata.put("user_principal_name", authNUsername); + metadata.put(KerberosRealm.KRB_METADATA_REALM_NAME_KEY, realmName(authNUsername)); + metadata.put(KerberosRealm.KRB_METADATA_UPN_KEY, authNUsername); final User expectedUser = new User(expectedUsername, roles.toArray(new String[roles.size()]), null, null, metadata, true); final KerberosAuthenticationToken kerberosAuthenticationToken = new KerberosAuthenticationToken(decodedTicket); @@ -119,8 +119,8 @@ public void testAuthenticateWithValidTicketSucessAuthnWithUserDetailsWhenCacheDi final String expectedUsername = maybeRemoveRealmName(username); final Map metadata = new HashMap<>(); - metadata.put("realm", realmName(username)); - metadata.put("user_principal_name", username); + metadata.put(KerberosRealm.KRB_METADATA_REALM_NAME_KEY, realmName(username)); + metadata.put(KerberosRealm.KRB_METADATA_UPN_KEY, username); final User expectedUser = new User(expectedUsername, roles.toArray(new String[roles.size()]), null, null, metadata, true); final byte[] decodedTicket = randomByteArrayOfLength(10); final Path keytabPath = config.env().configFile().resolve(KerberosRealmSettings.HTTP_SERVICE_KEYTAB_PATH.get(config.settings())); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTests.java index cc91d64948555..e4e11c4f5eaae 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTests.java 
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTests.java @@ -74,8 +74,8 @@ public void testAuthenticateWithValidTicketSucessAuthnWithUserDetails() throws L final KerberosRealm kerberosRealm = createKerberosRealm(username); final String expectedUsername = maybeRemoveRealmName(username); final Map metadata = new HashMap<>(); - metadata.put("realm", realmName(username)); - metadata.put("user_principal_name", username); + metadata.put(KerberosRealm.KRB_METADATA_REALM_NAME_KEY, realmName(username)); + metadata.put(KerberosRealm.KRB_METADATA_UPN_KEY, username); final User expectedUser = new User(expectedUsername, roles.toArray(new String[roles.size()]), null, null, metadata, true); final byte[] decodedTicket = "base64encodedticket".getBytes(StandardCharsets.UTF_8); final Path keytabPath = config.env().configFile().resolve(KerberosRealmSettings.HTTP_SERVICE_KEYTAB_PATH.get(config.settings())); From 4cee91cf6624b9c753e194af99504278de852db9 Mon Sep 17 00:00:00 2001 From: Yogesh Gaikwad Date: Fri, 7 Sep 2018 11:49:19 +1000 Subject: [PATCH 4/4] Change prefix in the kerberos docs. --- .../authentication/configuring-kerberos-realm.asciidoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/x-pack/docs/en/security/authentication/configuring-kerberos-realm.asciidoc b/x-pack/docs/en/security/authentication/configuring-kerberos-realm.asciidoc index 336a4609bbb11..cc0863112c7e4 100644 --- a/x-pack/docs/en/security/authentication/configuring-kerberos-realm.asciidoc +++ b/x-pack/docs/en/security/authentication/configuring-kerberos-realm.asciidoc 
@@ -168,8 +168,8 @@ POST _xpack/security/role_mapping/kerbrolemapping In case you want to support Kerberos cross realm authentication you may need to map roles based on the Kerberos realm name. For such scenarios following are the additional user metadata available for role mapping: -- `realm` will be set to Kerberos realm name. -- `user_principal_name` will be set to user principal name from the Kerberos ticket. +- `kerberos_realm` will be set to Kerberos realm name. +- `kerberos_user_principal_name` will be set to user principal name from the Kerberos ticket. For more information, see {stack-ov}/mapping-roles.html[Mapping users and groups to roles].