Add kerberos grant_type to get token in exchange for Kerberos ticket #42847

Merged: 24 commits, Jun 18, 2019

Conversation

bizybot (Contributor) commented Jun 4, 2019

Kibana wants to create an access_token/refresh_token pair using the Token
management APIs in exchange for Kerberos tickets. The client_credentials
grant_type requires every user to have the cluster:admin/xpack/security/token/create
cluster privilege.

This commit introduces the _kerberos grant_type for generating an access_token
and refresh_token in exchange for a valid base64-encoded Kerberos ticket.
This allows the Kibana system user to create an access_token/refresh_token pair in exchange for
Kerberos tickets.

Note:
The lifetime of the Kerberos ticket is not used in ES, so even after it expires
the access_token/refresh_token pair will still be valid. Care must be taken to invalidate
such tokens using the token management APIs if required.

Closes #41943

Kibana wants to create an access_token/refresh_token pair using the Token
management APIs in exchange for Kerberos tickets. The `client_credentials`
grant_type requires every user to have the `cluster:admin/xpack/security/token/create`
cluster privilege.

This commit introduces the `kerberos` grant_type for generating an `access_token`
and `refresh_token` in exchange for a valid base64-encoded Kerberos ticket.
In addition, the `kibana_user` role now has the cluster privilege to create tokens.
This allows Kibana to create an access_token/refresh_token pair in exchange for
Kerberos tickets.

Note:
The lifetime of the Kerberos ticket is not used in ES, so even after it expires
the access_token/refresh_token pair will still be valid. Care must be taken to invalidate
such tokens using the token management APIs if required.

TODO:
- The `KerberosAuthenticationIT` requires the krb5-kdc fixture to be enabled; currently it
is disabled. This will be fixed in another commit.
- Documentation
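The exchange the description introduces, and the ticket-lifetime caveat in its note, as an added client-side example; this is not code from the pull request or from Elasticsearch. It assumes the request and response field names of the get-token API documented in `get-tokens.asciidoc` (`grant_type`, `kerberos_ticket`, `access_token`, `refresh_token`, `expires_in`, `type`, and the optional `kerberos_authentication_response_token`), uses a constructed ticket and a constructed response instead of talking to a cluster, and tracks the ticket's end time on the client because ES does not:

```python
"""Client-side helpers for the `_kerberos` grant of the Elasticsearch get-token
API. Added example (not the PR's own code): field names follow the get-token API
docs; all tickets, tokens and times below are constructed sample values."""
import base64
import json

# Endpoint of the get-token (POST) and invalidate-token (DELETE) APIs.
TOKEN_ENDPOINT = "/_security/oauth2/token"

# Constructed sample of a successful response; real tokens are opaque strings
# and the ES default access-token lifetime is 20 minutes (1200 s).
SAMPLE_RESPONSE_JSON = json.dumps({
    "access_token": "constructed-access-token",
    "type": "Bearer",
    "expires_in": 1200,
    "refresh_token": "constructed-refresh-token",
})


def build_token_request(kerberos_ticket: bytes) -> dict:
    """Body for POST /_security/oauth2/token using the `_kerberos` grant.

    `kerberos_ticket` is the raw SPNEGO token from the client's own credential
    cache (e.g. the decoded value of an `Authorization: Negotiate` header).
    The API expects it base64-encoded, so the caller passes raw bytes here.
    """
    if not kerberos_ticket:
        raise ValueError("Kerberos ticket must not be empty")
    return {
        "grant_type": "_kerberos",
        "kerberos_ticket": base64.b64encode(kerberos_ticket).decode("ascii"),
    }


def parse_token_response(body: str) -> dict:
    """Validate the JSON of a successful token request and pull out what we keep."""
    resp = json.loads(body)
    for field in ("access_token", "refresh_token", "expires_in", "type"):
        if field not in resp:
            raise ValueError(f"token response is missing {field!r}")
    if resp["type"] != "Bearer":
        raise ValueError(f"unexpected token type {resp['type']!r}")
    return {
        "access_token": resp["access_token"],
        "refresh_token": resp["refresh_token"],
        "expires_in": int(resp["expires_in"]),
        # Optional: the server-side GSS output token for mutual authentication.
        "kerberos_authentication_response_token":
            resp.get("kerberos_authentication_response_token"),
    }


def plan_invalidation(token: dict, ticket_expiry: int, now: int) -> dict:
    """Decide when the issued tokens must be invalidated (all times are epoch seconds).

    ES ignores the Kerberos ticket's end time, so the access token lives for
    its full `expires_in` even if the ticket expires a minute after the
    exchange. A client that wants the token bounded by the ticket lifetime has
    to track the earlier of the two deadlines itself.
    """
    es_expiry = now + token["expires_in"]
    return {
        "invalidate_at": min(es_expiry, ticket_expiry),
        "ticket_expires_first": ticket_expiry < es_expiry,
    }


def build_invalidate_requests(token: dict) -> list:
    """Bodies for DELETE /_security/oauth2/token, one request per body.

    Revoking the access token does not revoke its refresh token (or vice
    versa), so both are revoked, each in its own request.
    """
    return [
        {"token": token["access_token"]},
        {"refresh_token": token["refresh_token"]},
    ]


if __name__ == "__main__":
    ticket = b"constructed-ticket"  # a real ticket is a binary GSS/SPNEGO blob
    print("POST", TOKEN_ENDPOINT, json.dumps(build_token_request(ticket)))
    token = parse_token_response(SAMPLE_RESPONSE_JSON)
    now = 1_560_852_000  # constructed "now"
    plan = plan_invalidation(token, ticket_expiry=now + 300, now=now)
    print("invalidate at", plan["invalidate_at"],
          "(ticket expires first)" if plan["ticket_expires_first"] else "")
    for body in build_invalidate_requests(token):
        print("DELETE", TOKEN_ENDPOINT, json.dumps(body))
```

Sending the bodies over HTTPS to a cluster is left to the caller's HTTP client; the point of `plan_invalidation` is that the invalidation deadline comes from the client's own knowledge of the ticket, since the cluster keeps no record of it.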
@bizybot bizybot added the :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) label Jun 4, 2019
elasticmachine (Collaborator) commented:

Pinging @elastic/es-security

@bizybot bizybot added :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC v8.0.0 v7.3.0 >enhancement labels Jun 4, 2019
jkakavas (Member) commented Jun 4, 2019

> In addition, kibana_user role now has cluster privilege to create tokens.
> This allows the Kibana user to create access_token/refresh_token pair in exchange for
> kerberos tickets.

I don't think this is necessary. The call to the API will be made by the kibana user, not any (end) user with the kibana_user role.

@bizybot bizybot changed the title Add kerberos grant_type to exchange Kerberos credentials for token Add kerberos grant_type to get token in exchange for Kerberos ticket Jun 5, 2019
@bizybot bizybot changed the title Add kerberos grant_type to get token in exchange for Kerberos ticket [WIP] Add kerberos grant_type to get token in exchange for Kerberos ticket Jun 5, 2019
@bizybot bizybot requested a review from jkakavas June 5, 2019 02:18
@bizybot bizybot marked this pull request as ready for review June 6, 2019 07:35
@bizybot bizybot changed the title [WIP] Add kerberos grant_type to get token in exchange for Kerberos ticket Add kerberos grant_type to get token in exchange for Kerberos ticket Jun 6, 2019
jkakavas (Member) left a review comment:

Looks good Yogesh! Just a few comments/suggestions, and I'll take a final look on Monday morning.

bizybot (Contributor, Author) commented Jun 13, 2019

Hi @jkakavas, I have addressed your review comments, please take another look when you get some time. Thank you.

jkakavas (Member) left a review comment:

LGTM

Two review threads on x-pack/docs/en/rest-api/security/get-tokens.asciidoc (outdated, resolved)
@bizybot bizybot merged commit 4422c0e into elastic:master Jun 18, 2019
bizybot added a commit to bizybot/elasticsearch that referenced this pull request Jun 19, 2019
…lastic#42847)

Kibana wants to create an access_token/refresh_token pair using the Token
management APIs in exchange for Kerberos tickets. The `client_credentials`
grant_type requires every user to have the `cluster:admin/xpack/security/token/create`
cluster privilege.

This commit introduces the `_kerberos` grant_type for generating an `access_token`
and `refresh_token` in exchange for a valid base64-encoded Kerberos ticket.
In addition, the `kibana_user` role now has the cluster privilege to create tokens.
This allows Kibana to create an access_token/refresh_token pair in exchange for
Kerberos tickets.

Note:
The lifetime of the Kerberos ticket is not used in ES, so even after it expires
the access_token/refresh_token pair will still be valid. Care must be taken to invalidate
such tokens using the token management APIs if required.

Closes elastic#41943
bizybot added a commit that referenced this pull request Jun 19, 2019
…42847) (#43355)

Kibana wants to create an access_token/refresh_token pair using the Token
management APIs in exchange for Kerberos tickets. The `client_credentials`
grant_type requires every user to have the `cluster:admin/xpack/security/token/create`
cluster privilege.

This commit introduces the `_kerberos` grant_type for generating an `access_token`
and `refresh_token` in exchange for a valid base64-encoded Kerberos ticket.
In addition, the `kibana_user` role now has the cluster privilege to create tokens.
This allows Kibana to create an access_token/refresh_token pair in exchange for
Kerberos tickets.

Note:
The lifetime of the Kerberos ticket is not used in ES, so even after it expires
the access_token/refresh_token pair will still be valid. Care must be taken to invalidate
such tokens using the token management APIs if required.

Closes #41943
@jpountz jpountz removed the :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC label Jul 5, 2019
Labels: >enhancement, :Security/Authentication (Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc)), v7.3.0, v8.0.0-alpha1

Linked issue (closed by merging this pull request): Don't require cluster:admin/xpack/security/token/create privilege when client_credentials grant is used

6 participants