File: deploy-manage/users-roles/cluster-or-deployment-auth/kerberos.md (47 additions & 17 deletions)
@@ -67,16 +67,13 @@ In Kerberos, users authenticate with an authentication service and later with a
### Prerequisites [kerberos-realm-prereq]
-
* Deploy Kerberos.
-
-
You must have the Kerberos infrastructure set up in your environment.
-
-
::::{note}
-
Kerberos requires a lot of external services to function properly, such as time synchronization between all machines and working forward and reverse DNS mappings in your domain. Refer to your Kerberos documentation for more details.
-
::::
+
Before you set up a Kerbberos realm, you must have the Kerberos infrastructure set up in your environment.
+
::::{note}
+
Kerberos requires a lot of external services to function properly, such as time synchronization between all machines and working forward and reverse DNS mappings in your domain. Refer to your Kerberos documentation for more details.
+
::::
-
These instructions do not cover setting up and configuring your Kerberos deployment. Where examples are provided, they pertain to an MIT Kerberos V5 deployment. For more information, see [MIT Kerberos documentation](http://web.mit.edu/kerberos/www/index.md)
+
These instructions do not cover setting up and configuring your Kerberos deployment. Where examples are provided, they pertain to an MIT Kerberos V5 deployment. For more information, see [MIT Kerberos documentation](http://web.mit.edu/kerberos/www/index.md)
If you're using a self-managed cluster, then perform the following additional steps:
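Review bot: the new prerequisites sentence misspells the product name ("Before you set up a Kerbberos realm"); it should read "Kerberos realm". Two smaller points in the same hunk: the MIT Kerberos link that line 76 re-adds unchanged points at `http://web.mit.edu/kerberos/www/index.md`, and a `.md` suffix on an external MIT URL looks like a link-rewrite artifact rather than a real page (the MIT site serves `index.html`), so confirm it resolves and prefer `https`; and folding the `* Deploy Kerberos.` bullet into prose removes the only imperative step under Prerequisites, which is fine as long as the sentence still reads as a required action rather than background.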
@@ -112,7 +109,7 @@ To configure a Kerberos realm in {{es}}:
{{es}} uses Java GSS framework support for Kerberos authentication. To support Kerberos authentication, {{es}} needs the following files:
* `krb5.conf`: The Kerberos configuration file (`krb5.conf`) provides information such as the default realm, the Key Distribution Center (KDC), and other configuration details required for Kerberos authentication. For more information, see [krb5.conf](https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html).
-
* **A keytab**: A keytab is a file that stores pairs of principals and encryption keys. {{es}} uses the keys from the keytab to decrypt the tickets presented by the user. You must create a keytab for {{es}} by using the tools provided by your Kerberos implementation. For example, some tools that create keytabs are `ktpass.exe` on Windows and `kadmin` for MIT Kerberos.
+
* `keytab`: A keytab is a file that stores pairs of principals and encryption keys. {{es}} uses the keys from the keytab to decrypt the tickets presented by the user. You must create a keytab for {{es}} by using the tools provided by your Kerberos implementation. For example, some tools that create keytabs are `ktpass.exe` on Windows and `kadmin` for MIT Kerberos.
The configuration requirements depend on your Kerberos setup. Refer to your Kerberos documentation to configure the `krb5.conf` file.
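Review bot: rendering the bullet as `keytab` in code font puts what looks like a literal filename next to `krb5.conf`, but unlike `krb5.conf` the keytab has no conventional name; {{es}} reads whatever file the realm's `keytab.path` setting points to. Either keep a descriptive label (for example **Keytab file**) or state that `keytab` here is a placeholder name. The bullet also deserves one more sentence: since the keytab holds the long-term keys used to decrypt tickets, it should be readable only by the user {{es}} runs as and kept out of anything committed to source control.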
@@ -191,18 +188,51 @@ For detailed information of available realm settings, see [Kerberos realm settin
::::{tab-item} ECK
-
% TODO: jvm setup
-
% podTemplate with a mount that shadows /usr/share/elasticsearch/config/jvm.options.d/
-
% set `java.security.krb5.conf`
-
% 1. Configure the JVM to find the Kerberos configuration file.
+
1. Install your `krb5.conf` and `keytab` files as a [custom configuration file](/deploy-manage/deploy/cloud-on-k8s/custom-configuration-files-plugins#use-a-volume-and-volume-mount-together-with-a-configmap-or-secret).
+
+
2. Configure the JVM to find the Kerberos configuration file.
-
% {{es}} uses Java GSS and JAAS Krb5LoginModule to support Kerberos authentication using a Simple and Protected GSSAPI Negotiation (SPNEGO) mechanism. When the JVM needs some configuration properties, it tries to find those values by locating and loading the `krb5.conf` file. The JVM system property to configure the file path is `java.security.krb5.conf`. If this system property is not specified, Java tries to locate the file based on the conventions.
+
{{es}} uses Java GSS and JAAS Krb5LoginModule to support Kerberos authentication using a Simple and Protected GSSAPI Negotiation (SPNEGO) mechanism. When the JVM needs some configuration properties, it tries to find those values by locating and loading the `krb5.conf` file. The JVM system property to configure the file path is `java.security.krb5.conf`. If this system property is not specified, Java tries to locate the file based on the conventions.
-
1. Install your `krb5.conf` and `keytab` files as a [custom configuration file](/deploy-manage/deploy/cloud-on-k8s/custom-configuration-files-plugins#use-a-volume-and-volume-mount-together-with-a-configmap-or-secret).
+
To provide JVM setting overrides to your cluster:
-
2. Edit your cluster configuration to define your Kerberos settings:
+
1. Create a new ConfigMap. The source file should contain a key named `java.security.krb5.conf` pointing to your configuration file:
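Review bot: in the new sub-step `1. Create a new ConfigMap...`, "a key named `java.security.krb5.conf` pointing to your configuration file" reads as though the ConfigMap key is the JVM property itself; the paragraph just above says the property is set on the JVM, and the removed TODO planned a mount shadowing `/usr/share/elasticsearch/config/jvm.options.d/`, so spell out that the ConfigMap key becomes the options filename mounted under `jvm.options.d/` and that the file's content is the `-Djava.security.krb5.conf=<path>` line, with the path matching where step 1 mounted `krb5.conf`. Two smaller points: "Java tries to locate the file based on the conventions" should name or link those default locations, which differ per OS, and the SPNEGO expansion is missing its last word (Simple and Protected GSSAPI Negotiation Mechanism). The hunk as shown stops right after the `Create a new ConfigMap` line, so check that the ConfigMap contents, the mount into `jvm.options.d/`, and the cluster-configuration step that replaces the removed `2. Edit your cluster configuration to define your Kerberos settings:` all follow in the final text.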