Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cherry-pick #17927 to 7.x: Add Kerberos support to Elasticsearch output #18080

Merged
merged 2 commits into from
Apr 30, 2020
Merged

Cherry-pick #17927 to 7.x: Add Kerberos support to Elasticsearch output #18080

merged 2 commits into from
Apr 30, 2020

Conversation

kvch
Copy link
Contributor

@kvch kvch commented Apr 29, 2020
edited by zube bot
Loading

Cherry-pick of PR #17927 to 7.x branch. Original message:

What does this PR do?

This PR adds support for Kerberos authentication to Elasticsearch output.

Configuration

Users can authenticate using either passwords or keytabs.

The option service_name is not exposed as in case of ES it has be HTTP. Thus, the SPN of the output is always HTTP/{output.elasticsearch.host}@{output.elasticsearch.kerberos.realm}.

# Authentication type to use with Kerberos. Available options: keytab, password.
#kerberos.auth_type: password

# Path to the keytab file. It is used when auth_type is set to keytab.
#kerberos.keytab: /etc/elastic.keytab

# Path to the Kerberos configuration.
#kerberos.config_path: /etc/krb5.conf

# Name of the Kerberos user.
#kerberos.username: elastic

# Password of the Kerberos user. It is used when auth_type is set to password.
#kerberos.password: changeme

# Kerberos realm.
#kerberos.realm: ELASTIC

Architecture

Kerberos authentication is implemented by using the spnego.Client from gopkg.in/jcmturner/gokrb5/v7.5. It is an HTTP client which is able to authenticate to a Kerberos KDC and get the required session key to authenticate to Elasticsearch.

In order to use the client when communicating with ES, I introduced a new interface named esHTTPClient with the following functions:

type esHTTPClient interface {
	Do(req *http.Request) (resp *http.Response, err error)
	CloseIdleConnections()
}

So the newly created kerberos.Client and http.Client can be used in Connection.

The only drawback of this solution is that it is not compatible with github.com/elastic/go-elasticsearch. The main issue is the constructor of that package only lets us configure http.Transport. However, http.Transport should be used for authentication according to Golang documentation. For the record, it is possible to implement Kerberos authentication in a special RoundTripper, but I am not a huge fan of that approach as the Golang docs advise against it.

Reference:

Testing

I am planning to add tests in a follow-up PR. I wanted to raise this first, so we can agree on the selected architecture.

Why is it important?

Users now can authenticate to Kerberos-aware Elasticsearch instances.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

@kvch
Add Kerberos support to Elasticsearch output (elastic#17927)
07d1018 
This PR adds support for Kerberos authentication to Elasticsearch output.

Users can authenticate using either passwords or keytabs.

The option `service_name` is not exposed as in case of ES it has be `HTTP`. Thus, the [SPN](https://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html) of the output is always `HTTP/{output.elasticsearch.host}@{output.elasticsearch.kerberos.realm}`.

```yaml

```
(cherry picked from commit f66b079)
@kvch kvch requested review from a team as code owners April 29, 2020 07:19
@kvch kvch added [zube]: In Review backport Team:Services (Deprecated) Label for the former Integrations-Services team labels Apr 29, 2020
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Apr 29, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/integrations-services (Team:Services)

@elasticmachine
Copy link
Collaborator

elasticmachine commented Apr 29, 2020
edited
Loading

💔 Build Failed

Pipeline View Test View Changes Artifacts preview stats

Expand to view the summary

Build stats

Test stats 🧪

Test Results
Failed 0
Passed 5823
Skipped 904
Total 6727

Steps errors

Expand to view the steps failures

  • Name: Make -C generator/_templates/metricbeat test

    • Description: make -C generator/_templates/metricbeat test

    • Result: FAILURE

    • Duration: 1 min 31 sec<

    • Start Time: 2020-04-30T11:19:29.610+0000

Log output

Expand to view the last 100 lines of log output 

[2020-04-30T12:29:59.132Z] 	at java.lang.Thread.run(Thread.java:748)
[2020-04-30T12:29:59.132Z] No artifacts found that match the file pattern "**/build/TEST*.out". Configuration error?
[2020-04-30T12:29:59.599Z] + curl -sSLo codecov https://codecov.io/bash
[2020-04-30T12:29:59.863Z] + FILE=auditbeat/build/coverage/full.cov
[2020-04-30T12:29:59.863Z] + [ -f auditbeat/build/coverage/full.cov ]
[2020-04-30T12:29:59.863Z] + FILE=filebeat/build/coverage/full.cov
[2020-04-30T12:29:59.863Z] + [ -f filebeat/build/coverage/full.cov ]
[2020-04-30T12:29:59.863Z] + FILE=heartbeat/build/coverage/full.cov
[2020-04-30T12:29:59.863Z] + [ -f heartbeat/build/coverage/full.cov ]
[2020-04-30T12:29:59.863Z] + FILE=libbeat/build/coverage/full.cov
[2020-04-30T12:29:59.863Z] + [ -f libbeat/build/coverage/full.cov ]
[2020-04-30T12:29:59.863Z] + FILE=metricbeat/build/coverage/full.cov
[2020-04-30T12:29:59.863Z] + [ -f metricbeat/build/coverage/full.cov ]
[2020-04-30T12:29:59.863Z] + FILE=packetbeat/build/coverage/full.cov
[2020-04-30T12:29:59.863Z] + [ -f packetbeat/build/coverage/full.cov ]
[2020-04-30T12:29:59.863Z] + FILE=winlogbeat/build/coverage/full.cov
[2020-04-30T12:29:59.863Z] + [ -f winlogbeat/build/coverage/full.cov ]
[2020-04-30T12:29:59.863Z] + FILE=journalbeat/build/coverage/full.cov
[2020-04-30T12:29:59.863Z] + [ -f journalbeat/build/coverage/full.cov ]
[2020-04-30T12:30:01.741Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18080/src/github.com/elastic/beats
[2020-04-30T12:30:02.161Z] + find . -type f -name TEST*.xml -path */build/* -delete
[2020-04-30T12:30:02.181Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18080/src/github.com/elastic/beats/Lint
[2020-04-30T12:30:02.406Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18080/src/github.com/elastic/beats/Dockerlogbeat
[2020-04-30T12:30:02.574Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18080/src/github.com/elastic/beats/Elastic-Agent-x-pack
[2020-04-30T12:30:02.715Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18080/src/github.com/elastic/beats/Winlogbeat-oss
[2020-04-30T12:30:02.827Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18080/src/github.com/elastic/beats/Generators-Metricbeat-Linux
[2020-04-30T12:30:02.994Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18080/src/github.com/elastic/beats/Journalbeat-oss
[2020-04-30T12:30:03.172Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18080/src/github.com/elastic/beats/Elastic-Agent-x-pack-Windows
[2020-04-30T12:30:03.309Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18080/src/github.com/elastic/beats/Functionbeat-x-pack
[2020-04-30T12:30:03.453Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18080/src/github.com/elastic/beats/Metricbeat-OSS-Unit-tests
[2020-04-30T12:30:03.603Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18080/src/github.com/elastic/beats/Metricbeat-crosscompile
[2020-04-30T12:30:03.734Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18080/src/github.com/elastic/beats/Heartbeat-oss
[2020-04-30T12:30:03.849Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18080/src/github.com/elastic/beats/Winlogbeat-Windows-x-pack
[2020-04-30T12:30:04.045Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18080/src/github.com/elastic/beats/Libbeat-x-pack
[2020-04-30T12:30:04.206Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18080/src/github.com/elastic/beats/Auditbeat-x-pack
[2020-04-30T12:30:04.353Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18080/src/github.com/elastic/beats/Filebeat-Windows
[2020-04-30T12:30:04.472Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18080/src/github.com/elastic/beats/Packetbeat-oss
[2020-04-30T12:30:04.625Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18080/src/github.com/elastic/beats/Auditbeat-Linux
[2020-04-30T12:30:04.739Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18080/src/github.com/elastic/beats/Metricbeat-Windows
[2020-04-30T12:30:04.934Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18080/src/github.com/elastic/beats/Auditbeat-crosscompile
[2020-04-30T12:30:05.087Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18080/src/github.com/elastic/beats/Winlogbeat-Windows
[2020-04-30T12:30:05.297Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18080/src/github.com/elastic/beats/Filebeat-x-pack
[2020-04-30T12:30:05.506Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18080/src/github.com/elastic/beats/Heartbeat-Windows
[2020-04-30T12:30:05.802Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18080/src/github.com/elastic/beats/Functionbeat-Windows
[2020-04-30T12:30:05.934Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18080/src/github.com/elastic/beats/Filebeat-oss
[2020-04-30T12:30:06.114Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18080/src/github.com/elastic/beats/Metricbeat-Python-integration-tests
[2020-04-30T12:30:06.345Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18080/src/github.com/elastic/beats/Metricbeat-OSS-Integration-tests
[2020-04-30T12:30:06.555Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18080/src/github.com/elastic/beats/Libbeat-oss
[2020-04-30T12:30:06.750Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18080/src/github.com/elastic/beats/Metricbeat-x-pack
[2020-04-30T12:30:07.033Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18080/src/github.com/elastic/beats/Auditbeat-Windows
[2020-04-30T12:30:07.306Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18080/src/github.com/elastic/beats/Libbeat-crosscompile
[2020-04-30T12:30:07.595Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18080/src/github.com/elastic/beats/Libbeat-stress-tests
[2020-04-30T12:30:08.085Z] + cat
[2020-04-30T12:30:08.085Z] + /usr/local/bin/runbld ./runbld-script
[2020-04-30T12:30:08.085Z] Picked up JAVA_TOOL_OPTIONS: -Dfile.encoding=UTF8
[2020-04-30T12:30:14.721Z] runbld>>> runbld started
[2020-04-30T12:30:14.721Z] runbld>>> 1.6.11/a66728ff8f4356963772e6e6d2069392fa06acbe
[2020-04-30T12:30:16.141Z] runbld>>> The following profiles matched the job 'Beats/beats-beats-mbp/PR-18080' in order of occurrence in the config (last value wins).
[2020-04-30T12:30:17.103Z] runbld>>> Debug logging enabled.
[2020-04-30T12:30:17.103Z] runbld>>> Storing result
[2020-04-30T12:30:17.369Z] runbld>>> Store result: created {:total 2, :successful 2, :failed 0} 1
[2020-04-30T12:30:17.369Z] runbld>>> BUILD: https://c150076387b5421f9154dfbf536e5c60.us-west1.gcp.cloud.es.io:9243/build-1587637540455/t/20200430123016-AC7893D9
[2020-04-30T12:30:17.369Z] runbld>>> Adding system facts.
[2020-04-30T12:30:18.322Z] runbld>>> Adding vcs info for the latest commit:  c3a0568379875ccdb43677cab7d741776a2dcedc
[2020-04-30T12:30:18.583Z] runbld>>> >>>>>>>>>>>> SCRIPT EXECUTION BEGIN >>>>>>>>>>>>
[2020-04-30T12:30:18.583Z] runbld>>> Adding /usr/lib/jvm/java-8-openjdk-amd64/bin to the path.
[2020-04-30T12:30:18.583Z] Processing JUnit reports with runbld...
[2020-04-30T12:30:18.583Z] + echo 'Processing JUnit reports with runbld...'
[2020-04-30T12:30:18.848Z] runbld>>> <<<<<<<<<<<< SCRIPT EXECUTION END <<<<<<<<<<<<
[2020-04-30T12:30:18.848Z] runbld>>> DURATION: 20ms
[2020-04-30T12:30:18.848Z] runbld>>> STDOUT: 40 bytes
[2020-04-30T12:30:18.848Z] runbld>>> STDERR: 49 bytes
[2020-04-30T12:30:18.848Z] runbld>>> WRAPPED PROCESS: SUCCESS (0)
[2020-04-30T12:30:18.848Z] runbld>>> Searching for build metadata in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18080/src/github.com/elastic/beats
[2020-04-30T12:30:20.232Z] runbld>>> Storing build metadata: 
[2020-04-30T12:30:20.232Z] runbld>>> Adding test report.
[2020-04-30T12:30:20.232Z] runbld>>> Searching for junit test output files with the pattern: TEST-.*\.xml$ in: /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18080/src/github.com/elastic/beats
[2020-04-30T12:30:21.610Z] runbld>>> Found 93 test output files
[2020-04-30T12:30:21.904Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18080/src/github.com/elastic/beats/Metricbeat-OSS-Integration-tests/metricbeat/build/TEST-go-integration-windows.xml
[2020-04-30T12:30:22.166Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18080/src/github.com/elastic/beats/Metricbeat-OSS-Integration-tests/metricbeat/build/TEST-go-integration-graphite.xml
[2020-04-30T12:30:22.733Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18080/src/github.com/elastic/beats/Metricbeat-x-pack/x-pack/metricbeat/build/TEST-go-integration-openmetrics.xml
[2020-04-30T12:30:22.733Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18080/src/github.com/elastic/beats/Metricbeat-x-pack/x-pack/metricbeat/build/TEST-go-integration-activemq.xml
[2020-04-30T12:30:22.733Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18080/src/github.com/elastic/beats/Metricbeat-x-pack/x-pack/metricbeat/build/TEST-go-integration-cloudfoundry.xml
[2020-04-30T12:30:22.733Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18080/src/github.com/elastic/beats/Metricbeat-x-pack/x-pack/metricbeat/build/TEST-go-integration-tomcat.xml
[2020-04-30T12:30:22.733Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18080/src/github.com/elastic/beats/Metricbeat-x-pack/x-pack/metricbeat/build/TEST-go-integration-iis.xml
[2020-04-30T12:30:22.733Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18080/src/github.com/elastic/beats/Metricbeat-x-pack/x-pack/metricbeat/build/TEST-go-integration-istio.xml
[2020-04-30T12:30:23.299Z] runbld>>> Test output logs contained: Errors: 0 Failures: 0 Tests: 6577 Skipped: 722
[2020-04-30T12:30:23.299Z] runbld>>> Storing result
[2020-04-30T12:30:23.299Z] runbld>>> FAILURES: 0
[2020-04-30T12:30:23.557Z] runbld>>> Store result: updated {:total 2, :successful 2, :failed 0} 2
[2020-04-30T12:30:23.557Z] runbld>>> BUILD: https://c150076387b5421f9154dfbf536e5c60.us-west1.gcp.cloud.es.io:9243/build-1587637540455/t/20200430123016-AC7893D9
[2020-04-30T12:30:23.557Z] runbld>>> Email notification disabled by environment variable.
[2020-04-30T12:30:23.557Z] runbld>>> Slack notification disabled by environment variable.
[2020-04-30T12:30:29.735Z] Running on Jenkins in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18080
[2020-04-30T12:30:29.994Z] [INFO] getVaultSecret: Getting secrets
[2020-04-30T12:30:30.046Z] Masking supported pattern matches of $VAULT_ADDR or $VAULT_ROLE_ID or $VAULT_SECRET_ID
[2020-04-30T12:30:30.881Z] + chmod 755 generate-build-data.sh
[2020-04-30T12:30:30.881Z] + ./generate-build-data.sh https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats-beats-mbp/PR-18080/ https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats-beats-mbp/PR-18080/runs/2 FAILURE 7074442
[2020-04-30T12:30:31.432Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats-beats-mbp/PR-18080/runs/2/steps/?limit=10000 -o steps-info.json
[2020-04-30T12:30:31.983Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats-beats-mbp/PR-18080/runs/2/tests/?status=FAILED -o tests-errors.json

@kvch kvch merged commit 360c14c into elastic:7.x Apr 30, 2020
@andresrc andresrc removed the needs_team Indicates that the issue/PR needs a Team:* label label May 2, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@urso urso urso approved these changes

Assignees
No one assigned
Labels
backport Team:Services (Deprecated) Label for the former Integrations-Services team [zube]: Done
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@kvch @elasticmachine @urso @andresrc