Authentication via Kerberos


(Marcus Caepio) #1

Hi all,

just testing readonlyrest right now.
Since I am struggling with the “double authenitcation bug” of kibana, I want to ask, if an authentication via kerberos to use single-sign-on is possible.

Regards,
Marcus


(Simone Scarduzio) #2

Look at proxy_auth rule, this makes you map the kerberos users to ROR users via a header injected by a reverse proxy (which may implement Kerberos, for example)


(Priyansha2609) #3

Can i use kerberos auth using external http authentication.
Documentation says the authorization header received will simply be passed authentication rest end point.which will take care of authentication.
But i think since authentication header is of type negotiate it doesn’t seems to be working.
It says no basic auth header found.
Is there a work-around here?


(Simone Scarduzio) #4

I think you refer to WWW-Authenticate: Negotiate response header that comes back from the authentication server to a requesting client.

ROR external authentication is not a full fledged proxy, as it should not. It’s just ROR calling an external service using your credentials and seeing if it goes OK 200.


(Priyansha2609) #5

How can I use kerberos based authentication with ROR? Basically we already have a service in place that reads kerberos credentials and uses them for authentication. I was under the impression that , if I hit elastic search, ROR should simply forward the kerberos credentials received to the rest end point proivded(which in this case, is our service) and the since the rest end point uses kerberos based authentication it will return appropriate status code which will be interpreted by ROR.

Are you saying that there will be multiple interactions between client and server as follows:

  • The client is making a request to server without any credentials.
  • sever responds with WWW-Authenticate: Negotiate.
  • kerberos credentials are now sent by the client to the server.

Which in this case is not happening as elastic search doesn’t respond with WWW-Authenticate header.


(Simone Scarduzio) #6

@priyansha2609 ROR does not support Kerberos authentication natively at this point in time, but it needs a reverse proxy in front of it. I.e. Apache Httpd, Nginx, you name it.