Kerberos

Kerberos is a robust and secure method for user authentication that prevents passwords from being sent over the internet by issuing “tickets” for secure identity verification.

In order to use Kerberos authentication, you must set the following settings in opensearch.yml and config.yml.

OpenSearch node configuration

In opensearch.yml, define the following settings:

  1. plugins.security.kerberos.krb5_filepath: '/etc/krb5.conf'
  2. plugins.security.kerberos.acceptor_keytab_filepath: 'opensearch_keytab.tab'
  3. plugins.security.kerberos.acceptor_principal: 'HTTP/localhost'
NameDescription
krb5_filepathThe path to your Kerberos configuration file. This file contains various settings regarding your Kerberos installation, for example, the realm names, hostnames, and ports of the Kerberos key distribution center (KDC).
acceptor_keytab_filepathThe path to the keytab file, which contains the principal that the Security plugin uses to issue requests through Kerberos.
acceptor_principalThe principal that the Security plugin uses to issue requests through Kerberos. This value must be present in the keytab file.

Due to security restrictions, the keytab file must be placed in config or a subdirectory, and the path in opensearch.yml must be relative, not absolute.

Cluster security configuration

The following example shows a typical Kerberos authentication domain in config.yml:

  1. kerberos_auth_domain:
  2. enabled: true
  3. order: 1
  4. http_authenticator:
  5. type: kerberos
  6. challenge: true
  7. config:
  8. krb_debug: false
  9. strip_realm_from_principal: true
  10. authentication_backend:
  11. type: noop

Authentication through Kerberos when using a browser on an HTTP level is achieved using SPNEGO. Kerberos/SPNEGO implementations vary, depending on your browser and operating system. This is important when deciding if you need to set the challenge flag to true or false.

As with HTTP Basic Authentication, this flag determines how the Security plugin should react when no Authorization header is found in the HTTP request or if this header does not equal negotiate.

If set to true, the Security plugin sends a response with status code 401 and a WWW-Authenticate header set to negotiate. This tells the client (browser) to resend the request with the Authorization header set. If set to false, the Security plugin cannot extract the credentials from the request, and authentication fails. Setting challenge to false thus makes sense only if the Kerberos credentials are sent in the initial request.

NameDescription
krb_debugAs the name implies, setting it to true outputs Kerberos-specific debugging messages to stdout. Use this setting if you encounter problems with your Kerberos integration. Default is false.
strip_realm_from_principalWhen set it to true, the Security plugin strips the realm from the user name. Default: true.

Because Kerberos/SPNEGO authenticates users on an HTTP level, no additional authentication_backend is needed. Set this value to noop.