github-mirrors/elasticsearch
1
0
Fork 0
mirror of https://github.com/elastic/elasticsearch.git synced 2025-04-24 23:27:25 -04:00
Code Issues Projects Releases Packages Wiki Activity
elasticsearch/docs/reference/security/authentication/kerberos-realm.asciidoc
James Rodewig 255c9a7f95
[DOCS] Move x-pack docs to docs/reference dir (#99209) 
**Problem:**
For historical reasons, source files for the Elasticsearch Guide's security, watcher, and Logstash API docs are housed in the `x-pack/docs` directory. This can confuse new contributors who expect Elasticsearch Guide docs to be located in `docs/reference`. 

**Solution:**
- Move the security, watcher, and Logstash API doc source files to the `docs/reference` directory
- Update doc snippet tests to use security

Rel: https://github.com/elastic/platform-docs-team/issues/208
2023-09-12 14:53:41 -04:00

72 lines
2.6 KiB
Text
Raw Permalink Blame History

[role="xpack"]
[[kerberos-realm]]
=== Kerberos authentication
You can configure the {stack} {security-features} to support Kerberos V5
authentication, an industry standard protocol to authenticate users in {es}.
NOTE: You cannot use the Kerberos realm to authenticate on the transport network layer.
To authenticate users with Kerberos, you need to configure a Kerberos realm and
map users to roles. For more information on realm settings, see
<<ref-kerberos-settings>>.
[[kerberos-terms]]
==== Key concepts
There are a few terms and concepts that you'll encounter when you're setting up
Kerberos realms:
_kdc_::
Key Distribution Center. A service that issues Kerberos tickets.
_principal_::
A Kerberos principal is a unique identity to which Kerberos can assign
tickets. It can be used to identify a user or a service provided by a
server.
+
--
Kerberos V5 principal names are of format `primary/instance@REALM`, where
`primary` is a user name.
`instance` is an optional string that qualifies the primary and is separated
by a slash(`/`) from the primary. For a user, usually it is not used; for
service hosts, it is the fully qualified domain name of the host.
`REALM` is the Kerberos realm. Usually it is the domain name in upper case.
An example of a typical user principal is `user@ES.DOMAIN.LOCAL`. An example of
a typical service principal is `HTTP/es.domain.local@ES.DOMAIN.LOCAL`.
--
_realm_::
Realms define the administrative boundary within which the authentication server
has authority to authenticate users and services.
_keytab_::
A file that stores pairs of principals and encryption keys.
IMPORTANT: Anyone with read permissions to this file can use the
credentials in the network to access other services so it is important
to protect it with proper file permissions.
_krb5.conf_::
A file that contains Kerberos configuration information such as the default realm
name, the location of Key distribution centers (KDC), realms information,
mappings from domain names to Kerberos realms, and default configurations for
realm session key encryption types.
_ticket granting ticket (TGT)_::
A TGT is an authentication ticket generated by the Kerberos authentication
server. It contains an encrypted authenticator.
[[kerberos-realm-configuration]]
==== Configuring a Kerberos realm
include::configuring-kerberos-realm.asciidoc[]
[[kerberos-realm-kibana]]
===== Configure Kibana for Kerberos
If you want to use Kerberos to authenticate via your browser and {kib}, you
need to enable the relevant authentication provider in {kib} configuration. See
{kibana-ref}/kibana-authentication.html#kerberos[kerberos single sign-on]
Reference in a new issue View git blame Copy permalink