Skip to content

Add support for Kerberized Elasticsearch #1244

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 207 commits into from
Feb 5, 2019
Merged

Add support for Kerberized Elasticsearch #1244

merged 207 commits into from
Feb 5, 2019

Conversation

jbaiera
Copy link
Member

@jbaiera jbaiera commented Feb 5, 2019

Elasticsearch supports using Kerberos to authenticate over HTTP by means of SPNEGO. Since most secure Hadoop environments make use of Kerberos to secure their environments, naturally ES-Hadoop should support Kerberos authentication.

With the recent addition of API Key authentication to Elasticsearch, we now have a stable means for obtaining long lived and stable tokens for worker process authentication when using Kerberos.

This PR contains the following changes:

  1. Extensions to the HTTP library that allow for Negotiate and ApiKey authorization.
  2. Additional mechanisms for managing user subjects, credentials, and authentication.
  3. Integration specific mechanisms for obtaining, transmitting, and cancelling delegation tokens for Elasticsearch.
  4. New test framework code that stands up Hadoop services with a local KDC for testing authentication handling across multiple real service processes.
  5. Tests to ensure correctness.

jbaiera added 30 commits August 20, 2018 11:36
@jbaiera
Add MiniKDC fixture.
a7174e1
@jbaiera
Playing with spnego stuff
788905f
@jbaiera
Add MiniKDC fixture to itest instead of test.
3736174
@jbaiera
Add manager for state of Negotiate based authentication.
5642af9
@jbaiera
Handle token data given in the negotiator's send method better.
9e8820f
@jbaiera
Add SPNEGO based auth scheme for HTTP Client.
1d444c5
@jbaiera
Add suite of Kerberos based tests.
5d9b126
@jbaiera
Add test case for wrong server principal name
b961b69
@jbaiera
Allow for reverse resolution of host names for use in principal names.
d6f7655
@jbaiera
Make sure that host specific principals work with the negotiator.
6e2fe2b
@jbaiera
Bolster the test coverage and clarify some error statements.
793147c
@jbaiera
Add stubs and early classes for Token Authentication.
805ec98
@jbaiera
Add requests to create, refresh, and cancel EsTokens.
a0619ea
@jbaiera
Discard unneeded class
6e44239
@jbaiera
Add deserialization code to EsToken.
c478686
@jbaiera
Add token renewer implementation.
41576c6 
Add renewer to services meta file.
Move token identifier to mr package.
@jbaiera
Refactor TokenCredentials to use EsToken.
ef4ef00 
Wrap the whole token instead of just the access code.
Rename TokenCredentials to EsTokenCredentials.
Mark auth scheme complete after first call. Subsequent calls will
attempt to re-read the authentication token from the provider.
TokenCredentialProvider to deserialize the token data from the hadoop token.
@jbaiera
Prefix TokenAuthScheme and TokenCredentialProvider with ES.
eaddc1b
@jbaiera
Remove prototyping class.
7b27c39
@jbaiera
Add service loader entry for EsTokenIdentifier.
7bd31bc 
Move the token identifier to the security package.
@jbaiera
Wrap the usage of UGI in the connector.
c802ea5 
We do this in case we need to swap out the user facilities for a
different integration.
@jbaiera
Add a service name for Hadoop tokens
5d25afb
@jbaiera
Add user provider registration all over the place.
b07d66a
@jbaiera
Fix comment tags
b2e52a1
@jbaiera
Missed a few spots that should register the user provider.
3888232
@jbaiera
Never pass null as extra config file for the ES Fixture
11d8546
@jbaiera
Use a configuration to provide the MiniKDC version.
58acf0e
@jbaiera
Add an independent MiniKdcFixture to be used with ES.
d76cf62
@jbaiera
Add a QA package for standalone testing.
d08b5c8 
Add a kerberos qa subproject.
@jbaiera
Wire up the SPNEGO authentication code to the client.
cb38ccc 
Test the SPNEGO auth end-to-end.
Add configurations for specifying the user and service principals.
Negotiator should use non-chunked Base64 encoding.
Only set preemptive auth when basic authentication is used.
jbaiera added 19 commits February 4, 2019 10:53
@jbaiera
Add trace statements to JdkUserProvider
9aed7e7
@jbaiera
Discover cluster info in bolt and spout constructors.
5bd40b8 
Will most likely need another pass of determining if this is the best
place to do this. We don't support multiple ES cluster outputs yet, but
Storm is probably the easiest place to do it. That said, our tokens
don't fully support it, and thus, we will have to deal with it.
@jbaiera
Add a Storm Autocredential implementation for ES
084978e
@jbaiera
Add integration test load and store jobs for Storm
afa6b53
@jbaiera
Create a testing uber jar for storm on kerberos
9773452
@jbaiera
Set topology tick tuple settings on itest
a0dc9ac
@jbaiera
Consolidate EsBolt constructors
1aa580c
@jbaiera
Remove unused method and todo
baa8ce9
@jbaiera
Upgrade to Storm 1.0.6
e5bc464
@jbaiera
Check renewal time before getting new ES Token in Storm
33f82ce
@jbaiera
Remove todo in AutoElasticsearch.
5e72a4d
@jbaiera
Remove cluster discovery from bolt and spout constructors.
f12e332 
Instead we'll just grab the cluster info from the token available on
the current subject when the job kicks off.
@jbaiera
Clarify log statement
0064f2e
@jbaiera
Downgrade todo items
8ae4945
@jbaiera
Add user method for initializing credentials for EsTaps.
76bbeb7
@jbaiera
Add load and store jobs for Cascading testing on Kerberos
600d201
@jbaiera
Wire up kerberos based tests for Cascading into the qa cluster
115ed94
@jbaiera
Todo cleanups
9339397
@jbaiera
build file cleanups and add file output verification tests.
582a4c7
@jbaiera
Copy link
Member Author

jbaiera commented Feb 5, 2019

Closes #1175

@jbaiera jbaiera merged commit 995ac2d into elastic:master Feb 5, 2019
@jbaiera jbaiera mentioned this pull request Feb 5, 2019
Closed
@jbaiera jbaiera deleted the feature-kerberos branch February 5, 2019 20:32
jbaiera added a commit that referenced this pull request Feb 5, 2019
@jbaiera
Add support for Kerberized Elasticsearch (#1244)
c9ca8ca 
Elasticsearch supports using Kerberos to authenticate over HTTP by means of SPNEGO.
Since most secure Hadoop environments make use of Kerberos to secure their
environments, naturally ES-Hadoop should support Kerberos authentication.

With the recent addition of API Key authentication to Elasticsearch, we now have a stable
means for obtaining long lived and stable tokens for worker process authentication when
using Kerberos.
This was referenced Oct 19, 2023
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
:Core feature v6.7.0 v7.0.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@jbaiera