| 1 | +[role="xpack"] |
| 2 | +[[kerberos-realm]] |
| 3 | +=== Kerberos authentication |
| 4 | + |
| 5 | +You can configure {security} to support Kerberos V5 authentication, |
| 6 | +an industry standard protocol to authenticate users in {es}. |
| 7 | + |
| 8 | +NOTE: You cannot use the Kerberos realm to authenticate users in {kib} |
| 9 | +and on the transport network layer. |
| 10 | + |
| 11 | +To authenticate users with Kerberos, you need to |
| 12 | +{ref}/configuring-kerberos-realm.html[configure a Kerberos realm] and |
| 13 | +<<mapping-roles, map users to {security} roles>>. |
| 14 | +For more information on realm settings, see |
| 15 | +{ref}/security-settings.html#ref-kerberos-settings[Kerberos realm settings]. |
| 16 | + |
| 17 | +[[kerberos-terms]] |
| 18 | +==== Key concepts |
| 19 | + |
| 20 | +There are a few terms and concepts that you'll encounter when you're setting up |
| 21 | +Kerberos realms: |
| 22 | + |
| 23 | +_kdc_:: |
| 24 | +Key Distribution Center. A service that issues Kerberos tickets. |
| 25 | + |
| 26 | +_principal_:: |
| 27 | +A Kerberos principal is a unique identity to which Kerberos can assign |
| 28 | +tickets. It can be used to identify a user or a service provided by a |
| 29 | +server. |
| 30 | ++ |
| 31 | +-- |
| 32 | +Kerberos V5 principal names are of format `primary/instance@REALM`, where |
| 33 | +`primary` is a user name. |
| 34 | + |
| 35 | +`instance` is an optional string that qualifies the primary and is separated |
| 36 | +by a slash(`/`) from the primary. For a user, usually it is not used; for |
| 37 | +service hosts, it is the fully qualified domain name of the host. |
| 38 | + |
| 39 | +`REALM` is the Kerberos realm. Usually it is is the domain name in upper case. |
| 40 | +An example of a typical user principal is ` [email protected]`. An example of |
| 41 | +a typical service principal is `HTTP/ [email protected]`. |
| 42 | +-- |
| 43 | + |
| 44 | +_realm_:: |
| 45 | +Realms define the administrative boundary within which the authentication server |
| 46 | +has authority to authenticate users and services. |
| 47 | + |
| 48 | +_keytab_:: |
| 49 | +A file that stores pairs of principals and encryption keys. |
| 50 | + |
| 51 | +IMPORTANT: Anyone with read permissions to this file can use the |
| 52 | +credentials in the network to access other services so it is important |
| 53 | +to protect it with proper file permissions. |
| 54 | + |
| 55 | +_krb5.conf_:: |
| 56 | +A file that contains Kerberos configuration information such as the default realm |
| 57 | +name, the location of Key distribution centers (KDC), realms information, |
| 58 | +mappings from domain names to Kerberos realms, and default configurations for |
| 59 | +realm session key encryption types. |
| 60 | + |
| 61 | +_ticket granting ticket (TGT)_:: |
| 62 | +A TGT is an authentication ticket generated by the Kerberos authentication |
| 63 | +server. It contains an encrypted authenticator. |
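Review bot: the definition under `_ticket granting ticket (TGT)_` at the end of the hunk says the TGT "contains an encrypted authenticator", which conflates two different Kerberos structures: a TGT is a ticket for the ticket-granting service, encrypted under the TGS's long-term key, that carries the client principal and a session key, whereas the authenticator is a separate timestamped structure that the client encrypts with that session key and sends alongside the ticket in each AP-REQ. Suggest rewording to: "A TGT is a ticket, issued by the KDC's authentication server, that the client presents to the ticket-granting service to obtain service tickets. It contains the client principal and a session key and is encrypted with the ticket-granting service's secret key." Smaller points in the same hunk: under `_principal_`, "`primary` is a user name" only holds for user principals; for a service principal such as the `HTTP/...` example the primary is the service name, so say "a user name or a service name". The two example principals render as `` ` [email protected]` `` and `` `HTTP/ [email protected]` ``, with a stray space after the opening backtick and the address replaced, so the rendered page shows no readable `primary/instance@REALM` example; the literal example values need restoring. "Usually it is is the domain name" has a doubled "is", and "slash(`/`)" needs a space before the parenthesis. The `IMPORTANT` block on keytabs would be more actionable if it named the concrete control: the keytab holds the long-term key of the service principal, so it should be owned by and readable only by the account that runs {es} (for example mode `0600`) rather than just "proper file permissions".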