Using Kibana with Kerberos
Once you have set up Kerberos for Elasticsearch, configure it as authentication type in kibana.yml like:
You can use all Search Guard features like multi tenancy and the configuration GUI with Kerberos.
Due to bugs and limitations in Kibana and X-Pack, not all X-Pack features will work however, please see below.
If you’re using HTTP Basic Authentication and the internal user database for the Kibana server user, make sure that only the Kerberos authenticator has set
basic_internal_auth_domain: enabled: true order: 0 http_authenticator: type: basic challenge: false authentication_backend: type: intern kerberos_auth_domain: enabled: true order: 1 http_authenticator: type: kerberos challenge: true config: ...
Depending on the browser you are using, make sure you have configure the Kibana domain correctly for Kerberos authentication. Please refer to the documentation of your browser for further instructions.
Due to a bug regarding handling HTTP error codes 401 and 403 in X-Pack, it is currently not possible to use X-Pack Monitoring with Kerberos.
X-Pack Machine Learning
Due to the way HTTP requests are handled by the machine learning module internally, it is currently not possible to use X-Pack Machine Learning with Kerberos.
Kibana URL shortener
It’s currently not possible to use the Kibana URL shortener together with Kibana/SPNEGO due to technical limitations of the Kibana architecture.
Disabling the replay cache
Kerberos/SPNEGO has a security mechanism called “Replay Cache”. The replay cache makes sure that an Kerberos/SPENGO token can be used only once in a certain timeframe. This conflicts with the Kibana request handling, where one browser request to Kibana can result in multiple requests to Elasticsearch.
These sub-requests will all carry the same Kerberos token and are thus interpreted as replay attack. You will see error messages like:
[com.floragunn.dlic.auth.http.kerberos.HTTPSpnegoAuthenticator] Service login not successful due to java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Request is a replay (34))
At the moment, the only way to make Kerberos work with Kibana is to disable the replay cache. This is of course not optimal, but so far the only known way.
With Oracle JDK, you can set
jvm.options of Elasticsearch.