[Backport] Add kerberos grant_type to get token in exchange for Kerberos ticket … #43355

bizybot · 2019-06-19T03:23:32Z

Kibana wants to create access_token/refresh_token pair using Token
management APIs in exchange for kerberos tickets. client_credentials
grant_type requires every user to have cluster:admin/xpack/security/token/create
cluster privilege.

This commit introduces _kerberos grant_type for generating access_token
and refresh_token in exchange for a valid base64 encoded kerberos ticket.
In addition, kibana_user role now has cluster privilege to create tokens.
This allows Kibana to create access_token/refresh_token pair in exchange for
kerberos tickets.

Note:
The lifetime from the kerberos ticket is not used in ES and so even after it expires
the access_token/refresh_token pair will be valid. Care must be taken to invalidate
such tokens using token management APIs if required.

Closes #41943

…lastic#42847) Kibana wants to create access_token/refresh_token pair using Token management APIs in exchange for kerberos tickets. `client_credentials` grant_type requires every user to have `cluster:admin/xpack/security/token/create` cluster privilege. This commit introduces `_kerberos` grant_type for generating `access_token` and `refresh_token` in exchange for a valid base64 encoded kerberos ticket. In addition, `kibana_user` role now has cluster privilege to create tokens. This allows Kibana to create access_token/refresh_token pair in exchange for kerberos tickets. Note: The lifetime from the kerberos ticket is not used in ES and so even after it expires the access_token/refresh_token pair will be valid. Care must be taken to invalidate such tokens using token management APIs if required. Closes elastic#41943

bizybot added the backport label Jun 19, 2019

bizybot force-pushed the 42847-backport-7x branch from f19bcdf to 9f9a2c3 Compare June 19, 2019 04:04

bizybot merged commit 2f17340 into elastic:7.x Jun 19, 2019

bizybot deleted the 42847-backport-7x branch June 19, 2019 08:27

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Backport] Add kerberos grant_type to get token in exchange for Kerberos ticket … #43355

[Backport] Add kerberos grant_type to get token in exchange for Kerberos ticket … #43355

bizybot commented Jun 19, 2019

[Backport] Add kerberos grant_type to get token in exchange for Kerberos ticket … #43355

[Backport] Add kerberos grant_type to get token in exchange for Kerberos ticket … #43355

Conversation

bizybot commented Jun 19, 2019