[Backport] Add kerberos grant_type to get token in exchange for Kerberos ticket … #43355
…(#42847)
Kibana wants to create access_token/refresh_token pair using Token management APIs in exchange for kerberos tickets. `client_credentials` grant_type requires every user to have `cluster:admin/xpack/security/token/create` cluster privilege.

This commit introduces `_kerberos` grant_type for generating `access_token` and `refresh_token` in exchange for a valid base64 encoded kerberos ticket. In addition, `kibana_user` role now has cluster privilege to create tokens. This allows Kibana to create access_token/refresh_token pair in exchange for kerberos tickets.

Note: The lifetime from the kerberos ticket is not used in ES and so even after it expires the access_token/refresh_token pair will be valid. Care must be taken to invalidate such tokens using token management APIs if required.
Closes #41943
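
An added example, not code from this pull request: one way a client could handle the caveat in the note, by remembering each Kerberos ticket's end time next to the tokens issued for it and producing invalidation requests once the ticket has expired. The `/_security/oauth2/token` path and the `kerberos_ticket`, `token` and `refresh_token` body fields are taken from the Elasticsearch token APIs rather than from this page; the `TicketBoundTokens` helper and the caller-supplied ticket end time are hypothetical.

```python
import base64
import time

# Elasticsearch token API path (assumption: not stated on this page).
TOKEN_PATH = "/_security/oauth2/token"


def kerberos_token_request(ticket: bytes) -> dict:
    """Body for POST TOKEN_PATH using the _kerberos grant type."""
    return {
        "grant_type": "_kerberos",
        "kerberos_ticket": base64.b64encode(ticket).decode("ascii"),
    }


class TicketBoundTokens:
    """Hypothetical helper: ties issued tokens to their ticket's end time."""

    def __init__(self):
        # Each entry: (ticket_end_epoch, access_token, refresh_token)
        self._issued = []

    def record(self, ticket_end: float, token_response: dict) -> None:
        """Store the token pair from a create-token response."""
        self._issued.append((ticket_end,
                             token_response["access_token"],
                             token_response["refresh_token"]))

    def invalidation_requests(self, now: float = None) -> list:
        """Bodies for DELETE TOKEN_PATH for tokens whose ticket has expired."""
        now = time.time() if now is None else now
        expired = [e for e in self._issued if e[0] <= now]
        self._issued = [e for e in self._issued if e[0] > now]
        bodies = []
        for _, access, refresh in expired:
            # Access and refresh tokens are invalidated separately.
            bodies.append({"token": access})
            bodies.append({"refresh_token": refresh})
        return bodies


if __name__ == "__main__":
    # Constructed sample values, not real tickets or tokens.
    print("POST", TOKEN_PATH, kerberos_token_request(b"constructed-ticket"))
    tracker = TicketBoundTokens()
    tracker.record(100.0, {"access_token": "a1", "refresh_token": "r1"})
    for body in tracker.invalidation_requests(now=150.0):
        print("DELETE", TOKEN_PATH, body)
```

The ticket end time has to come from the client's own Kerberos credential state, since Elasticsearch does not use it.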