Secure your clusters with Kerberos

You can secure your Elasticsearch clusters and Kibana instances in a deployment by using the Kerberos-5 protocol to authenticate users.

Before you begin

Elasticsearch Add-On for Heroku supports Kerberos with Elastic Stack version 7.3 and later.

The steps in this section require an understanding of Kerberos. To learn more about Kerberos, see our documentation on configuring Elasticsearch for Kerberos authentication.

Configure the cluster to use Kerberos

With a custom bundle containing the Kerberos files and changes to the cluster configuration, you can enforce user authentication through the Kerberos protocol.

  1. Create or use an existing deployment that includes a Kibana instance version 7.3 or later.
  2. Create a custom bundle that contains your krb5.conf and keytab files, and add it to your cluster.

    You must use these exact filenames (krb5.conf and the keytab) so that Elasticsearch Add-On for Heroku recognizes the files in the bundle.

  3. Edit your cluster configuration, sometimes also referred to as the deployment plan, to define Kerberos settings as described in Elasticsearch documentation.

    xpack.security.authc.realms.kerberos.cloud-krb:
      order: 2
      keytab.path: es.keytab
      remove_realm_name: false

    The name of the realm must be cloud-krb, and the order must be 2: xpack.security.authc.realms.kerberos.cloud-krb.order: 2

  4. Update Kibana in the user settings configuration to use Kerberos as the authentication provider:

    • If you are using a Kibana instance of version 7.7 or later:

      xpack.security.authc.providers:
        kerberos.kerberos1:
          order: 0

      This configuration disables all other realms and only allows users to authenticate with Kerberos. If you wish to allow your native realm users to authenticate, you need to also enable the basic provider like this:

      xpack.security.authc.providers:
        kerberos.kerberos1:
          order: 0
          description: "Log in with Kerberos"
        basic.basic1:
          order: 1

      The description value is an arbitrary string that sets the title shown for the Kerberos login option in the Login Selector UI, which Kibana displays when multiple authentication providers are enabled. If you have a Kibana instance of version 7.8 or later, you can also configure the optional icon and hint settings for any authentication provider.

    • If you are using a Kibana instance of version 7.6 or earlier:

      xpack.security.authc.providers: ['kerberos']

      This configuration disables all other realms and only allows users to authenticate with Kerberos. If you wish to allow your native realm users to authenticate, you need to also enable the basic authProvider by setting xpack.security.authc.providers: [kerberos, basic] in the configuration of Kibana.

  5. Use the Kibana endpoint URL to log in.
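The following added example (not Elastic's own code) checks a deployment plan fragment from step 3 and a Kibana user-settings fragment from step 4 against the constraints this page states before you apply them: the realm must be named cloud-krb with order 2 and a keytab.path, and Kibana must list a kerberos provider (plus basic if native-realm users should still be able to log in). Settings are represented as nested dicts, the shape a YAML parser would produce; the flatten helper treats dotted keys and nested keys as the same setting, as Elasticsearch and Kibana do. The sample inputs are constructed to mirror the page's snippets, and the expected keytab filename es.keytab is taken from the page's example.

```python
"""Sanity-check the Kerberos settings from steps 3 and 4 before applying them."""
from typing import Any, Dict, List, Tuple

# Constraints stated on this page for the Elasticsearch Add-On for Heroku.
REQUIRED_REALM_NAME = "cloud-krb"
REQUIRED_REALM_ORDER = 2
EXPECTED_KEYTAB = "es.keytab"   # keytab filename used in the page's example

REALMS_PREFIX = "xpack.security.authc.realms.kerberos."
PROVIDERS_KEY = "xpack.security.authc.providers"


def flatten(obj: Any, prefix: str = "") -> Dict[str, Any]:
    """Flatten nested dicts into dotted keys, the way Elasticsearch and Kibana
    treat 'a.b.c: v' and 'a: {b: {c: v}}' as the same setting."""
    if not isinstance(obj, dict):
        return {prefix: obj}
    flat: Dict[str, Any] = {}
    for key, value in obj.items():
        full = f"{prefix}.{key}" if prefix else str(key)
        flat.update(flatten(value, full))
    return flat


def check_es_kerberos_realm(settings: Dict[str, Any]) -> List[str]:
    """Return problems with the Elasticsearch Kerberos realm; an empty list means OK."""
    realms: Dict[str, Dict[str, Any]] = {}
    for key, value in flatten(settings).items():
        if key.startswith(REALMS_PREFIX):
            # Split "<realm-name>.<setting>" off the kerberos realm prefix.
            name, _, setting = key[len(REALMS_PREFIX):].partition(".")
            realms.setdefault(name, {})[setting] = value
    if not realms:
        return [f"no {REALMS_PREFIX}* realm defined"]
    problems: List[str] = []
    for name, realm in realms.items():
        if name != REQUIRED_REALM_NAME:
            problems.append(f"realm name must be {REQUIRED_REALM_NAME!r}, got {name!r}")
        if realm.get("order") != REQUIRED_REALM_ORDER:
            problems.append(f"realm {name!r}: order must be {REQUIRED_REALM_ORDER}, "
                            f"got {realm.get('order')!r}")
        keytab = realm.get("keytab.path")
        if keytab is None:
            problems.append(f"realm {name!r}: keytab.path is missing")
        elif keytab != EXPECTED_KEYTAB:
            problems.append(f"realm {name!r}: keytab.path is {keytab!r}, expected {EXPECTED_KEYTAB!r}")
    return problems


def kibana_login_methods(settings: Dict[str, Any]) -> Tuple[bool, bool]:
    """Return (kerberos_enabled, basic_enabled) for a Kibana user-settings fragment.

    Understands both the 7.7+ mapping form (kerberos.kerberos1: {order: 0})
    and the 7.6-and-earlier list form (['kerberos', 'basic']).
    """
    flat = flatten(settings)
    types = set()
    if isinstance(flat.get(PROVIDERS_KEY), list):          # 7.6 and earlier
        types.update(flat[PROVIDERS_KEY])
    for key in flat:                                        # 7.7 and later
        if key.startswith(PROVIDERS_KEY + "."):
            types.add(key[len(PROVIDERS_KEY) + 1:].split(".")[0])
    return ("kerberos" in types, "basic" in types)


# Constructed sample inputs mirroring the page's snippets (not real deployments).
ES_GOOD = {"xpack.security.authc.realms.kerberos.cloud-krb": {
    "order": 2, "keytab.path": "es.keytab", "remove_realm_name": False}}
ES_BAD = {"xpack": {"security": {"authc": {"realms": {"kerberos": {
    "my-krb": {"order": 1, "keytab.path": "es.keytab"}}}}}}}
KIBANA_77_KERBEROS_ONLY = {"xpack.security.authc.providers": {
    "kerberos.kerberos1": {"order": 0}}}
KIBANA_77_BOTH = {"xpack.security.authc.providers": {
    "kerberos.kerberos1": {"order": 0, "description": "Log in with Kerberos"},
    "basic.basic1": {"order": 1}}}
KIBANA_76_BOTH = {"xpack.security.authc.providers": ["kerberos", "basic"]}

if __name__ == "__main__":
    for label, cfg in [("good", ES_GOOD), ("bad", ES_BAD)]:
        print(label, check_es_kerberos_realm(cfg) or "OK")
    for label, cfg in [("7.7 kerberos only", KIBANA_77_KERBEROS_ONLY),
                       ("7.7 both", KIBANA_77_BOTH), ("7.6 both", KIBANA_76_BOTH)]:
        print(label, kibana_login_methods(cfg))
```

Running the script flags the ES_BAD plan (wrong realm name and order) and reports for each Kibana fragment whether native-realm users keep a login path, which is the question to settle before locking the instance to Kerberos only.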