IMPORTANT: Version 6.6 of Elasticsearch has passed its maintenance date.
This documentation is no longer being updated. For the latest information, see the current release documentation.
You can configure X-Pack security to support Kerberos V5 authentication, an industry standard protocol to authenticate users in Elasticsearch.
You cannot use the Kerberos realm to authenticate users in Kibana and on the transport network layer.
There are a few terms and concepts that you’ll encounter when you’re setting up Kerberos realms:
- Key Distribution Center. A service that issues Kerberos tickets.
A Kerberos principal is a unique identity to which Kerberos can assign tickets. It can be used to identify a user or a service provided by a server.
Kerberos V5 principal names are of format
primaryis a user name.
instanceis an optional string that qualifies the primary and is separated by a slash(
/) from the primary. For a user, usually it is not used; for service hosts, it is the fully qualified domain name of the host.
REALMis the Kerberos realm. Usually it is is the domain name in upper case. An example of a typical user principal is
user@ES.DOMAIN.LOCAL. An example of a typical service principal is
- Realms define the administrative boundary within which the authentication server has authority to authenticate users and services.
- A file that stores pairs of principals and encryption keys.
Anyone with read permissions to this file can use the credentials in the network to access other services so it is important to protect it with proper file permissions.
- A file that contains Kerberos configuration information such as the default realm name, the location of Key distribution centers (KDC), realms information, mappings from domain names to Kerberos realms, and default configurations for realm session key encryption types.
- ticket granting ticket (TGT)
- A TGT is an authentication ticket generated by the Kerberos authentication server. It contains an encrypted authenticator.