Class KerberosTicketValidator
This class takes care of login by ES service credentials using keytab, GSSContext establishment, and then validating the incoming token.
It may respond with a token that needs to be communicated to the peer.
Constructor Summary
Constructors
KerberosTicketValidator()

Method Summary
Modifier and Type | Method | Description
void | validateTicket(byte[] decodedToken, Path keytabPath, boolean krbDebug, ActionListener<org.elasticsearch.core.Tuple<String, String>> actionListener) | Validates client kerberos ticket received from the peer.
Constructor Details

KerberosTicketValidator
public KerberosTicketValidator()

Method Details

validateTicket
public void validateTicket(byte[] decodedToken, Path keytabPath, boolean krbDebug, ActionListener<org.elasticsearch.core.Tuple<String, String>> actionListener)
Validates client kerberos ticket received from the peer. First performs service login using the keytab; multiple principals in the keytab are supported, and the principal is selected based on the request.
The GSS security context establishment state is handled as follows:
If the context is established, it will call ActionListener.onResponse(Response) with a Tuple of username and outToken for the peer reply.
If the context is not established, it will call ActionListener.onResponse(Response) with a Tuple where username is null but with an outToken that needs to be sent to the peer for further negotiation.
Never calls ActionListener.onResponse(Response) with a null tuple.
On failure, it will call ActionListener.onFailure(Exception).
Parameters:
decodedToken - base64 decoded kerberos ticket bytes
keytabPath - Path to Service key tab file containing credentials for ES service.
krbDebug - if true enables jaas krb5 login module debug logs.
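As an added example of a caller that handles the three outcomes described above (this is not code from Elasticsearch itself): the class TicketValidationExample, the Outcome record and the keytab path are assumptions, and only a non-null username is treated as an authenticated principal.

```java
import java.nio.file.Path;
import java.util.Base64;

import org.elasticsearch.action.ActionListener;
import org.elasticsearch.core.Tuple;

// Hypothetical caller of KerberosTicketValidator.validateTicket that maps the
// established / not-yet-established / failed outcomes onto a simple result type.
public final class TicketValidationExample {

    // What the transport layer needs: who authenticated (if anyone), what to send back,
    // and whether the GSS context is complete. A non-established outcome must never be
    // treated as a successful login.
    public record Outcome(String username, String outToken, boolean established) {}

    public static void validate(KerberosTicketValidator validator,
                                String base64Token,
                                Path keytabPath,     // e.g. Path.of("/etc/elasticsearch/es.keytab"), assumed
                                boolean krbDebug,
                                ActionListener<Outcome> listener) {
        // validateTicket expects the already base64-decoded ticket bytes.
        byte[] decodedToken = Base64.getDecoder().decode(base64Token);

        validator.validateTicket(decodedToken, keytabPath, krbDebug, ActionListener.wrap(
            (Tuple<String, String> tuple) -> {
                // By contract the tuple itself is never null.
                String username = tuple.v1();
                String outToken = tuple.v2();
                if (username != null) {
                    // Context established: the principal is authenticated; outToken, if
                    // present, is returned to the peer with the reply.
                    listener.onResponse(new Outcome(username, outToken, true));
                } else {
                    // Context not established: no principal yet; outToken must go back to
                    // the peer so negotiation can continue. Do not grant access here.
                    listener.onResponse(new Outcome(null, outToken, false));
                }
            },
            // Login or token validation failed: surface it as an authentication failure.
            listener::onFailure
        ));
    }
}
```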