Class KerberosTicketValidator

java.lang.Object
org.elasticsearch.xpack.security.authc.kerberos.KerberosTicketValidator

public class KerberosTicketValidator extends Object
Utility class that validates a Kerberos ticket for peer authentication.

This class handles the login of the ES service credentials from a keytab, the establishment of the GSSContext, and then the validation of the incoming token.

It may respond with a token that needs to be communicated to the peer.

  • Constructor Details

    • KerberosTicketValidator

      public KerberosTicketValidator()
  • Method Details

    • validateTicket

      public void validateTicket(byte[] decodedToken, Path keytabPath, boolean krbDebug, ActionListener<org.elasticsearch.core.Tuple<String,String>> actionListener)
      Validates the client Kerberos ticket received from the peer.

      First performs the service login using the keytab. Multiple principals in the keytab are supported; the principal is selected based on the request.

      The GSS security context establishment state is handled as follows:
        • If the context is established, it calls ActionListener.onResponse(Response) with a Tuple of the username and an outToken for the peer reply.
        • If the context is not established, it calls ActionListener.onResponse(Response) with a Tuple where the username is null but with an outToken that needs to be sent to the peer for further negotiation.
        • It never calls ActionListener.onResponse(Response) with a null tuple.
        • On failure, it calls ActionListener.onFailure(Exception).

      Parameters:
      decodedToken - base64-decoded Kerberos ticket bytes
      keytabPath - Path to the service keytab file containing the credentials for the ES service.
      krbDebug - if true, enables JAAS krb5 login module debug logs.
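The following is an added example of a caller, not code from Elasticsearch itself, showing how a request handler would drive one round of SPNEGO negotiation through validateTicket and react to each of the three outcomes the contract above describes (context established, context not yet established, failure). The KerberosNegotiateExample class, the AuthResult record, the outcome strings and the "Negotiate" header handling are assumptions made for this illustration; only KerberosTicketValidator, ActionListener and Tuple are taken from the page.

```java
// Added example (not Elasticsearch's own code): drives KerberosTicketValidator.validateTicket
// and maps its documented outcomes onto the HTTP Negotiate exchange. AuthResult, the
// outcome strings and the header parsing are assumptions for this illustration.
import java.nio.file.Path;
import java.util.Base64;

import org.elasticsearch.action.ActionListener;
import org.elasticsearch.core.Tuple;
import org.elasticsearch.xpack.security.authc.kerberos.KerberosTicketValidator;

public final class KerberosNegotiateExample {

    /** Hypothetical outcome type so the three contract branches are explicit to the caller. */
    public record AuthResult(String username, String outToken, String outcome) {}

    private final KerberosTicketValidator validator = new KerberosTicketValidator();

    /**
     * @param authorizationHeader value of the HTTP "Authorization" header, e.g. "Negotiate <base64>"
     * @param keytabPath          path to the service keytab (the file name is chosen by the deployment)
     * @param result              notified with the mapped outcome, or with the validation error
     */
    public void authenticate(String authorizationHeader, Path keytabPath, ActionListener<AuthResult> result) {
        final String prefix = "Negotiate ";
        if (authorizationHeader == null || !authorizationHeader.startsWith(prefix)) {
            // No Negotiate token at all: the client must be challenged to start the exchange.
            result.onResponse(new AuthResult(null, null, "CHALLENGE"));
            return;
        }

        final byte[] decodedToken;
        try {
            // validateTicket expects the raw ticket bytes, so the base64 from the header is decoded here.
            decodedToken = Base64.getDecoder().decode(authorizationHeader.substring(prefix.length()).trim());
        } catch (IllegalArgumentException e) {
            result.onFailure(e); // malformed base64: reject before any ticket processing
            return;
        }

        // krbDebug=false in production; set true only while diagnosing JAAS krb5 login problems.
        validator.validateTicket(decodedToken, keytabPath, false, new ActionListener<Tuple<String, String>>() {
            @Override
            public void onResponse(Tuple<String, String> userAndOutToken) {
                // Contract: the tuple is never null. v1() is the username (null while negotiation is
                // still in progress); v2() is the outToken that must be returned to the peer.
                final String username = userAndOutToken.v1();
                final String outToken = userAndOutToken.v2();
                if (username != null) {
                    // Context established: the peer is authenticated. Return outToken so the client
                    // can complete mutual authentication.
                    result.onResponse(new AuthResult(username, outToken, "AUTHENTICATED"));
                } else {
                    // Context not yet established: no user yet. The caller should answer 401 with
                    // "WWW-Authenticate: Negotiate <outToken>" so the client can send the next token.
                    result.onResponse(new AuthResult(null, outToken, "CONTINUE"));
                }
            }

            @Override
            public void onFailure(Exception e) {
                // Invalid ticket, keytab/login problem or GSS error: treat as an authentication failure.
                result.onFailure(e);
            }
        });
    }
}
```

A handler built on this mapping must not grant access on the CONTINUE branch even though onResponse was called: the page's contract makes a null username, not the absence of an exception, the signal that the context is still being negotiated. The outToken is forwarded unchanged, since the page does not specify its encoding beyond it being a String.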