I'm pretty much seeing the same behavior. Difference is that I'm using 
mod_auth_kerb on Apache 2.2. 

  -Monty.

On Thursday, September 8, 2016 at 6:23:00 AM UTC-5, Aleksey Chudov wrote:
>
> Hi,
>
> Thanks for SSO Authentication Plugin for Graylog! 
>
> I'm trying to set up Kerberos Single Sign-On to Graylog 2.1 on my Apache 
> HTTP Server proxy.
>
> My current Apache HTTP Server proxy configuration:
>
>     <Location />
>         SSLRequireSSL
>         RequestHeader set X-Graylog-Server-URL "https://graylog.example.com/api/"
>         ProxyPass http://127.0.0.1:9000/
>         ProxyPassReverse http://127.0.0.1:9000/
>     </Location>
>
> First of all I've created user [email protected] via 
> Graylog WEB UI /system/authentication/users and configured SSO Plugin 
> /system/authentication/config/sso to trust X-Remote-User HTTP header.
>
> To test that the SSO plugin works as expected, I've added a static header to my 
> configuration:
>
>     <Location />
>         SSLRequireSSL
>         RequestHeader set X-Graylog-Server-URL "https://graylog.example.com/api/"
>         RequestHeader set X-Remote-User "[email protected]"
>         ProxyPass http://127.0.0.1:9000/
>         ProxyPassReverse http://127.0.0.1:9000/
>     </Location>
>
> With the above configuration I always log in as [email protected] 
> without being prompted for a password.
>
> So, the Kerberos part uses mod_auth_gssapi 
> https://github.com/modauthgssapi/mod_auth_gssapi
>
>     <Location />
>         SSLRequireSSL
>
>         AuthType GSSAPI
>         AuthName "Kerberos Login"
>         GssapiCredStore keytab:/etc/httpd/conf/krb5.keytab
>         GssapiUseSessions On
>         Require valid-user
>
>         RequestHeader set X-Graylog-Server-URL "https://graylog.example.com/api/"
>         RequestHeader set X-Remote-User %{REMOTE_USER}s
>
>         Session On
>         SessionCookieName gssapi_session path=/;httponly;secure;
>
>         ProxyPass http://127.0.0.1:9000/
>         ProxyPassReverse http://127.0.0.1:9000/
>     </Location>
>
> With the above configuration Apache HTTP Server authenticates me as 
> [email protected], but the Graylog API session is not authorized:
>
> 192.168.0.133 - [email protected] [08/Sep/2016:14:05:19 +0300] "GET / HTTP/1.1" 200 500 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
> 192.168.0.133 - [email protected] [08/Sep/2016:14:05:19 +0300] "GET /config.js HTTP/1.1" 200 136 "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
> 192.168.0.133 - [email protected] [08/Sep/2016:14:05:19 +0300] "GET /assets/polyfill.6469f06d961e83d45607.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
> 192.168.0.133 - [email protected] [08/Sep/2016:14:05:20 +0300] "GET /assets/plugin/org.graylog.plugins.pipelineprocessor.ProcessorPlugin/plugin.org.graylog.plugins.pipelineprocessor.PipelineProcessorPlugin.052c725323b2a784f7b0.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
> 192.168.0.133 - - [08/Sep/2016:14:05:20 +0300] "GET /api/system/sessions HTTP/1.1" 401 381 "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
> 192.168.0.133 - - [08/Sep/2016:14:05:20 +0300] "GET /api/system/sessions HTTP/1.1" 401 381 "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
> 192.168.0.133 - [email protected] [08/Sep/2016:14:05:21 +0300] "GET /assets/plugin/org.graylog.plugins.enterprise_integration.EnterpriseIntegrationPlugin/plugin.org.graylog.plugins.enterprise_integration.EnterpriseIntegrationPlugin.cac9c48526f92b69f0dc.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
> 192.168.0.133 - [email protected] [08/Sep/2016:14:05:21 +0300] "GET /assets/plugin/org.graylog.plugins.map.MapWidgetPlugin/plugin.org.graylog.plugins.map.MapWidgetPlugin.2d9b16670c4a97bedae2.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
> 192.168.0.133 - [email protected] [08/Sep/2016:14:05:22 +0300] "GET /api/system/cluster/node HTTP/1.1" 200 223 "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
> 192.168.0.133 - - [08/Sep/2016:14:05:22 +0300] "GET /api/system/sessions HTTP/1.1" 401 381 "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
> 192.168.0.133 - - [08/Sep/2016:14:05:22 +0300] "GET /api/system/sessions HTTP/1.1" 401 381 "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
> 192.168.0.133 - [email protected] [08/Sep/2016:14:05:22 +0300] "GET /assets/f9a25466e5ac752f14dfa013fad9730a.jpg HTTP/1.1" 304 - "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
> 192.168.0.133 - [email protected] [08/Sep/2016:14:05:23 +0300] "GET /assets/plugin/org.graylog.plugins.auth.sso.SsoAuthPlugin/plugin.org.graylog.plugins.auth.sso.SsoAuthPlugin.2b841b0e8c062b58a186.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
> 192.168.0.133 - [email protected] [08/Sep/2016:14:05:23 +0300] "GET /assets/2.LoginPage.6469f06d961e83d45607.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
> 192.168.0.133 - [email protected] [08/Sep/2016:14:05:23 +0300] "GET /assets/32.32.6469f06d961e83d45607.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
> 192.168.0.133 - [email protected] [08/Sep/2016:14:05:23 +0300] "GET /assets/plugin/org.graylog.plugins.collector.CollectorPlugin/plugin.org.graylog.plugins.collector.CollectorPlugin.2d7e15af839c3b19942b.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
> 192.168.0.133 - [email protected] [08/Sep/2016:14:05:23 +0300] "GET /assets/app.6469f06d961e83d45607.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
>
> Request headers:
>
> GET /api/system/sessions HTTP/1.1
> Host: graylog.example.com
> Connection: keep-alive
> Authorization: Basic dW5kZWZpbmVkOnNlc3Npb24=
> Accept: application/json
> X-Requested-With: XMLHttpRequest
> User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36
> Content-Type: application/json
> Referer: https://graylog.example.com/
> Accept-Encoding: gzip, deflate, sdch, br
> Accept-Language: en-US,en;q=0.8,ru;q=0.6
> Cookie: gssapi_session=MagBearerToken=XXXYYY
>
> Response headers:
>
> HTTP/1.1 401 Unauthorized
> Date: Thu, 08 Sep 2016 11:05:20 GMT
> Server: Apache
> Set-Cookie: gssapi_session=MagBearerToken=XXXYYY;path=/;httponly;secure;
> WWW-Authenticate: Negotiate
> Cache-Control: no-cache
> Content-Length: 381
> Keep-Alive: timeout=5, max=99
> Connection: Keep-Alive
> Content-Type: text/html; charset=iso-8859-1
>
> Seems like the request to /api/system/sessions breaks Kerberos auth (header 
> WWW-Authenticate: Negotiate) by adding the HTTP header "Authorization: Basic 
> dW5kZWZpbmVkOnNlc3Npb24=".
>
> Does anyone use Kerberos Single Sign-On to Graylog? Do you have any idea 
> how to set this up?
>
> Regards,
> Aleksey
>
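
A diagnostic for the capture quoted above, as an added example that is not part of the original thread: it lists the requests Apache rejected with no authenticated user and decodes the `Authorization` header the browser sent on them. The log lines are constructed in the shape of the quoted access log, with a placeholder principal and a shortened user agent; the function names are illustrative.

```python
import base64
import re

# Constructed sample in the shape of the quoted access log: placeholder
# principal (user@EXAMPLE.COM) and a shortened user agent.
SAMPLE_LOG = """\
192.168.0.133 - user@EXAMPLE.COM [08/Sep/2016:14:05:19 +0300] "GET /config.js HTTP/1.1" 200 136 "https://graylog.example.com/" "Mozilla/5.0"
192.168.0.133 - - [08/Sep/2016:14:05:20 +0300] "GET /api/system/sessions HTTP/1.1" 401 381 "https://graylog.example.com/" "Mozilla/5.0"
192.168.0.133 - user@EXAMPLE.COM [08/Sep/2016:14:05:22 +0300] "GET /api/system/cluster/node HTTP/1.1" 200 223 "https://graylog.example.com/" "Mozilla/5.0"
"""

# Fields: host, ident, REMOTE_USER, [time], "METHOD path proto", status
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def unauthenticated_401s(log_text):
    """Return (time, path) for requests rejected with an empty REMOTE_USER."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(3) == "-" and m.group(7) == "401":
            hits.append((m.group(4), m.group(6)))
    return hits

def describe_authorization(value):
    """Split an Authorization header into its scheme and, for Basic, user/password."""
    scheme, _, param = value.strip().partition(" ")
    info = {"scheme": scheme.lower()}
    if info["scheme"] == "basic":
        try:
            decoded = base64.b64decode(param, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            info["error"] = "malformed Basic credentials"
            return info
        info["user"], _, info["password"] = decoded.partition(":")
    return info

def mismatched_scheme(request_auth, www_authenticate):
    """True when the client answered the server's challenge with another scheme."""
    offered = www_authenticate.split()[0].lower()
    return describe_authorization(request_auth)["scheme"] != offered

if __name__ == "__main__":
    print(unauthenticated_401s(SAMPLE_LOG))
    # Header value taken from the request capture quoted above.
    print(describe_authorization("Basic dW5kZWZpbmVkOnNlc3Npb24="))
```

The quoted header decodes to the user `undefined` with the password `session`, so the browser answered a `Negotiate` challenge with Basic credentials on exactly the requests that were logged without a user.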
