Dear Graylog developers,

Should I register a bug or a feature request on this issue?

Aleksey


On Thursday, September 8, 2016 at 2:23:00 PM UTC+3, Aleksey Chudov wrote:
>
> Hi,
>
> Thanks for the SSO Authentication Plugin for Graylog!
>
> I'm trying to set up Kerberos Single Sign-On to Graylog 2.1 on my Apache 
> HTTP Server proxy.
>
> My current Apache HTTP Server proxy configuration:
>
>     <Location />
>         SSLRequireSSL
>         RequestHeader set X-Graylog-Server-URL "https://graylog.example.com/api/"
>         ProxyPass http://127.0.0.1:9000/
>         ProxyPassReverse http://127.0.0.1:9000/
>     </Location>
>
> First of all, I've created the user ad...@example.com via the Graylog web UI 
> /system/authentication/users and configured the SSO plugin at 
> /system/authentication/config/sso to trust the X-Remote-User HTTP header.
>
> To test that the SSO plugin works as expected, I've added a static header to my 
> configuration:
>
>     <Location />
>         SSLRequireSSL
>         RequestHeader set X-Graylog-Server-URL "https://graylog.example.com/api/"
>         RequestHeader set X-Remote-User "ad...@example.com"
>         ProxyPass http://127.0.0.1:9000/
>         ProxyPassReverse http://127.0.0.1:9000/
>     </Location>
>
> With the above configuration I always log in as ad...@example.com without 
> being prompted for a password.
>
> So, the Kerberos part uses mod_auth_gssapi 
> https://github.com/modauthgssapi/mod_auth_gssapi
>
>     <Location />
>         SSLRequireSSL
>
>         AuthType GSSAPI
>         AuthName "Kerberos Login"
>         GssapiCredStore keytab:/etc/httpd/conf/krb5.keytab
>         GssapiUseSessions On
>         Require valid-user
>
>         RequestHeader set X-Graylog-Server-URL "https://graylog.example.com/api/"
>         RequestHeader set X-Remote-User %{REMOTE_USER}s
>
>         Session On
>         SessionCookieName gssapi_session path=/;httponly;secure;
>
>         ProxyPass http://127.0.0.1:9000/
>         ProxyPassReverse http://127.0.0.1:9000/
>     </Location>
>
> With the above configuration, Apache HTTP Server authenticates me as 
> ad...@example.com, but the Graylog API session is not authorized:
>
> 192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:19 +0300] "GET / HTTP/1.1" 200 500 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
> 192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:19 +0300] "GET /config.js HTTP/1.1" 200 136 "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
> 192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:19 +0300] "GET /assets/polyfill.6469f06d961e83d45607.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
> 192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:20 +0300] "GET /assets/plugin/org.graylog.plugins.pipelineprocessor.ProcessorPlugin/plugin.org.graylog.plugins.pipelineprocessor.PipelineProcessorPlugin.052c725323b2a784f7b0.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
> 192.168.0.133 - - [08/Sep/2016:14:05:20 +0300] "GET /api/system/sessions HTTP/1.1" 401 381 "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
> 192.168.0.133 - - [08/Sep/2016:14:05:20 +0300] "GET /api/system/sessions HTTP/1.1" 401 381 "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
> 192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:21 +0300] "GET /assets/plugin/org.graylog.plugins.enterprise_integration.EnterpriseIntegrationPlugin/plugin.org.graylog.plugins.enterprise_integration.EnterpriseIntegrationPlugin.cac9c48526f92b69f0dc.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
> 192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:21 +0300] "GET /assets/plugin/org.graylog.plugins.map.MapWidgetPlugin/plugin.org.graylog.plugins.map.MapWidgetPlugin.2d9b16670c4a97bedae2.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
> 192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:22 +0300] "GET /api/system/cluster/node HTTP/1.1" 200 223 "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
> 192.168.0.133 - - [08/Sep/2016:14:05:22 +0300] "GET /api/system/sessions HTTP/1.1" 401 381 "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
> 192.168.0.133 - - [08/Sep/2016:14:05:22 +0300] "GET /api/system/sessions HTTP/1.1" 401 381 "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
> 192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:22 +0300] "GET /assets/f9a25466e5ac752f14dfa013fad9730a.jpg HTTP/1.1" 304 - "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
> 192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:23 +0300] "GET /assets/plugin/org.graylog.plugins.auth.sso.SsoAuthPlugin/plugin.org.graylog.plugins.auth.sso.SsoAuthPlugin.2b841b0e8c062b58a186.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
> 192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:23 +0300] "GET /assets/2.LoginPage.6469f06d961e83d45607.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
> 192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:23 +0300] "GET /assets/32.32.6469f06d961e83d45607.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
> 192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:23 +0300] "GET /assets/plugin/org.graylog.plugins.collector.CollectorPlugin/plugin.org.graylog.plugins.collector.CollectorPlugin.2d7e15af839c3b19942b.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
> 192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:23 +0300] "GET /assets/app.6469f06d961e83d45607.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
>
> Request headers:
>
> GET /api/system/sessions HTTP/1.1
> Host: graylog.example.com
> Connection: keep-alive
> Authorization: Basic dW5kZWZpbmVkOnNlc3Npb24=
> Accept: application/json
> X-Requested-With: XMLHttpRequest
> User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36
> Content-Type: application/json
> Referer: https://graylog.example.com/
> Accept-Encoding: gzip, deflate, sdch, br
> Accept-Language: en-US,en;q=0.8,ru;q=0.6
> Cookie: gssapi_session=MagBearerToken=XXXYYY
>
> Response headers:
>
> HTTP/1.1 401 Unauthorized
> Date: Thu, 08 Sep 2016 11:05:20 GMT
> Server: Apache
> Set-Cookie: gssapi_session=MagBearerToken=XXXYYY;path=/;httponly;secure;
> WWW-Authenticate: Negotiate
> Cache-Control: no-cache
> Content-Length: 381
> Keep-Alive: timeout=5, max=99
> Connection: Keep-Alive
> Content-Type: text/html; charset=iso-8859-1
>
> It seems like the request to /api/system/sessions breaks Kerberos auth (header 
> WWW-Authenticate: Negotiate) by adding the HTTP header "Authorization: Basic 
> dW5kZWZpbmVkOnNlc3Npb24=".
>
> Does anyone use Kerberos Single Sign-On to Graylog? Do you have any idea 
> how to set this up?
>
> Regards,
> Aleksey
>
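
A way to check the diagnosis in the quoted message, as an added example that is not part of the original thread: it decodes the Basic value the browser sent, compares the offered scheme with the server's challenge, and lists 401s that Apache logged without a remote user for a client it had otherwise authenticated. The sample log is constructed in the shape of the quoted entries (user agents dropped, `user@example.com` is a placeholder), and the function names are illustrative.

```python
import base64
import re

# Constructed sample in the shape of the quoted access-log entries.
SAMPLE_LOG = """\
192.168.0.133 - user@example.com [08/Sep/2016:14:05:19 +0300] "GET /config.js HTTP/1.1" 200 136
192.168.0.133 - - [08/Sep/2016:14:05:20 +0300] "GET /api/system/sessions HTTP/1.1" 401 381
192.168.0.133 - user@example.com [08/Sep/2016:14:05:22 +0300] "GET /api/system/cluster/node HTTP/1.1" 200 223
"""

# client, remote user, request path, status from a common/combined log line
LINE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})\b')


def decode_basic(authorization):
    """Return (user, password) from a Basic Authorization value, else None."""
    scheme, _, blob = authorization.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, password = text.partition(":")
    return (user, password) if sep else None


def scheme_mismatch(authorization, www_authenticate):
    """True when the client's scheme is absent from the server's challenge.

    Simplification: challenges are split on commas, which is enough for a
    bare "Negotiate" but not for challenges carrying comma-separated params.
    """
    offered = authorization.split(None, 1)[0].lower()
    challenged = {c.split(None, 1)[0].lower()
                  for c in www_authenticate.split(",") if c.strip()}
    return offered not in challenged


def rejected_after_sso(log_text):
    """(client, path) for 401s with no remote user, from clients that Apache
    authenticated on other requests in the same log."""
    rows = [m.groups() for m in map(LINE.match, log_text.splitlines()) if m]
    authed = {client for client, user, _, _ in rows if user != "-"}
    return [(c, p) for c, u, p, s in rows
            if u == "-" and s == "401" and c in authed]
```
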
