Dear Aleksey,

please open a bug report for this: 
https://github.com/Graylog2/graylog-plugin-auth-sso/issues

thank you


From: Aleksey Chudov <aleksey.chu...@gmail.com>
Reply-To: graylog2@googlegroups.com <graylog2@googlegroups.com>
Date: 15 September 2016 at 09:32:52
To: Graylog Users <graylog2@googlegroups.com>
Subject: [graylog2] Re: Graylog Kerberos Single Sign-On Configuration

Dear Graylog developers,

Should I register a bug or a feature request on this issue?

Aleksey


On Thursday, September 8, 2016 at 2:23:00 PM UTC+3, Aleksey Chudov wrote:
Hi,

Thanks for the SSO Authentication Plugin for Graylog!

I'm trying to set up Kerberos Single Sign-On to Graylog 2.1 on my Apache HTTP
Server proxy.

My current Apache HTTP Server proxy configuration:

    <Location />
        SSLRequireSSL
        RequestHeader set X-Graylog-Server-URL "https://graylog.example.com/api/"
        ProxyPass http://127.0.0.1:9000/
        ProxyPassReverse http://127.0.0.1:9000/
    </Location>

First of all I've created the user ad...@example.com via the Graylog web UI
(/system/authentication/users) and configured the SSO plugin
(/system/authentication/config/sso) to trust the X-Remote-User HTTP header.

To test that the SSO plugin works as expected, I've added a static header to my
configuration:

    <Location />
        SSLRequireSSL
        RequestHeader set X-Graylog-Server-URL "https://graylog.example.com/api/"
        RequestHeader set X-Remote-User "ad...@example.com"
        ProxyPass http://127.0.0.1:9000/
        ProxyPassReverse http://127.0.0.1:9000/
    </Location>

With the above configuration I always log in as ad...@example.com without
being prompted for a password.

So, the Kerberos part uses mod_auth_gssapi 
https://github.com/modauthgssapi/mod_auth_gssapi

    <Location />
        SSLRequireSSL

        AuthType GSSAPI
        AuthName "Kerberos Login"
        GssapiCredStore keytab:/etc/httpd/conf/krb5.keytab
        GssapiUseSessions On
        Require valid-user

        RequestHeader set X-Graylog-Server-URL "https://graylog.example.com/api/"
        RequestHeader set X-Remote-User %{REMOTE_USER}s

        Session On
        SessionCookieName gssapi_session path=/;httponly;secure;

        ProxyPass http://127.0.0.1:9000/
        ProxyPassReverse http://127.0.0.1:9000/
    </Location>

With the above configuration Apache HTTP Server authenticates me as
ad...@example.com, but the Graylog API session is not authorized:

192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:19 +0300] "GET / HTTP/1.1" 200 500 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:19 +0300] "GET /config.js HTTP/1.1" 200 136 "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:19 +0300] "GET /assets/polyfill.6469f06d961e83d45607.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:20 +0300] "GET /assets/plugin/org.graylog.plugins.pipelineprocessor.ProcessorPlugin/plugin.org.graylog.plugins.pipelineprocessor.PipelineProcessorPlugin.052c725323b2a784f7b0.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - - [08/Sep/2016:14:05:20 +0300] "GET /api/system/sessions HTTP/1.1" 401 381 "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - - [08/Sep/2016:14:05:20 +0300] "GET /api/system/sessions HTTP/1.1" 401 381 "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:21 +0300] "GET /assets/plugin/org.graylog.plugins.enterprise_integration.EnterpriseIntegrationPlugin/plugin.org.graylog.plugins.enterprise_integration.EnterpriseIntegrationPlugin.cac9c48526f92b69f0dc.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:21 +0300] "GET /assets/plugin/org.graylog.plugins.map.MapWidgetPlugin/plugin.org.graylog.plugins.map.MapWidgetPlugin.2d9b16670c4a97bedae2.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:22 +0300] "GET /api/system/cluster/node HTTP/1.1" 200 223 "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - - [08/Sep/2016:14:05:22 +0300] "GET /api/system/sessions HTTP/1.1" 401 381 "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - - [08/Sep/2016:14:05:22 +0300] "GET /api/system/sessions HTTP/1.1" 401 381 "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:22 +0300] "GET /assets/f9a25466e5ac752f14dfa013fad9730a.jpg HTTP/1.1" 304 - "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:23 +0300] "GET /assets/plugin/org.graylog.plugins.auth.sso.SsoAuthPlugin/plugin.org.graylog.plugins.auth.sso.SsoAuthPlugin.2b841b0e8c062b58a186.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:23 +0300] "GET /assets/2.LoginPage.6469f06d961e83d45607.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:23 +0300] "GET /assets/32.32.6469f06d961e83d45607.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:23 +0300] "GET /assets/plugin/org.graylog.plugins.collector.CollectorPlugin/plugin.org.graylog.plugins.collector.CollectorPlugin.2d7e15af839c3b19942b.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:23 +0300] "GET /assets/app.6469f06d961e83d45607.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"

Request headers:

GET /api/system/sessions HTTP/1.1
Host: graylog.example.com
Connection: keep-alive
Authorization: Basic dW5kZWZpbmVkOnNlc3Npb24=
Accept: application/json
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like 
Gecko) Chrome/53.0.2785.92 Safari/537.36
Content-Type: application/json
Referer: https://graylog.example.com/
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8,ru;q=0.6
Cookie: gssapi_session=MagBearerToken=XXXYYY

Response headers:

HTTP/1.1 401 Unauthorized
Date: Thu, 08 Sep 2016 11:05:20 GMT
Server: Apache
Set-Cookie: gssapi_session=MagBearerToken=XXXYYY;path=/;httponly;secure;
WWW-Authenticate: Negotiate
Cache-Control: no-cache
Content-Length: 381
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

Seems like the request to /api/system/sessions breaks Kerberos auth (header
WWW-Authenticate: Negotiate) by adding the HTTP header "Authorization: Basic
dW5kZWZpbmVkOnNlc3Npb24=".

Does anyone use Kerberos Single Sign-On to Graylog? Do you have any idea how to
set this up?

Regards,
Aleksey
--
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/5a1445ac-b255-4edc-885e-27520850e80c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
-- 
| Voice: +49 173 7100308 | Text: j...@jalogisch.de
| http://jalogis.ch/bio | W3W sticks.flanks.pulse
| -----------------------------------------------------------------
| get trusted and secure VPN services http://jalogis.ch/vpnsh
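
A small diagnostic, added here as an example and not part of the thread, of the Graylog project or of mod_auth_gssapi, that parses the access log lines and the request headers quoted in the original post (the sample values below are constructed from them, with the user agent shortened) and shows what they reveal: the only requests that reach the proxy without a REMOTE_USER are the ones to /api/system/sessions, and that request carries an Authorization: Basic header whose Base64 value decodes to undefined:session, which is not the Negotiate scheme a GSSAPI-protected location expects. The function names and the log regex are the example's own.

```python
import base64
import re

# Apache "combined" LogFormat:
#   host ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: a subset of the access log quoted in the post, user agent
# shortened; the address is as the list archive rendered it.
SAMPLE_LOG = """\
192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:19 +0300] "GET / HTTP/1.1" 200 500 "-" "Mozilla/5.0"
192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:19 +0300] "GET /config.js HTTP/1.1" 200 136 "https://graylog.example.com/" "Mozilla/5.0"
192.168.0.133 - - [08/Sep/2016:14:05:20 +0300] "GET /api/system/sessions HTTP/1.1" 401 381 "https://graylog.example.com/" "Mozilla/5.0"
192.168.0.133 - - [08/Sep/2016:14:05:20 +0300] "GET /api/system/sessions HTTP/1.1" 401 381 "https://graylog.example.com/" "Mozilla/5.0"
192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:22 +0300] "GET /api/system/cluster/node HTTP/1.1" 200 223 "https://graylog.example.com/" "Mozilla/5.0"
"""

# Constructed sample: the request headers quoted in the post for the failing call.
REQUEST_HEADERS = {
    "Host": "graylog.example.com",
    "Authorization": "Basic dW5kZWZpbmVkOnNlc3Npb24=",
    "Accept": "application/json",
    "X-Requested-With": "XMLHttpRequest",
    "Cookie": "gssapi_session=MagBearerToken=XXXYYY",
}


def parse_log(text):
    """Parse combined-format access log lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def unauthenticated_requests(entries):
    """Requests that reached the proxy with no REMOTE_USER (logged as '-')."""
    return [e for e in entries if e["user"] == "-"]


def authorization_scheme(headers):
    """Scheme of the Authorization header ('Basic', 'Negotiate', ...), or '' if absent."""
    value = headers.get("Authorization", "")
    return value.split(" ", 1)[0] if value else ""


def decode_basic(value):
    """Decode 'Basic <base64>' into (user, password); None if it is not well-formed Basic."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = raw.partition(":")
    return user, password


def diagnose(entries, headers):
    """Summarise what the log and the request headers show about the 401s.

    A location protected by AuthType GSSAPI expects 'Authorization: Negotiate';
    a request carrying another scheme cannot satisfy it, so the proxy answers
    401 with 'WWW-Authenticate: Negotiate' and never sets REMOTE_USER.
    """
    unauth = unauthenticated_requests(entries)
    scheme = authorization_scheme(headers)
    return {
        "unauthenticated_paths": sorted({e["path"] for e in unauth}),
        "unauthenticated_statuses": sorted({e["status"] for e in unauth}),
        "authorization_scheme": scheme,
        "basic_credentials": decode_basic(headers.get("Authorization", "")),
        "conflicts_with_negotiate": bool(scheme) and scheme != "Negotiate",
    }


if __name__ == "__main__":
    for key, value in diagnose(parse_log(SAMPLE_LOG), REQUEST_HEADERS).items():
        print(f"{key}: {value}")
```

Run against a full access log, the same split between requests that carry the Kerberos principal and requests that arrive with no REMOTE_USER is the quickest way to tell whether a 401 comes from the proxy's authentication layer (no user logged, Negotiate challenge in the response) or from the application behind it.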
