Dear Aleksey, please open a bug report for this: https://github.com/Graylog2/graylog-plugin-auth-sso/issues

Thank you

From: Aleksey Chudov <[email protected]>
Reply-To: [email protected] <[email protected]>
Date: 15 September 2016 at 09:32:52
To: Graylog Users <[email protected]>
Subject: [graylog2] Re: Graylog Kerberos Single Sign-On Configuration

Dear Graylog developers,

Should I register a bug or a feature request on this issue?

Aleksey

On Thursday, September 8, 2016 at 2:23:00 PM UTC+3, Aleksey Chudov wrote:

Hi,

Thanks for the SSO Authentication Plugin for Graylog!

I'm trying to set up Kerberos Single Sign-On to Graylog 2.1 on my Apache HTTP Server proxy. My current Apache HTTP Server proxy configuration:

    <Location />
        SSLRequireSSL
        RequestHeader set X-Graylog-Server-URL "https://graylog.example.com/api/"
        ProxyPass http://127.0.0.1:9000/
        ProxyPassReverse http://127.0.0.1:9000/
    </Location>

First of all I've created the user [email protected] via the Graylog web UI (/system/authentication/users) and configured the SSO plugin (/system/authentication/config/sso) to trust the X-Remote-User HTTP header. To test that the SSO plugin works as expected I've added a static header to my configuration:

    <Location />
        SSLRequireSSL
        RequestHeader set X-Graylog-Server-URL "https://graylog.example.com/api/"
        # Test only: every request is forwarded to Graylog as this fixed user
        RequestHeader set X-Remote-User "[email protected]"
        ProxyPass http://127.0.0.1:9000/
        ProxyPassReverse http://127.0.0.1:9000/
    </Location>

With the above configuration I always log in as [email protected] without being prompted for a password.

So, the Kerberos part uses mod_auth_gssapi (https://github.com/modauthgssapi/mod_auth_gssapi):

    <Location />
        SSLRequireSSL
        AuthType GSSAPI
        AuthName "Kerberos Login"
        GssapiCredStore keytab:/etc/httpd/conf/krb5.keytab
        GssapiUseSessions On
        Require valid-user
        RequestHeader set X-Graylog-Server-URL "https://graylog.example.com/api/"
        # Forward the principal that mod_auth_gssapi authenticated (REMOTE_USER)
        RequestHeader set X-Remote-User %{REMOTE_USER}s
        Session On
        SessionCookieName gssapi_session path=/;httponly;secure;
        ProxyPass http://127.0.0.1:9000/
        ProxyPassReverse http://127.0.0.1:9000/
    </Location>

With the above configuration Apache HTTP Server authenticates me as [email protected], but the Graylog API session is not authorized:

    192.168.0.133 - [email protected] [08/Sep/2016:14:05:19 +0300] "GET / HTTP/1.1" 200 500 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
    192.168.0.133 - [email protected] [08/Sep/2016:14:05:19 +0300] "GET /config.js HTTP/1.1" 200 136 "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
    192.168.0.133 - [email protected] [08/Sep/2016:14:05:19 +0300] "GET /assets/polyfill.6469f06d961e83d45607.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
    192.168.0.133 - [email protected] [08/Sep/2016:14:05:20 +0300] "GET /assets/plugin/org.graylog.plugins.pipelineprocessor.ProcessorPlugin/plugin.org.graylog.plugins.pipelineprocessor.PipelineProcessorPlugin.052c725323b2a784f7b0.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
    192.168.0.133 - - [08/Sep/2016:14:05:20 +0300] "GET /api/system/sessions HTTP/1.1" 401 381 "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
    192.168.0.133 - - [08/Sep/2016:14:05:20 +0300] "GET /api/system/sessions HTTP/1.1" 401 381 "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
    192.168.0.133 - [email protected] [08/Sep/2016:14:05:21 +0300] "GET /assets/plugin/org.graylog.plugins.enterprise_integration.EnterpriseIntegrationPlugin/plugin.org.graylog.plugins.enterprise_integration.EnterpriseIntegrationPlugin.cac9c48526f92b69f0dc.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
    192.168.0.133 - [email protected] [08/Sep/2016:14:05:21 +0300] "GET /assets/plugin/org.graylog.plugins.map.MapWidgetPlugin/plugin.org.graylog.plugins.map.MapWidgetPlugin.2d9b16670c4a97bedae2.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
    192.168.0.133 - [email protected] [08/Sep/2016:14:05:22 +0300] "GET /api/system/cluster/node HTTP/1.1" 200 223 "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
    192.168.0.133 - - [08/Sep/2016:14:05:22 +0300] "GET /api/system/sessions HTTP/1.1" 401 381 "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
    192.168.0.133 - - [08/Sep/2016:14:05:22 +0300] "GET /api/system/sessions HTTP/1.1" 401 381 "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
    192.168.0.133 - [email protected] [08/Sep/2016:14:05:22 +0300] "GET /assets/f9a25466e5ac752f14dfa013fad9730a.jpg HTTP/1.1" 304 - "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
    192.168.0.133 - [email protected] [08/Sep/2016:14:05:23 +0300] "GET /assets/plugin/org.graylog.plugins.auth.sso.SsoAuthPlugin/plugin.org.graylog.plugins.auth.sso.SsoAuthPlugin.2b841b0e8c062b58a186.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
    192.168.0.133 - [email protected] [08/Sep/2016:14:05:23 +0300] "GET /assets/2.LoginPage.6469f06d961e83d45607.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
    192.168.0.133 - [email protected] [08/Sep/2016:14:05:23 +0300] "GET /assets/32.32.6469f06d961e83d45607.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
    192.168.0.133 - [email protected] [08/Sep/2016:14:05:23 +0300] "GET /assets/plugin/org.graylog.plugins.collector.CollectorPlugin/plugin.org.graylog.plugins.collector.CollectorPlugin.2d7e15af839c3b19942b.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
    192.168.0.133 - [email protected] [08/Sep/2016:14:05:23 +0300] "GET /assets/app.6469f06d961e83d45607.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"

Request headers:

    GET /api/system/sessions HTTP/1.1
    Host: graylog.example.com
    Connection: keep-alive
    Authorization: Basic dW5kZWZpbmVkOnNlc3Npb24=
    Accept: application/json
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36
    Content-Type: application/json
    Referer: https://graylog.example.com/
    Accept-Encoding: gzip, deflate, sdch, br
    Accept-Language: en-US,en;q=0.8,ru;q=0.6
    Cookie: gssapi_session=MagBearerToken=XXXYYY

Response headers:

    HTTP/1.1 401 Unauthorized
    Date: Thu, 08 Sep 2016 11:05:20 GMT
    Server: Apache
    Set-Cookie: gssapi_session=MagBearerToken=XXXYYY;path=/;httponly;secure;
    WWW-Authenticate: Negotiate
    Cache-Control: no-cache
    Content-Length: 381
    Keep-Alive: timeout=5, max=99
    Connection: Keep-Alive
    Content-Type: text/html; charset=iso-8859-1

It seems like the request to /api/system/sessions breaks Kerberos auth (header WWW-Authenticate: Negotiate) by adding the HTTP header "Authorization: Basic dW5kZWZpbmVkOnNlc3Npb24=".

Does anyone use Kerberos Single Sign-On to Graylog? Do you have any idea how to set this up?

Regards,
Aleksey

--
You received this message because you are subscribed to the Google Groups "Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/5a1445ac-b255-4edc-885e-27520850e80c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
| Voice: +49 173 7100308 | Text: [email protected] | http://jalogis.ch/bio | W3W sticks.flanks.pulse |

To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/etPan.57da518b.3cd7cd12.3a1%40jalogisch.de.
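The header flow the thread describes, as an added Python model (not code from Graylog, the SSO plugin or mod_auth_gssapi). Two facts from the thread are reproduced: `Basic dW5kZWZpbmVkOnNlc3Npb24=` is plain base64 and decodes to `undefined:session`, and a request carrying that header on the GSSAPI-protected location got a 401 with `WWW-Authenticate: Negotiate` even though a `gssapi_session` cookie was sent. The gate rule below (a non-Negotiate Authorization header is challenged before the session cookie is considered) is an assumption derived from those logs, not a reading of the module source; the principal `user@EXAMPLE.COM` and the accepted cookie value are constructed. The model also shows the check a practitioner wants with trusted-header SSO: `RequestHeader set` overwrites a client-supplied `X-Remote-User` on the proxy path, so the only way to spoof it is to reach 127.0.0.1:9000 without the proxy, which is why that port must not be exposed beyond the proxy host (whether the plugin applies its own trusted-proxy check is not modelled).

```python
"""Model of the proxy -> Graylog header flow from the thread above.

Added example, not Graylog / SSO plugin / mod_auth_gssapi code. The gate
rule is ASSUMED from the posted logs; principal and cookie are constructed.
"""
import base64
from typing import Dict, Optional, Tuple

Headers = Dict[str, str]

# Constructed: the one gssapi_session cookie the gate accepts, and who it is.
VALID_SESSIONS = {"MagBearerToken=XXXYYY": "user@EXAMPLE.COM"}
SERVER_URL = "https://graylog.example.com/api/"


def decode_basic(authorization: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a 'Basic <base64>' header, else None."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def parse_cookie(header: str) -> Headers:
    """Split 'a=1; b=x=y' into {'a': '1', 'b': 'x=y'} (first '=' wins)."""
    cookies: Headers = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def gssapi_gate(headers: Headers) -> Tuple[int, Headers, Optional[str]]:
    """ASSUMED mod_auth_gssapi decision for the <Location /> in the thread.

    Returns (status, response_headers, REMOTE_USER). A real Negotiate token
    exchange is not modelled; only the session-cookie path and the observed
    failure mode are.
    """
    auth = headers.get("Authorization")
    if auth is not None and not auth.startswith("Negotiate "):
        # Observed: Authorization present but not Negotiate -> fresh challenge,
        # even though a valid gssapi_session cookie is on the same request.
        return 401, {"WWW-Authenticate": "Negotiate"}, None
    cookie = parse_cookie(headers.get("Cookie", "")).get("gssapi_session")
    user = VALID_SESSIONS.get(cookie) if cookie else None
    if user is None:
        return 401, {"WWW-Authenticate": "Negotiate"}, None
    return 200, {}, user


def proxy_forward(client: Headers, static_user: Optional[str] = None
                  ) -> Tuple[int, Headers, Headers]:
    """Apply the proxy rules; return (status, response_headers, backend_headers).

    static_user reproduces the first test config (fixed X-Remote-User, no
    AuthType): every request is forwarded as that user. Otherwise the gate
    decides and a 401 never reaches Graylog. Either way 'RequestHeader set'
    overwrites, so a client-supplied X-Remote-User is replaced, not relayed.
    """
    if static_user is not None:
        status, resp, user = 200, {}, static_user
    else:
        status, resp, user = gssapi_gate(client)
        if status != 200:
            return status, resp, {}
    backend = dict(client)
    backend["X-Graylog-Server-URL"] = SERVER_URL
    backend["X-Remote-User"] = user  # set by the proxy, never by the client
    return status, resp, backend


def direct_to_backend(client: Headers) -> Headers:
    """What 127.0.0.1:9000 sees if reachable without the proxy: headers as sent."""
    return dict(client)


def sso_login(backend_headers: Headers) -> Optional[str]:
    """The plugin setting from the thread: X-Remote-User is the login name."""
    return backend_headers.get("X-Remote-User")


if __name__ == "__main__":
    print(decode_basic("Basic dW5kZWZpbmVkOnNlc3Npb24="))
    good = {"Cookie": "gssapi_session=MagBearerToken=XXXYYY"}
    print(proxy_forward(good)[0], sso_login(proxy_forward(good)[2]))
    bad = dict(good, Authorization="Basic dW5kZWZpbmVkOnNlc3Npb24=")
    print(proxy_forward(bad)[:2])
    spoof = dict(good, **{"X-Remote-User": "admin"})
    print(sso_login(proxy_forward(spoof)[2]), sso_login(direct_to_backend(spoof)))
```

Running it prints the decoded credential, a 200 for the cookie-only request, the 401 with the Negotiate challenge once the Basic header is added, and `user@EXAMPLE.COM` versus `admin` for the spoofed header via the proxy and direct to the backend.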
