Re: [graylog2] Re: Graylog Kerberos Single Sign-On Configuration

2016-09-15 Thread Aleksey Chudov
I have opened the bug report https://github.com/Graylog2/graylog-plugin-auth-sso/issues/16.

Thank you!

On Thursday, September 15, 2016 at 10:45:21 AM UTC+3, Jan Doberstein wrote:
>
> Dear Aleksey,
>
> please open a bug report for this: 
> https://github.com/Graylog2/graylog-plugin-auth-sso/issues
>
> thank you



Re: [graylog2] Re: Graylog Kerberos Single Sign-On Configuration

2016-09-15 Thread Jan Doberstein
Dear Aleksey,

please open a bug report for this: 
https://github.com/Graylog2/graylog-plugin-auth-sso/issues

thank you


From: Aleksey Chudov
Reply-To: graylog2@googlegroups.com
Date: 15 September 2016 at 09:32:52
To: Graylog Users
Subject: [graylog2] Re: Graylog Kerberos Single Sign-On Configuration

Dear Graylog developers,

Should I register a bug or a feature request on this issue?

Aleksey


On Thursday, September 8, 2016 at 2:23:00 PM UTC+3, Aleksey Chudov wrote:
Hi,

Thanks for SSO Authentication Plugin for Graylog! 

I'm trying to set up Kerberos Single Sign-On to Graylog 2.1 on my Apache HTTP 
Server proxy.

My current Apache HTTP Server proxy configuration:

    
        SSLRequireSSL
        RequestHeader set X-Graylog-Server-URL "https://graylog.example.com/api/"
        ProxyPass http://127.0.0.1:9000/
        ProxyPassReverse http://127.0.0.1:9000/
    

First of all I've created user ad...@example.com via Graylog WEB UI 
/system/authentication/users and configured SSO Plugin 
/system/authentication/config/sso to trust X-Remote-User HTTP header.

To test that the SSO plugin works as expected, I've added a static header to my 
configuration:

    
        SSLRequireSSL
        RequestHeader set X-Graylog-Server-URL "https://graylog.example.com/api/"
        RequestHeader set X-Remote-User "ad...@example.com"
        ProxyPass http://127.0.0.1:9000/
        ProxyPassReverse http://127.0.0.1:9000/
    

With the above configuration I always log in as ad...@example.com without 
being prompted for a password.

So, the Kerberos part uses mod_auth_gssapi 
https://github.com/modauthgssapi/mod_auth_gssapi

    
        SSLRequireSSL

        AuthType GSSAPI
        AuthName "Kerberos Login"
        GssapiCredStore keytab:/etc/httpd/conf/krb5.keytab
        GssapiUseSessions On
        Require valid-user

        RequestHeader set X-Graylog-Server-URL "https://graylog.example.com/api/"
        RequestHeader set X-Remote-User %{REMOTE_USER}s

        Session On
        SessionCookieName gssapi_session path=/;httponly;secure;

        ProxyPass http://127.0.0.1:9000/
        ProxyPassReverse http://127.0.0.1:9000/
    

With the above configuration Apache HTTP Server authenticates me as 
ad...@example.com, but the Graylog API session is not authorized:

192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:19 +0300] "GET / HTTP/1.1" 200 500 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:19 +0300] "GET /config.js HTTP/1.1" 200 136 "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:19 +0300] "GET /assets/polyfill.6469f06d961e83d45607.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:20 +0300] "GET /assets/plugin/org.graylog.plugins.pipelineprocessor.ProcessorPlugin/plugin.org.graylog.plugins.pipelineprocessor.PipelineProcessorPlugin.052c725323b2a784f7b0.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - - [08/Sep/2016:14:05:20 +0300] "GET /api/system/sessions HTTP/1.1" 401 381 "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - - [08/Sep/2016:14:05:20 +0300] "GET /api/system/sessions HTTP/1.1" 401 381 "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:21 +0300] "GET /assets/plugin/org.graylog.plugins.enterprise_integration.EnterpriseIntegrationPlugin/plugin.org.graylog.plugins.enterprise_integration.EnterpriseIntegrationPlugin.cac9c48526f92b69f0dc.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:21 +0300] "GET /assets/plugin/org.graylog.plugins.map.MapWidgetPlugin/plugin.org.graylog.plugins.map.MapWidgetPlugin.2d9b16670c4a97bedae2.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:22 +0300] "GET /api/system/cluster/node HTTP/1.1" 200 223 "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - - [08/Sep/2016:14:05:22 +0300] "GET /api/system/sessions HTTP/1.1" 401 381 "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.3
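
Added example, not part of the original thread or of the Graylog project: a small Python check over an access log shaped like the one above. It lists the API requests that the proxy logged without an authenticated user, which are the ones where `RequestHeader set X-Remote-User %{REMOTE_USER}s` has no user name to forward. The sample lines are constructed, the user name `alice@EXAMPLE.COM` is a placeholder, and the function names are hypothetical.

```python
import re
from collections import Counter

# Apache combined log prefix: host ident user [time] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample shaped like the access log in the post; the user name is a
# placeholder and the referer/user-agent fields are omitted.
SAMPLE_LOG = '''\
192.168.0.133 - alice@EXAMPLE.COM [08/Sep/2016:14:05:19 +0300] "GET / HTTP/1.1" 200 500
192.168.0.133 - alice@EXAMPLE.COM [08/Sep/2016:14:05:19 +0300] "GET /config.js HTTP/1.1" 200 136
192.168.0.133 - - [08/Sep/2016:14:05:20 +0300] "GET /api/system/sessions HTTP/1.1" 401 381
192.168.0.133 - - [08/Sep/2016:14:05:20 +0300] "GET /api/system/sessions HTTP/1.1" 401 381
192.168.0.133 - alice@EXAMPLE.COM [08/Sep/2016:14:05:22 +0300] "GET /api/system/cluster/node HTTP/1.1" 200 223
192.168.0.133 - - [08/Sep/2016:14:05:22 +0300] "GET /api/system/sessions HTTP/1.1" 401 381
this line is truncated and must be skipped
'''

def parse(line):
    """Parse one access log line; return None for malformed or truncated lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry

def entries(log_text):
    """All well-formed entries in the log text, in order."""
    return [e for e in map(parse, log_text.splitlines()) if e is not None]

def unauthenticated(log_text, prefix="/api/"):
    """Requests under prefix for which the proxy logged no user ('-')."""
    return [e for e in entries(log_text)
            if e["path"].startswith(prefix) and e["user"] == "-"]

def identity_by_path(log_text):
    """Count requests per (path, proxy_had_user, status)."""
    return Counter((e["path"], e["user"] != "-", e["status"])
                   for e in entries(log_text))

if __name__ == "__main__":
    for (path, had_user, status), n in sorted(identity_by_path(SAMPLE_LOG).items()):
        print(n, "user=yes" if had_user else "user=no", status, path)
```
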