It is time to say goodbye: This version of Elastic Cloud Enterprise has reached end-of-life (EOL) and is no longer supported.
The documentation for this version is no longer being maintained. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Secure your clusters with Kerberos
editSecure your clusters with Kerberos
editYou can secure your Elasticsearch clusters and Kibana instances in a deployment by using the Kerberos-5 protocol to authenticate users.
The Kerberos credentials are valid against the deployment, not the ECE platform.
Before you begin
editElastic Cloud Enterprise supports Kerberos with Elastic Stack version 7.3 and later.
The steps in this section require an understanding of Kerberos. To learn more about Kerberos, see our documentation on configuring Elasticsearch for Kerberos authentication.
Configure the cluster to use Kerberos
editWith a custom bundle containing the Kerberos files and changes to the cluster configuration, you can enforce user authentication through the Kerberos protocol.
- Create or use an existing deployment that includes a Kibana instance version 7.3 or later.
-
Create a custom bundle that contains your
krb5.conf
andkeytab
files, and add it to your cluster.You should use these exact filenames for Elastic Cloud Enterprise to recognize the file in the bundle.
-
Edit your cluster configuration, sometimes also referred to as the deployment plan, to define Kerberos settings as described in Elasticsearch documentation.
xpack.security.authc.realms.kerberos.cloud-krb: order: 2 keytab.path: es.keytab remove_realm_name: false
-
Update Kibana in the user settings configuration to use Kerberos as the authentication provider:
xpack.security.authc.providers: ['kerberos']
This configuration disables all other realms and only allows users to authenticate with Kerberos. If you wish to allow your native realm users to authenticate, you need to also enable the
basic
authProvider
by settingxpack.security.authc.providers: [kerberos, basic]
in the configuration of Kibana. - Use the Kibana endpoint URL to log in.