
Authenticate using REMOTE_USER from web application container

Open sigmaris opened this issue 11 years ago • 10 comments

It would be great to be able to authenticate to Graylog2 using (e.g.) the REMOTE_USER variable filled in by Apache when a user authenticates using one of Apache's authentication modules. This allows some single-sign-on implementations (e.g. using client certs or Kerberos) that would otherwise not be possible with username/password authentication.

I can expand on this by explaining our current setup with some of our other internal applications. With these, we run Apache with mod_auth_kerb installed, as the web server for the application. Apache mod_auth_kerb will try and authenticate users with SPNEGO, and then fill in the REMOTE_USER variable with the user's Kerberos principal. The web application then reads / trusts the REMOTE_USER variable from Apache and queries our LDAP server for info about the user's name, email and group membership. We also use the SPNEGO support in Tomcat for doing the same thing for servlet-based applications.

If Graylog2 could take the 'query LDAP using REMOTE_USER' approach that would be the best option, but also just taking the REMOTE_USER provided by Apache and logging in or creating a user in Graylog2's internal database (instead of querying LDAP) would be nice.

sigmaris avatar Jan 24 '14 17:01 sigmaris

Thank you! Scheduled for our "post-0.20.0" milestone. :)

lennartkoopmann avatar Jan 25 '14 15:01 lennartkoopmann

+1

I was looking for something similar for myself. I'd suggest going one step further, though: our SSO systems (CAS) can also pass the name/email/etc attributes in as part of the request, without any connection to any LDAP server whatsoever. Just let me map the names of attributes to your fields, and I'll be a happy camper. (And you won't have to go back and query LDAP for it!)

For reference purposes, here's the Apache module: https://github.com/Jasig/mod_auth_cas

btusi avatar Feb 22 '14 08:02 btusi
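Added example (not code from this thread, from Graylog or from mod_auth_cas): a small WSGI-style front door showing what "trusting REMOTE_USER" from the first post and the attribute mapping btusi asks for look like when done carefully. It accepts an identity assertion only from an allow-listed reverse proxy, normalizes a Kerberos principal against a realm allow-list, maps SSO-supplied attributes onto local user fields, and creates the user on first login (the "internal database" option from the first post). The header names, networks, realm and the in-memory user store are all assumptions.

```python
"""Added example: defensive handling of a proxy-asserted identity.

Assumptions (not from the issue or from Graylog):
 - the app sits behind an authenticating reverse proxy that forwards the
   verified principal as the X-Remote-User header (WSGI: HTTP_X_REMOTE_USER);
 - attributes from the SSO (CAS, SAML, ...) arrive as additional headers;
 - REMOTE_ADDR is the proxy's address, so an allow-list on it decides
   whether the headers may be believed at all.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed configuration.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32"),
                   ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_REALMS = {"EXAMPLE.ORG"}
ATTRIBUTE_MAP = {                 # incoming attribute -> local field
    "HTTP_X_CAS_DISPLAYNAME": "full_name",
    "HTTP_X_CAS_MAIL": "email",
}


@dataclass
class User:
    username: str
    full_name: str = ""
    email: str = ""
    groups: set = field(default_factory=set)


class AuthError(Exception):
    """Raised when the request carries no believable identity."""


def normalize_principal(principal):
    """Turn 'Alice@EXAMPLE.ORG' into 'alice'.

    Unknown realms, empty names and odd characters are rejected so that a
    stray header can never turn into an arbitrary local account name."""
    if "@" not in principal:
        raise AuthError("principal has no realm: %r" % principal)
    name, realm = principal.rsplit("@", 1)
    if realm not in ALLOWED_REALMS:
        raise AuthError("realm not trusted: %r" % realm)
    if not name or not name.replace(".", "").replace("-", "").isalnum():
        raise AuthError("unexpected principal name: %r" % name)
    return name.lower()


def authenticate(environ, users):
    """environ: WSGI environ dict. users: dict username -> User (our store).
    Returns the User, creating it on first sight."""
    src = ipaddress.ip_address(environ.get("REMOTE_ADDR", "0.0.0.0"))
    if not any(src in net for net in TRUSTED_PROXIES):
        # Only the proxy may assert identities. A client that talks to the
        # app directly and sends its own X-Remote-User gets nothing.
        raise AuthError("identity assertion from untrusted source %s" % src)
    principal = environ.get("HTTP_X_REMOTE_USER")
    if not principal:
        raise AuthError("proxy supplied no REMOTE_USER")
    username = normalize_principal(principal)
    user = users.get(username)
    if user is None:                       # first login: auto-provision
        user = User(username=username)
        users[username] = user
    # Refresh mapped attributes from the request on every login, so no
    # second LDAP round-trip is needed for name / email.
    for key, field_name in ATTRIBUTE_MAP.items():
        if key in environ:
            setattr(user, field_name, environ[key])
    return user


def is_rejected(environ, users):
    """Convenience for tests: True if authenticate() refuses the request."""
    try:
        authenticate(environ, users)
        return False
    except AuthError:
        return True


if __name__ == "__main__":
    store = {}
    req = {"REMOTE_ADDR": "10.1.2.3",
           "HTTP_X_REMOTE_USER": "Alice@EXAMPLE.ORG",
           "HTTP_X_CAS_MAIL": "alice@example.org"}
    print(authenticate(req, store))
```

The source check is the part that matters: REMOTE_USER is only as trustworthy as the path it travelled, so if the application can be reached without going through the authenticating proxy, the header must be ignored outright.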

for a similar request see #713

kroepke avatar Jun 03 '14 10:06 kroepke

+1

We're using FreeIPA and I'd like to configure SSO. Currently it won't authenticate against FreeIPA's LDAP and SSO would be preferable to that anyway.

matjam avatar Sep 17 '14 08:09 matjam

Is there any progress?

h0nIg avatar Apr 21 '15 13:04 h0nIg

:+1:

akrus avatar Oct 08 '15 12:10 akrus

Here is one attempt: https://github.com/mikkolehtisalo/grl-authen/tree/master

It's not a very working approach so I am not going to develop it further. The main reasons are that the REST API requires users' passwords, and the implementation breaks way too easily if something changes in Graylog and/or Play framework.

May I suggest that, given the apparent lack of resources compared to the requirements of implementing several kinds of authentication methods, Graylog should implement a re-usable access token service (specialized system level API) instead.

It would let people requiring different methods (OAuth, Kerberos, SAML, CAS, TLS client certificates etc) build their authentication on their own, and then based on that request a token from a system service. The token (typically a ready-to-use cookie) could then be proxied to the user.

mikkolehtisalo avatar Jan 12 '16 20:01 mikkolehtisalo
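Added example (not Graylog code and not from grl-authen): a minimal version of the access token service proposed in the comment above. An external authenticator (Kerberos, SAML, CAS, client certificates) that has already verified the user calls `issue_token()` over a system-level channel, hands the result to the browser as a cookie, and the application later checks it with `verify_token()` without ever seeing a password. The token format (HMAC-SHA256 over a short JSON body), the lifetime and the cookie name are assumptions.

```python
"""Added example: a small HMAC-based access token service.

Assumptions (not from the issue or from Graylog): tokens are
'<base64 body>.<base64 mac>', the body is JSON with subject, issuing
authenticator, issue time, expiry and a random id, and the signing secret
is held only by the token service and the application.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

SERVICE_SECRET = secrets.token_bytes(32)   # would come from server config
TOKEN_LIFETIME = 3600                      # seconds


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username, authenticator, now=None, secret=SERVICE_SECRET):
    """Mint a token asserting that `authenticator` verified `username`.
    Called only by trusted, system-level components, never by browsers."""
    now = int(time.time()) if now is None else now
    payload = {"sub": username, "auth": authenticator,
               "iat": now, "exp": now + TOKEN_LIFETIME,
               "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(mac)


def verify_token(token, now=None, secret=SERVICE_SECRET):
    """Return the payload dict if the token is authentic and unexpired,
    otherwise None. The MAC is checked before the body is parsed."""
    now = int(time.time()) if now is None else now
    try:
        body, mac_b64 = token.split(".", 1)
        expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(mac_b64)):
            return None
        payload = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None
    if not isinstance(payload, dict):
        return None
    if payload.get("exp", 0) <= now:
        return None
    return payload


def cookie_header(token):
    """The ready-to-use cookie the proposal mentions (name is assumed)."""
    return ("Set-Cookie: gl_session=%s; HttpOnly; Secure; "
            "SameSite=Lax; Path=/" % token)


if __name__ == "__main__":
    tok = issue_token("alice", "kerberos")
    print(cookie_header(tok))
    print(verify_token(tok))
```

Issuing and verifying share one secret, so the issuing endpoint must only be reachable by the authenticator components (a local socket or an allow-listed internal network), exactly as with REMOTE_USER itself.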

+1 nice!

h0nIg avatar Jan 12 '16 21:01 h0nIg

+1

btw. first comment says "Scheduled for our "post-0.20.0" milestone" but it doesn't look scheduled at all... any updates?

pettai avatar Mar 09 '16 07:03 pettai

will be made possible by https://github.com/Graylog2/graylog2-server/issues/2232

kroepke avatar May 13 '16 13:05 kroepke