diff --git a/auditbeat/auditbeat.reference.yml b/auditbeat/auditbeat.reference.yml index 38d87c0062a..f62d0737e00 100644 --- a/auditbeat/auditbeat.reference.yml +++ b/auditbeat/auditbeat.reference.yml @@ -594,6 +594,7 @@ output.elasticsearch: # Kerberos realm. #kerberos.realm: ELASTIC + # ------------------------------ Logstash Output ------------------------------- #output.logstash: # Boolean flag to enable or disable the output module. @@ -852,10 +853,6 @@ output.elasticsearch: # purposes. The default is "beats". #client_id: beats - # Enables Kerberos FAST authentication in the Kafka output. This may - # conflict with certain Active Directory configurations. - #enable_krb5_fast: false - # Use SSL settings for HTTPS. #ssl.enabled: true @@ -934,6 +931,10 @@ output.elasticsearch: # Kerberos realm. #kerberos.realm: ELASTIC + # Enables Kerberos FAST authentication. This may + # conflict with certain Active Directory configurations. + #kerberos.enable_krb5_fast: false + # -------------------------------- Redis Output -------------------------------- #output.redis: # Boolean flag to enable or disable the output module. diff --git a/filebeat/filebeat.reference.yml b/filebeat/filebeat.reference.yml index 9710b7a6111..c799fcd5ba0 100644 --- a/filebeat/filebeat.reference.yml +++ b/filebeat/filebeat.reference.yml @@ -1497,6 +1497,7 @@ output.elasticsearch: # Kerberos realm. #kerberos.realm: ELASTIC + # ------------------------------ Logstash Output ------------------------------- #output.logstash: # Boolean flag to enable or disable the output module. @@ -1755,10 +1756,6 @@ output.elasticsearch: # purposes. The default is "beats". #client_id: beats - # Enables Kerberos FAST authentication in the Kafka output. This may - # conflict with certain Active Directory configurations. - #enable_krb5_fast: false - # Use SSL settings for HTTPS. #ssl.enabled: true @@ -1837,6 +1834,10 @@ output.elasticsearch: # Kerberos realm. #kerberos.realm: ELASTIC + # Enables Kerberos FAST authentication. This may + # conflict with certain Active Directory configurations. + #kerberos.enable_krb5_fast: false + # -------------------------------- Redis Output -------------------------------- #output.redis: # Boolean flag to enable or disable the output module. diff --git a/filebeat/input/kafka/config.go b/filebeat/input/kafka/config.go index 75a0957744a..c69b2522a4f 100644 --- a/filebeat/input/kafka/config.go +++ b/filebeat/input/kafka/config.go @@ -193,6 +193,7 @@ func newSaramaConfig(config kafkaInputConfig) (*sarama.Config, error) { Username: config.Kerberos.Username, Password: config.Kerberos.Password, Realm: config.Kerberos.Realm, + DisablePAFXFAST: !config.Kerberos.EnableFAST, } } diff --git a/heartbeat/heartbeat.reference.yml b/heartbeat/heartbeat.reference.yml index dd20469807a..c2c74fca2f1 100644 --- a/heartbeat/heartbeat.reference.yml +++ b/heartbeat/heartbeat.reference.yml @@ -772,6 +772,7 @@ output.elasticsearch: # Kerberos realm. #kerberos.realm: ELASTIC + # ------------------------------ Logstash Output ------------------------------- #output.logstash: # Boolean flag to enable or disable the output module. @@ -1030,10 +1031,6 @@ output.elasticsearch: # purposes. The default is "beats". #client_id: beats - # Enables Kerberos FAST authentication in the Kafka output. This may - # conflict with certain Active Directory configurations. - #enable_krb5_fast: false - # Use SSL settings for HTTPS. #ssl.enabled: true @@ -1112,6 +1109,10 @@ output.elasticsearch: # Kerberos realm. #kerberos.realm: ELASTIC + # Enables Kerberos FAST authentication. This may + # conflict with certain Active Directory configurations. + #kerberos.enable_krb5_fast: false + # -------------------------------- Redis Output -------------------------------- #output.redis: # Boolean flag to enable or disable the output module. diff --git a/journalbeat/journalbeat.reference.yml b/journalbeat/journalbeat.reference.yml index 29e6d2a90ab..dae323d89af 100644 --- a/journalbeat/journalbeat.reference.yml +++ b/journalbeat/journalbeat.reference.yml @@ -537,6 +537,7 @@ output.elasticsearch: # Kerberos realm. #kerberos.realm: ELASTIC + # ------------------------------ Logstash Output ------------------------------- #output.logstash: # Boolean flag to enable or disable the output module. @@ -795,10 +796,6 @@ output.elasticsearch: # purposes. The default is "beats". #client_id: beats - # Enables Kerberos FAST authentication in the Kafka output. This may - # conflict with certain Active Directory configurations. - #enable_krb5_fast: false - # Use SSL settings for HTTPS. #ssl.enabled: true @@ -877,6 +874,10 @@ output.elasticsearch: # Kerberos realm. #kerberos.realm: ELASTIC + # Enables Kerberos FAST authentication. This may + # conflict with certain Active Directory configurations. + #kerberos.enable_krb5_fast: false + # -------------------------------- Redis Output -------------------------------- #output.redis: # Boolean flag to enable or disable the output module. diff --git a/libbeat/_meta/config/output-elasticsearch.reference.yml.tmpl b/libbeat/_meta/config/output-elasticsearch.reference.yml.tmpl index c364cb7b179..8bb01212d2d 100644 --- a/libbeat/_meta/config/output-elasticsearch.reference.yml.tmpl +++ b/libbeat/_meta/config/output-elasticsearch.reference.yml.tmpl @@ -98,3 +98,4 @@ output.elasticsearch: # Kerberos realm. #kerberos.realm: ELASTIC + diff --git a/libbeat/_meta/config/output-kafka.reference.yml.tmpl b/libbeat/_meta/config/output-kafka.reference.yml.tmpl index 366652fd23e..336b5fd866b 100644 --- a/libbeat/_meta/config/output-kafka.reference.yml.tmpl +++ b/libbeat/_meta/config/output-kafka.reference.yml.tmpl @@ -131,10 +131,6 @@ # purposes. The default is "beats". #client_id: beats - # Enables Kerberos FAST authentication in the Kafka output. This may - # conflict with certain Active Directory configurations. - #enable_krb5_fast: false - {{include "ssl.reference.yml.tmpl" . | indent 2 }} # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true @@ -160,3 +156,7 @@ # Kerberos realm. #kerberos.realm: ELASTIC + + # Enables Kerberos FAST authentication. This may + # conflict with certain Active Directory configurations. + #kerberos.enable_krb5_fast: false diff --git a/libbeat/common/transport/kerberos/config.go b/libbeat/common/transport/kerberos/config.go index 42b779485fe..abea183f4d1 100644 --- a/libbeat/common/transport/kerberos/config.go +++ b/libbeat/common/transport/kerberos/config.go @@ -50,6 +50,7 @@ type Config struct { Username string `config:"username"` Password string `config:"password"` Realm string `config:"realm" validate:"required"` + EnableFAST bool `config:"enable_krb5_fast"` } // IsEnabled returns true if the `enable` field is set to true in the yaml. diff --git a/libbeat/docs/shared-kerberos-config.asciidoc b/libbeat/docs/shared-kerberos-config.asciidoc index 305df2e5df1..44d80adc17b 100644 --- a/libbeat/docs/shared-kerberos-config.asciidoc +++ b/libbeat/docs/shared-kerberos-config.asciidoc @@ -86,3 +86,8 @@ This option can only be configured for Kafka. It is the name of the Kafka servic ==== `realm` Name of the realm where the output resides. + +[float] +==== `enable_krb5_fast` + +Enable Kerberos FAST authentication. This may conflict with some Active Directory installations. The default is `false`. \ No newline at end of file diff --git a/libbeat/outputs/kafka/config.go b/libbeat/outputs/kafka/config.go index 374ed500e10..fabf0989958 100644 --- a/libbeat/outputs/kafka/config.go +++ b/libbeat/outputs/kafka/config.go @@ -201,6 +201,13 @@ func newSaramaConfig(log *logp.Logger, config *kafkaConfig) (*sarama.Config, err case config.Kerberos.IsEnabled(): cfgwarn.Beta("Kerberos authentication for Kafka is beta.") + // Due to a regrettable past decision, the flag controlling Kerberos + // FAST authentication was initially added to the output configuration + // rather than the shared Kerberos configuration. To avoid a breaking + // change, we still check for the old flag, but it is deprecated and + // should be removed in a future version. + enableFAST := config.Kerberos.EnableFAST || config.EnableFAST + k.Net.SASL.Enable = true k.Net.SASL.Mechanism = sarama.SASLTypeGSSAPI k.Net.SASL.GSSAPI = sarama.GSSAPIConfig{ @@ -211,7 +218,7 @@ func newSaramaConfig(log *logp.Logger, config *kafkaConfig) (*sarama.Config, err Username: config.Kerberos.Username, Password: config.Kerberos.Password, Realm: config.Kerberos.Realm, - DisablePAFXFAST: !config.EnableFAST, + DisablePAFXFAST: !enableFAST, } case config.Username != "": diff --git a/libbeat/outputs/kafka/docs/kafka.asciidoc b/libbeat/outputs/kafka/docs/kafka.asciidoc index 026d0431345..f61d4c5d985 100644 --- a/libbeat/outputs/kafka/docs/kafka.asciidoc +++ b/libbeat/outputs/kafka/docs/kafka.asciidoc @@ -309,12 +309,6 @@ The ACK reliability level required from broker. 0=no response, 1=wait for local Note: If set to 0, no ACKs are returned by Kafka. Messages might be lost silently on error. -===== `enable_krb5_fast` - -beta[] - -Enable Kerberos FAST authentication. This may conflict with some Active Directory installations. It is separate from the standard Kerberos settings because this flag only applies to the Kafka output. The default is `false`. - ===== `ssl` Configuration options for SSL parameters like the root CA for Kafka connections. diff --git a/metricbeat/metricbeat.reference.yml b/metricbeat/metricbeat.reference.yml index 861ff13108f..fc4fc1e027c 100644 --- a/metricbeat/metricbeat.reference.yml +++ b/metricbeat/metricbeat.reference.yml @@ -1392,6 +1392,7 @@ output.elasticsearch: # Kerberos realm. #kerberos.realm: ELASTIC + # ------------------------------ Logstash Output ------------------------------- #output.logstash: # Boolean flag to enable or disable the output module. @@ -1650,10 +1651,6 @@ output.elasticsearch: # purposes. The default is "beats". #client_id: beats - # Enables Kerberos FAST authentication in the Kafka output. This may - # conflict with certain Active Directory configurations. - #enable_krb5_fast: false - # Use SSL settings for HTTPS. #ssl.enabled: true @@ -1732,6 +1729,10 @@ output.elasticsearch: # Kerberos realm. #kerberos.realm: ELASTIC + # Enables Kerberos FAST authentication. This may + # conflict with certain Active Directory configurations. + #kerberos.enable_krb5_fast: false + # -------------------------------- Redis Output -------------------------------- #output.redis: # Boolean flag to enable or disable the output module. diff --git a/packetbeat/packetbeat.reference.yml b/packetbeat/packetbeat.reference.yml index 6af69f969db..2dd7bdf9e6d 100644 --- a/packetbeat/packetbeat.reference.yml +++ b/packetbeat/packetbeat.reference.yml @@ -1089,6 +1089,7 @@ output.elasticsearch: # Kerberos realm. #kerberos.realm: ELASTIC + # ------------------------------ Logstash Output ------------------------------- #output.logstash: # Boolean flag to enable or disable the output module. @@ -1347,10 +1348,6 @@ output.elasticsearch: # purposes. The default is "beats". #client_id: beats - # Enables Kerberos FAST authentication in the Kafka output. This may - # conflict with certain Active Directory configurations. - #enable_krb5_fast: false - # Use SSL settings for HTTPS. #ssl.enabled: true @@ -1429,6 +1426,10 @@ output.elasticsearch: # Kerberos realm. #kerberos.realm: ELASTIC + # Enables Kerberos FAST authentication. This may + # conflict with certain Active Directory configurations. + #kerberos.enable_krb5_fast: false + # -------------------------------- Redis Output -------------------------------- #output.redis: # Boolean flag to enable or disable the output module. diff --git a/winlogbeat/winlogbeat.reference.yml b/winlogbeat/winlogbeat.reference.yml index e818d35392e..809c68e6ad9 100644 --- a/winlogbeat/winlogbeat.reference.yml +++ b/winlogbeat/winlogbeat.reference.yml @@ -517,6 +517,7 @@ output.elasticsearch: # Kerberos realm. #kerberos.realm: ELASTIC + # ------------------------------ Logstash Output ------------------------------- #output.logstash: # Boolean flag to enable or disable the output module. @@ -775,10 +776,6 @@ output.elasticsearch: # purposes. The default is "beats". #client_id: beats - # Enables Kerberos FAST authentication in the Kafka output. This may - # conflict with certain Active Directory configurations. - #enable_krb5_fast: false - # Use SSL settings for HTTPS. #ssl.enabled: true @@ -857,6 +854,10 @@ output.elasticsearch: # Kerberos realm. #kerberos.realm: ELASTIC + # Enables Kerberos FAST authentication. This may + # conflict with certain Active Directory configurations. + #kerberos.enable_krb5_fast: false + # -------------------------------- Redis Output -------------------------------- #output.redis: # Boolean flag to enable or disable the output module. diff --git a/x-pack/auditbeat/auditbeat.reference.yml b/x-pack/auditbeat/auditbeat.reference.yml index bfb92eee4a9..616112a7d8b 100644 --- a/x-pack/auditbeat/auditbeat.reference.yml +++ b/x-pack/auditbeat/auditbeat.reference.yml @@ -650,6 +650,7 @@ output.elasticsearch: # Kerberos realm. #kerberos.realm: ELASTIC + # ------------------------------ Logstash Output ------------------------------- #output.logstash: # Boolean flag to enable or disable the output module. @@ -908,10 +909,6 @@ output.elasticsearch: # purposes. The default is "beats". #client_id: beats - # Enables Kerberos FAST authentication in the Kafka output. This may - # conflict with certain Active Directory configurations. - #enable_krb5_fast: false - # Use SSL settings for HTTPS. #ssl.enabled: true @@ -990,6 +987,10 @@ output.elasticsearch: # Kerberos realm. #kerberos.realm: ELASTIC + # Enables Kerberos FAST authentication. This may + # conflict with certain Active Directory configurations. + #kerberos.enable_krb5_fast: false + # -------------------------------- Redis Output -------------------------------- #output.redis: # Boolean flag to enable or disable the output module. diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index 8f4ce060801..78530816758 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -3600,6 +3600,7 @@ output.elasticsearch: # Kerberos realm. #kerberos.realm: ELASTIC + # ------------------------------ Logstash Output ------------------------------- #output.logstash: # Boolean flag to enable or disable the output module. @@ -3858,10 +3859,6 @@ output.elasticsearch: # purposes. The default is "beats". #client_id: beats - # Enables Kerberos FAST authentication in the Kafka output. This may - # conflict with certain Active Directory configurations. - #enable_krb5_fast: false - # Use SSL settings for HTTPS. #ssl.enabled: true @@ -3940,6 +3937,10 @@ output.elasticsearch: # Kerberos realm. #kerberos.realm: ELASTIC + # Enables Kerberos FAST authentication. This may + # conflict with certain Active Directory configurations. + #kerberos.enable_krb5_fast: false + # -------------------------------- Redis Output -------------------------------- #output.redis: # Boolean flag to enable or disable the output module. diff --git a/x-pack/functionbeat/functionbeat.reference.yml b/x-pack/functionbeat/functionbeat.reference.yml index 664f02de244..5a760f97046 100644 --- a/x-pack/functionbeat/functionbeat.reference.yml +++ b/x-pack/functionbeat/functionbeat.reference.yml @@ -880,6 +880,7 @@ output.elasticsearch: # Kerberos realm. #kerberos.realm: ELASTIC + # ------------------------------ Logstash Output ------------------------------- #output.logstash: # Boolean flag to enable or disable the output module. diff --git a/x-pack/heartbeat/heartbeat.reference.yml b/x-pack/heartbeat/heartbeat.reference.yml index dd20469807a..c2c74fca2f1 100644 --- a/x-pack/heartbeat/heartbeat.reference.yml +++ b/x-pack/heartbeat/heartbeat.reference.yml @@ -772,6 +772,7 @@ output.elasticsearch: # Kerberos realm. #kerberos.realm: ELASTIC + # ------------------------------ Logstash Output ------------------------------- #output.logstash: # Boolean flag to enable or disable the output module. @@ -1030,10 +1031,6 @@ output.elasticsearch: # purposes. The default is "beats". #client_id: beats - # Enables Kerberos FAST authentication in the Kafka output. This may - # conflict with certain Active Directory configurations. - #enable_krb5_fast: false - # Use SSL settings for HTTPS. #ssl.enabled: true @@ -1112,6 +1109,10 @@ output.elasticsearch: # Kerberos realm. #kerberos.realm: ELASTIC + # Enables Kerberos FAST authentication. This may + # conflict with certain Active Directory configurations. + #kerberos.enable_krb5_fast: false + # -------------------------------- Redis Output -------------------------------- #output.redis: # Boolean flag to enable or disable the output module. diff --git a/x-pack/metricbeat/metricbeat.reference.yml b/x-pack/metricbeat/metricbeat.reference.yml index 6fedb3b78d9..4bd416f7883 100644 --- a/x-pack/metricbeat/metricbeat.reference.yml +++ b/x-pack/metricbeat/metricbeat.reference.yml @@ -1893,6 +1893,7 @@ output.elasticsearch: # Kerberos realm. #kerberos.realm: ELASTIC + # ------------------------------ Logstash Output ------------------------------- #output.logstash: # Boolean flag to enable or disable the output module. @@ -2151,10 +2152,6 @@ output.elasticsearch: # purposes. The default is "beats". #client_id: beats - # Enables Kerberos FAST authentication in the Kafka output. This may - # conflict with certain Active Directory configurations. - #enable_krb5_fast: false - # Use SSL settings for HTTPS. #ssl.enabled: true @@ -2233,6 +2230,10 @@ output.elasticsearch: # Kerberos realm. #kerberos.realm: ELASTIC + # Enables Kerberos FAST authentication. This may + # conflict with certain Active Directory configurations. + #kerberos.enable_krb5_fast: false + # -------------------------------- Redis Output -------------------------------- #output.redis: # Boolean flag to enable or disable the output module. diff --git a/x-pack/osquerybeat/osquerybeat.reference.yml b/x-pack/osquerybeat/osquerybeat.reference.yml index eca6094f641..eb98402f328 100644 --- a/x-pack/osquerybeat/osquerybeat.reference.yml +++ b/x-pack/osquerybeat/osquerybeat.reference.yml @@ -493,6 +493,7 @@ output.elasticsearch: # Kerberos realm. #kerberos.realm: ELASTIC + # ------------------------------ Logstash Output ------------------------------- #output.logstash: # Boolean flag to enable or disable the output module. diff --git a/x-pack/packetbeat/packetbeat.reference.yml b/x-pack/packetbeat/packetbeat.reference.yml index 6af69f969db..2dd7bdf9e6d 100644 --- a/x-pack/packetbeat/packetbeat.reference.yml +++ b/x-pack/packetbeat/packetbeat.reference.yml @@ -1089,6 +1089,7 @@ output.elasticsearch: # Kerberos realm. #kerberos.realm: ELASTIC + # ------------------------------ Logstash Output ------------------------------- #output.logstash: # Boolean flag to enable or disable the output module. @@ -1347,10 +1348,6 @@ output.elasticsearch: # purposes. The default is "beats". #client_id: beats - # Enables Kerberos FAST authentication in the Kafka output. This may - # conflict with certain Active Directory configurations. - #enable_krb5_fast: false - # Use SSL settings for HTTPS. #ssl.enabled: true @@ -1429,6 +1426,10 @@ output.elasticsearch: # Kerberos realm. #kerberos.realm: ELASTIC + # Enables Kerberos FAST authentication. This may + # conflict with certain Active Directory configurations. + #kerberos.enable_krb5_fast: false + # -------------------------------- Redis Output -------------------------------- #output.redis: # Boolean flag to enable or disable the output module. diff --git a/x-pack/winlogbeat/winlogbeat.reference.yml b/x-pack/winlogbeat/winlogbeat.reference.yml index 4707d065fe6..3b94dd6d807 100644 --- a/x-pack/winlogbeat/winlogbeat.reference.yml +++ b/x-pack/winlogbeat/winlogbeat.reference.yml @@ -560,6 +560,7 @@ output.elasticsearch: # Kerberos realm. #kerberos.realm: ELASTIC + # ------------------------------ Logstash Output ------------------------------- #output.logstash: # Boolean flag to enable or disable the output module. @@ -818,10 +819,6 @@ output.elasticsearch: # purposes. The default is "beats". #client_id: beats - # Enables Kerberos FAST authentication in the Kafka output. This may - # conflict with certain Active Directory configurations. - #enable_krb5_fast: false - # Use SSL settings for HTTPS. #ssl.enabled: true @@ -900,6 +897,10 @@ output.elasticsearch: # Kerberos realm. #kerberos.realm: ELASTIC + # Enables Kerberos FAST authentication. This may + # conflict with certain Active Directory configurations. + #kerberos.enable_krb5_fast: false + # -------------------------------- Redis Output -------------------------------- #output.redis: # Boolean flag to enable or disable the output module.