4.1
Kerberos
Kerberos uses SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) for authentication.
To set up Kerberos you need a Kerberos principal and a password-less keytab. Add them
in security.conf
:
# Kerberos settings
lenses.security.kerberos.service.principal="HTTP/lenses.url[@REALM]"
lenses.security.kerberos.keytab=/path/to/lenses.keytab
The system-wide Kerberos configuration contains information about your Kerberos KDC (key distribution center),
realm and other settings (typically is found at /etc/krb5.conf
). If you do not have a global
krb5.conf in place,
ask your Kerberos administrator
for one and point Lenses to it via the LENSES_OPT environment variable:
export LENSES_OPTS="-Djava.security.krb5.conf=/path/to/krb5.conf
Kerberos will automatically log in authorized users when using the /api/auth REST endpoint. If using Microsoft Windows, logging into your Windows domain is usually sufficient to issue your Kerberos credentials.
On Linux, if you use Kerberos with PAM, your Kerberos credentials should be already available
to Kerberos-enabled browsers. Otherwise, you will need to authenticate to the KDC manually using kinit
at the
command line and start your browser from the same terminal.
Group management
Kerberos by design focuses on authentication only. It provides the user’s principal, and is not managing user groups. Read how to create groups of users with permissions .