Change plugins.security.kerberos.krb5_filepath to a relative path
#10985
Conversation
Pigueiras
requested review from
AMoo-Miki,
dlvenable,
epugh,
kolchfa-aws,
natebower and
sumobrian
as code owners
|
Thank you for submitting your PR. The PR states are In progress (or Draft) -> Tech review -> Doc review -> Editorial review -> Merged. Before you submit your PR for doc review, make sure the content is technically accurate. If you need help finding a tech reviewer, tag a maintainer. When you're ready for doc review, tag the assignee of this PR. The doc reviewer may push edits to the PR directly or leave comments and editorial suggestions for you to address (let us know in a comment if you have a preference). The doc reviewer will arrange for an editorial review. |
|
@cwperks Could you review this PR when you get a chance? |
|
@Pigueiras Could you please fix DCO in the meantime? |
Pigueiras
force-pushed
the
kerberos
branch
2 times, most recently
from
115595b to
61e890f
Compare
|
Thank you for the PR @Pigueiras. The changes lgtm and I do think its worthwhile to make this change on the documentation website. With that being said, what you faced in the security repo is a bug that needs to be addressed there as well. Essentially the security repo needs to have a grant in its and the grant needs to reference the system prop that holds the location of the config file. Unfortunately, I don't know how to test kerberos setup in order to adequate prepare a bugfix. |
This commit updates `plugins.security.kerberos.krb5_filepath` to use a relative path and extends the existing clarification note about the `keytab` file, which is also required to be relative. With Java 24 (bundled in OpenSearch 3.2), absolute paths no longer work due to stricter security restrictions introduced in newer JDK versions. Related issue: [opensearch-project/security#5646](opensearch-project/security#5646) Signed-off-by: Luis Pigueiras <[email protected]>
kolchfa-aws
added
Editorial review
Signed-off-by: Nathan Bower <[email protected]>
…10985) * Change `plugins.security.kerberos.krb5_filepath` to a relative path This commit updates `plugins.security.kerberos.krb5_filepath` to use a relative path and extends the existing clarification note about the `keytab` file, which is also required to be relative. With Java 24 (bundled in OpenSearch 3.2), absolute paths no longer work due to stricter security restrictions introduced in newer JDK versions. Related issue: [opensearch-project/security#5646](opensearch-project/security#5646) Signed-off-by: Luis Pigueiras <[email protected]> * Update _security/authentication-backends/kerberos.md Signed-off-by: Nathan Bower <[email protected]> --------- Signed-off-by: Luis Pigueiras <[email protected]> Signed-off-by: Nathan Bower <[email protected]> Co-authored-by: Nathan Bower <[email protected]> (cherry picked from commit e733852) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
4 participants
Description
This PR updates
plugins.security.kerberos.krb5_filepathto use a relative path and extends the existing clarification note about thekeytabfile, which is also required to be relative.With Java 24 (bundled in OpenSearch 3.2), absolute paths no longer work due to stricter security restrictions introduced in newer JDK versions.
Issues Resolved
I can open one in this project if needed, but it's related to: opensearch-project/security#5646
Version
Only from 3.2 onwards.
Checklist
For more information on following Developer Certificate of Origin and signing off your commits, please check here.