From 7c6620a3ee180c6e16688ca257d98bb59d8954fe Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Thu, 25 Sep 2025 19:34:07 +0000 Subject: [PATCH] Change `plugins.security.kerberos.krb5_filepath` to a relative path (#10985) * Change `plugins.security.kerberos.krb5_filepath` to a relative path This commit updates `plugins.security.kerberos.krb5_filepath` to use a relative path and extends the existing clarification note about the `keytab` file, which is also required to be relative. With Java 24 (bundled in OpenSearch 3.2), absolute paths no longer work due to stricter security restrictions introduced in newer JDK versions. Related issue: [opensearch-project/security#5646](https://github.com/opensearch-project/security/issues/5646) Signed-off-by: Luis Pigueiras * Update _security/authentication-backends/kerberos.md Signed-off-by: Nathan Bower --------- Signed-off-by: Luis Pigueiras Signed-off-by: Nathan Bower Co-authored-by: Nathan Bower (cherry picked from commit e733852814b9518343d1e9deb13b1e23b24b6834) Signed-off-by: github-actions[bot] --- _security/authentication-backends/kerberos.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/_security/authentication-backends/kerberos.md b/_security/authentication-backends/kerberos.md index 40b041abcb6..02c8b08b7b8 100644 --- a/_security/authentication-backends/kerberos.md +++ b/_security/authentication-backends/kerberos.md @@ -16,7 +16,7 @@ In order to use Kerberos authentication, you must set the following settings in In `opensearch.yml`, define the following settings: ```yml -plugins.security.kerberos.krb5_filepath: '/etc/krb5.conf' +plugins.security.kerberos.krb5_filepath: 'krb5.conf' plugins.security.kerberos.acceptor_keytab_filepath: 'opensearch_keytab.tab' plugins.security.kerberos.acceptor_principal: 'HTTP/localhost' ``` @@ -27,7 +27,7 @@ Name | Description `acceptor_keytab_filepath` | The path to the `keytab` file, which contains the principal that the Security plugin uses to issue requests through Kerberos. `acceptor_principal` | The principal that the Security plugin uses to issue requests through Kerberos. This value must be present in the `keytab` file. -Due to security restrictions, the `keytab` file must be placed in `config` or a subdirectory, and the path in `opensearch.yml` must be relative, not absolute. +Because of security restrictions, the `keytab` and `krb5.conf` files must be placed in the `config` directory or its subdirectory, and their paths in `opensearch.yml` must be relative, not absolute. {: .note } ## Cluster security configuration