Atlassian meets Kerberos

First 2014 meeting of the Atlassian User Group Hamburg (AUGHH), 21.01.2014, ergon Datenprojekte GmbH

Upload: nils-hofmeister

Posted on 08-May-2015

DESCRIPTION

Talk regarding kerberization of Jira and Confluence at the first meeting in 2014 of the Atlassian user group Hamburg.

TRANSCRIPT

Page 1: Atlassian meets Kerberos

First 2014 meeting of the Atlassian User Group Hamburg (AUGHH), 21.01.2014, ergon Datenprojekte GmbH

Page 2: Atlassian meets Kerberos

[world map graphic]

Atlassian meets Kerberos - How we implemented SSO 3 times ;)

Nils Hofmeister, Bigpoint GmbH
Drehbahn 47-48, 20354 Hamburg, Germany

Page 3: Atlassian meets Kerberos

• Intro - Environment
• Jira and LAMP
• Confluence and "native" kerberization
• Proxy solution
• Next steps

Intro

Page 4: Atlassian meets Kerberos

Intro - Environment

• Active Directory Kerberos
• Windows + Mac + Linux clients
• Linux servers (almost all Debian)
• MySQL
• Jira + Confluence installed via shell scripts from tarball

Page 5: Atlassian meets Kerberos

Intro - Environment

Jira
• 889 users, 406 groups, 335,726 tickets
• 109 active projects, 91 retired
• Jira Agile (aka Greenhopper) active for 27 projects
• Started 07.09.2010

Confluence
• 662 users, 168 groups, 203 spaces, 32,678 pages*
• Team Calendars, Balsamiq, Gliffy, Linking, Redirection, Content Formatting, ...
• Started 13.04.2011

* Page count taken directly from the Confluence database:
SELECT COUNT(*) FROM CONTENT WHERE CONTENTTYPE = "page" AND CONTENT_STATUS = "current" AND PREVVER IS NULL

Page 6: Atlassian meets Kerberos

Intro - Environment

[Kerberos authentication flow diagram: http://technet.microsoft.com/en-us/library/Bb742516.kerb01_big(l=en-us).gif]

Page 7: Atlassian meets Kerberos

[world map graphic]

What we tried

Page 8: Atlassian meets Kerberos

Jira and LAMP - Does the job okay...

• Apache does Kerberos auth
• Apache calls "Loginproxy"
• Loginproxy identifies pwd
• Loginproxy redirects

• AD sync via PHP cron
• Groups + users + membership

Page 9: Atlassian meets Kerberos

Jira and LAMP - Does the job okay...

Pro:
• Utilizes our Apache Kerberos voodoo
• Works quite stable...

Con:
• Pretty complicated piece of custom SW
• Awkward cron job
• Utilizes some deprecated legacy stuff
• ...sometimes not reliable, hard to debug
• External Jira clients hard or impossible to use

Page 10: Atlassian meets Kerberos

Confluence and native kerberization - Least complicated in theory

• No proxy
• Directly call Tomcat
• Kerberos via SPNEGO
• Custom HTTP authenticator
• Some manual keytab handling

• AD sync via Python cron
• Groups + users + membership

Page 11: Atlassian meets Kerberos

Pro:• Simple design• Feels like „we tamed the monster“

Con:• We could only reproduce it once• All other instances refused to work• Customized SPNEGO lib• Auth errors nearly impossible to

debug

Confluence and native kerberizationLeast compl icated in theory

http://ih3.redbubble.net/image.3818192.2622/flat,550x550,075,f.jpg

Page 12: Atlassian meets Kerberos

Proxy Solution - Most efficient way for us in practice

• Apache does Kerberos auth
• Apache reverse proxy
• Rewrite rules + write header
• Custom HTTP authenticator

• AD sync via standard AD directory

Page 13: Atlassian meets Kerberos

Proxy Solution - Most efficient way for us in practice

Pro:
• Reuse of given Apache expertise
• Reuse of HTTP authenticator
• Little application customizing
• Easy handling of SSL
• No custom AD synchronization
• Least customized stack

Con:
• AD/LDAP config is a pain
• Hard to find the right vhost configuration

Page 14: Atlassian meets Kerberos

[world map graphic]

How the proxy stuff works

Page 15: Atlassian meets Kerberos

Proxy Solution - Most efficient way for us in practice

...
RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader set REMOTE_USER "%{RU}e" env=RU
...
<Location />
    AuthType Kerberos
    AuthName confluence_%_user
    Krb5Keytab /var/lib/cfg-apache/keytab.http_xyz.nue.bigpoint.net
    KrbServiceName HTTP/xyz.nue.bigpoint.net
    KrbAuthRealm BIGPOINT.LOCAL
    KrbMethodNegotiate on
    KrbSaveCredentials on
    KrbVerifyKDC off
    AuthDBMGroupFile /var/lib/cfg-apache/dbmadgroups
    Require group confluence_%_user
    Order deny,allow
    Deny from all
    Allow from xx.xx.xx.xx 127.0.0.1
    ProxyPass ajp://localhost/
    Satisfy any
</Location>

...
<VirtualHost 0.0.0.0:80>
    RewriteEngine On
    RewriteRule /.* https://confluence-test2.bigpoint.net$0 [R]
    Include "/etc/apache2/vhost-override.d/"
</VirtualHost>
<VirtualHost 0.0.0.0:8080>
    RewriteEngine On
    RewriteRule /.* https://confluence-test2.bigpoint.net$0 [R]
    Include "/etc/apache2/vhost-override.d/"
</VirtualHost>
...
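The excerpt above is the slide author's working configuration, and a few of its settings deserve a second look before anyone copies it. `RequestHeader set REMOTE_USER "%{RU}e" env=RU` only overwrites the header when Apache has authenticated someone; a request that reaches the backend without RU set carries whatever `REMOTE_USER` header the client chose to send. `Satisfy any` together with `Allow from xx.xx.xx.xx 127.0.0.1` creates exactly such requests: clients from the listed addresses skip Kerberos, and since the backend authenticator (page 22) logs in whoever the header names, with the directives as shown an allowed address can pick its Confluence identity. `KrbVerifyKDC off` switches off mod_auth_kerb's check of the KDC against the keytab on the password (Basic auth) fallback path, and `KrbSaveCredentials on` writes delegated tickets to a credential cache that a header-passing proxy never uses. The block below is an added hardened variant, not the talk's configuration: hostnames, realm, keytab path and the group name `confluence-users` are placeholders, and it keeps the slide's Apache 2.2-style directives and modules (mod_auth_kerb, mod_headers, mod_rewrite, mod_authz_dbm, mod_proxy_ajp).

```apache
# Added hardened variant of the slide's <Location /> excerpt. Not the talk's
# own configuration: hostnames, realm, keytab path and the group name
# "confluence-users" are placeholders; directives are Apache 2.2 style
# (mod_auth_kerb, mod_headers, mod_rewrite, mod_authz_dbm, mod_proxy_ajp)
# to match the slide.

RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]

# Never trust a REMOTE_USER header the client sent: drop it unconditionally,
# then set it only from the value Apache established itself. Both directives
# run in the fixup phase in this order, after authentication has completed.
RequestHeader unset REMOTE_USER
RequestHeader set REMOTE_USER "%{RU}e" env=RU

<Location />
    AuthType Kerberos
    AuthName "Confluence"
    # The keytab must be readable by the httpd user only (mode 0400).
    Krb5Keytab /etc/apache2/keytab.http_confluence
    KrbServiceName HTTP/confluence.example.net
    KrbAuthRealm EXAMPLE.LOCAL
    KrbMethodNegotiate on
    # No Basic-auth password fallback: only SPNEGO tokens are accepted, so
    # no AD password ever crosses this proxy.
    KrbMethodK5Passwd off
    # If the password path is ever re-enabled, the KDC that answered must be
    # verified against the keytab; "off" leaves that path open to a spoofed KDC.
    KrbVerifyKDC on
    # The backend only needs a user name, so keep no delegated ticket cache
    # on disk.
    KrbSaveCredentials off
    # REMOTE_USER stays the full principal (user@REALM). Only strip the realm
    # with KrbLocalUserMapping on if exactly one realm can reach this proxy.
    KrbLocalUserMapping off

    AuthDBMGroupFile /var/lib/cfg-apache/dbmadgroups
    Require group confluence-users

    # Authentication is mandatory for every client. The slide's
    # "Allow from ... / Satisfy any" let listed addresses skip Kerberos and
    # reach Confluence with no user, or, combined with the header
    # passthrough, with a user name of their choosing.
    Satisfy all

    ProxyPass ajp://127.0.0.1:8009/
</Location>
```

Two things outside this block matter just as much. The Tomcat AJP connector on page 21 carries no `address` attribute (the `address="127.0.0.1"` there sits on `<Server>`, which only restricts the shutdown port), so port 8009 listens on every interface and anyone who can reach it can speak AJP to Confluence with a `REMOTE_USER` header of their choosing; bind the connector with `address="127.0.0.1"`, firewall it, and on Tomcat and httpd releases that support an AJP secret configure one. Second, mod_proxy_ajp already forwards Apache's authenticated user as the AJP `remote_user` attribute: with `tomcatAuthentication="false"` on the connector the backend can read it through `request.getRemoteUser()` instead of an HTTP header, a known alternative to the page 22 authenticator rather than something the talk used.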


Page 21: Atlassian meets Kerberos

Proxy Solution - Most efficient way for us in practice

<Server port="8001" shutdown="SHUTDOWN" debug="0" address="127.0.0.1">
  <Service name="Tomcat-Standalone">
    <Connector port="8009" protocol="AJP/1.3" URIEncoding="UTF-8" packetSize="20000" />
    <Engine name="Standalone" defaultHost="localhost" debug="0">
      <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false">
        <Context path="" docBase="../confluence" debug="0" reloadable="false" useHttpOnly="true">
          <Manager pathname="" />
        </Context>
      </Host>
    </Engine>
  </Service>
</Server>

Page 22: Atlassian meets Kerberos

Proxy Solution - Most efficient way for us in practice

public class RemoteUserAuthenticator extends ConfluenceAuthenticator {
    ...
    public Principal getUser(HttpServletRequest request, HttpServletResponse response) {
        ...
        // User name as set by the Apache reverse proxy after Kerberos authentication
        String remoteUser = request.getHeader("remote_user");
        ...
        Principal user = getUser(remoteUser);
        ...
        // Modify session signaling that we are authenticated now.
        request.getSession().setAttribute(DefaultAuthenticator.LOGGED_IN_KEY, user);
        request.getSession().setAttribute(DefaultAuthenticator.LOGGED_OUT_KEY, null);

        log.debug("Logged in via SSO with User " + remoteUser);

        return user;
    }
}

https://github.com/Bigpoint/remoteuser-confluence-authenticator

Page 23: Atlassian meets Kerberos

Proxy Solution - Most efficient way for us in practice

"ldap.group.filter": "(&(objectCategory=Group)(|(cn=confluence*)(cn=balsamiq*)(cn=AllEmployees)))"
...
"ldap.user.filter": "(&(objectCategory=Person)(sAMAccountName=*))"

Page 24: Atlassian meets Kerberos

[world map graphic]

Next steps

Page 25: Atlassian meets Kerberos

Next Steps - We are not there yet...

• Test instances - done
• Confluence production - done
• Jira production + reverse proxy - todo
• Jira production + AD - todo
• Integrate production instances - todo
• Better understanding of AD integration - todo

In general:
• Better automation would be great (e.g. Chef)