Configure Kerberosedit
You can specify Kerberos options with any output or input that supports Kerberos, like Elasticsearch and Kafka.
The following encryption types are supported:
- aes128-cts-hmac-sha1-96
- aes128-cts-hmac-sha256-128
- aes256-cts-hmac-sha1-96
- aes256-cts-hmac-sha384-192
- des3-cbc-sha1-kd
- rc4-hmac
Example output config with Kerberos password based authentication:
output.elasticsearch.hosts: ["http://my-elasticsearch.elastic.co:9200"] output.elasticsearch.kerberos.auth_type: password output.elasticsearch.kerberos.username: "elastic" output.elasticsearch.kerberos.password: "changeme" output.elasticsearch.kerberos.config_path: "/etc/krb5.conf" output.elasticsearch.kerberos.realm: "ELASTIC.CO"
The service principal name for the Elasticsearch instance is contructed from these options. Based on this configuration
it is going to be HTTP/[email protected]
.
Configuration optionsedit
You can specify the following options in the kerberos
section of the apm-server.yml
config file:
enabled
edit
The enabled
setting can be used to enable the kerberos configuration by setting
it to false
. The default value is true
.
Kerberos settings are disabled if either enabled
is set to false
or the
kerberos
section is missing.
auth_type
edit
There are two options to authenticate with Kerberos KDC: password
and keytab
.
password
expects the principal name and its password. When choosing keytab
, you
have to specify a princial name and a path to a keytab. The keytab must contain
the keys of the selected principal. Otherwise, authentication will fail.
config_path
edit
You need to set the path to the krb5.conf
, so +apm-server can find the Kerberos KDC to
retrieve a ticket.
username
edit
Name of the principal used to connect to the output.
password
edit
If you configured password
for auth_type
, you have to provide a password
for the selected principal.
keytab
edit
If you configured keytab
for auth_type
, you have to provide the path to the
keytab of the selected principal.
service_name
edit
This option can only be configured for Kafka. It is the name of the Kafka service, usually kafka
.
realm
edit
Name of the realm where the output resides.