Skip to content

[beatsauthextension] Add support for kerberos #828

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
khushijain21 wants to merge 6 commits into from
Closed

[beatsauthextension] Add support for kerberos #828

khushijain21 wants to merge 6 commits into from

Conversation

@khushijain21
Copy link
Contributor

@khushijain21 khushijain21 commented Oct 9, 2025
edited
Loading

This PR adds support for Kerberos authentication

Testing Steps:

  1. Start elasticsearch with kerberos enabled.
  2. Start collector with following config
receivers:
  filelog:
    include_file_name: true
    include:
      - "./otlp-all.json"

extensions:
  beatsauth:
   kerberos: 
     auth_type: "password"
     config_path: "/Users/khushijain/Documents/beats/libbeat/outputs/elasticsearch/testdata/krb5.conf"
     username: "beats"
     password: "testing"
     realm: "elastic"
    
exporters:
  debug:
    verbosity: detailed
  elasticsearch:
   endpoints:
    -  "http://elasticsearch_kerberos.elastic:9203"
   auth:
    authenticator: beatsauth
   mapping:
     mode: raw
   telemetry:
     log_response_body: true    

service:
  telemetry:
    logs:
      level: debug
  extensions: [beatsauth]
  pipelines:
    logs:
      receivers: [filelog]
      processors: []
      exporters: [debug, elasticsearch]
  1. Observer no error logs
  2. Observer number of documents indexed to logs-generic-default.
curl -X GET -u admin:testing "http://localhost:9203/logs-generic*/_count?pretty"
{
  "count" : 16,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  }
}

@khushijain21 khushijain21 reopened this Oct 27, 2025
@khushijain21 khushijain21 changed the title Add support for kerberos [beatsauthextension] Add support for kerberos Oct 27, 2025
@khushijain21 khushijain21 marked this pull request as ready for review October 27, 2025 06:40
@khushijain21 khushijain21 requested a review from a team as a code owner October 27, 2025 06:40
khushijain21
khushijain21 commented Oct 27, 2025
View reviewed changes
extension/beatsauthextension/go.mod
go 1.24.9

require (
github.com/elastic/beats/v7 v7.17.29
Copy link
Contributor Author

@khushijain21 khushijain21 Oct 27, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We only import beats for Kerberos config creating/validation.

There is a PR up to move kerberos package to elastic-agent-libs so that we can do not have to import beats elastic/elastic-agent-libs#360. The CI failure is also related to the same

@khushijain21 khushijain21 mentioned this pull request Oct 27, 2025
Closed
3 tasks
@khushijain21 khushijain21 requested a review from axw October 27, 2025 06:49
@khushijain21 khushijain21 mentioned this pull request Oct 27, 2025
Open
4 tasks
@khushijain21
Copy link
Contributor Author

khushijain21 commented Oct 29, 2025
edited
Loading

beatsauthextension will be moved to beats. Before that a test collector distro will require to be setup in beats for easy testing. Changes from this PR will be added directly on the beats repo.

axw
axw reviewed Oct 30, 2025
View reviewed changes
Copy link
Member

@axw axw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@khushijain21 code looks fine, just one small suggestion. Can you add some tests please?

extension/beatsauthextension/authenticator.go

return client, nil
if beatAuthConfig.Kerberos.IsEnabled() {
return NewKerberosClientProvider(beatAuthConfig.Kerberos, client)
Copy link
Member

@axw axw Oct 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
return NewKerberosClientProvider(beatAuthConfig.Kerberos, client)
p, err := NewKerberosClientProvider(beatAuthConfig.Kerberos, client)
if err != nil {
return nil, fmt.Errorf("error creating Kerberos client provider: %w", err)
}
return p, nil

Let's wrap the error, otherwise it will be difficult to understand the "invalid authentication type" error message.

@khushijain21 khushijain21 marked this pull request as draft November 5, 2025 05:37
@khushijain21
Copy link
Contributor Author

khushijain21 commented Nov 8, 2025

Beatsauth extension has been moved into beats codebase. The related PR to support kerberos hence is also moved there
See elastic/beats#47534

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@axw axw axw left review comments

@mauri870 mauri870 Awaiting requested review from mauri870 mauri870 was automatically assigned from elastic/elastic-agent-data-plane

@andrzej-stencel andrzej-stencel Awaiting requested review from andrzej-stencel andrzej-stencel was automatically assigned from elastic/elastic-agent-data-plane

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@khushijain21 @axw