First 2014 meeting of the Atlassian Usergroup Hamburg - AUGHH
21.01.2014, ergon Datenprojekte GmbH
Nils Hofmeister
Bigpoint GmbH

Atlassian meets Kerberos
How we implemented SSO 3 times ;)

Drehbahn 47-48, 20354 HAMBURG, GERMANY

PRESENTATION
Intro - Environment
Jira and LAMP
Confluence and „native“ kerberization
Proxy solution
Next steps

Intro - Environment
• Active Directory
• Kerberos
• Windows + Mac + Linux clients
• Linux servers (almost all Debian)
• MySQL
• Jira + Confluence installed via shell scripts from tarball
Intro - Environment
Jira
• 889 users, 406 groups, 335.726 tickets
• 109 active projects, 91 retired
• Jira Agile (aka Greenhopper) active for 27 projects
• Started 07.09.2010
Confluence
• 662 users, 168 groups, 203 spaces, 32.678 pages*
• Team Calendars, Balsamiq, Gliffy, Linking, Redirection, Content Formatting, ...
• Started 13.04.2011

* pages counted with:
SELECT COUNT(*)
FROM CONTENT
WHERE CONTENTTYPE = "page"
AND CONTENT_STATUS = "current"
AND PREVVER IS NULL
Intro - Environment
[Figure: Kerberos authentication flow; image from http://technet.microsoft.com/en-us/library/Bb742516.kerb01_big(l=en-us).gif]
What we tried
Jira and LAMP
Does the job okay...
• Apache does Kerberos auth
• Apache calls „Loginproxy“
• Loginproxy identifies pwd
• Loginproxy redirects
• AD sync via php cron
• Groups + users + membership
Jira and LAMP
Does the job okay...
Pro:
• Utilizes our Apache Kerberos voodoo
• Works quite stably...
Con:
• Pretty complicated piece of custom SW
• Awkward cron job
• Utilizes some deprecated legacy stuff
• ...sometimes not reliable, hard to debug
• External Jira clients hard or impossible to use
Confluence and native kerberization
Least complicated in theory
• No proxy
• Directly call Tomcat
• Kerberos via SPNEGO
• Custom http authenticator
• Some manual keytab handling
• AD sync via Python cron
• Groups + users + membership
Confluence and native kerberization
Least complicated in theory
Pro:
• Simple design
• Feels like „we tamed the monster“
Con:
• We could only reproduce it once
• All other instances refused to work
• Customized SPNEGO lib
• Auth errors nearly impossible to debug
Proxy Solution
Most efficient way for us in practice
• Apache does Kerberos auth
• Apache reverse proxy
• Rewrite rules + write header
• Custom http authenticator
• AD sync via standard AD directory
Proxy Solution
Most efficient way for us in practice
Pro:
• Reuse of given Apache expertise
• Reuse of http authenticator
• Little application customizing
• Easy handling of SSL
• No custom AD synchronization
• Least customized stack
Con:
• AD/LDAP config is a pain
• Hard to find the right vhost configuration
How the proxy stuff works
Proxy Solution
Most efficient way for us in practice

...
RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader set REMOTE_USER "%{RU}e" env=RU
...

<Location />
    AuthType Kerberos
    AuthName confluence_%_user
    Krb5Keytab /var/lib/cfg-apache/keytab.http_xyz.nue.bigpoint.net
    KrbServiceName HTTP/xyz.nue.bigpoint.net
    ...
    KrbAuthRealm BIGPOINT.LOCAL
    KrbMethodNegotiate on
    KrbSaveCredentials on
    KrbVerifyKDC off
    AuthDBMGroupFile /var/lib/cfg-apache/dbmadgroups
    Require group confluence_%_user
    Order deny,allow
    Deny from all
    Allow from xx.xx.xx.xx 127.0.0.1
    ProxyPass ajp://localhost/
    Satisfy any
</Location>
...

<VirtualHost 0.0.0.0:80>
    RewriteEngine On
    RewriteRule /.* https://confluence-test2.bigpoint.net$0 [R]
    Include "/etc/apache2/vhost-override.d/"
</VirtualHost>

<VirtualHost 0.0.0.0:8080>
    RewriteEngine On
    RewriteRule /.* https://confluence-test2.bigpoint.net$0 [R]
    Include "/etc/apache2/vhost-override.d/"
</VirtualHost>
Proxy Solution
Most efficient way for us in practice

<Server port="8001" shutdown="SHUTDOWN" debug="0" address="127.0.0.1">
  <Service name="Tomcat-Standalone">
    <Connector port="8009" protocol="AJP/1.3" URIEncoding="UTF-8" packetSize="20000" />
    <Engine name="Standalone" defaultHost="localhost" debug="0">
      <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false">
        <Context path="" docBase="../confluence" debug="0" reloadable="false" useHttpOnly="true">
          <Manager pathname="" />
        </Context>
      </Host>
    </Engine>
  </Service>
</Server>
Proxy Solution
Most efficient way for us in practice

import java.security.Principal;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;
import com.atlassian.confluence.user.ConfluenceAuthenticator;
import com.atlassian.seraph.auth.DefaultAuthenticator;

public class RemoteUserAuthenticator extends ConfluenceAuthenticator {
    private static final Logger log = Logger.getLogger(RemoteUserAuthenticator.class);
    // ...
    @Override
    public Principal getUser(HttpServletRequest request, HttpServletResponse response) {
        // ...
        // Header written by the Apache reverse proxy after Kerberos auth
        // (RequestHeader set REMOTE_USER ...); header names are case-insensitive.
        String remoteUser = request.getHeader("remote_user");
        if (remoteUser == null || remoteUser.isEmpty()) {
            // Guard added here (the slide elides the original's checks): without a
            // proxy-supplied user fall back to Seraph's normal login handling.
            return super.getUser(request, response);
        }
        // ...
        Principal user = getUser(remoteUser);
        // ...
        // Modify session signaling that we are authenticated now.
        request.getSession().setAttribute(DefaultAuthenticator.LOGGED_IN_KEY, user);
        request.getSession().setAttribute(DefaultAuthenticator.LOGGED_OUT_KEY, null);
        log.debug("Logged in via SSO with User " + remoteUser);
        return user;
    }
}

https://github.com/Bigpoint/remoteuser-confluence-authenticator
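The authenticator above trusts whatever arrives in the remote_user header, so the security of the whole setup rests on Apache always overwriting that header before the request reaches Tomcat. The following is an added example, not code from the slides, from the Bigpoint repository or from Apache httpd: it models, in plain Python, the effect of the RewriteCond/RewriteRule/RequestHeader lines and the Satisfy any + Allow from clause shown in the proxy configuration, together with one assumed hardening directive (RequestHeader unset REMOTE_USER) that is not on the slides. The client request, the user name alice and the function names are constructed for the example.

```python
"""Model of how the REMOTE_USER header travels from Apache to Confluence in the
proxy set-up on the slides.

Added example, not code from the slides, from Bigpoint or from Apache httpd.
It reproduces the effect of the directives shown on the slides:

    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule . - [E=RU:%1]
    RequestHeader set REMOTE_USER "%{RU}e" env=RU

plus one assumed hardening line that is NOT on the slides:

    RequestHeader unset REMOTE_USER

and shows what the custom authenticator (which reads the remote_user header)
would see in each case. It is a model of directive semantics, not a run of httpd.
"""
from typing import Dict, Optional

Headers = Dict[str, str]


def proxy_headers(client_headers: Headers, kerberos_user: Optional[str],
                  unset_first: bool = False) -> Headers:
    """Return the request headers the AJP backend receives.

    client_headers - headers exactly as the client sent them (constructed input)
    kerberos_user  - principal mod_auth_kerb authenticated, or None when the
                     request was admitted without authentication, which the
                     slides' <Location /> allows via 'Satisfy any' together
                     with 'Allow from xx.xx.xx.xx 127.0.0.1'
    unset_first    - whether the assumed 'RequestHeader unset REMOTE_USER'
                     runs before the 'set' directive
    """
    # Header names are case-insensitive: a client-sent 'remote_user' and the
    # proxy-set 'REMOTE_USER' are the same header to httpd and to Tomcat.
    headers = {name.upper(): value for name, value in client_headers.items()}

    if unset_first:
        headers.pop("REMOTE_USER", None)

    # The LA-U look-ahead only yields a REMOTE_USER when authentication ran,
    # so the RU environment variable exists only for authenticated requests.
    env = {"RU": kerberos_user} if kerberos_user else {}

    # 'RequestHeader set ... env=RU' is skipped when RU is absent; in that case
    # nothing overwrites a header the client supplied itself.
    if "RU" in env:
        headers["REMOTE_USER"] = env["RU"]
    return headers


def backend_user(backend_headers: Headers) -> Optional[str]:
    """What RemoteUserAuthenticator.getUser() would read from the request."""
    return backend_headers.get("REMOTE_USER")


# Constructed request: a client that adds its own remote_user header.
CLIENT_REQUEST: Headers = {
    "Host": "confluence-test2.bigpoint.net",
    "remote_user": "someone-else",
}


def trust_matrix() -> Dict[str, Optional[str]]:
    """Identity the backend ends up trusting for the four combinations of
    (authenticated?, header stripped first?)."""
    return {
        "kerberos, slides' rules": backend_user(proxy_headers(CLIENT_REQUEST, "alice")),
        "allow-listed ip, slides' rules": backend_user(proxy_headers(CLIENT_REQUEST, None)),
        "kerberos, unset first": backend_user(proxy_headers(CLIENT_REQUEST, "alice", True)),
        "allow-listed ip, unset first": backend_user(proxy_headers(CLIENT_REQUEST, None, True)),
    }


if __name__ == "__main__":
    for case, user in trust_matrix().items():
        print(f"{case:32s} -> backend sees user {user!r}")
```

The matrix makes the point visible: for a Kerberos-authenticated request the proxy-set value wins either way, but for a request admitted by the Allow from list no authentication runs, RU is never set, and the client's own header reaches the authenticator unchanged unless it is stripped first. Unsetting the header unconditionally before the conditional set closes that gap without changing the authenticated path.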
Proxy Solution
Most efficient way for us in practice

"ldap.group.filter": "(&(objectCategory=Group)(|(cn=confluence*)(cn=balsamiq*)(cn=AllEmployees)))"
...
"ldap.user.filter": "(&(objectCategory=Person)(sAMAccountName=*))"
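To see what the two filters actually select, here is an added example (not code from the slides, from Bigpoint or from Atlassian's directory implementation) that parses the subset of LDAP filter syntax the filters use and evaluates them against a constructed set of directory entries. The entries, their names and the helper functions are assumptions made for the example; objectCategory is shortened to its class name.

```python
"""Evaluate the two AD/LDAP filters from the slides against a constructed set of
directory entries, to see which groups and users a directory sync with those
filters would pick up.

Added example, not code from the slides, from Bigpoint or from Atlassian's
directory code. It implements the subset of RFC 4515 filter syntax the two
filters use: and (&), or (|), not (!), equality, presence (attr=*) and a
trailing-wildcard substring (cn=confluence*). Matching is case-insensitive for
attribute names and values, which is how the attributes used here (cn,
sAMAccountName, objectCategory) compare in Active Directory.
"""
from typing import Dict, List, Tuple, Union

GROUP_FILTER = "(&(objectCategory=Group)(|(cn=confluence*)(cn=balsamiq*)(cn=AllEmployees)))"
USER_FILTER = "(&(objectCategory=Person)(sAMAccountName=*))"

Entry = Dict[str, List[str]]
Node = Union[Tuple[str, List["Node"]], Tuple[str, str, str]]


def parse(filter_text: str) -> Node:
    """Parse a filter into a tree: ('&'|'|'|'!', [children]) or ('=', attr, value)."""
    pos = 0

    def parse_one() -> Node:
        nonlocal pos
        if filter_text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = filter_text[pos]
        if op in "&|!":
            pos += 1
            children: List[Node] = []
            while filter_text[pos] == "(":
                children.append(parse_one())
            if filter_text[pos] != ")" or (op == "!" and len(children) != 1):
                raise ValueError(f"malformed {op!r} filter at offset {pos}")
            pos += 1
            return (op, children)
        end = filter_text.index(")", pos)          # simple items contain no ')'
        attr, sep, value = filter_text[pos:end].partition("=")
        if not sep or not attr:
            raise ValueError(f"expected attr=value at offset {pos}")
        pos = end + 1
        return ("=", attr, value)

    tree = parse_one()
    if pos != len(filter_text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(node: Node, entry: Entry) -> bool:
    """Evaluate a parsed filter against one entry (attribute -> list of values)."""
    op = node[0]
    if op == "&":
        return all(matches(child, entry) for child in node[1])
    if op == "|":
        return any(matches(child, entry) for child in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    lowered = {name.lower(): [v.lower() for v in values] for name, values in entry.items()}
    values = lowered.get(attr.lower(), [])
    if pattern == "*":                     # presence test
        return bool(values)
    if pattern.endswith("*"):              # trailing-wildcard substring
        prefix = pattern[:-1].lower()
        return any(v.startswith(prefix) for v in values)
    return pattern.lower() in values       # equality


# Constructed sample directory; objectCategory is shortened to its class name,
# which is also how AD resolves it in a filter. Not real Bigpoint data.
DIRECTORY: List[Entry] = [
    {"objectCategory": ["Group"], "cn": ["confluence_test2_user"]},
    {"objectCategory": ["Group"], "cn": ["Balsamiq-Editors"]},
    {"objectCategory": ["Group"], "cn": ["AllEmployees"]},
    {"objectCategory": ["Group"], "cn": ["Domain Admins"]},
    {"objectCategory": ["Person"], "cn": ["Alice Example"], "sAMAccountName": ["alice"]},
    {"objectCategory": ["Person"], "cn": ["Contact Only"]},          # no sAMAccountName
    {"objectCategory": ["Computer"], "cn": ["WS01"], "sAMAccountName": ["WS01$"]},
]


def search(filter_text: str, directory: List[Entry] = DIRECTORY) -> List[str]:
    """Return the cn of every entry the filter selects, in directory order."""
    tree = parse(filter_text)
    return [entry["cn"][0] for entry in directory if matches(tree, entry)]


if __name__ == "__main__":
    print("groups synced:", search(GROUP_FILTER))
    print("users synced: ", search(USER_FILTER))
```

Run against the sample directory, the group filter keeps only the confluence*, balsamiq* and AllEmployees groups and drops everything else (Domain Admins included), while the user filter keeps persons that actually have a sAMAccountName and excludes computer accounts. Restricting the group filter this way is what keeps a directory sync from pulling every AD group into Confluence.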
Next steps
Next Steps
We are not there yet...
• Test instances – done
• Confluence production – done
• Jira production + reverse proxy – todo
• Jira production + AD – todo
• Integrate production instances – todo
• Better understanding of AD integration – todo
• In general
• Better automation would be great (e.g. Chef)
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 

Atlassian meets Kerberos

  • 1. First 2014 meeting of the Atlassian Usergroup Hamburg - AUGHH, 21.01.2014, ergon Datenprojekte GmbH
  • 2. Nils Hofmeister, Bigpoint GmbH, Drehbahn 47-48, 20354 HAMBURG, GERMANY. Atlassian meets Kerberos: How we implemented SSO 3 times ;)
  • 3. Intro: Intro - Environment; Jira and LAMP; Confluence and "native" kerberization; Proxy solution; Next steps
  • 4. Intro - Environment: Active Directory; Kerberos; Windows + Mac + Linux clients; Linux servers (almost all Debian); MySQL; Jira + Confluence installed via shell scripts from tarball
  • 5. Intro - Environment
      Jira: 889 users, 406 groups, 335.726 tickets; 109 active projects, 91 retired; Jira Agile (aka Greenhopper) active for 27 projects; started 07.09.2010
      Confluence: 662 users, 168 groups, 203 spaces, 32.678 pages*; Team Calendars, Balsamiq, Gliffy, Linking, Redirection, Content Formatting, ...; started 13.04.2011
      * SELECT COUNT(*) FROM CONTENT WHERE CONTENTTYPE = "page" AND CONTENT_STATUS = "current" AND PREVVER IS NULL
  • 7. What we tried
  • 8. Jira and LAMP - Does the job okay...: Apache does Kerberos auth; Apache calls "Loginproxy"; Loginproxy identifies pwd; Loginproxy redirects; AD sync via php cron (groups + users + membership)
  • 9. Jira and LAMP - Does the job okay...
      Pro: utilizes our Apache Kerberos voodoo; works quite stable...
      Con: pretty complicated piece of custom SW; awkward cron job; utilizes some deprecated legacy stuff; ...sometimes not reliable, hard to debug; external Jira clients hard or impossible to use
  • 10. Confluence and native kerberization - Least complicated in theory: No proxy; directly call Tomcat; Kerberos via SPNEGO; custom http authenticator; some handish keytab handling; AD sync via Python cron (groups + users + membership)
  • 11. Confluence and native kerberization - Least complicated in theory
      Pro: simple design; feels like "we tamed the monster"
      Con: we could only reproduce it once; all other instances refused to work; customized SPNEGO lib; auth errors nearly impossible to debug
  • 12. Proxy Solution - Most efficient way for us in practice: Apache does Kerberos auth; Apache reverse proxy; rewrite rules + write header; custom http authenticator; AD sync via standard AD directory
  • 13. Proxy Solution - Most efficient way for us in practice
      Pro: reuse of given Apache expertise; reuse of http authenticator; little application customizing; easy handling of SSL; no custom AD synchronization; least customized stack
      Con: AD/LDAP config is a pain; hard to find the right vhost configuration
  • 14. How the proxy stuff works
  • 15.-20. Proxy Solution - Most efficient way for us in practice (Apache configuration; slides 16 to 20 carry the same text)
      ...
      RewriteEngine On
      RewriteCond %{LA-U:REMOTE_USER} (.+)
      RewriteRule . - [E=RU:%1]
      RequestHeader set REMOTE_USER "%{RU}e" env=RU
      ...
      <Location />
          AuthType Kerberos
          AuthName confluence_%_user
          Krb5Keytab /var/lib/cfg-apache/keytab.http_xyz.nue.bigpoint.net
          KrbServiceName HTTP/xyz.nue.bigpoint.net
          KrbAuthRealm BIGPOINT.LOCAL
          KrbMethodNegotiate on
          KrbSaveCredentials on
          KrbVerifyKDC off
          AuthDBMGroupFile /var/lib/cfg-apache/dbmadgroups
          Require group confluence_%_user
          Order deny,allow
          Deny from all
          Allow from xx.xx.xx.xx 127.0.0.1
          ProxyPass ajp://localhost/
          Satisfy any
      </Location>
      ...

      <VirtualHost 0.0.0.0:80>
          RewriteEngine On
          RewriteRule /.* https://confluence-test2.bigpoint.net$0 [R]
          Include "/etc/apache2/vhost-override.d/"
      </VirtualHost>

      <VirtualHost 0.0.0.0:8080>
          RewriteEngine On
          RewriteRule /.* https://confluence-test2.bigpoint.net$0 [R]
          Include "/etc/apache2/vhost-override.d/"
      </VirtualHost>
  • 21. Proxy Solution - Most efficient way for us in practice (Tomcat server.xml)
      <Server port="8001" shutdown="SHUTDOWN" debug="0" address="127.0.0.1">
        <Service name="Tomcat-Standalone">
          <Connector port="8009" protocol="AJP/1.3" URIEncoding="UTF-8" packetSize="20000" />
          <Engine name="Standalone" defaultHost="localhost" debug="0">
            <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false">
              <Context path="" docBase="../confluence" debug="0" reloadable="false" useHttpOnly="true">
                <Manager pathname="" />
              </Context>
            </Host>
          </Engine>
        </Service>
      </Server>
  • 22. Proxy Solution - Most efficient way for us in practice (custom Confluence authenticator)
      public class RemoteUserAuthenticator extends ConfluenceAuthenticator {
          ...
          public Principal getUser(HttpServletRequest request, HttpServletResponse response) {
              ...
              String remoteUser = request.getHeader("remote_user");
              ...
              Principal user = getUser(remoteUser);
              ...
              // Modify session signaling that we are authenticated now.
              request.getSession().setAttribute(DefaultAuthenticator.LOGGED_IN_KEY, user);
              request.getSession().setAttribute(DefaultAuthenticator.LOGGED_OUT_KEY, null);
              log.debug("Logged in via SSO with User " + remoteUser);
              return user;
          }
      }
      https://github.com/Bigpoint/remoteuser-confluence-authenticator
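The authenticator above logs a user in from a request header, so it is only sound when Tomcat is reachable solely through the Apache proxy and the proxy always overwrites that header. As an added example, not part of the Bigpoint authenticator or the slides, the stand-alone class below shows the checks such an authenticator can apply before trusting the header: the trusted proxy address set, the class and method names and the username "jdoe" are assumptions, while the realm BIGPOINT.LOCAL and the sAMAccountName login convention come from the slides.

```java
import java.util.Optional;
import java.util.Set;

/** Decides whether a proxy-supplied REMOTE_USER header may log a user in (added example). */
public final class RemoteUserHeaderPolicy {
    // Assumption: only the Apache reverse proxy may deliver requests to Tomcat.
    private final Set<String> trustedProxyAddresses;
    // Kerberos realm from the slides; principals of other realms are never mapped.
    private final String expectedRealm;

    public RemoteUserHeaderPolicy(Set<String> trustedProxyAddresses, String expectedRealm) {
        this.trustedProxyAddresses = trustedProxyAddresses;
        this.expectedRealm = expectedRealm.toUpperCase();
    }

    /**
     * @param peerAddress address of the peer that delivered the request to Tomcat
     * @param headerValue raw REMOTE_USER header value, null if absent
     * @return the Confluence username (sAMAccountName) to look up, or empty to ignore the header
     */
    public Optional<String> resolveUser(String peerAddress, String headerValue) {
        // 1. Only the reverse proxy is allowed to assert identities.
        if (peerAddress == null || !trustedProxyAddresses.contains(peerAddress)) {
            return Optional.empty();
        }
        if (headerValue == null || headerValue.isBlank()) {
            return Optional.empty();
        }
        String principal = headerValue.trim();
        // 2. mod_auth_kerb hands over user@REALM; strip the realm only if it is our own.
        int at = principal.indexOf('@');
        if (at >= 0) {
            String realm = principal.substring(at + 1).toUpperCase();
            if (!realm.equals(expectedRealm)) {
                return Optional.empty(); // foreign realm: do not map onto a local account
            }
            principal = principal.substring(0, at);
        }
        // 3. Accept only sAMAccountName-like values; anything else is not an AD login.
        if (principal.isEmpty() || !principal.matches("[A-Za-z0-9._-]+")) {
            return Optional.empty();
        }
        return Optional.of(principal.toLowerCase());
    }

    public static void main(String[] args) {
        RemoteUserHeaderPolicy p = new RemoteUserHeaderPolicy(Set.of("127.0.0.1"), "BIGPOINT.LOCAL");
        System.out.println(p.resolveUser("127.0.0.1", "jdoe@BIGPOINT.LOCAL")); // constructed sample
        System.out.println(p.resolveUser("10.0.0.5", "jdoe"));                  // not from the proxy
        System.out.println(p.resolveUser("127.0.0.1", "jdoe@OTHER.EXAMPLE"));   // foreign realm
    }
}
```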
  • 23. Proxy Solution - Most efficient way for us in practice (AD directory filters)
      "ldap.group.filter": "(&(objectCategory=Group)(|(cn=confluence*)(cn=balsamiq*)(cn=AllEmployees)))"
      ...
      "ldap.user.filter": "(&(objectCategory=Person)(sAMAccountName=*))"
  • 25. Next Steps - We are not there yet...
      Test instances – done; Confluence production – done; Jira production + reverse proxy – todo; Jira production + AD – todo; integrate production instances – todo; better understanding of AD integration – todo
      In general: better automation would be great (e.g. Chef)