diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 2b75b0e90055..68119f66cac3 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -585,6 +585,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Deprecate aws_partition config parameter for AWS, use endpoint instead. {pull}23539[23539] - Update the baseline version of Sarama (Kafka support library) to 1.27.2. {pull}23595[23595] - Add kubernetes.volume.fs.used.pct field. {pull}23564[23564] +- Add the `enable_krb5_fast` flag to the Kafka output to explicitly opt-in to FAST authentication. {pull}23629[23629] *Auditbeat* diff --git a/auditbeat/auditbeat.reference.yml b/auditbeat/auditbeat.reference.yml index ef82491a4dd3..9e368522ce6f 100644 --- a/auditbeat/auditbeat.reference.yml +++ b/auditbeat/auditbeat.reference.yml @@ -844,6 +844,10 @@ output.elasticsearch: # purposes. The default is "beats". #client_id: beats + # Enables Kerberos FAST authentication in the Kafka output. This may + # conflict with certain Active Directory configurations. + #enable_krb5_fast: false + # Use SSL settings for HTTPS. #ssl.enabled: true diff --git a/filebeat/filebeat.reference.yml b/filebeat/filebeat.reference.yml index 91b1dfa31901..8293bb3aa46c 100644 --- a/filebeat/filebeat.reference.yml +++ b/filebeat/filebeat.reference.yml @@ -1724,6 +1724,10 @@ output.elasticsearch: # purposes. The default is "beats". #client_id: beats + # Enables Kerberos FAST authentication in the Kafka output. This may + # conflict with certain Active Directory configurations. + #enable_krb5_fast: false + # Use SSL settings for HTTPS. #ssl.enabled: true diff --git a/heartbeat/heartbeat.reference.yml b/heartbeat/heartbeat.reference.yml index 37e3e2ed1226..ad2e856020bc 100644 --- a/heartbeat/heartbeat.reference.yml +++ b/heartbeat/heartbeat.reference.yml @@ -1022,6 +1022,10 @@ output.elasticsearch: # purposes. The default is "beats". #client_id: beats + # Enables Kerberos FAST authentication in the Kafka output. This may + # conflict with certain Active Directory configurations. + #enable_krb5_fast: false + # Use SSL settings for HTTPS. #ssl.enabled: true diff --git a/journalbeat/journalbeat.reference.yml b/journalbeat/journalbeat.reference.yml index 7e875edcf8e4..a9a4acc2a014 100644 --- a/journalbeat/journalbeat.reference.yml +++ b/journalbeat/journalbeat.reference.yml @@ -787,6 +787,10 @@ output.elasticsearch: # purposes. The default is "beats". #client_id: beats + # Enables Kerberos FAST authentication in the Kafka output. This may + # conflict with certain Active Directory configurations. + #enable_krb5_fast: false + # Use SSL settings for HTTPS. #ssl.enabled: true diff --git a/libbeat/_meta/config/output-kafka.reference.yml.tmpl b/libbeat/_meta/config/output-kafka.reference.yml.tmpl index c1240f758673..366652fd23e4 100644 --- a/libbeat/_meta/config/output-kafka.reference.yml.tmpl +++ b/libbeat/_meta/config/output-kafka.reference.yml.tmpl @@ -131,6 +131,10 @@ # purposes. The default is "beats". #client_id: beats + # Enables Kerberos FAST authentication in the Kafka output. This may + # conflict with certain Active Directory configurations. + #enable_krb5_fast: false + {{include "ssl.reference.yml.tmpl" . | indent 2 }} # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true diff --git a/libbeat/outputs/kafka/config.go b/libbeat/outputs/kafka/config.go index b3c8e984fe9b..c81e5ae840dc 100644 --- a/libbeat/outputs/kafka/config.go +++ b/libbeat/outputs/kafka/config.go @@ -69,6 +69,7 @@ type kafkaConfig struct { Password string `config:"password"` Codec codec.Config `config:"codec"` Sasl saslConfig `config:"sasl"` + EnableFAST bool `config:"enable_krb5_fast"` } type saslConfig struct { @@ -244,6 +245,7 @@ func newSaramaConfig(log *logp.Logger, config *kafkaConfig) (*sarama.Config, err Username: config.Kerberos.Username, Password: config.Kerberos.Password, Realm: config.Kerberos.Realm, + DisablePAFXFAST: !config.EnableFAST, } case config.Username != "": diff --git a/libbeat/outputs/kafka/docs/kafka.asciidoc b/libbeat/outputs/kafka/docs/kafka.asciidoc index f61d4c5d9855..026d04313456 100644 --- a/libbeat/outputs/kafka/docs/kafka.asciidoc +++ b/libbeat/outputs/kafka/docs/kafka.asciidoc @@ -309,6 +309,12 @@ The ACK reliability level required from broker. 0=no response, 1=wait for local Note: If set to 0, no ACKs are returned by Kafka. Messages might be lost silently on error. +===== `enable_krb5_fast` + +beta[] + +Enable Kerberos FAST authentication. This may conflict with some Active Directory installations. It is separate from the standard Kerberos settings because this flag only applies to the Kafka output. The default is `false`. + ===== `ssl` Configuration options for SSL parameters like the root CA for Kafka connections. diff --git a/metricbeat/metricbeat.reference.yml b/metricbeat/metricbeat.reference.yml index f7530d7e386b..dacaf231c1a0 100644 --- a/metricbeat/metricbeat.reference.yml +++ b/metricbeat/metricbeat.reference.yml @@ -1621,6 +1621,10 @@ output.elasticsearch: # purposes. The default is "beats". #client_id: beats + # Enables Kerberos FAST authentication in the Kafka output. This may + # conflict with certain Active Directory configurations. + #enable_krb5_fast: false + # Use SSL settings for HTTPS. #ssl.enabled: true diff --git a/packetbeat/packetbeat.reference.yml b/packetbeat/packetbeat.reference.yml index 57142c142630..7d67c18274fe 100644 --- a/packetbeat/packetbeat.reference.yml +++ b/packetbeat/packetbeat.reference.yml @@ -1339,6 +1339,10 @@ output.elasticsearch: # purposes. The default is "beats". #client_id: beats + # Enables Kerberos FAST authentication in the Kafka output. This may + # conflict with certain Active Directory configurations. + #enable_krb5_fast: false + # Use SSL settings for HTTPS. #ssl.enabled: true diff --git a/winlogbeat/winlogbeat.reference.yml b/winlogbeat/winlogbeat.reference.yml index 316df4ae3dd8..6a08fd5c4b26 100644 --- a/winlogbeat/winlogbeat.reference.yml +++ b/winlogbeat/winlogbeat.reference.yml @@ -767,6 +767,10 @@ output.elasticsearch: # purposes. The default is "beats". #client_id: beats + # Enables Kerberos FAST authentication in the Kafka output. This may + # conflict with certain Active Directory configurations. + #enable_krb5_fast: false + # Use SSL settings for HTTPS. #ssl.enabled: true diff --git a/x-pack/auditbeat/auditbeat.reference.yml b/x-pack/auditbeat/auditbeat.reference.yml index ec3ef722b0cc..9c0f9d8039e2 100644 --- a/x-pack/auditbeat/auditbeat.reference.yml +++ b/x-pack/auditbeat/auditbeat.reference.yml @@ -900,6 +900,10 @@ output.elasticsearch: # purposes. The default is "beats". #client_id: beats + # Enables Kerberos FAST authentication in the Kafka output. This may + # conflict with certain Active Directory configurations. + #enable_krb5_fast: false + # Use SSL settings for HTTPS. #ssl.enabled: true diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index 0fd068e19637..ee2bc11966de 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -3522,6 +3522,10 @@ output.elasticsearch: # purposes. The default is "beats". #client_id: beats + # Enables Kerberos FAST authentication in the Kafka output. This may + # conflict with certain Active Directory configurations. + #enable_krb5_fast: false + # Use SSL settings for HTTPS. #ssl.enabled: true diff --git a/x-pack/heartbeat/heartbeat.reference.yml b/x-pack/heartbeat/heartbeat.reference.yml index 37e3e2ed1226..ad2e856020bc 100644 --- a/x-pack/heartbeat/heartbeat.reference.yml +++ b/x-pack/heartbeat/heartbeat.reference.yml @@ -1022,6 +1022,10 @@ output.elasticsearch: # purposes. The default is "beats". #client_id: beats + # Enables Kerberos FAST authentication in the Kafka output. This may + # conflict with certain Active Directory configurations. + #enable_krb5_fast: false + # Use SSL settings for HTTPS. #ssl.enabled: true diff --git a/x-pack/metricbeat/metricbeat.reference.yml b/x-pack/metricbeat/metricbeat.reference.yml index 66c0e02eaa2c..5eef86894b2d 100644 --- a/x-pack/metricbeat/metricbeat.reference.yml +++ b/x-pack/metricbeat/metricbeat.reference.yml @@ -2122,6 +2122,10 @@ output.elasticsearch: # purposes. The default is "beats". #client_id: beats + # Enables Kerberos FAST authentication in the Kafka output. This may + # conflict with certain Active Directory configurations. + #enable_krb5_fast: false + # Use SSL settings for HTTPS. #ssl.enabled: true diff --git a/x-pack/packetbeat/packetbeat.reference.yml b/x-pack/packetbeat/packetbeat.reference.yml index 57142c142630..7d67c18274fe 100644 --- a/x-pack/packetbeat/packetbeat.reference.yml +++ b/x-pack/packetbeat/packetbeat.reference.yml @@ -1339,6 +1339,10 @@ output.elasticsearch: # purposes. The default is "beats". #client_id: beats + # Enables Kerberos FAST authentication in the Kafka output. This may + # conflict with certain Active Directory configurations. + #enable_krb5_fast: false + # Use SSL settings for HTTPS. #ssl.enabled: true diff --git a/x-pack/winlogbeat/winlogbeat.reference.yml b/x-pack/winlogbeat/winlogbeat.reference.yml index 03652ce2788b..4d3b7ebaab2f 100644 --- a/x-pack/winlogbeat/winlogbeat.reference.yml +++ b/x-pack/winlogbeat/winlogbeat.reference.yml @@ -810,6 +810,10 @@ output.elasticsearch: # purposes. The default is "beats". #client_id: beats + # Enables Kerberos FAST authentication in the Kafka output. This may + # conflict with certain Active Directory configurations. + #enable_krb5_fast: false + # Use SSL settings for HTTPS. #ssl.enabled: true