Talk regarding kerberization of Jira and Confluence at the first meeting in 2014 of the Atlassian user group Hamburg.

Atlassian meets Kerberos

1. First 2014 meeting of the Atlassian Usergroup Hamburg - AUGHH, 21.01.2014, ergon Datenprojekte GmbH
2. Nils Hofmeister, Bigpoint GmbH
   Atlassian meets Kerberos: How we implemented SSO 3 times ;)
   Drehbahn 47-48, 20354 HAMBURG, GERMANY
3. Intro
   • Intro - Environment
   • Jira and LAMP
   • Confluence and "native" kerberization
   • Proxy solution
   • Next steps
4. Intro - Environment
   • Active Directory
   • Kerberos
   • Windows + Mac + Linux clients
   • Linux servers (almost all Debian)
   • MySQL
   • Jira + Confluence installed via shell scripts from tarball
5. Intro - Environment
   Jira
   • 889 users, 406 groups, 335.726 tickets
   • 109 active projects, 91 retired
   • Jira Agile (aka Greenhopper) active for 27 projects
   • Started 07.09.2010
   Confluence
   • 662 users, 168 groups, 203 spaces, 32.678 pages*
   • Team Calendars, Balsamiq, Gliffy, Linking, Redirection, Content Formatting, ...
   • Started 13.04.2011
   * counted with: SELECT COUNT(*) FROM CONTENT WHERE CONTENTTYPE = "page" AND CONTENT_STATUS = "current" AND PREVVER IS NULL
6. Intro - Environment
   Kerberos authentication diagram (image): http://technet.microsoft.com/en-us/library/Bb742516.kerb01_big(l=en-us).gif
7. What we tried
8. Jira and LAMP - Does the job okay...
   • Apache does Kerberos auth
   • Apache calls "Loginproxy"
   • Loginproxy identifies pwd
   • Loginproxy redirects
   • AD sync via php cron
     • Groups + users + membership
9. Jira and LAMP - Does the job okay...
   Pro:
   • Utilizes our Apache Kerberos voodoo
   • Works quite stable...
   Con:
   • Pretty complicated piece of custom SW
   • Awkward cron job
   • Utilizes some deprecated legacy stuff
   • ...sometimes not reliable, hard to debug
   • External Jira clients hard or impossible to use
   (image: http://talljerome.com/images/wrkpstr_wrongtool.jpg)
10. Confluence and native kerberization - Least complicated in theory
   • No proxy
   • Directly call Tomcat
   • Kerberos via SPNEGO
   • Custom http authenticator
   • Some manual keytab handling
   • AD sync via Python cron
     • Groups + users + membership
11. Confluence and native kerberization - Least complicated in theory
   Pro:
   • Simple design
   • Feels like "we tamed the monster"
   Con:
   • We could only reproduce it once
   • All other instances refused to work
   • Customized SPNEGO lib
   • Auth errors nearly impossible to debug
   (image: http://ih3.redbubble.net/image.3818192.2622/flat,550x550,075,f.jpg)
12. Proxy Solution - Most efficient way for us in practice
   • Apache does Kerberos auth
   • Apache reverse proxy
   • Rewrite rules + write header
   • Custom http authenticator
   • AD sync via standard AD directory
13. Proxy Solution - Most efficient way for us in practice
   Pro:
   • Reuse of given Apache expertise
   • Reuse of http authenticator
   • Little application customizing
   • Easy handling of SSL
   • No custom AD synchronization
   • Least customized stack
   Con:
   • AD/LDAP config is a pain
   • Hard to find the right vhost configuration
   (image: http://www.mantiburi.com/files/5113/7329/5814/my-little-pony.png)
14. How the proxy stuff works
15. Proxy Solution - Most efficient way for us in practice
   Apache vhost excerpt (slides 15 to 20 show this same configuration with different parts highlighted; the slide's two columns are joined here):

   ...
   RewriteEngine On
   # LA-U look-ahead runs the auth phase early so mod_rewrite can read
   # REMOTE_USER; the value is stored in the RU environment variable...
   RewriteCond %{LA-U:REMOTE_USER} (.+)
   RewriteRule . - [E=RU:%1]
   # ...and forwarded to Confluence as a request header. The authenticator
   # (slide 22) trusts this header as-is, so the backend must only be
   # reachable through this proxy; clearing any client-supplied REMOTE_USER
   # header before this line is the usual defensive addition.
   RequestHeader set REMOTE_USER "%{RU}e" env=RU
   ...
   <Location />
       AuthType Kerberos
       AuthName confluence_%_user
       Krb5Keytab /var/lib/cfg-apache/keytab.http_xyz.nue.bigpoint.net
       KrbServiceName HTTP/xyz.nue.bigpoint.net
       KrbAuthRealm BIGPOINT.LOCAL
       KrbMethodNegotiate on
       KrbSaveCredentials on
       # mod_auth_kerb documents "off" as a test-only setting
       KrbVerifyKDC off
       # group membership for Require comes from a DBM file built from AD groups
       AuthDBMGroupFile /var/lib/cfg-apache/dbmadgroups
       Require group confluence_%_user
       Order deny,allow
       Deny from all
       Allow from xx.xx.xx.xx 127.0.0.1
       ProxyPass ajp://localhost/
       # "any": either the IP allow list above OR Kerberos + group grants
       # access, so listed hosts reach Confluence without authenticating
       Satisfy any
   </Location>
   ...

   # plain HTTP on :80 and :8080 is redirected to the HTTPS host
   <VirtualHost 0.0.0.0:80>
       RewriteEngine On
       RewriteRule /.* https://confluence-test2.bigpoint.net$0 [R]
       Include "/etc/apache2/vhost-override.d/"
   </VirtualHost>

   <VirtualHost 0.0.0.0:8080>
       RewriteEngine On
       RewriteRule /.* https://confluence-test2.bigpoint.net$0 [R]
       Include "/etc/apache2/vhost-override.d/"
   </VirtualHost>
21. Proxy Solution - Most efficient way for us in practice
   Tomcat server.xml:

   <Server port="8001" shutdown="SHUTDOWN" debug="0" address="127.0.0.1">
     <Service name="Tomcat-Standalone">
       <!-- AJP only, no HTTP connector: Confluence is reached via the Apache proxy -->
       <Connector port="8009" protocol="AJP/1.3" URIEncoding="UTF-8" packetSize="20000" />
       <Engine name="Standalone" defaultHost="localhost" debug="0">
         <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false">
           <Context path="" docBase="../confluence" debug="0" reloadable="false" useHttpOnly="true">
             <Manager pathname="" />
           </Context>
         </Host>
       </Engine>
     </Service>
   </Server>
22. Proxy Solution - Most efficient way for us in practice
   Custom Confluence authenticator (excerpt):

   public class RemoteUserAuthenticator extends ConfluenceAuthenticator {
       // ...
       public Principal getUser(HttpServletRequest request, HttpServletResponse response) {
           // ...
           // the user name is taken from the header set by the Apache proxy
           String remoteUser = request.getHeader("remote_user");
           // ...
           Principal user = getUser(remoteUser);
           // ...
           // Modify session signaling that we are authenticated now.
           request.getSession().setAttribute(DefaultAuthenticator.LOGGED_IN_KEY, user);
           request.getSession().setAttribute(DefaultAuthenticator.LOGGED_OUT_KEY, null);
           log.debug("Logged in via SSO with User " + remoteUser);
           return user;
       }
   }

   https://github.com/Bigpoint/remoteuser-confluence-authenticator
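A review check for the trust chain the two slides above describe, added here as an editorial example (not Bigpoint's code): it scans a vhost for the REMOTE_USER header that the authenticator trusts, the "Satisfy any" plus "Allow from" combination, and KrbVerifyKDC off, and reports findings. The sample config is a constructed reduction of the slide's vhost with a placeholder address in the Allow list; the "unset" recommendation is the editor's, not the talk's.

```python
import re

# Constructed reduction of the talk's vhost (not Bigpoint's file): only the
# directives the checks below look at; the Allow list uses a placeholder address.
SAMPLE_CONFIG = """
RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader set REMOTE_USER "%{RU}e" env=RU
<Location />
  AuthType Kerberos
  KrbMethodNegotiate on
  KrbVerifyKDC off
  Require group confluence_%_user
  Allow from 192.0.2.10 127.0.0.1
  Satisfy any
</Location>
"""


def directives(config):
    """Drop comments and blank lines, fold whitespace; returns the directive lines."""
    out = []
    for line in config.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            out.append(re.sub(r"\s+", " ", line))
    return out


def check_sso_proxy(config):
    """Review a header-based SSO proxy vhost; returns a list of finding strings."""
    lines = directives(config)
    has = lambda prefix: any(l.startswith(prefix) for l in lines)
    findings = []
    # 'RequestHeader set ... env=RU' fires only after a successful Kerberos login,
    # and the backend authenticator trusts REMOTE_USER as-is, so any copy the
    # client sent must be removed unconditionally (editor's recommendation).
    if has("RequestHeader set REMOTE_USER") and not has("RequestHeader unset REMOTE_USER"):
        findings.append("REMOTE_USER set only when RU exists: add 'RequestHeader unset REMOTE_USER'")
    # With 'Satisfy any', passing the Allow list is an alternative to authentication:
    # those addresses reach the backend with no Kerberos identity at all.
    if "Satisfy any" in lines:
        for l in lines:
            if l.startswith("Allow from"):
                findings.append(f"'Satisfy any' with '{l}': these hosts bypass Kerberos auth")
    # mod_auth_kerb documents KrbVerifyKDC off as a test-only setting.
    if "KrbVerifyKDC off" in lines:
        findings.append("KrbVerifyKDC off: KDC not verified against the local keytab")
    return findings
```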
23. Proxy Solution - Most efficient way for us in practice
   AD/LDAP directory settings (excerpt):

   "ldap.group.filter": "(&(objectCategory=Group)(|(cn=confluence*)(cn=balsamiq*)(cn=AllEmployees)))"
   ...
   "ldap.user.filter": "(&(objectCategory=Person)(sAMAccountName=*))"
24. Next steps
25. Next Steps - We are not there yet...
   • Test instances – done
   • Confluence production – done
   • Jira production + reverse proxy – todo
   • Jira production + AD – todo
   • Integrate production instances – todo
   • Better understanding of AD integration – todo
   • In general
     • Better automation would be great (e.g. Chef)
