First meeting in 2014 of the Atlassian Usergroup Hamburg - AUGHH
21.01.2014, ergon Datenprojekte GmbH
Nils Hofmeister, Bigpoint GmbH

Atlassian meets Kerberos
How we implemented SSO 3 times ;)
Talk regarding kerberization of Jira and Confluence at the first meeting in 2014 of the Atlassian user group Hamburg.

Published in: Technology
Atlassian meets Kerberos

  1. First meeting in 2014 of the Atlassian Usergroup Hamburg - AUGHH. 21.01.2014, ergon Datenprojekte GmbH
  2. Nils Hofmeister, Bigpoint GmbH (Drehbahn 47-48, 20354 Hamburg, Germany). Atlassian meets Kerberos: How we implemented SSO 3 times ;)
  3. Intro (agenda)
     • Intro - Environment
     • Jira and LAMP
     • Confluence and „native“ kerberization
     • Proxy solution
     • Next steps
  4. Intro - Environment
     • Active Directory
     • Kerberos
     • Windows + Mac + Linux clients
     • Linux servers (almost all Debian)
     • MySQL
     • Jira + Confluence installed via shell scripts from tarball
  5. Intro - Environment
     Jira
     • 889 users, 406 groups, 335.726 tickets
     • 109 active projects, 91 retired
     • Jira Agile (aka Greenhopper) active for 27 projects
     • Started 07.09.2010
     Confluence
     • 662 users, 168 groups, 203 spaces, 32.678 pages*
     • Team Calendars, Balsamiq, Gliffy, Linking, Redirection, Content Formatting, ...
     • Started 13.04.2011
     * SELECT COUNT(*) FROM CONTENT WHERE CONTENTTYPE = "page" AND CONTENT_STATUS = "current" AND PREVVER IS NULL
  6. Intro - Environment: Kerberos diagram (image), http://technet.microsoft.com/en-us/library/Bb742516.kerb01_big(l=en-us).gif
  7. What we tried (section divider)
  8. Jira and LAMP - Does the job okay...
     • Apache does Kerberos auth
     • Apache calls „Loginproxy“
     • Loginproxy identifies pwd
     • Loginproxy redirects
     • AD sync via php cron
     • Groups + users + membership
  9. Jira and LAMP - Does the job okay...
     Pro:
     • Utilizes our Apache Kerberos voodoo
     • Works quite stable...
     Con:
     • Pretty complicated piece of custom SW
     • Awkward cron job
     • Utilizes some deprecated legacy stuff
     • ...sometimes not reliable, hard to debug
     • External Jira clients hard or impossible to use
     (image: http://talljerome.com/images/wrkpstr_wrongtool.jpg)
  10. Confluence and native kerberization - Least complicated in theory
     • No proxy
     • Directly call Tomcat
     • Kerberos via SPNEGO
     • Custom http authenticator
     • Some manual keytab handling
     • AD sync via Python cron
     • Groups + users + membership
  11. Confluence and native kerberization - Least complicated in theory
     Pro:
     • Simple design
     • Feels like „we tamed the monster“
     Con:
     • We could only reproduce it once
     • All other instances refused to work
     • Customized SPNEGO lib
     • Auth errors nearly impossible to debug
     (image: http://ih3.redbubble.net/image.3818192.2622/flat,550x550,075,f.jpg)
  12. Proxy Solution - Most efficient way for us in practice
     • Apache does Kerberos auth
     • Apache reverse proxy
     • Rewrite rules + write header
     • Custom http authenticator
     • AD sync via standard AD directory
  13. Proxy Solution - Most efficient way for us in practice
     Pro:
     • Reuse of given Apache expertise
     • Reuse of http authenticator
     • Little application customizing
     • Easy handling of SSL
     • No custom AD synchronization
     • Least customized stack
     Con:
     • AD/LDAP config is a pain
     • Hard to find the right vhost configuration
     (image: http://www.mantiburi.com/files/5113/7329/5814/my-little-pony.png)
  14. How the proxy stuff works (section divider)
  15. Proxy Solution - Most efficient way for us in practice (Apache vhost configuration; the same listing is repeated on slides 16-20)
     ...
     RewriteEngine On
     RewriteCond %{LA-U:REMOTE_USER} (.+)
     RewriteRule . - [E=RU:%1]
     RequestHeader set REMOTE_USER "%{RU}e" env=RU
     ...
     <Location />
       AuthType Kerberos
       AuthName confluence_%_user
       Krb5Keytab /var/lib/cfg-apache/keytab.http_xyz.nue.bigpoint.net
       KrbServiceName HTTP/xyz.nue.bigpoint.net
       KrbAuthRealm BIGPOINT.LOCAL
       KrbMethodNegotiate on
       KrbSaveCredentials on
       KrbVerifyKDC off
       AuthDBMGroupFile /var/lib/cfg-apache/dbmadgroups
       Require group confluence_%_user
       Order deny,allow
       Deny from all
       Allow from xx.xx.xx.xx 127.0.0.1
       ProxyPass ajp://localhost/
       Satisfy any
     </Location>
     ...
     <VirtualHost 0.0.0.0:80>
       RewriteEngine On
       RewriteRule /.* https://confluence-test2.bigpoint.net$0 [R]
       Include "/etc/apache2/vhost-override.d/"
     </VirtualHost>

     <VirtualHost 0.0.0.0:8080>
       RewriteEngine On
       RewriteRule /.* https://confluence-test2.bigpoint.net$0 [R]
       Include "/etc/apache2/vhost-override.d/"
     </VirtualHost>
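The rewrite chain in that vhost is what turns the Kerberos principal into the REMOTE_USER header that the custom authenticator on slide 22 trusts. The Python model below is added here and is not part of the talk or the Bigpoint project: it replays that chain for the cases a reviewer of such a vhost should check (a Kerberos login, a denied request, and a request admitted by the "Allow from" list, where the conditional RequestHeader set never runs), using a constructed allow-list IP and principal.

```python
# Added illustration (not from the talk or Bigpoint's code): a model of how the
# Apache vhost on slide 15 hands the Kerberos principal to Confluence as REMOTE_USER.

# Stands in for the "Allow from xx.xx.xx.xx 127.0.0.1" list on the slide (constructed).
ALLOWED_IPS = {"127.0.0.1", "198.51.100.7"}


def forwarded_headers(client_ip, client_headers, krb_principal, unset_first=False):
    """Headers mod_proxy would pass on to Tomcat over AJP, or None if Apache denies.

    krb_principal is the REMOTE_USER value mod_auth_kerb established after a
    Negotiate exchange (its exact form depends on mod_auth_kerb options not on
    the slides); None means no Kerberos login took place.
    """
    # "Satisfy any": either a Kerberos login OR an allow-listed source IP gets in.
    if krb_principal is None and client_ip not in ALLOWED_IPS:
        return None
    # Header names are case-insensitive; normalise so remote_user == REMOTE_USER.
    headers = {name.upper(): value for name, value in client_headers.items()}
    if unset_first:
        # Hardening that is NOT on the slide: an unconditional
        # "RequestHeader unset REMOTE_USER" placed before the conditional set.
        headers.pop("REMOTE_USER", None)
    # RewriteCond %{LA-U:REMOTE_USER} (.+)  /  RewriteRule . - [E=RU:%1]
    # RequestHeader set REMOTE_USER "%{RU}e" env=RU   (fires only when RU is set)
    if krb_principal:
        headers["REMOTE_USER"] = krb_principal
    return headers


def confluence_login(headers):
    """Mirror RemoteUserAuthenticator: the remote_user header names the logged-in user."""
    if headers is None:
        return None
    return headers.get("REMOTE_USER")


def sso_checks():
    """Scenarios to run against such a setup; returns who Confluence would log in."""
    alice = "alice@BIGPOINT.LOCAL"  # constructed principal
    spoof = {"remote_user": "x"}    # a client-supplied header, for the checks only
    return {
        # Normal SSO: the Kerberos principal replaces whatever the browser sent.
        "kerberos": confluence_login(forwarded_headers("10.1.2.3", spoof, alice)),
        # No ticket and not allow-listed: Apache answers before proxying anything.
        "denied": confluence_login(forwarded_headers("10.1.2.3", {}, None)),
        # Allow-listed IP without a ticket: the slide config forwards the header as-is...
        "allowlisted_as_is": confluence_login(forwarded_headers("198.51.100.7", spoof, None)),
        # ...whereas the unset-first variant forwards no identity at all.
        "allowlisted_hardened": confluence_login(
            forwarded_headers("198.51.100.7", spoof, None, unset_first=True)),
    }
```

The last two results are the ones to compare when deciding whether the allow-listed hosts (here the proxy's own loopback and one further address) are trusted enough to originate identity headers.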
  21. Proxy Solution - Most efficient way for us in practice (Tomcat server.xml)
     <Server port="8001" shutdown="SHUTDOWN" debug="0" address="127.0.0.1">
       <Service name="Tomcat-Standalone">
         <Connector port="8009" protocol="AJP/1.3" URIEncoding="UTF-8" packetSize="20000" />
         <Engine name="Standalone" defaultHost="localhost" debug="0">
           <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false">
             <Context path="" docBase="../confluence" debug="0" reloadable="false" useHttpOnly="true">
               <Manager pathname="" />
             </Context>
           </Host>
         </Engine>
       </Service>
     </Server>
  22. Proxy Solution - Most efficient way for us in practice (custom http authenticator, https://github.com/Bigpoint/remoteuser-confluence-authenticator)
     public class RemoteUserAuthenticator extends ConfluenceAuthenticator {
         ...
         public Principal getUser(HttpServletRequest request, HttpServletResponse response) {
             ...
             // The header is set by the Apache reverse proxy after Kerberos auth (see slide 15).
             String remoteUser = request.getHeader("remote_user");
             ...
             Principal user = getUser(remoteUser);
             ...
             // Modify session signaling that we are authenticated now.
             request.getSession().setAttribute(DefaultAuthenticator.LOGGED_IN_KEY, user);
             request.getSession().setAttribute(DefaultAuthenticator.LOGGED_OUT_KEY, null);
             log.debug("Logged in via SSO with User " + remoteUser);
             return user;
         }
     }
  23. Proxy Solution - Most efficient way for us in practice (AD directory connector filters)
     "ldap.group.filter": "(&(objectCategory=Group)(|(cn=confluence*)(cn=balsamiq*)(cn=AllEmployees)))"
     ...
     "ldap.user.filter": "(&(objectCategory=Person)(sAMAccountName=*))"
  24. Next steps (section divider)
  25. Next Steps - We are not there yet...
     • Test instances – done
     • Confluence production – done
     • Jira production + reverse proxy – todo
     • Jira production + AD – todo
     • Integrate production instances – todo
     • Better understanding of AD integration – todo
     • In general: better automation would be great (e.g. Chef)