Atlassian Usergroup Hamburg (AUGHH), first meeting of 2014
21.01.2014, ergon Datenprojekte GmbH
Nils Hofmeister, Bigpoint GmbH

Atlassian meets Kerberos
How we implemented SSO 3 times ;)
Drehbahn 47-48, 20354 HAMBURG, GERMANY

Agenda
• Intro - Environment
• Jira and LAMP
• Confluence and "native" kerberization
• Proxy solution
• Next steps
Intro: Environment
• Active Directory
• Kerberos
• Windows + Mac + Linux clients
• Linux servers (almost all Debian)
• MySQL
• Jira + Confluence installed via shell scripts from tarball
Intro: Environment
Jira
• 889 users, 406 groups, 335,726 tickets
• 109 active projects, 91 retired
• Jira Agile (aka GreenHopper) active for 27 projects
• Started 7 September 2010
Confluence
• 662 users, 168 groups, 203 spaces, 32,678 pages*
• Team Calendars, Balsamiq, Gliffy, Linking, Redirection, Content Formatting, ...
• Started 13 April 2011

* Page count taken with this query against the Confluence database (current page versions only):
  SELECT COUNT(*)
  FROM CONTENT
  WHERE CONTENTTYPE = "page"
    AND CONTENT_STATUS = "current"
    AND PREVVER IS NULL
Intro: Environment
Kerberos ticket flow (diagram): http://technet.microsoft.com/en-us/library/Bb742516.kerb01_big(l=en-us).gif
What we tried
Jira and LAMP
Does the job okay...
• Apache does Kerberos auth
• Apache calls the "Loginproxy"
• Loginproxy identifies the password
• Loginproxy redirects
• AD sync via PHP cron
• Groups + users + membership
Jira and LAMP (cont.)
Pro:
• Utilizes our Apache Kerberos voodoo
• Works quite stably...
Con:
• Pretty complicated piece of custom software
• Awkward cron job
• Utilizes some deprecated legacy stuff
• ...sometimes not reliable, hard to debug
• External Jira clients hard or impossible to use
http://talljerome.com/images/wrkpstr_wrongtool.jpg
Confluence and native kerberization
Least complicated in theory
• No proxy
• Directly call Tomcat
• Kerberos via SPNEGO
• Custom HTTP authenticator
• Some manual keytab handling
• AD sync via Python cron
• Groups + users + membership
Confluence and native kerberization (cont.)
Pro:
• Simple design
• Feels like "we tamed the monster"
Con:
• We could only reproduce it once
• All other instances refused to work
• Customized SPNEGO lib
• Auth errors nearly impossible to debug
http://ih3.redbubble.net/image.3818192.2622/flat,550x550,075,f.jpg
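When SPNEGO fails, the first thing worth looking at is what the browser actually sent in its Authorization: Negotiate header. A NegTokenInit whose mechType list offers only NTLMSSP means the client could not obtain a Kerberos service ticket for the name it resolved (SPN not registered, host not in the keytab, DNS name differing from the SPN), and a Kerberos-only module cannot accept it; a raw NTLM token means the client did not do SPNEGO at all. The decoder below is an added example written for this page (Python, not code from the slides or from Bigpoint) that parses the outer GSS-API token and the mechType list; the sample tokens are constructed inline by make_spnego_header and carry no real ticket.

```python
"""Inspect an 'Authorization: Negotiate <base64>' value far enough to see which
GSS mechanism it carries. Pure Python, runs offline, needs no KDC.
Constructed example; the sample tokens are built here and hold no real ticket."""
import base64

OIDS = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "KRB5",
    "1.2.840.48018.1.2.2": "MS-KRB5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}
NAMES = {v: k for k, v in OIDS.items()}


def _tlv(buf, pos=0):
    """Read one DER TLV: returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + length], pos + length


def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def inspect_negotiate(header_value):
    """Return {'kind': ..., 'mechs': [...]} for an Authorization header value."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme != "Negotiate":
        return {"kind": "not-negotiate", "mechs": []}
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):       # raw NTLM, no GSS wrapper at all
        return {"kind": "raw-ntlm", "mechs": ["NTLMSSP"]}
    if not token or token[0] != 0x60:          # GSS-API InitialContextToken
        return {"kind": "unknown", "mechs": []}
    _, body, _ = _tlv(token)
    _, oid, pos = _tlv(body)                    # thisMech
    mech = OIDS.get(decode_oid(oid), "unknown")
    if mech != "SPNEGO":
        return {"kind": mech, "mechs": [mech]}
    # [0] NegTokenInit ::= SEQUENCE { [0] mechTypes SEQUENCE OF OID, ... }
    _, neg_init, _ = _tlv(body, pos)
    _, seq, _ = _tlv(neg_init)
    _, tagged, _ = _tlv(seq)
    _, mech_list, _ = _tlv(tagged)
    mechs, p = [], 0
    while p < len(mech_list):
        _, oid, p = _tlv(mech_list, p)
        mechs.append(OIDS.get(decode_oid(oid), decode_oid(oid)))
    return {"kind": "SPNEGO", "mechs": mechs}


def diagnose(header_value):
    info = inspect_negotiate(header_value)
    if info["kind"] == "raw-ntlm":
        return "raw NTLM token: browser did not do SPNEGO at all"
    if info["kind"] == "SPNEGO" and not {"KRB5", "MS-KRB5"} & set(info["mechs"]):
        return "SPNEGO without Kerberos: client got no service ticket (check SPN, DNS name, keytab)"
    if info["kind"] in ("SPNEGO", "KRB5", "MS-KRB5"):
        return "Kerberos offered: mod_auth_kerb can accept this"
    return "unrecognised token"


def make_spnego_header(mech_names, mech_token=b"\x00" * 8):
    """Constructed NegTokenInit offering the given mechanisms (no real ticket)."""
    mech_list = _der(0x30, b"".join(encode_oid(NAMES[m]) for m in mech_names))
    neg_init = _der(0x30, _der(0xA0, mech_list) + _der(0xA2, _der(0x04, mech_token)))
    token = _der(0x60, encode_oid(NAMES["SPNEGO"]) + _der(0xA0, neg_init))
    return "Negotiate " + base64.b64encode(token).decode()


# Constructed sample of a raw NTLM type-1 message prefix, as a browser sends it
# when it skips SPNEGO entirely.
RAW_NTLM_HEADER = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()

if __name__ == "__main__":
    print(diagnose(make_spnego_header(["MS-KRB5", "KRB5", "NTLMSSP"])))
    print(diagnose(make_spnego_header(["NTLMSSP"])))
    print(diagnose(RAW_NTLM_HEADER))
```

Paste the base64 part of a failing client's header into inspect_negotiate to get the same verdict for real traffic; only the first TLVs are parsed, the Kerberos AP-REQ inside mechToken is left opaque.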
Proxy Solution
Most efficient way for us in practice
• Apache does Kerberos auth
• Apache reverse proxy
• Rewrite rules + write header
• Custom HTTP authenticator
• AD sync via standard AD directory
Proxy Solution (cont.)
Pro:
• Reuse of existing Apache expertise
• Reuse of HTTP authenticator
• Little application customizing
• Easy handling of SSL
• No custom AD synchronization
• Least customized stack
Con:
• AD/LDAP config is a pain
• Hard to find the right vhost configuration
http://www.mantiburi.com/files/5113/7329/5814/my-little-pony.png
How the proxy stuff works
Proxy Solution: Apache configuration
(rewrite/header rules, the Kerberos-protected <Location />, and the port 80 / 8080 vhosts that redirect to HTTPS)

...
# Copy the authenticated user (looked up ahead of the auth phase) into the
# REMOTE_USER request header that Confluence's authenticator reads.
RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader set REMOTE_USER "%{RU}e" env=RU
...

<Location />
    AuthType Kerberos
    AuthName confluence_%_user
    Krb5Keytab /var/lib/cfg-apache/keytab.http_xyz.nue.bigpoint.net
    KrbServiceName HTTP/xyz.nue.bigpoint.net
    ...
    KrbAuthRealm BIGPOINT.LOCAL
    KrbMethodNegotiate on
    KrbSaveCredentials on
    KrbVerifyKDC off
    AuthDBMGroupFile /var/lib/cfg-apache/dbmadgroups
    Require group confluence_%_user
    # Host rule; together with "Satisfy any" the listed addresses pass without Kerberos
    Order deny,allow
    Deny from all
    Allow from xx.xx.xx.xx 127.0.0.1
    ProxyPass ajp://localhost/
    Satisfy any
</Location>
...

<VirtualHost 0.0.0.0:80>
    RewriteEngine On
    RewriteRule /.* https://confluence-test2.bigpoint.net$0 [R]
    Include "/etc/apache2/vhost-override.d/"
</VirtualHost>

<VirtualHost 0.0.0.0:8080>
    RewriteEngine On
    RewriteRule /.* https://confluence-test2.bigpoint.net$0 [R]
    Include "/etc/apache2/vhost-override.d/"
</VirtualHost>
...
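Two details of this configuration decide what Confluence ends up seeing in REMOTE_USER. First, `RequestHeader set REMOTE_USER "%{RU}e" env=RU` is only executed when the rewrite lookahead found an authenticated user; when RU is unset, mod_headers skips the directive and leaves the request as it arrived, so a REMOTE_USER header supplied by the client would travel on to Tomcat unless an unconditional `RequestHeader unset REMOTE_USER` precedes the conditional set. Second, `Satisfy any` together with `Allow from xx.xx.xx.xx 127.0.0.1` lets the listed hosts through without any Kerberos exchange, which is exactly the case in which RU stays unset. The model below is an added example (Python, written for this page, not from the slides or Bigpoint's repository) that replays those directive semantics; ALLOWED_IPS stands in for the masked address list, and unset_first stands for the extra unset directive, both assumptions. Separately, `KrbVerifyKDC off` disables the keytab-based KDC verification mod_auth_kerb performs for its password (Basic) fallback; the module documents that switch as a testing-only setting.

```python
"""Model of the header-based SSO hand-off from Apache (mod_auth_kerb,
mod_headers, mod_proxy_ajp) to Confluence as configured on the slide.
Constructed example, not Bigpoint's code."""
from typing import Optional

ALLOWED_IPS = {"127.0.0.1", "192.0.2.10"}   # assumption: stands in for "xx.xx.xx.xx 127.0.0.1"


def apache_access(client_ip: str, kerberos_principal: Optional[str]):
    """<Location /> with 'Satisfy any': the request passes if EITHER the host
    rule (Deny from all / Allow from ...) OR Kerberos auth succeeds.
    Returns (allowed, authenticated_user)."""
    if kerberos_principal is not None:       # Negotiate succeeded (Require group assumed satisfied)
        return True, kerberos_principal
    if client_ip in ALLOWED_IPS:             # host rule wins, no authentication happened
        return True, None
    return False, None                       # 401 with WWW-Authenticate: Negotiate


def forwarded_headers(client_headers: dict, authenticated_user: Optional[str],
                      unset_first: bool = False) -> dict:
    """Headers mod_proxy_ajp sends to Tomcat after mod_headers ran.

      RewriteCond %{LA-U:REMOTE_USER} (.+)           -> RU is set only on success
      RequestHeader set REMOTE_USER "%{RU}e" env=RU  -> header written only if RU is set

    When RU is unset the directive is skipped and whatever REMOTE_USER the client
    sent passes through untouched. unset_first models an added, unconditional
    'RequestHeader unset REMOTE_USER' before the conditional set (assumption)."""
    out = {k.lower(): v for k, v in client_headers.items()}   # header names are case-insensitive
    if unset_first:
        out.pop("remote_user", None)
    if authenticated_user is not None:
        out["remote_user"] = authenticated_user
    return out


def backend_user(client_ip: str, client_headers: dict, kerberos_principal: Optional[str],
                 unset_first: bool = False) -> Optional[str]:
    """What Confluence's authenticator reads via request.getHeader("remote_user")."""
    allowed, user = apache_access(client_ip, kerberos_principal)
    if not allowed:
        return None
    return forwarded_headers(client_headers, user, unset_first).get("remote_user")


if __name__ == "__main__":
    spoof = {"REMOTE_USER": "admin@BIGPOINT.LOCAL"}          # client-supplied header
    print(backend_user("192.0.2.10", spoof, None))           # listed host, no auth: header kept
    print(backend_user("192.0.2.10", spoof, None, True))     # same, with the unset: None
    print(backend_user("198.51.100.7", spoof, None))         # other host, no ticket: 401, None
    print(backend_user("198.51.100.7", spoof, "nils@BIGPOINT.LOCAL", True))  # real principal wins
```

The same reasoning applies to any header-trusting backend behind a reverse proxy: the backend must only be reachable through the proxy, and the proxy must overwrite or strip the trusted header on every request, not just on the authenticated path.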
Proxy Solution: Tomcat server.xml (Confluence behind the AJP proxy)
<Server port="8001" shutdown="SHUTDOWN" debug="0" address="127.0.0.1">
  <Service name="Tomcat-Standalone">
    <Connector port="8009" protocol="AJP/1.3" URIEncoding="UTF-8" packetSize="20000" />
    <Engine name="Standalone" defaultHost="localhost" debug="0">
      <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false">
        <Context path="" docBase="../confluence" debug="0" reloadable="false" useHttpOnly="true">
          <Manager pathname="" />
        </Context>
      </Host>
    </Engine>
  </Service>
</Server>
Note: the AJP connector carries no address attribute and therefore listens on every interface, while the shutdown listener is already bound to 127.0.0.1. Since Apache proxies to ajp://localhost/, adding address="127.0.0.1" to the Connector keeps the backend, which trusts the REMOTE_USER header from the proxy, reachable only from the local proxy.
Proxy Solution: Confluence authenticator (reads the header the proxy set)
import java.security.Principal;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.atlassian.confluence.user.ConfluenceAuthenticator;
import com.atlassian.seraph.auth.DefaultAuthenticator;

public class RemoteUserAuthenticator extends ConfluenceAuthenticator {
    ...
    @Override
    public Principal getUser(HttpServletRequest request, HttpServletResponse response) {
        ...
        // Set by Apache after a successful Kerberos handshake; header names are
        // case-insensitive, so "remote_user" matches the REMOTE_USER header.
        String remoteUser = request.getHeader("remote_user");
        ...
        // Resolve the name against Confluence's user directory (the AD directory).
        Principal user = getUser(remoteUser);
        ...
        // Modify session signaling that we are authenticated now.
        request.getSession().setAttribute(DefaultAuthenticator.LOGGED_IN_KEY, user);
        request.getSession().setAttribute(DefaultAuthenticator.LOGGED_OUT_KEY, null);
        log.debug("Logged in via SSO with User " + remoteUser);
        return user;
    }
}

Source: https://github.com/Bigpoint/remoteuser-confluence-authenticator
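The authenticator receives whatever mod_auth_kerb placed in REMOTE_USER, which is the full principal user@REALM unless `KrbLocalUserMapping On` is set, while the AD user directory on the next slide matches on sAMAccountName. The example below (Python, added for this page, not code from the slides or from remoteuser-confluence-authenticator) shows the normalisation a practitioner wants between the two: accept only principals of the configured realm (KrbAuthRealm on the slide), reject service principals such as HTTP/host@REALM, and RFC 4515-escape the name before embedding it in a search filter. The character allow-list for account names is an assumption, stricter than what AD itself permits.

```python
"""Turn the REMOTE_USER value handed over by mod_auth_kerb into a safe AD lookup.
Constructed example; not Bigpoint's code."""
import re

EXPECTED_REALM = "BIGPOINT.LOCAL"           # KrbAuthRealm from the slide
# AD forbids " / \ [ ] : ; | = , + * ? < > in sAMAccountName and caps it at
# 20 characters; this allow-list is stricter still (assumption).
ACCOUNT_RE = re.compile(r"[A-Za-z0-9._-]{1,20}")


def principal_to_account(remote_user: str, realm: str = EXPECTED_REALM) -> str:
    """Map 'user@REALM' to the bare account name, refusing anything that is not a
    plain user of our own realm: foreign realms reached through a trust, service
    principals ('HTTP/host@REALM'), and names outside the allow-list."""
    name, sep, got_realm = remote_user.rpartition("@")
    if not sep:
        raise ValueError("REMOTE_USER carries no realm: %r" % remote_user)
    if got_realm != realm:                  # Kerberos realms are case-sensitive
        raise ValueError("unexpected realm %r" % got_realm)
    if "/" in name:
        raise ValueError("service principal, not a user: %r" % name)
    if not ACCOUNT_RE.fullmatch(name):
        raise ValueError("account name outside allow-list: %r" % name)
    return name


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value embedded in a search filter, so that a '*'
    or ')' inside a name can neither widen nor break the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def user_search_filter(account: str) -> str:
    """Narrow the slide's user filter (&(objectCategory=Person)(sAMAccountName=*))
    to exactly one account."""
    return "(&(objectCategory=Person)(sAMAccountName=%s))" % ldap_escape(account)


def group_search_filter(prefixes, exact) -> str:
    """Rebuild the slide's group filter from its parts: the trailing '*' is a
    deliberate prefix match on cn, the names themselves are escaped."""
    terms = ["(cn=%s*)" % ldap_escape(p) for p in prefixes]
    terms += ["(cn=%s)" % ldap_escape(e) for e in exact]
    return "(&(objectCategory=Group)(|%s))" % "".join(terms)


if __name__ == "__main__":
    print(user_search_filter(principal_to_account("nils@BIGPOINT.LOCAL")))
    print(group_search_filter(["confluence", "balsamiq"], ["AllEmployees"]))
    for bad in ("nils@OTHER.LOCAL", "HTTP/xyz.nue.bigpoint.net@BIGPOINT.LOCAL", "nils"):
        try:
            principal_to_account(bad)
        except ValueError as e:
            print("rejected:", e)
```

Rejecting foreign realms matters once a trust exists: a principal from another realm would otherwise be looked up by bare name and could collide with a local account of the same sAMAccountName.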
Proxy Solution: AD user directory filters (Confluence's built-in AD directory, no custom sync)
"ldap.group.filter": "(&(objectCategory=Group)(|(cn=confluence*)(cn=balsamiq*)(cn=AllEmployees)))"
...
"ldap.user.filter": "(&(objectCategory=Person)(sAMAccountName=*))"
Next Steps
We are not there yet...
• Test instances – done
• Confluence production – done
• Jira production + reverse proxy – todo
• Jira production + AD – todo
• Integrate production instances – todo
• Better understanding of AD integration – todo
• In general: better automation would be great (e.g. Chef)

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 

Atlassian meets Kerberos: How we implemented SSO 3 times

  • 1. First 2014 meeting of the Atlassian User Group Hamburg (AUGHH), 21.01.2014, ergon Datenprojekte GmbH
  • 2. Nils Hofmeister, Bigpoint GmbH, Drehbahn 47-48, 20354 Hamburg, Germany. Atlassian meets Kerberos: How we implemented SSO 3 times ;)
  • 3. Intro (agenda)
      • Intro - Environment
      • Jira and LAMP
      • Confluence and "native" kerberization
      • Proxy solution
      • Next steps
  • 4. Intro: Environment
      • Active Directory
      • Kerberos
      • Windows + Mac + Linux clients
      • Linux servers (almost all Debian)
      • MySQL
      • Jira + Confluence installed via shell scripts from tarball
  • 5. Intro: Environment
      • Jira
          • 889 users, 406 groups, 335,726 tickets
          • 109 active projects, 91 retired
          • Jira Agile (aka Greenhopper) active for 27 projects
          • Started 07.09.2010
      • Confluence
          • 662 users, 168 groups, 203 spaces, 32,678 pages*
          • Team Calendars, Balsamiq, Gliffy, Linking, Redirection, Content Formatting, ...
          • Started 13.04.2011
      * Page count taken from the Confluence database:
            SELECT COUNT(*)
            FROM CONTENT
            WHERE CONTENTTYPE = "page"
              AND CONTENT_STATUS = "current"
              AND PREVVER IS NULL
  • 7. What we tried (section divider)
  • 8. Jira and LAMP: Does the job okay...
      • Apache does Kerberos auth
      • Apache calls "Loginproxy"
      • Loginproxy identifies pwd
      • Loginproxy redirects
      • AD sync via PHP cron job: groups + users + membership
  • 9. Jira and LAMP: Does the job okay...
      Pro:
      • Utilizes our Apache Kerberos voodoo
      • Works quite stable...
      Con:
      • Pretty complicated piece of custom SW
      • Awkward cron job
      • Utilizes some deprecated legacy stuff
      • ...sometimes not reliable, hard to debug
      • External Jira clients hard or impossible to use
      (slide image: http://talljerome.com/images/wrkpstr_wrongtool.jpg)
  • 10. Confluence and native kerberization: Least complicated in theory
      • No proxy
      • Directly call Tomcat
      • Kerberos via SPNEGO
      • Custom HTTP authenticator
      • Some manual keytab handling
      • AD sync via Python cron job: groups + users + membership
  • 11. Confluence and native kerberization: Least complicated in theory
      Pro:
      • Simple design
      • Feels like "we tamed the monster"
      Con:
      • We could only reproduce it once
      • All other instances refused to work
      • Customized SPNEGO lib
      • Auth errors nearly impossible to debug
      (slide image: http://ih3.redbubble.net/image.3818192.2622/flat,550x550,075,f.jpg)
  • 12. Proxy Solution: Most efficient way for us in practice
      • Apache does Kerberos auth
      • Apache reverse proxy
      • Rewrite rules + write header
      • Custom HTTP authenticator
      • AD sync via the standard (built-in) AD directory, no custom sync job
  • 13. Proxy Solution: Most efficient way for us in practice
      Pro:
      • Reuse of given Apache expertise
      • Reuse of HTTP authenticator
      • Little application customizing
      • Easy handling of SSL
      • No custom AD synchronization
      • Least customized stack
      Con:
      • AD/LDAP config is a pain
      • Hard to find the right vhost configuration
      (slide image: http://www.mantiburi.com/files/5113/7329/5814/my-little-pony.png)
  • 14. How the proxy stuff works (section divider)
  • 15. Proxy Solution: Most efficient way for us in practice. Apache configuration from the slide, reassembled from its two columns; the "..." marks are the slide's own elisions and xx.xx.xx.xx is masked on the slide. Left column: the header rewrite and the <Location /> block that does the Kerberos authentication and proxies to Tomcat over AJP. Right column: the plain-HTTP vhosts, which only redirect to HTTPS.

        ...
        RewriteEngine On
        RewriteCond %{LA-U:REMOTE_USER} (.+)
        RewriteRule . - [E=RU:%1]
        RequestHeader set REMOTE_USER "%{RU}e" env=RU
        ...
        <Location />
            AuthType Kerberos
            AuthName confluence_%_user
            Krb5Keytab /var/lib/cfg-apache/keytab.http_xyz.nue.bigpoint.net
            KrbServiceName HTTP/xyz.nue.bigpoint.net
            ...
            KrbAuthRealm BIGPOINT.LOCAL
            KrbMethodNegotiate on
            KrbSaveCredentials on
            KrbVerifyKDC off
            AuthDBMGroupFile /var/lib/cfg-apache/dbmadgroups
            Require group confluence_%_user
            Order deny,allow
            Deny from all
            Allow from xx.xx.xx.xx 127.0.0.1
            ProxyPass ajp://localhost/
            Satisfy any
        </Location>
        ...

        <VirtualHost 0.0.0.0:80>
            RewriteEngine On
            RewriteRule /.* https://confluence-test2.bigpoint.net$0 [R]
            Include "/etc/apache2/vhost-override.d/"
        </VirtualHost>

        <VirtualHost 0.0.0.0:8080>
            RewriteEngine On
            RewriteRule /.* https://confluence-test2.bigpoint.net$0 [R]
            Include "/etc/apache2/vhost-override.d/"
        </VirtualHost>

    Two points to check in this fragment. RequestHeader set ... env=RU only fires once Apache has authenticated the request and mod_rewrite has copied REMOTE_USER into RU; nothing unsets the header first, so a request that is proxied without RU (Satisfy any admits the hosts in the Allow from list without any Kerberos exchange) carries whatever REMOTE_USER header the client chose straight to the backend authenticator. A RequestHeader unset REMOTE_USER ahead of the conditional set closes that path. KrbVerifyKDC off disables mod_auth_kerb's check of a password-obtained ticket against the service keytab; that check only matters for the Basic-auth fallback (KrbMethodK5Passwd), which mod_auth_kerb leaves enabled unless it is switched off explicitly, so either turn the fallback off or leave KDC verification on.
  • 21. Proxy Solution: Most efficient way for us in practice. Tomcat server.xml: no HTTP connector, only the AJP connector that the Apache ProxyPass talks to.

        <Server port="8001" shutdown="SHUTDOWN" debug="0" address="127.0.0.1">
          <Service name="Tomcat-Standalone">
            <Connector port="8009" protocol="AJP/1.3" URIEncoding="UTF-8" packetSize="20000" />
            <Engine name="Standalone" defaultHost="localhost" debug="0">
              <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false">
                <Context path="" docBase="../confluence" debug="0" reloadable="false" useHttpOnly="true">
                  <Manager pathname="" />
                </Context>
              </Host>
            </Engine>
          </Service>
        </Server>

    Note that address="127.0.0.1" here binds only the shutdown port; the AJP connector has no address attribute and therefore listens on every interface. Because the authenticator on slide 22 accepts whatever remote_user header arrives over AJP, the connector needs address="127.0.0.1" as well (or a firewall rule that admits only the proxy host).
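As an added example (not code from the talk, from Bigpoint or from Atlassian), the following Python script checks an Apache fragment and a Tomcat server.xml for the weak spots discussed under slides 15 and 21: a REMOTE_USER header that is set conditionally but never unset, KrbVerifyKDC off without the password fallback being disabled, Satisfy any combined with Allow from, and an AJP connector with no loopback binding. The sample inputs are constructed and abridged from the slides (hostnames and the masked allow-list address left out); the hardened variants are a suggestion, not the talk's configuration.

```python
"""Added example: lint the reverse-proxy SSO pattern from the slides.
Standard library only; the samples below are constructed and abridged."""
import re
import xml.etree.ElementTree as ET


def lint_apache(conf: str) -> list[str]:
    """Return findings for an Apache mod_auth_kerb + mod_proxy SSO fragment."""
    lines = [line.strip() for line in conf.splitlines()]

    def has(pattern: str) -> bool:
        return any(re.match(pattern, line, re.IGNORECASE) for line in lines)

    findings = []
    # 'RequestHeader set ... env=RU' only fires when RU exists. If it does not
    # (no Kerberos auth happened), a REMOTE_USER header supplied by the client
    # travels to the backend untouched unless it was unset beforehand.
    if has(r"RequestHeader\s+set\s+REMOTE_USER\b") and not has(r"RequestHeader\s+unset\s+REMOTE_USER\b"):
        findings.append("REMOTE_USER is set conditionally but never unset: a client-supplied header can pass through")
    # KrbVerifyKDC protects the Basic-auth fallback (KrbMethodK5Passwd, enabled
    # by default in mod_auth_kerb) against a spoofed KDC.
    if has(r"KrbVerifyKDC\s+off\b") and not has(r"KrbMethodK5Passwd\s+off\b"):
        findings.append("KrbVerifyKDC off while the password fallback is enabled: KDC spoofing not detected")
    # With 'Satisfy any', passing the host-based Allow list is sufficient, so
    # those hosts reach the backend without Kerberos and without RU being set.
    if has(r"Satisfy\s+any\b") and has(r"Allow\s+from\b"):
        findings.append("Satisfy any + Allow from: allow-listed hosts bypass Kerberos authentication")
    return findings


def lint_tomcat(server_xml: str) -> list[str]:
    """Flag AJP connectors not bound to loopback: whoever can reach the port can
    hand the header-trusting authenticator any remote_user value."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        is_ajp = conn.get("protocol", "").upper().startswith("AJP")
        if is_ajp and conn.get("address") not in ("127.0.0.1", "::1"):
            findings.append(f'AJP connector on port {conn.get("port")} listens on all interfaces; add address="127.0.0.1"')
    return findings


# Constructed sample, abridged from slide 15: the weak variant.
PAGE_APACHE = """\
RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader set REMOTE_USER "%{RU}e" env=RU
<Location />
    AuthType Kerberos
    KrbMethodNegotiate on
    KrbVerifyKDC off
    Require group confluence_%_user
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    ProxyPass ajp://localhost/
    Satisfy any
</Location>
"""

# Suggested hardened variant (an assumption, not from the talk): unset the
# header first, disable the password fallback, drop the host-based bypass.
HARDENED_APACHE = """\
RequestHeader unset REMOTE_USER
RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader set REMOTE_USER "%{RU}e" env=RU
<Location />
    AuthType Kerberos
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    KrbVerifyKDC on
    Require group confluence_%_user
    ProxyPass ajp://localhost/
</Location>
"""

# Constructed, abridged from slide 21: only the shutdown port is bound to loopback.
PAGE_TOMCAT = """\
<Server port="8001" shutdown="SHUTDOWN" address="127.0.0.1">
  <Service name="Tomcat-Standalone">
    <Connector port="8009" protocol="AJP/1.3" URIEncoding="UTF-8" packetSize="20000" />
  </Service>
</Server>
"""
HARDENED_TOMCAT = PAGE_TOMCAT.replace('port="8009"', 'port="8009" address="127.0.0.1"')

if __name__ == "__main__":
    for name, findings in [("apache (slide)", lint_apache(PAGE_APACHE)),
                           ("apache (hardened)", lint_apache(HARDENED_APACHE)),
                           ("tomcat (slide)", lint_tomcat(PAGE_TOMCAT)),
                           ("tomcat (hardened)", lint_tomcat(HARDENED_TOMCAT))]:
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

The checks are deliberately textual so they can run over config management templates before deployment. Newer Tomcat releases (8.5.51 / 9.0.31 and later) additionally refuse AJP connections without a shared secret unless secretRequired is turned off, which is a second layer worth keeping if the proxy and Tomcat ever end up on different hosts.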
  • 22. Proxy Solution: Most efficient way for us in practice. The custom Confluence authenticator reads the user name the proxy injected (abridged on the slide; the "..." marks are the original elisions):

        public class RemoteUserAuthenticator extends ConfluenceAuthenticator {
            ...
            public Principal getUser(HttpServletRequest request, HttpServletResponse response) {
                ...
                // User name injected by the Apache reverse proxy (RequestHeader set REMOTE_USER).
                String remoteUser = request.getHeader("remote_user");
                ...
                // Resolve the name against the configured user directory.
                Principal user = getUser(remoteUser);
                ...
                // Modify session signaling that we are authenticated now.
                request.getSession().setAttribute(DefaultAuthenticator.LOGGED_IN_KEY, user);
                request.getSession().setAttribute(DefaultAuthenticator.LOGGED_OUT_KEY, null);
                log.debug("Logged in via SSO with User " + remoteUser);
                return user;
            }
        }

    Source: https://github.com/Bigpoint/remoteuser-confluence-authenticator

    The header is trusted unconditionally, which is only safe as long as nothing but Apache can reach the AJP port and Apache never forwards a client-supplied REMOTE_USER.
  • 23. Proxy Solution: Most efficient way for us in practice. Filters for the Confluence AD directory:

        "ldap.group.filter": "(&(objectCategory=Group)(|(cn=confluence*)(cn=balsamiq*)(cn=AllEmployees)))"
        ...
        "ldap.user.filter": "(&(objectCategory=Person)(sAMAccountName=*))"

    The user filter matches every person object in the domain, disabled accounts included; the usual refinement for AD is to add (!(userAccountControl:1.2.840.113556.1.4.803:=2)), which uses AD's bitwise-AND matching rule to drop accounts with the ACCOUNTDISABLE bit set.
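As an added example (not from the talk, from Bigpoint or from Atlassian), a small evaluator for LDAP search filters run against a constructed directory, showing which entries the two filters above select and what the disabled-account refinement changes. Assumptions: objectCategory is stored as the short class name rather than the schema DN that AD really uses (AD resolves the short form itself), entries are single-valued, and filter values contain no escaped parentheses.

```python
"""Added example: evaluate the AD filters from the slide against a constructed
directory. Standard library only; not Confluence's or Bigpoint's code."""
import re

BIT_AND_RULE = "1.2.840.113556.1.4.803"   # AD LDAP_MATCHING_RULE_BIT_AND
UF_ACCOUNTDISABLE = 2                      # userAccountControl flag for disabled accounts


def parse_filter(s: str, i: int = 0):
    """Parse the parenthesised RFC 4515 filter starting at s[i].
    Returns (node, index after the closing parenthesis). Assumption: values
    contain no escaped parentheses, which holds for the filters on the slide."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while s[i] != ")":
            child, i = parse_filter(s, i)
            children.append(child)
        return (op, children), i + 1
    end = s.index(")", i)
    attr, value = s[i:end].split("=", 1)      # also covers 'attr:rule:=value'
    return ("=", attr, value), end + 1


def matches(node, entry: dict) -> bool:
    """entry maps lower-cased attribute names to lists of string values."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    if attr.endswith(":"):                    # extensible match: attr:rule:=value
        attr, rule, _ = attr.split(":")
        if rule != BIT_AND_RULE:
            raise NotImplementedError(f"matching rule {rule}")
        mask = int(value)
        return any(int(v) & mask == mask for v in entry.get(attr.lower(), []))
    values = entry.get(attr.lower(), [])
    if value == "*":                          # presence filter
        return bool(values)
    regex = ".*".join(re.escape(part) for part in value.split("*"))
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in values)


def select(filter_str: str, entries) -> list[str]:
    """Names (sAMAccountName, else cn) of the entries the filter matches, sorted."""
    node, end = parse_filter(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing characters after filter")
    return sorted((e.get("samaccountname") or e["cn"])[0] for e in entries if matches(node, e))


def ad_entry(**attrs) -> dict:
    """Single-valued toy entry; real AD stores objectCategory as a DN."""
    return {k.lower(): [str(v)] for k, v in attrs.items()}


# Constructed sample directory (not Bigpoint's). userAccountControl values:
# 512 normal, 514 normal + disabled, 66048 normal + password never expires.
DIRECTORY = [
    ad_entry(objectCategory="Person", sAMAccountName="alice", userAccountControl=512),
    ad_entry(objectCategory="Person", sAMAccountName="bob", userAccountControl=514),
    ad_entry(objectCategory="Person", sAMAccountName="svc-backup", userAccountControl=66048),
    ad_entry(objectCategory="Computer", sAMAccountName="WS01$", userAccountControl=4096),
    ad_entry(objectCategory="Group", cn="confluence-users"),
    ad_entry(objectCategory="Group", cn="AllEmployees"),
    ad_entry(objectCategory="Group", cn="Domain Admins"),
]

PAGE_USER_FILTER = "(&(objectCategory=Person)(sAMAccountName=*))"
PAGE_GROUP_FILTER = "(&(objectCategory=Group)(|(cn=confluence*)(cn=balsamiq*)(cn=AllEmployees)))"
# Refinement: exclude accounts whose ACCOUNTDISABLE bit is set.
ACTIVE_USER_FILTER = ("(&(objectCategory=Person)(sAMAccountName=*)"
                      f"(!(userAccountControl:{BIT_AND_RULE}:={UF_ACCOUNTDISABLE})))")

if __name__ == "__main__":
    for label, flt in [("users (slide)", PAGE_USER_FILTER),
                       ("users (active only)", ACTIVE_USER_FILTER),
                       ("groups (slide)", PAGE_GROUP_FILTER)]:
        print(f"{label}: {select(flt, DIRECTORY)}")
```

Against this directory the slide's user filter imports alice, the disabled bob and the svc-backup service account; the refined filter drops bob while still importing the service account, which is why a sAMAccountName or OU restriction is usually added on top of the disabled-bit check.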
  • 25. Next Steps: We are not there yet...
      • Test instances – done
      • Confluence production – done
      • Jira production + reverse proxy – todo
      • Jira production + AD – todo
      • Integrate production instances – todo
      • Better understanding of AD integration – todo
      • In general: better automation would be great (e.g. Chef)