Sensu-Go Apache/Nginx REMOTE_USER Authentication

We are using Sensu-go Community version and trying to pass the webserver Apache or NGINX REMOTE_USER headers to Sensu-go and have it trust it.

On uchiwa we could implement it using the user Token. More info here: https://github.com/sensu/uchiwa/issues/295#issuecomment-239800555
In our implementation we use apache + kerberos for Single Sign On.

However, user Token is not available on sensu-go.

What would be the way to have Sensu-go community trust the webserver REMOTE_USER?

Here is an example apache config that does SSO with uchiwa:

    AuthType Kerberos
    AuthName "Kerberos authenticated Intranet"
    KrbAuthRealms DOMAIN.CORP
    KrbServiceName HTTP/sensu.domain.corp@DOMAIN.CORP
    Krb5Keytab /etc/httpd/sensu.domain.corp.keytab
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    Require valid-user
    ProxyPass http://sensu.domain.corp:3000/
    Order allow,deny
    Allow from all
    RewriteEngine On
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule .* - [E=RU:%1]
    RequestHeader add X-Forwarded-User %{RU}e
    RequestHeader add Authorization "Token %{RU}e"

Hey!

I don’t have a solution pattern for this at present. But maybe if I explain what has changed, someone who understands how to do browser proxying can point us in the right direction for a fix.

Previously the Sensu Core API did not enforce authentication and the addon uchiwa dashboard implemented authentication using manually configurable access tokens, which made it possible to cache as you have been doing.

The big change here is Sensu Go API now requires authentication using JWT, using short-lived generated access tokens and refresh tokens that can be used to request a new token. There’s no way to disable the authentication requirement nor a way to set a manual static access_token so that you can use the web server as an authentication proxy.

I think the way forward here is to make use of Sensu Go support for both LDAP and OIDC authentication directly. The official binaries have both LDAP and OIDC authentication built in as enterprise features. You should be able to integrate Sensu directly with your Kerberos using the LDAP support.

And as per the new updated pricing policy, starting with Sensu Go 5.15 all the enterprise features will be available for use in the official binaries without needing a license (for deployments with less than 100 entities).

Watch for a release announcement next week for Sensu Go 5.15 availability.