2018-05-01 16:47:24 -04:00
|
|
|
[role="xpack"]
|
|
|
|
[[configuring-pki-realm]]
|
|
|
|
=== Configuring a PKI realm
|
|
|
|
|
2018-12-19 17:53:37 -05:00
|
|
|
You can configure {es} to use Public Key Infrastructure (PKI) certificates
|
|
|
|
to authenticate users. This requires clients to present X.509 certificates.
|
2018-05-01 16:47:24 -04:00
|
|
|
|
|
|
|
NOTE: You cannot use PKI certificates to authenticate users in {kib}.
|
|
|
|
|
|
|
|
To use PKI in {es}, you configure a PKI realm, enable client authentication on
|
|
|
|
the desired network layers (transport or http), and map the Distinguished Names
|
2018-12-19 17:53:37 -05:00
|
|
|
(DNs) from the user certificates to roles in the
|
2018-08-30 23:25:27 -04:00
|
|
|
<<security-api-role-mapping,role-mapping API>> or role-mapping file.
|
2018-05-01 16:47:24 -04:00
|
|
|
|
|
|
|
You can also use a combination of PKI and username/password authentication. For
|
|
|
|
example, you can enable SSL/TLS on the transport layer and define a PKI realm to
|
|
|
|
require transport clients to authenticate with X.509 certificates, while still
|
|
|
|
authenticating HTTP traffic using username and password credentials. You can
|
|
|
|
also set `xpack.security.transport.ssl.client_authentication` to `optional` to
|
|
|
|
allow clients without certificates to authenticate with other credentials.
|
|
|
|
|
|
|
|
IMPORTANT: You must enable SSL/TLS and enable client authentication to use PKI.
|
|
|
|
|
2018-12-19 17:53:37 -05:00
|
|
|
For more information, see {stack-ov}/pki-realm.html[PKI User Authentication].
|
2018-05-01 16:47:24 -04:00
|
|
|
|
2018-11-05 22:56:50 -05:00
|
|
|
. Add a realm configuration for a `pki` realm to `elasticsearch.yml` under the
|
|
|
|
`xpack.security.authc.realms.pki` namespace.
|
|
|
|
If you are configuring multiple realms, you should
|
2018-05-01 16:47:24 -04:00
|
|
|
explicitly set the `order` attribute. See <<ref-pki-settings>> for all of the
|
|
|
|
options you can set for a `pki` realm.
|
|
|
|
+
|
|
|
|
--
|
|
|
|
For example, the following snippet shows the most basic `pki` realm configuration:
|
|
|
|
|
|
|
|
[source, yaml]
|
|
|
|
------------------------------------------------------------
|
|
|
|
xpack:
|
|
|
|
security:
|
|
|
|
authc:
|
|
|
|
realms:
|
2018-11-05 22:56:50 -05:00
|
|
|
pki:
|
|
|
|
pki1:
|
|
|
|
order: 1
|
2018-05-01 16:47:24 -04:00
|
|
|
------------------------------------------------------------
|
|
|
|
|
|
|
|
With this configuration, any certificate trusted by the SSL/TLS layer is accepted
|
|
|
|
for authentication. The username is the common name (CN) extracted from the DN
|
|
|
|
of the certificate.
|
|
|
|
|
|
|
|
IMPORTANT: When you configure realms in `elasticsearch.yml`, only the
|
|
|
|
realms you specify are used for authentication. If you also want to use the
|
|
|
|
`native` or `file` realms, you must include them in the realm chain.
|
|
|
|
|
|
|
|
If you want to use something other than the CN of the DN as the username, you
|
|
|
|
can specify a regex to extract the desired username. For example, the regex in
|
|
|
|
the following configuration extracts the email address from the DN:
|
|
|
|
|
|
|
|
[source, yaml]
|
|
|
|
------------------------------------------------------------
|
|
|
|
xpack:
|
|
|
|
security:
|
|
|
|
authc:
|
|
|
|
realms:
|
2018-11-05 22:56:50 -05:00
|
|
|
pki:
|
|
|
|
pki1:
|
|
|
|
username_pattern: "EMAILADDRESS=(.*?)(?:,|$)"
|
2018-05-01 16:47:24 -04:00
|
|
|
------------------------------------------------------------
|
|
|
|
--
|
|
|
|
|
|
|
|
. Restart {es}.
|
|
|
|
|
|
|
|
. <<configuring-tls,Enable SSL/TLS>>.
|
|
|
|
|
|
|
|
. Enable client authentication on the desired network layers (transport or http).
|
|
|
|
+
|
|
|
|
--
|
2018-12-19 17:53:37 -05:00
|
|
|
|
2018-05-01 16:47:24 -04:00
|
|
|
The PKI realm relies on the TLS settings of the node's network interface. The
|
|
|
|
realm can be configured to be more restrictive than the underlying network
|
|
|
|
connection - that is, it is possible to configure the node such that some
|
|
|
|
connections are accepted by the network interface but then fail to be
|
|
|
|
authenticated by the PKI realm. However, the reverse is not possible. The PKI
|
|
|
|
realm cannot authenticate a connection that has been refused by the network
|
|
|
|
interface.
|
|
|
|
|
|
|
|
In particular this means:
|
|
|
|
|
|
|
|
* The transport or http interface must request client certificates by setting
|
|
|
|
`client_authentication` to `optional` or `required`.
|
|
|
|
* The interface must _trust_ the certificate that is presented by the client
|
|
|
|
by configuring either the `truststore` or `certificate_authorities` paths,
|
|
|
|
or by setting `verification_mode` to `none`. See
|
|
|
|
<<ssl-tls-settings,`xpack.ssl.verification_mode`>> for an explanation of this
|
|
|
|
setting.
|
|
|
|
* The _protocols_ supported by the interface must be compatible with those
|
|
|
|
used by the client.
|
|
|
|
|
|
|
|
The relevant network interface (transport or http) must be configured to trust
|
|
|
|
any certificate that is to be used within the PKI realm. However, it possible to
|
|
|
|
configure the PKI realm to trust only a _subset_ of the certificates accepted
|
|
|
|
by the network interface. This is useful when the SSL/TLS layer trusts clients
|
|
|
|
with certificates that are signed by a different CA than the one that signs your
|
|
|
|
users' certificates.
|
|
|
|
|
|
|
|
To configure the PKI realm with its own truststore, specify the `truststore.path`
|
|
|
|
option. For example:
|
|
|
|
|
|
|
|
[source, yaml]
|
|
|
|
------------------------------------------------------------
|
|
|
|
xpack:
|
|
|
|
security:
|
|
|
|
authc:
|
|
|
|
realms:
|
2018-11-05 22:56:50 -05:00
|
|
|
pki:
|
|
|
|
pki1:
|
|
|
|
truststore:
|
|
|
|
path: "/path/to/pki_truststore.jks"
|
|
|
|
password: "x-pack-test-password"
|
2018-05-01 16:47:24 -04:00
|
|
|
------------------------------------------------------------
|
|
|
|
|
|
|
|
The `certificate_authorities` option can be used as an alternative to the
|
|
|
|
`truststore.path` setting.
|
|
|
|
--
|
|
|
|
|
|
|
|
. Map roles for PKI users.
|
|
|
|
+
|
|
|
|
--
|
|
|
|
You map roles for PKI users through the
|
2018-08-20 17:30:42 -04:00
|
|
|
<<security-role-mapping-apis,role mapping APIs>> or by using a file stored on
|
2018-05-01 16:47:24 -04:00
|
|
|
each node. When a user authenticates against a PKI realm, the privileges for
|
|
|
|
that user are the union of all privileges defined by the roles to which the
|
|
|
|
user is mapped.
|
|
|
|
|
|
|
|
You identify a user by the distinguished name in their certificate.
|
|
|
|
For example, the following mapping configuration maps `John Doe` to the
|
|
|
|
`user` role:
|
|
|
|
|
|
|
|
Using the role-mapping API:
|
|
|
|
[source,js]
|
|
|
|
--------------------------------------------------
|
2018-12-11 04:13:10 -05:00
|
|
|
PUT /_security/role_mapping/users
|
2018-05-01 16:47:24 -04:00
|
|
|
{
|
|
|
|
"roles" : [ "user" ],
|
|
|
|
"rules" : { "field" : {
|
|
|
|
"dn" : "cn=John Doe,ou=example,o=com" <1>
|
|
|
|
} },
|
|
|
|
"enabled": true
|
|
|
|
}
|
|
|
|
--------------------------------------------------
|
|
|
|
// CONSOLE
|
|
|
|
<1> The distinguished name (DN) of a PKI user.
|
|
|
|
|
|
|
|
Or, alternatively, configured in a role-mapping file:
|
|
|
|
[source, yaml]
|
|
|
|
------------------------------------------------------------
|
|
|
|
user: <1>
|
|
|
|
- "cn=John Doe,ou=example,o=com" <2>
|
|
|
|
------------------------------------------------------------
|
|
|
|
<1> The name of a role.
|
|
|
|
<2> The distinguished name (DN) of a PKI user.
|
|
|
|
|
2019-01-07 08:44:12 -05:00
|
|
|
The distinguished name for a PKI user follows X.500 naming conventions which
|
2018-05-01 16:47:24 -04:00
|
|
|
place the most specific fields (like `cn` or `uid`) at the beginning of the
|
|
|
|
name, and the most general fields (like `o` or `dc`) at the end of the name.
|
|
|
|
Some tools, such as _openssl_, may print out the subject name in a different
|
|
|
|
format.
|
|
|
|
|
|
|
|
One way that you can determine the correct DN for a certificate is to use the
|
|
|
|
<<security-api-authenticate,authenticate API>> (use the relevant PKI
|
|
|
|
certificate as the means of authentication) and inspect the metadata field in
|
|
|
|
the result. The user's distinguished name will be populated under the `pki_dn`
|
|
|
|
key. You can also use the authenticate API to validate your role mapping.
|
|
|
|
|
|
|
|
For more information, see
|
2018-12-19 17:53:37 -05:00
|
|
|
{stack-ov}/mapping-roles.html[Mapping Users and Groups to Roles].
|
2018-08-30 23:25:27 -04:00
|
|
|
|
|
|
|
NOTE: The PKI realm supports
|
|
|
|
{stack-ov}/realm-chains.html#authorization_realms[authorization realms] as an
|
|
|
|
alternative to role mapping.
|
|
|
|
|
|
|
|
--
|