2019-08-27 07:42:46 -04:00
|
|
|
[[pki-realm-for-direct-clients]]
|
|
|
|
==== PKI authentication for clients connecting directly to {es}
|
2018-05-01 16:47:24 -04:00
|
|
|
|
|
|
|
To use PKI in {es}, you configure a PKI realm, enable client authentication on
|
2019-11-19 13:29:20 -05:00
|
|
|
the desired network layers (transport or http), and map the Distinguished Names
|
|
|
|
(DNs) from the Subject field in the user certificates to roles. You create the
|
|
|
|
mappings in a role mapping file or use the role mappings API.
|
|
|
|
|
2020-03-04 17:42:03 -05:00
|
|
|
TIP: You can use a combination of PKI and username/password authentication. For
|
2018-05-01 16:47:24 -04:00
|
|
|
example, you can enable SSL/TLS on the transport layer and define a PKI realm to
|
|
|
|
require transport clients to authenticate with X.509 certificates, while still
|
2020-03-04 17:42:03 -05:00
|
|
|
authenticating HTTP traffic using username and password credentials.
|
2018-05-01 16:47:24 -04:00
|
|
|
|
2018-11-05 22:56:50 -05:00
|
|
|
. Add a realm configuration for a `pki` realm to `elasticsearch.yml` under the
|
2020-03-04 17:42:03 -05:00
|
|
|
`xpack.security.authc.realms.pki` namespace. If you are configuring multiple
|
|
|
|
realms, you should explicitly set the `order` attribute. See
|
|
|
|
<<ref-pki-settings>> for all of the options you can set for a `pki` realm.
|
2018-05-01 16:47:24 -04:00
|
|
|
+
|
|
|
|
--
|
|
|
|
For example, the following snippet shows the most basic `pki` realm configuration:
|
|
|
|
|
|
|
|
[source, yaml]
|
|
|
|
------------------------------------------------------------
|
|
|
|
xpack:
|
|
|
|
security:
|
|
|
|
authc:
|
|
|
|
realms:
|
2018-11-05 22:56:50 -05:00
|
|
|
pki:
|
|
|
|
pki1:
|
|
|
|
order: 1
|
2018-05-01 16:47:24 -04:00
|
|
|
------------------------------------------------------------
|
|
|
|
|
2019-08-27 07:42:46 -04:00
|
|
|
With this configuration, any certificate trusted by the {es} SSL/TLS layer is
|
|
|
|
accepted for authentication. The username is the common name (CN) extracted
|
|
|
|
from the DN in the Subject field of the end-entity certificate. This
|
2020-03-04 17:42:03 -05:00
|
|
|
configuration is not sufficient to permit PKI authentication to {kib};
|
|
|
|
additional steps are required.
|
2018-05-01 16:47:24 -04:00
|
|
|
|
|
|
|
IMPORTANT: When you configure realms in `elasticsearch.yml`, only the
|
|
|
|
realms you specify are used for authentication. If you also want to use the
|
|
|
|
`native` or `file` realms, you must include them in the realm chain.
|
|
|
|
|
2020-03-04 17:42:03 -05:00
|
|
|
--
|
|
|
|
|
|
|
|
. Optional: If you want to use something other than the CN of the Subject DN as
|
|
|
|
the username, you can specify a regex to extract the desired username. The regex
|
|
|
|
is applied on the Subject DN.
|
|
|
|
+
|
|
|
|
--
|
|
|
|
For example, the regex in the following
|
2019-08-27 07:42:46 -04:00
|
|
|
configuration extracts the email address from the Subject DN:
|
2018-05-01 16:47:24 -04:00
|
|
|
|
|
|
|
[source, yaml]
|
|
|
|
------------------------------------------------------------
|
|
|
|
xpack:
|
|
|
|
security:
|
|
|
|
authc:
|
|
|
|
realms:
|
2018-11-05 22:56:50 -05:00
|
|
|
pki:
|
|
|
|
pki1:
|
|
|
|
username_pattern: "EMAILADDRESS=(.*?)(?:,|$)"
|
2018-05-01 16:47:24 -04:00
|
|
|
------------------------------------------------------------
|
2019-08-27 07:42:46 -04:00
|
|
|
|
|
|
|
NOTE: If the regex is too restrictive and does not match the Subject DN of the
|
|
|
|
client's certificate, then the realm does not authenticate the certificate.
|
|
|
|
|
2018-05-01 16:47:24 -04:00
|
|
|
--
|
|
|
|
|
2020-03-04 17:42:03 -05:00
|
|
|
. Optional: If you want the same users to also be authenticated using
|
|
|
|
certificates when they connect to {kib}, you must configure the {es} PKI realm
|
|
|
|
to allow delegation. See <<pki-realm-for-proxied-clients>>.
|
|
|
|
|
2019-08-27 07:42:46 -04:00
|
|
|
. Restart {es} because realm configuration is not reloaded automatically. If
|
|
|
|
you're following through with the next steps, you might wish to hold the
|
|
|
|
restart for last.
|
2018-05-01 16:47:24 -04:00
|
|
|
|
2019-08-27 07:42:46 -04:00
|
|
|
. <<configuring-tls,Enable SSL/TLS>>.
|
2018-05-01 16:47:24 -04:00
|
|
|
|
|
|
|
. Enable client authentication on the desired network layers (transport or http).
|
|
|
|
+
|
|
|
|
--
|
2020-03-04 17:42:03 -05:00
|
|
|
IMPORTANT: To use PKI when clients connect directly to {es}, you must enable
|
|
|
|
SSL/TLS with client authentication. That is to say, you must set `xpack.security.transport.ssl.client_authentication` and
|
|
|
|
`xpack.security.http.ssl.client_authentication` to `optional` or `required`. If
|
|
|
|
the setting value is `optional`, clients without certificates can authenticate
|
|
|
|
with other credentials.
|
2018-12-19 17:53:37 -05:00
|
|
|
|
2019-08-27 07:42:46 -04:00
|
|
|
When clients connect directly to {es} and are not proxy-authenticated, the PKI
|
|
|
|
realm relies on the TLS settings of the node's network interface. The realm can
|
|
|
|
be configured to be more restrictive than the underlying network connection.
|
|
|
|
That is, it is possible to configure the node such that some connections
|
|
|
|
are accepted by the network interface but then fail to be authenticated by the
|
|
|
|
PKI realm. However, the reverse is not possible. The PKI realm cannot
|
|
|
|
authenticate a connection that has been refused by the network interface.
|
2018-05-01 16:47:24 -04:00
|
|
|
|
|
|
|
In particular this means:
|
|
|
|
|
|
|
|
* The transport or http interface must request client certificates by setting
|
|
|
|
`client_authentication` to `optional` or `required`.
|
|
|
|
* The interface must _trust_ the certificate that is presented by the client
|
|
|
|
by configuring either the `truststore` or `certificate_authorities` paths,
|
2020-03-04 17:42:03 -05:00
|
|
|
or by setting `verification_mode` to `none`.
|
2018-05-01 16:47:24 -04:00
|
|
|
* The _protocols_ supported by the interface must be compatible with those
|
|
|
|
used by the client.
|
2020-03-04 17:42:03 -05:00
|
|
|
|
|
|
|
For an explanation of these settings, see <<ssl-tls-settings>>.
|
2018-05-01 16:47:24 -04:00
|
|
|
|
|
|
|
The relevant network interface (transport or http) must be configured to trust
|
2020-03-04 17:42:03 -05:00
|
|
|
any certificate that is to be used within the PKI realm. However, it is possible
|
|
|
|
to configure the PKI realm to trust only a _subset_ of the certificates accepted
|
2018-05-01 16:47:24 -04:00
|
|
|
by the network interface. This is useful when the SSL/TLS layer trusts clients
|
|
|
|
with certificates that are signed by a different CA than the one that signs your
|
|
|
|
users' certificates.
|
|
|
|
|
2019-08-27 07:42:46 -04:00
|
|
|
To configure the PKI realm with its own truststore, specify the
|
|
|
|
`truststore.path` option. The path must be located within the Elasticsearch
|
2020-03-04 17:42:03 -05:00
|
|
|
configuration directory (`ES_PATH_CONF`). For example:
|
2018-05-01 16:47:24 -04:00
|
|
|
|
|
|
|
[source, yaml]
|
|
|
|
------------------------------------------------------------
|
|
|
|
xpack:
|
|
|
|
security:
|
|
|
|
authc:
|
|
|
|
realms:
|
2018-11-05 22:56:50 -05:00
|
|
|
pki:
|
|
|
|
pki1:
|
|
|
|
truststore:
|
2019-08-27 07:42:46 -04:00
|
|
|
path: "pki1_truststore.jks"
|
|
|
|
------------------------------------------------------------
|
|
|
|
|
|
|
|
If the truststore is password protected, the password should be configured by
|
|
|
|
adding the appropriate `secure_password` setting to the {es} keystore. For
|
|
|
|
example, the following command adds the password for the example realm above:
|
|
|
|
|
|
|
|
[source, shell]
|
|
|
|
------------------------------------------------------------
|
|
|
|
bin/elasticsearch-keystore add \
|
|
|
|
xpack.security.authc.realms.pki.pki1.truststore.secure_password
|
2018-05-01 16:47:24 -04:00
|
|
|
------------------------------------------------------------
|
|
|
|
|
|
|
|
The `certificate_authorities` option can be used as an alternative to the
|
2020-03-04 17:42:03 -05:00
|
|
|
`truststore.path` setting, when the certificate files are PEM formatted. The
|
|
|
|
setting accepts a list. The two options are exclusive, they cannot be both used
|
2019-08-27 07:42:46 -04:00
|
|
|
simultaneously.
|
2018-05-01 16:47:24 -04:00
|
|
|
--
|
|
|
|
|
|
|
|
. Map roles for PKI users.
|
|
|
|
+
|
|
|
|
--
|
2020-03-04 17:42:03 -05:00
|
|
|
You map roles for PKI users through the
|
|
|
|
<<security-role-mapping-apis,role mapping APIs>> or by using a file stored on
|
|
|
|
each node. Both configuration options are merged together. When a user
|
|
|
|
authenticates against a PKI realm, the privileges for that user are the union of
|
|
|
|
all privileges defined by the roles to which the user is mapped.
|
2018-05-01 16:47:24 -04:00
|
|
|
|
|
|
|
You identify a user by the distinguished name in their certificate.
|
|
|
|
For example, the following mapping configuration maps `John Doe` to the
|
2020-03-04 17:42:03 -05:00
|
|
|
`user` role using the role mapping API:
|
2019-09-09 12:35:50 -04:00
|
|
|
|
|
|
|
[source,console]
|
2018-05-01 16:47:24 -04:00
|
|
|
--------------------------------------------------
|
2018-12-11 04:13:10 -05:00
|
|
|
PUT /_security/role_mapping/users
|
2018-05-01 16:47:24 -04:00
|
|
|
{
|
|
|
|
"roles" : [ "user" ],
|
|
|
|
"rules" : { "field" : {
|
|
|
|
"dn" : "cn=John Doe,ou=example,o=com" <1>
|
|
|
|
} },
|
|
|
|
"enabled": true
|
|
|
|
}
|
|
|
|
--------------------------------------------------
|
2019-09-09 12:35:50 -04:00
|
|
|
|
2018-05-01 16:47:24 -04:00
|
|
|
<1> The distinguished name (DN) of a PKI user.
|
|
|
|
|
2020-03-04 17:42:03 -05:00
|
|
|
Alternatively, use a role-mapping file. For example:
|
2019-08-27 07:42:46 -04:00
|
|
|
|
2018-05-01 16:47:24 -04:00
|
|
|
[source, yaml]
|
|
|
|
------------------------------------------------------------
|
|
|
|
user: <1>
|
|
|
|
- "cn=John Doe,ou=example,o=com" <2>
|
|
|
|
------------------------------------------------------------
|
|
|
|
<1> The name of a role.
|
|
|
|
<2> The distinguished name (DN) of a PKI user.
|
|
|
|
|
2020-03-04 17:42:03 -05:00
|
|
|
The file's path defaults to `ES_PATH_CONF/role_mapping.yml`. You can specify a
|
|
|
|
different path (which must be within `ES_PATH_CONF`) by using the
|
|
|
|
`files.role_mapping` realm setting (e.g.
|
|
|
|
`xpack.security.authc.realms.pki.pki1.files.role_mapping`).
|
|
|
|
|
2019-01-07 08:44:12 -05:00
|
|
|
The distinguished name for a PKI user follows X.500 naming conventions which
|
2018-05-01 16:47:24 -04:00
|
|
|
place the most specific fields (like `cn` or `uid`) at the beginning of the
|
2020-03-04 17:42:03 -05:00
|
|
|
name and the most general fields (like `o` or `dc`) at the end of the name.
|
2018-05-01 16:47:24 -04:00
|
|
|
Some tools, such as _openssl_, may print out the subject name in a different
|
2019-08-27 07:42:46 -04:00
|
|
|
format.
|
2018-05-01 16:47:24 -04:00
|
|
|
|
|
|
|
One way that you can determine the correct DN for a certificate is to use the
|
|
|
|
<<security-api-authenticate,authenticate API>> (use the relevant PKI
|
|
|
|
certificate as the means of authentication) and inspect the metadata field in
|
|
|
|
the result. The user's distinguished name will be populated under the `pki_dn`
|
|
|
|
key. You can also use the authenticate API to validate your role mapping.
|
|
|
|
|
2019-10-07 18:23:19 -04:00
|
|
|
For more information, see <<mapping-roles>>.
|
2018-08-30 23:25:27 -04:00
|
|
|
|
2019-10-07 18:23:19 -04:00
|
|
|
NOTE: The PKI realm supports <<authorization_realms,authorization realms>> as an
|
2018-08-30 23:25:27 -04:00
|
|
|
alternative to role mapping.
|
|
|
|
|
|
|
|
--
|
2019-08-27 07:42:46 -04:00
|
|
|
|
|
|
|
[[pki-realm-for-proxied-clients]]
|
|
|
|
==== PKI authentication for clients connecting to {kib}
|
|
|
|
|
|
|
|
By default, the PKI realm relies on the node's network interface to perform the
|
|
|
|
SSL/TLS handshake and extract the client certificate. This behaviour requires
|
2020-03-04 17:42:03 -05:00
|
|
|
that clients connect directly to {es} so that their SSL connection is terminated
|
|
|
|
by the {es} node. If SSL/TLS authentication is to be performed by {kib}, the
|
|
|
|
PKI realm must be configured to permit delegation.
|
2019-08-27 07:42:46 -04:00
|
|
|
|
|
|
|
Specifically, when clients presenting X.509 certificates connect to {kib},
|
|
|
|
{kib} performs the SSL/TLS authentication. {kib} then forwards the client's
|
2020-03-04 17:42:03 -05:00
|
|
|
certificate chain (by calling an {es} API) to have them further validated by
|
2019-08-27 07:42:46 -04:00
|
|
|
the PKI realms that have been configured for delegation.
|
|
|
|
|
|
|
|
To permit authentication delegation for a specific {es} PKI realm, start by
|
|
|
|
configuring the realm for the usual case, as detailed in the
|
2020-03-04 17:42:03 -05:00
|
|
|
<<pki-realm-for-direct-clients>> section. In this scenario, when you enable TLS,
|
|
|
|
it is mandatory that you <<tls-http,encrypt HTTP client communications>>.
|
2019-08-27 07:42:46 -04:00
|
|
|
|
2020-03-04 17:42:03 -05:00
|
|
|
You must also explicitly configure a `truststore` (or, equivalently
|
|
|
|
`certificate_authorities`) even though it is the same trust configuration that
|
|
|
|
you have configured on the network layer. The
|
|
|
|
`xpack.security.authc.token.enabled` and `delegation.enabled` settings must also
|
|
|
|
be `true`. For example:
|
|
|
|
|
|
|
|
[source, yaml]
|
|
|
|
------------------------------------------------------------
|
|
|
|
xpack:
|
|
|
|
security:
|
|
|
|
authc:
|
|
|
|
token.enabled: true
|
|
|
|
realms:
|
|
|
|
pki:
|
|
|
|
pki1:
|
|
|
|
order: 1
|
|
|
|
delegation.enabled: true
|
|
|
|
truststore:
|
|
|
|
path: "pki1_truststore.jks"
|
|
|
|
------------------------------------------------------------
|
2019-08-27 07:42:46 -04:00
|
|
|
|
2020-03-04 17:42:03 -05:00
|
|
|
After you restart {es}, this realm can validate delegated PKI authentication.
|
|
|
|
You must then
|
|
|
|
{kibana-ref}/kibana-authentication.html#pki-authentication[configure {kib} to allow PKI certificate authentication].
|
2019-08-27 07:42:46 -04:00
|
|
|
|
|
|
|
A PKI realm with `delegation.enabled` still works unchanged for clients
|
2020-03-04 17:42:03 -05:00
|
|
|
connecting directly to {es}. Directly authenticated users and users that are PKI
|
2019-08-27 07:42:46 -04:00
|
|
|
authenticated by delegation to {kib} both follow the same
|
2019-10-07 18:23:19 -04:00
|
|
|
<<mapping-roles,role mapping rules>> or
|
|
|
|
<<authorization_realms,authorization realms configurations>>.
|
2019-08-27 07:42:46 -04:00
|
|
|
|
2020-03-04 17:42:03 -05:00
|
|
|
If you use the <<security-role-mapping-apis,role mapping APIs>>, however, you
|
|
|
|
can distinguish between users that are authenticated by delegation and users
|
|
|
|
that are authenticated directly. The former have the extra fields
|
|
|
|
`pki_delegated_by_user` and `pki_delegated_by_realm` in the user's metadata. In
|
|
|
|
the common setup, where authentication is delegated to {kib}, the values of
|
|
|
|
these fields are `kibana` and `reserved`, respectively. For example, the
|
|
|
|
following role mapping rule assigns the `role_for_pki1_direct` role to all users
|
|
|
|
that have been authenticated directly by the `pki1` realm, by connecting to {es}
|
|
|
|
instead of going through {kib}:
|
2019-08-27 07:42:46 -04:00
|
|
|
|
2019-09-09 12:35:50 -04:00
|
|
|
[source,console]
|
2019-08-27 07:42:46 -04:00
|
|
|
--------------------------------------------------
|
|
|
|
PUT /_security/role_mapping/direct_pki_only
|
|
|
|
{
|
|
|
|
"roles" : [ "role_for_pki1_direct" ],
|
|
|
|
"rules" : {
|
|
|
|
"all": [
|
|
|
|
{
|
|
|
|
"field": {"realm.name": "pki1"}
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"field": {
|
|
|
|
"metadata.pki_delegated_by_user": null <1>
|
|
|
|
}
|
|
|
|
}
|
|
|
|
]
|
|
|
|
},
|
|
|
|
"enabled": true
|
|
|
|
}
|
|
|
|
--------------------------------------------------
|
2019-09-09 12:35:50 -04:00
|
|
|
|
2020-03-04 17:42:03 -05:00
|
|
|
<1> If this metadata field is set (that is to say, it is *not* `null`), the user
|
|
|
|
has been authenticated in the delegation scenario.
|