honeymoose/OpenSearch
1
0
Fork 0
mirror of https://github.com/honeymoose/OpenSearch.git synced 2025-03-03 09:29:11 +00:00
Code Issues Packages Projects Releases Wiki Activity
OpenSearch/x-pack/docs/en/rest-api/security/delegate-pki-authentication.asciidoc
Albert Zaharovits 1ebee5bf9b
PKI realm authentication delegation (#45906) 
This commit introduces PKI realm delegation. This feature
supports the PKI authentication feature in Kibana.

In essence, this creates a new API endpoint which Kibana must
call to authenticate clients that use certificates in their TLS
connection to Kibana. The API call passes to Elasticsearch the client's
certificate chain. The response contains an access token to be further
used to authenticate as the client. The client's certificates are validated
by the PKI realms that have been explicitly configured to permit
certificates from the proxy (Kibana). The user calling the delegation
API must have the delegate_pki privilege.

Closes #34396
2019-08-27 14:42:46 +03:00

97 lines
4.7 KiB
Plaintext
Raw Blame History

[role="xpack"]
[[security-api-delegate-pki-authentication]]
=== Delegate PKI authentication API
++++
<titleabbrev>Delegate PKI authentication</titleabbrev>
++++
Implements the exchange of an {@code X509Certificate} chain into an {es} access
token.
[[security-api-delegate-pki-authentication-request]]
==== {api-request-title}
`POST /_security/delegate_pki`
[[security-api-delegate-pki-authentication-prereqs]]
==== {api-prereq-title}
* To call this API, the (proxy) user must have the `delegate_pki` or the `all`
cluster privilege. The `kibana_system` built-in role already grants this
privilege. See {stack-ov}/security-privileges.html[Security privileges].
[[security-api-delegate-pki-authentication-desc]]
==== {api-description-title}
This API implements the exchange of an _X509Certificate_ chain for an {es}
access token. The certificate chain is validated, according to RFC 5280, by
sequentially considering the trust configuration of every installed PKI realm
that has `delegation.enabled` set to `true` (default is `false`). A
successfully trusted client certificate is also subject to the validation of
the subject distinguished name according to that respective's realm
`username_pattern`.
This API is called by *smart* and *trusted* proxies, such as {kib}, which
terminate the user's TLS session but still want to authenticate the user
by using a PKI realm--as if the user connected directly to {es}. For more
details, see <<pki-realm-for-proxied-clients>>.
IMPORTANT: The association between the subject public key in the target
certificate and the corresponding private key is *not* validated. This is part
of the TLS authentication process and it is delegated to the proxy that calls
this API. The proxy is *trusted* to have performed the TLS authentication and
this API translates that authentication into an {es} access token.
[[security-api-delegate-pki-authentication-request-body]]
==== {api-request-body-title}
`x509_certificate_chain`::
(Required, list of strings) The _X509Certificate_ chain, which is represented as
an ordered string array. Each string in the array is a base64-encoded
(Section 4 of RFC4648 - not base64url-encoded) of the certificate's DER encoding.
+
The first element is the target certificate contains the subject distinguished
name that is requesting access. This may be followed by additional certificates;
each subsequent certificate is used to certify the previous one.
[[security-api-delegate-pki-authentication-response-body]]
==== {api-response-body-title}
`access_token`::
(string) An access token associated to the subject distinguished name of the
client's certificate.
`expires_in`::
(time units) The amount of time (in seconds) that the token expires in.
`type`::
(string) The type of token.
[[security-api-delegate-pki-authentication-example]]
==== {api-examples-title}
The following is an example request:
[source, js]
------------------------------------------------------------
POST /_security/delegate_pki
{
"x509_certificate_chain": ["MIIDbTCCAlWgAwIBAgIJAIxTS7Qdho9jMA0GCSqGSIb3DQEBCwUAMFMxKzApBgNVBAMTIkVsYXN0aWNzZWFyY2ggVGVzdCBJbnRlcm1lZGlhdGUgQ0ExFjAUBgNVBAsTDUVsYXN0aWNzZWFyY2gxDDAKBgNVBAoTA29yZzAeFw0xOTA3MTkxMzMzNDFaFw0yMzA3MTgxMzMzNDFaMEoxIjAgBgNVBAMTGUVsYXN0aWNzZWFyY2ggVGVzdCBDbGllbnQxFjAUBgNVBAsTDUVsYXN0aWNzZWFyY2gxDDAKBgNVBAoTA29yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANHgMX2aX8t0nj4sGLNuKISmmXIYCj9RwRqS7L03l9Nng7kOKnhHu/nXDt7zMRJyHj+q6FAt5khlavYSVCQyrDybRuA5z31gOdqXerrjs2OXS5HSHNvoDAnHFsaYX/5geMewVTtc/vqpd7Ph/QtaKfmG2FK0JNQo0k24tcgCIcyMtBh6BA70yGBM0OT8GdOgd/d/mA7mRhaxIUMNYQzRYRsp4hMnnWoOTkR5Q8KSO3MKw9dPSpPe8EnwtJE10S3s5aXmgytru/xQqrFycPBNj4KbKVmqMP0G60CzXik5pr2LNvOFz3Qb6sYJtqeZF+JKgGWdaTC89m63+TEnUHqk0lcCAwEAAaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQU/+aAD6Q4mFq1vpHorC25/OY5zjcwHwYDVR0jBBgwFoAU8siFCiMiYZZm/95qFC75AG/LRE0wDQYJKoZIhvcNAQELBQADggEBAIRpCgDLpvXcgDHUk10uhxev21mlIbU+VP46ANnCuj0UELhTrdTuWvO1PAI4z+WbDUxryQfOOXO9R6D0dE5yR56L/J7d+KayW34zU7yRDZM7+rXpocdQ1Ex8mjP9HJ/Bf56YZTBQJpXeDrKow4FvtkI3bcIMkqmbG16LHQXeG3RS4ds4S4wCnE2nA6vIn9y+4R999q6y1VSBORrYULcDWxS54plHLEdiMr1vVallg82AGobS9GMcTL2U4Nx5IYZG7sbTk3LrDxVpVg/S2wLofEdOEwqCeHug/iOihNLJBabEW6z4TDLJAVW5KCY1DfhkYlBfHn7vxKkfKoCUK/yLWWI="] <1>
}
------------------------------------------------------------
// CONSOLE
<1> A one element certificate chain.
Which returns the following response:
[source,js]
--------------------------------------------------
{
"access_token" : "dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ==",
"type" : "Bearer",
"expires_in" : 1200
}
--------------------------------------------------
// TESTRESPONSE[s/dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ==/$body.access_token/]
Reference in New Issue View Git Blame Copy Permalink