We are running an Elastic Maps Server (EMS) in a Docker swarm. I am wondering if it is possible to configure EMS to use PKI authentication to Elasticsearch instead of username/password.
I have configured PKI certificates and they work to authenticate from inside the EMS container (the superuser role is only for testing purposes).
# docker exec -it 48f99803a01f curl -k https://elasticsearch:9200/_security/_authenticate?pretty --key config/certs/ems/ems.key --cert config/certs/ems/ems.crt --cacert config/certs/ca/ca.crt
{
  "username" : "ems",
  "roles" : [
    "superuser"
  ],
  "full_name" : null,
  "email" : null,
  "metadata" : {
    "pki_dn" : "CN=ems"
  },
  "enabled" : true,
  "authentication_realm" : {
    "name" : "pki1",
    "type" : "pki"
  },
  "lookup_realm" : {
    "name" : "pki1",
    "type" : "pki"
  },
  "authentication_type" : "realm"
}
Based on Connect to Elastic Maps Service | Kibana Guide [8.14] | Elastic, I tried to set the certificates in the environment variables, like:
BASEPATH=/map
ELASTICSEARCH_HOST=https://elasticsearch:9200
ELASTICSEARCH_SSL_CERTIFICATE=config/certs/ems/ems.crt
ELASTICSEARCH_SSL_KEY=config/certs/ems/ems.key
ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=config/certs/ca/ca.crt
But that doesn't allow for connection to Elasticsearch. The log entries:
{"log.level":"info","@timestamp":"2024-06-05T15:50:54.571Z","process.pid":1,"host.hostname":"ems","log.logger":"Elastic Maps Server","ecs.version":"8.10.0","created":1717602654458,"started":1717602654562,"host":"ems","port":8080,"protocol":"http","id":"ems:1:lx209u62","uri":"http://ems:8080","address":"10.10.1.26","message":"server started"}
{"log.level":"error","@timestamp":"2024-06-05T15:50:54.623Z","process.pid":1,"host.hostname":"ems","log.logger":"Elastic Maps Server","ecs.version":"8.10.0","message":"Unable to connect to the Elasticsearch cluster: https://elasticsearch:9200"}
Using username/password in the environment works just fine, however:
BASEPATH=/map
ELASTICSEARCH_HOST=https://elasticsearch:9200
ELASTICSEARCH_USERNAME=<ems_user>
ELASTICSEARCH_PASSWORD=<ems_pass>
ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=config/certs/ca/ca.crt
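A small preflight check that can be run against the same environment file before concluding that EMS ignores the TLS client settings. This is an added example, not code from the original post or from Elastic: it parses the `KEY=VALUE` lines, resolves the three `ELASTICSEARCH_SSL_*` paths against a base directory you choose (the post does not say what EMS resolves relative paths against, so the helper reports which ones are relative so you can try absolute paths), and then asks Python's standard `ssl` module to load the CA bundle and the certificate/key pair the way a TLS client would, which catches a missing file, a non-PEM file or a key that does not match the certificate. The `run_demo` helper writes constructed dummy files to a temporary directory purely to exercise the checks.

```python
"""Preflight check for client-PKI material referenced by EMS environment variables.

Added example, not part of the original post. Assumptions:
  * the variable names are the ones shown in the post;
  * relative paths are resolved against whatever base directory the caller
    passes (try the container's working directory and the config root).
"""
import ssl
import tempfile
from pathlib import Path

PKI_VARS = (
    "ELASTICSEARCH_SSL_CERTIFICATE",
    "ELASTICSEARCH_SSL_KEY",
    "ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES",
)

# Constructed copy of the PKI variant from the post.
ENV_TEXT = """\
BASEPATH=/map
ELASTICSEARCH_HOST=https://elasticsearch:9200
ELASTICSEARCH_SSL_CERTIFICATE=config/certs/ems/ems.crt
ELASTICSEARCH_SSL_KEY=config/certs/ems/ems.key
ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=config/certs/ca/ca.crt
"""


def parse_env(text: str) -> dict:
    """Parse simple KEY=VALUE lines; blank lines and '#' comments are skipped."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip()
    return env


def resolve_paths(env: dict, base_dir) -> dict:
    """Map each PKI var to (absolute Path, was_relative)."""
    out = {}
    for var in PKI_VARS:
        value = env.get(var)
        if value is None:
            continue
        p = Path(value)
        out[var] = (p if p.is_absolute() else Path(base_dir) / p, not p.is_absolute())
    return out


def check_pki_material(cert, key, ca) -> list:
    """Return a list of findings; an empty list means the material loads cleanly."""
    findings = []
    for label, path in (("certificate", cert), ("key", key), ("CA", ca)):
        if not Path(path).is_file():
            findings.append(f"{label}: missing file {path}")
    if findings:
        return findings
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=str(ca))
    except OSError as exc:  # ssl.SSLError is an OSError subclass
        findings.append(f"CA: not loadable as PEM ({getattr(exc, 'reason', exc)})")
    try:
        # Loads cert and key together and fails if the key does not match.
        ctx.load_cert_chain(certfile=str(cert), keyfile=str(key))
    except OSError as exc:
        findings.append(
            f"certificate/key: not loadable or mismatched ({getattr(exc, 'reason', exc)})"
        )
    return findings


def audit(env_text: str, base_dir) -> dict:
    """Parse, resolve and check; report relative vars so absolute paths can be tried."""
    resolved = resolve_paths(parse_env(env_text), base_dir)
    relative = [var for var, (_, rel) in resolved.items() if rel]
    paths = {var: p for var, (p, _) in resolved.items()}
    findings = check_pki_material(
        paths["ELASTICSEARCH_SSL_CERTIFICATE"],
        paths["ELASTICSEARCH_SSL_KEY"],
        paths["ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES"],
    )
    return {"relative_paths": relative, "findings": findings}


def run_demo():
    """Exercise both failure modes with constructed files; returns (missing, bogus)."""
    with tempfile.TemporaryDirectory() as empty_dir:
        missing = audit(ENV_TEXT, empty_dir)
    with tempfile.TemporaryDirectory() as bogus_dir:
        for rel in ("config/certs/ems/ems.crt", "config/certs/ems/ems.key", "config/certs/ca/ca.crt"):
            target = Path(bogus_dir) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text("not a PEM file\n")  # constructed garbage content
        bogus = audit(ENV_TEXT, bogus_dir)
    return missing, bogus


if __name__ == "__main__":
    for name, result in zip(("missing files", "non-PEM files"), run_demo()):
        print(name, result)
```

Run it inside the EMS container with the real environment file and with `base_dir` set to the process's working directory (and again to the config root); an empty `findings` list rules out the certificate material itself, which narrows the problem to how EMS consumes the variables.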