Thanks @Yang_Wang, my question is: are steps 3 & 6 in the docs achievable on a Basic license?
As per the other link I shared, it says mTLS is covered under Basic, but if achieving it requires the PKI realm and role mapping, which are part of Gold / Platinum, then mTLS is not part of Basic. I would need confirmation on this puzzle: can one set up mTLS on a Basic license?
Ah ok. Sorry, I missed the steps for the PKI realm. No, the PKI realm is not available for the Basic license. But you don't need PKI for mTLS. In your case, I think you can just skip steps 3 and 6 and change step 4 to be xpack.security.http.ssl.client_authentication: "required".
My question is: if I skip 3 & 6, then how does CN=kibana get access to Elasticsearch without updating the user roles and with no PKI realm?
Kibana will remain authenticated with no access to anything? no?
I think you are correct, mTLS from Kibana to Elasticsearch requires PKI realm, because you need a role mapping rule to map TLS client cert to kibana_system role. Basic license does not allow PKI realm, but you can use service account token (preferred) or username/password.
Service Account token example:
POST /_security/service/elastic/kibana/credential/token/mytoken?pretty=true
No. Using mTLS as a network level control does not require PKI realm and can totally work with the Basic license. A simplified configuration like the following works:
For simplicity, the above configuration uses the same pair of cert/key for both Elasticsearch and Kibana. But you can configure them to be different. The configuration uses mTLS as network layer control and Kibana service token as application level authentication and authorization.
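The configuration the reply above refers to is not reproduced here, so the following is an added example (not the poster's configuration) of the split it describes: client certificate verification at the TLS layer, with no PKI realm, and a Kibana service account token as the application-level identity. The certificate paths, the host name and the setting values are assumptions; the setting names are the standard Elasticsearch and Kibana ones. Both files are shown in one block, separated by a YAML document marker.

```yaml
# elasticsearch.yml (added example; file paths are assumptions)
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: certs/elasticsearch.key
xpack.security.http.ssl.certificate: certs/elasticsearch.crt
# CA that issued the client certificates Elasticsearch will accept
xpack.security.http.ssl.certificate_authorities: ["certs/ca.crt"]
# Network-layer mTLS: every HTTP client must present a certificate chained
# to ca.crt or the TLS handshake fails. No PKI realm is configured, so the
# client certificate carries no application identity and needs no role mapping.
xpack.security.http.ssl.client_authentication: required
---
# kibana.yml (added example; host name and paths are assumptions)
elasticsearch.hosts: ["https://elasticsearch.example.internal:9200"]
elasticsearch.ssl.certificateAuthorities: ["/etc/kibana/certs/ca.crt"]
elasticsearch.ssl.verificationMode: full
# Client certificate and key Kibana presents during the mTLS handshake.
# This only satisfies the network-layer check above.
elasticsearch.ssl.certificate: /etc/kibana/certs/kibana.crt
elasticsearch.ssl.key: /etc/kibana/certs/kibana.key
# Application-level identity: the value returned by
# POST /_security/service/elastic/kibana/credential/token/<name>
# (placeholder below; do not set elasticsearch.username/password alongside it)
elasticsearch.serviceAccountToken: "<service-account-token-value>"
```

With this layout a client that lacks a certificate from the trusted CA is rejected before any request reaches the authentication layer, while authorization for Kibana itself comes entirely from the service account token, which is why neither the PKI realm nor a role mapping is involved.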
Does bullet 5 mean I must have a paid subscription to setup mTLS?
Not sure if I understand: if both the service token and the cert will be used to identify Kibana to Elasticsearch, and I am using the service token, then what's the use of Kibana's TLS client cert?
Is there an example of how to create / automate the service token for kibana_system if I am deploying ELK using Helm charts?
No, you don't. Both points 3 and 4 are mTLS. Point 5 is mTLS plus it uses the client cert for Kibana identity at the application level, which is not an inherent part of mTLS.
You don't really need a client cert for Kibana if you use a service token. mTLS does not provide extra security compared to server TLS + service token. You started the question with mTLS. I assumed you need it. But if you just wanted a client cert for Kibana identity at the application level, it is not necessary. A service token or plain old kibana_system username+password works just fine. There are certain environments where mTLS and PKI are mandated. But apparently your environment is not like that. So you don't have to configure it like that.