PKI Authentication, AD Authorisation

Hi,

We're looking at purchasing Shield, and I'm trying to evaluate whether it meets our security requirements.

Basically, every machine has a user certificate held in the Windows store. I'd like to be able to use that certificate so that users (both via Kibana and our own ES-integrated apps) can prove their identity securely, but permission those user accounts using group membership within Active Directory.

The aim is to do this without having to use passwords anywhere (entering them, or having to store them in files).

Our certificates contain the AD name (DN) in the Subject, so in theory we have all the information we need to then check that those users have membership of the required AD groups.

Is this possible? Will we have to create our own custom realm to do this? Presumably if it's the latter, we could leverage the PKI and AD realm functionality?

Thanks for any information.

Hi @karadoc,

The behavior you describe can be implemented using a custom realm.

I recommend against doing this as we do not make any guarantees about the APIs of the AD/LDAP/PKI/users code when it comes to custom realms and many of the classes may not be accessible to the custom realm.

We strive to not break the APIs we expose specifically for custom realms, so from the aspect of making upgrades easier, implementing it in the custom realm is the way to go in my opinion.

Thanks very much for the response. I certainly understand regarding the use of those APIs, and it would indeed not be in our interest to potentially make upgrades more difficult.

I think at this point we'll reevaluate our options. Possibly we need to go the plugin route anyway, but would be nice to try and work with what is standard.