The CN of the logstash certificate contains the logstash server name, and in role_mapping.xml I have mapped the power_user role to the CN map, i.e. CN=servername ,OU=CompanyUnit,O=Company.
Can you please elaborate whether I need to create a user in Elasticsearch in esusers with that server name?
As per the error in the logstash logs, which says "Authentication token missing in the request", it seems logstash is not sending the cert details to Elasticsearch and Elasticsearch is not getting any PKI cert creds. Is it really an issue with the Shield config?
It looks like you are using the logstash HTTP output. In order for PKI authentication to work with http you will need to set:
shield.http.ssl.client.auth: optional
This setting will ask the clients to present a certificate for authentication, but it does not require the certificate so basic authentication will still work.
Hi, I made the suggested changes in the Shield config. Now the user is being authenticated, but now I am getting an Authorization Exception, even though I have already defined the mapping in role_mapping.yml.
equest=[BulkRequest]
[2015-10-26 15:27:06,435][DEBUG][shield.ssl ] no truststore defined. using keystore [/etc/pki/elasticWild.jks] as truststore
[2015-10-26 15:27:07,307][DEBUG][shield.authc.support ] [Sinister] the roles [[]], are mapped from these [pki] groups [[]] for realm [pki/pki1]
[2015-10-26 15:27:07,308][DEBUG][shield.audit.logfile ] [Sinister] [transport] [access_denied] origin_type=[rest], origin_address=[], principal=[***], action=[indices:data/write/bulk], request=[BulkRequest]
[2015-10-26 15:27:08,281][DEBUG][shield.ssl ] no truststore defined. using keystore [/etc/pki/elasticWild.jks] as truststore
[2015-10-26 15:27:09,331][DEBUG][shield.authc.support ] [Sinister] the roles [[]], are mapped from these [pki] groups [[]] for realm [pki/pki1]
shield.http.ssl.client.auth: optional, does this config mean that we are only authenticating the server and bypassing the client machine auth as part of SSL authentication? Meaning we are not implementing mutual authentication?
It appears as though there is some issue with the role mapping. When there is a role mapping that matches the user DN, you would see the following line:
the roles [admin], are mapped from the user [CN=server name,OU=unitname,O=unit] for realm [pki/pki1]
Is the formatting correct in the yml file? Only spaces and no tabs? Is that the full Subject DN in your certificate?
This means that mutual authentication is not required but is requested; if the client does not provide a certificate then they will have to authenticate using another method such as username/password. You can change optional to required to require all HTTP clients to perform mutual authentication.
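To make the role-mapping check above concrete, here is a small lint script I wrote for this thread (it is not part of Shield or Logstash). It parses a constructed role_mapping.yml, flags tabs and stray whitespace around commas in DNs, and reports which roles a certificate subject would map to; it assumes the comparison is done on a whitespace- and case-normalised DN, and that the whole subject DN (every RDN) must match.

```python
import re

# Constructed role_mapping.yml (not the poster's real file). Note the space before
# the comma in the first DN and the tab indenting the second entry.
ROLE_MAPPING_YML = """\
power_user:
  - "CN=servername ,OU=CompanyUnit,O=Company"
admin:
\t- "CN=admin-box,OU=CompanyUnit,O=Company"
"""

def normalize_dn(dn):
    """Canonical form for comparison (assumption for this example): split on
    unescaped commas, trim whitespace per RDN, lowercase attribute types."""
    parts = []
    for rdn in re.split(r'(?<!\\),', dn):
        attr, _, value = rdn.strip().partition('=')
        parts.append(f"{attr.strip().lower()}={value.strip()}")
    return ','.join(parts)

def parse_role_mapping(text):
    """Minimal parser for the role: [DN, ...] shape of role_mapping.yml.
    Returns (mapping, problems); mapping is role -> list of normalised DNs."""
    mapping, problems, role = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if '\t' in raw:
            problems.append(f"line {lineno}: tab character (YAML needs spaces)")
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('-'):
            if role is None:
                problems.append(f"line {lineno}: DN listed before any role name")
                continue
            dn = line[1:].strip().strip('"\'')
            if dn != dn.replace(' ,', ',').replace(', ', ','):
                problems.append(f"line {lineno}: whitespace around comma in {dn!r}")
            mapping[role].append(normalize_dn(dn))
        elif line.endswith(':'):
            role = line[:-1].strip()
            mapping.setdefault(role, [])
        else:
            problems.append(f"line {lineno}: unrecognised line {line!r}")
    return mapping, problems

def roles_for(subject_dn, mapping):
    """Roles whose DN list contains the certificate subject; an empty result is
    what the 'the roles [[]], are mapped ...' log line corresponds to."""
    wanted = normalize_dn(subject_dn)
    return sorted(role for role, dns in mapping.items() if wanted in dns)

if __name__ == '__main__':
    mapping, problems = parse_role_mapping(ROLE_MAPPING_YML)
    print(roles_for("CN=servername,OU=CompanyUnit,O=Company", mapping), problems)
```

A certificate whose subject carries extra RDNs (for example a trailing C=) maps to no role under this exact-match assumption, which is why the full Subject DN from the certificate should be copied into the file.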