Hi,
From the documentation, I see that a user in ES can be authenticated via Kerberos/PKI mechanisms (and others like LDAP/ActiveDirectory). Documentation also mentions that REST Client can only authenticate users with Basic Http Authentication based on User/Password as http is stateless and every request is authenticated. And this sounds reasonable to me.
I can imagine that PKI based authentication for REST API would not be easy (or performant), if every request needs to be authenticated. However, I did read about Watcher using PKI authentication on http client. Hence this doubt.
Also apache http client provides kerberos credentials out-of-the-box, so was wondering if REST API requests can be authenticated using kerberos. Although this also does not sound reasonable if every request will be authenticated by contacting kerberos server.
But I wanted to double check if there are alternative authentication mechanism for REST client.
Here is my use case: A database system would be indexing it's content into Elastichsearch Cluster using REST Client (HTTPS client). So the ES REST Client is a database system. The communication is over https and ES would be secured using Shield. We only care about authenticating one admin user which can index data.
The ES Cluster would belong to a customer and we do not control it as such, except giving steps to perform on ES side for configuring user credentials.
For this use case scenario, a Kerberos or PKI (more preferred) based authentication looks like a better choice as creating a User which sits in two separate systems creates problem of consistency in maintaining their credentials in two separate systems. (Password expiry,changes etc). PKI based authentication is the best possible solution for our use case.
To Summarize. the questions are:
Q1) Apache http-components allow Kerberos Credentials to pass in their http client. But, I assume ES REST API Requests intercepted by Shield will look for User/Password Basic authentication. Is this assumption correct?
Q2)Is there anyway Rest Client can send user credentials based on certificates using PKI realm in Shield? And Shield can somehow authenticate this kind of (http)REST Request without any kind of SSL handshake steps involved.