Hi, I'm trying to set up PKI authentication on my on-premises cluster. However, I can't make it work no matter what I try to do.
Setup:
- elasticsearch-7.5.2, Linux
- testing this out with 3 nodes, all on my host
- all nodes use the same configuration and the same certificates; their names are node{0,1,2}
- the certificate's CN is $HOSTNAME
Relevant cluster settings:
-Ecluster.initial_master_nodes="node00"
-Ediscovery.seed_hosts=$HOSTNAME:9200,$HOSTNAME:9201,$HOSTNAME:9202
-Enetwork.bind_host=0.0.0.0
-Enetwork.publish_host=$HOSTNAME
-Enode.attr.host=$HOST
Security settings (also, xpack license = basic):
-Expack.security.enabled=true
-Expack.security.authc.anonymous.roles=user
-Expack.security.transport.ssl.enabled=true
-Expack.security.transport.ssl.key=$HOSTNAME.key
-Expack.security.transport.ssl.certificate=$HOSTNAME.crt
-Expack.security.transport.ssl.client_authentication=required
-Expack.security.http.ssl.enabled=true
-Expack.security.http.ssl.key=$HOSTNAME.key
-Expack.security.http.ssl.certificate=$HOSTNAME.crt
-Expack.security.http.ssl.client_authentication=required
-Expack.security.authc.realms.pki.pki1.order=0
The cluster forms without problems. I'm able to curl --key $HOSTNAME.key --cert $HOSTNAME.crt https://$HOSTNAME:9200 without a problem, because I'm authenticated as anonymous. When I remove the anonymous setting, I'm unable to authenticate whatever I do.
I've put this in the role_mapping.yml:
superuser:
- "cn=$HOSTNAME" # actual hostname. Do I need to fill in the other fields (e.g. ou) as well? AFAIU, only cn should be enough
When I update the file on a live cluster, I can see
[2020-08-27T10:40:13,381][INFO ][o.e.x.s.a.s.DnRoleMapper ] [node00] role mappings file [/packages/elasticsearch.server-7.5.2/config/role_mapping.yml] changed for realm [pki/pki1]. updating mappings...
[2020-08-27T10:40:13,381][TRACE][o.e.x.s.a.s.DnRoleMapper ] [node00] reading realm [pki/pki1] role mappings file [/packages/elasticsearch.server-7.5.2/config/role_mapping.yml]...
[2020-08-27T10:40:13,382][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [node00] [5] role mappings found in file [/packages/elasticsearch.server-7.5.2/config/role_mapping.yml] for realm [pki/pki1]
So I guess it does recognize my PKI realm.
When I try to query /_xpack/security/_authenticate I never seem to get pki_dn or anything similar in the metadata field, as most tutorials suggest. Always this:
{
"username": "_anonymous",
"roles": [
"user"
],
"full_name": null,
"email": null,
"metadata": {
"_reserved": true
},
"enabled": true,
"authentication_realm": {
"name": "__anonymous",
"type": "__anonymous"
},
"lookup_realm": {
"name": "__anonymous",
"type": "__anonymous"
}
}
I'm looking for help on how to resolve this, or at least on putting up some logging so I can see why it's not using the PKI realm, or why the PKI realm is failing to authorize. Any help is highly appreciated!
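As an added diagnostic (not part of the original post), a small Python helper that compares a role_mapping.yml DN entry with a certificate subject DN the way a DN-based mapping is matched: every RDN of the subject has to match, not only the CN. It assumes attribute types and values are compared case-insensitively with surrounding whitespace ignored; the two sample subjects are constructed placeholders built around the node00 name from the post.

```python
import re


def split_rdns(dn):
    """Split an RFC 2253 DN on commas that are not backslash-escaped."""
    return [p.strip() for p in re.split(r'(?<!\\),', dn) if p.strip()]


def normalize_dn(dn):
    """Lowercase attribute types and values and strip whitespace around '='.

    Assumption: the mapping comparison is case-insensitive (placeholder rule,
    not taken from the Elasticsearch source).
    """
    rdns = []
    for rdn in split_rdns(dn):
        if '=' not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split('=', 1)
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return tuple(rdns)


def dn_matches(mapping_dn, subject_dn):
    """True only when the whole RDN sequence is identical after normalization."""
    return normalize_dn(mapping_dn) == normalize_dn(subject_dn)


def check_role_mapping(mapping, subject_dn):
    """Return the roles whose DN list contains the certificate subject DN."""
    return sorted(role for role, dns in mapping.items()
                  if any(dn_matches(d, subject_dn) for d in dns))


# Constructed sample: the mapping shape from the post, with node00 as the CN,
# plus two hypothetical certificate subjects (OU/O values are placeholders).
ROLE_MAPPING = {"superuser": ["cn=node00"]}
SUBJECT_CN_ONLY = "CN=node00"
SUBJECT_FULL = "CN=node00,OU=Ops,O=Example"

if __name__ == "__main__":
    for subj in (SUBJECT_CN_ONLY, SUBJECT_FULL):
        print(subj, "->", check_role_mapping(ROLE_MAPPING, subj) or "no roles")
```

Feed it the subject line printed by `openssl x509 -in $HOSTNAME.crt -noout -subject -nameopt RFC2253` to see whether a cn-only entry can ever match your certificate.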