Unable to setup PKI Authentication

Hi, I'm trying to setup PKI authentication on my on-premises cluster. However, I can't make it work no matter what I try to do.

Setup:

  • elasticsearch-7.5.2, Linux
  • testing this out with 3 nodes, all on my host
  • all nodes use the same configuration and the same certificates, their names are node{0,1,2}
  • the certificate's CN is $HOSTNAME

Relevant cluster settings:

        -Ecluster.initial_master_nodes="node00"
        -Ediscovery.seed_hosts=$HOSTNAME:9200,$HOSTNAME:9201,$HOSTNAME:9202
        -Enetwork.bind_host=0.0.0.0
        -Enetwork.publish_host=$HOSTNAME
        -Enode.attr.host=$HOST

Security settings (also, xpack license = basic):

    -Expack.security.enabled=true

    -Expack.security.authc.anonymous.roles=user

    -Expack.security.transport.ssl.enabled=true
    -Expack.security.transport.ssl.key=$HOSTNAME.key
    -Expack.security.transport.ssl.certificate=$HOSTNAME.crt
    -Expack.security.transport.ssl.client_authentication=required

    -Expack.security.http.ssl.enabled=true
    -Expack.security.http.ssl.key=$HOSTNAME.key
    -Expack.security.http.ssl.certificate=$HOSTNAME.crt
    -Expack.security.http.ssl.client_authentication=required

    -Expack.security.authc.realms.pki.pki1.order=0

The cluster forms without problems. I'm able to curl --key $HOSTNAME.key --cert $HOSTNAME.crt https://$HOSTNAME:9200 without a problem - because I'm authenticated as anonymous. When I remove the anonymous roles setting, I'm unable to authenticate whatever I do.
I've put this in the role_mapping.yml:

superuser:
  - "cn=$HOSTNAME" # actual hostname. do I need to fill in the other fields (eg. ou) as well? afaiu, only cn should be enough

When I update the file on a live cluster, I can see

[2020-08-27T10:40:13,381][INFO ][o.e.x.s.a.s.DnRoleMapper ] [node00] role mappings file [/packages/elasticsearch.server-7.5.2/config/role_mapping.yml] changed for realm [pki/pki1]. updating mappings...
[2020-08-27T10:40:13,381][TRACE][o.e.x.s.a.s.DnRoleMapper ] [node00] reading realm [pki/pki1] role mappings file [/packages/elasticsearch.server-7.5.2/config/role_mapping.yml]...
[2020-08-27T10:40:13,382][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [node00] [5] role mappings found in file [/packages/elasticsearch.server-7.5.2/config/role_mapping.yml] for realm [pki/pki1]

So I guess it does recognize my PKI realm.
When I try to query /_xpack/security/_authenticate I never seem to get pki_dn or anything similar in the metadata field, as most tutorials suggest. Always this:

{
  "username": "_anonymous",
  "roles": [
    "user"
  ],
  "full_name": null,
  "email": null,
  "metadata": {
    "_reserved": true
  },
  "enabled": true,
  "authentication_realm": {
    "name": "__anonymous",
    "type": "__anonymous"
  },
  "lookup_realm": {
    "name": "__anonymous",
    "type": "__anonymous"
  }
}

I'm looking for help on how to resolve this, or at least put up some logging so I can see why it's not using the PKI realm, or why the PKI realm is failing to authorize. Any help is highly appreciated!

Welcome @filiph, thanks for reaching out!

To ensure the correct :eyes: see your question, I moved your post from the Elastic Security category, which is focused on SIEM and endpoint, to the Elastic Stack > Elasticsearch category.

Hi there! The PKI realm is not available in the basic license, unfortunately. We realize this should have been better relayed in the logs and we are addressing this in the next release: https://github.com/elastic/elasticsearch/pull/61402

In the meantime you can try this out by starting a trial license in your cluster.
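A small check that turns the two facts in this thread into something you can run before and after starting the trial: first confirm the license type actually enables the PKI realm (on basic it is skipped without any log line, which is what the poster hit), then read the authentication_realm that /_security/_authenticate reports for a request made with the client certificate. This is an added example for this thread, not code from Elastic or from the original poster. The set of license types treated as enabling the realm beyond "not basic", the constructed license responses, the constructed PKI response, and the command-line usage are assumptions; the anonymous response is the one from the question.

```python
"""Diagnose why an Elasticsearch client certificate is not authenticating through
the PKI realm: license first, then the realm reported by /_security/_authenticate.

Runs offline on constructed sample responses. Hypothetical CLI usage against a
live cluster (stdlib only):
    python pki_check.py https://node00:9200 node00.crt node00.key ca.crt
"""
import json
import ssl
import sys
import urllib.request

# License types assumed here to enable the PKI realm. The thread only states that
# "basic" does not; the contents of this set are an assumption, not from the page.
PKI_LICENSE_TYPES = {"trial", "gold", "platinum", "enterprise"}

# Constructed sample of GET /_license on a basic cluster.
SAMPLE_LICENSE_BASIC = {"license": {"status": "active", "type": "basic"}}
# Constructed sample after POST /_license/start_trial?acknowledge=true.
SAMPLE_LICENSE_TRIAL = {"license": {"status": "active", "type": "trial"}}

# The response the poster saw (from the question): the request fell through to anonymous.
SAMPLE_AUTH_ANONYMOUS = {
    "username": "_anonymous",
    "roles": ["user"],
    "metadata": {"_reserved": True},
    "authentication_realm": {"name": "__anonymous", "type": "__anonymous"},
    "lookup_realm": {"name": "__anonymous", "type": "__anonymous"},
}
# Constructed sample of a successful PKI authentication; the PKI realm records the
# certificate subject under metadata.pki_dn.
SAMPLE_AUTH_PKI = {
    "username": "node00",
    "roles": ["superuser"],
    "metadata": {"pki_dn": "CN=node00, OU=example, O=example"},
    "authentication_realm": {"name": "pki1", "type": "pki"},
    "lookup_realm": {"name": "pki1", "type": "pki"},
}


def pki_realm_licensed(license_response):
    """True if GET /_license reports an active license of a type that enables the realm."""
    lic = license_response.get("license", {})
    return lic.get("status") == "active" and lic.get("type") in PKI_LICENSE_TYPES


def authenticated_realm(auth_response):
    """Realm type that GET /_security/_authenticate says handled the request."""
    return auth_response.get("authentication_realm", {}).get("type", "")


def diagnose(license_response, auth_response):
    """One-line verdict; the prefix (license/ok/anonymous/realm) names the failing layer."""
    if not pki_realm_licensed(license_response):
        lic_type = license_response.get("license", {}).get("type")
        return ("license: type %r does not enable the PKI realm, so the realm is skipped "
                "without a log line. Start a trial (POST /_license/start_trial?acknowledge=true) "
                "or install a license that includes the realm." % lic_type)
    realm = authenticated_realm(auth_response)
    if realm == "pki":
        dn = auth_response.get("metadata", {}).get("pki_dn")
        return "ok: authenticated as %r via the PKI realm, certificate subject %r" % (
            auth_response.get("username"), dn)
    if realm == "__anonymous":
        return ("anonymous: the license allows the realm but no realm accepted the client "
                "certificate, so the request fell through to the anonymous user. Check that "
                "the realm trusts the certificate (its truststore, or the HTTP TLS trust when "
                "none is configured) and that username_pattern matches the subject DN.")
    return "realm: authenticated via realm type %r, not the PKI realm" % realm


def fetch_json(base_url, path, cert, key, ca):
    """GET a JSON endpoint presenting the client certificate (hypothetical CLI helper)."""
    ctx = ssl.create_default_context(cafile=ca)
    ctx.load_cert_chain(certfile=cert, keyfile=key)
    with urllib.request.urlopen(base_url + path, context=ctx) as resp:
        return json.load(resp)


if __name__ == "__main__":
    if len(sys.argv) == 5:
        base, cert, key, ca = sys.argv[1:]
        lic = fetch_json(base, "/_license", cert, key, ca)
        auth = fetch_json(base, "/_security/_authenticate", cert, key, ca)
        print(diagnose(lic, auth))
    else:
        # Offline walk-through of the three states a cluster can be in.
        print(diagnose(SAMPLE_LICENSE_BASIC, SAMPLE_AUTH_ANONYMOUS))
        print(diagnose(SAMPLE_LICENSE_TRIAL, SAMPLE_AUTH_ANONYMOUS))
        print(diagnose(SAMPLE_LICENSE_TRIAL, SAMPLE_AUTH_PKI))
```

The ordering matters: on a basic license the second check will always report anonymous, so looking at the realm in the authenticate response first sends you chasing certificate and role-mapping problems that are not there. Once the license is trial, the authenticate response is the thing to watch: the realm type flips from __anonymous to pki and metadata.pki_dn shows the exact subject DN that role_mapping.yml has to match.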

Ah, I see, thanks for the quick response!
True, having logs would be really helpful to quickly err out.
By next release do you mean v8, or a v7 update?

Next minor. To be clear, what changes is the addition of the log message. The PKI realm is still not available in basic license.

Got it, thanks!
Feel free to close the topic