I'm currently using ES 5.5 and am trying to enable client authentication via PKI and so far everything seems to work if the certificates I use only contain a common name (or email address by itself), but if I try to also include an emailAddress field, the role_mapping configuration doesn't seem to be coming into effect.
The relevant elasticsearch.yaml config:
```yaml
xpack:
  security:
    authc:
      realms:
        realm1:
          type: pki
          order: 0
          username_pattern: "EMAILADDRESS=(.*?)(?:,|$)"
          certificate_authorities:
            - /usr/share/elasticsearch/config/certs/ca.crt
          files:
            role_mapping: /usr/share/elasticsearch/config/certs/role_mapping.yaml
```
And role_mapping.yaml contains something similar to:
```yaml
superuser:
  - "emailAddress=firstname.lastname@example.org"
```
I can see that username_pattern worked properly if I try to make any sort of curl request against the instance, as the error message I receive is able to parse the email address:

```
[2018-05-11T18:04:31,735][INFO ][o.e.x.s.a.s.m.NativeRoleMappingStore] [node1] The security index is not yet available - no role mappings can be loaded
[2018-05-11T18:04:31,744][INFO ][o.e.x.s.a.l.LoggingAuditTrail] [transport] [access_denied] origin_type=[rest], origin_address=[172.17.0.2], principal=[email@example.com], action=[cluster:monitor/main], request=[MainRequest]
```
The certificate's subject line appears like this:
```
Subject: emailAddress=firstname.lastname@example.org, CN=node1
```
Same with the "mangled" version (i.e. when the email address is not specified first using openssl's
The role mapping file documentation doesn't mention specifications for using email addresses - could the issue simply be a syntax-related one?
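To see which form of a role_mapping entry a certificate subject would actually hit, here is a small added walkthrough (example code, not from the post and not Elasticsearch's own implementation). It assumes the subject DN is presented to the realm as the string shown in the post (`EMAILADDRESS=..., CN=node1`), that `username_pattern` is matched case-insensitively with its first capture group becoming the username, and that a file role-mapping entry grants its role when it equals either that username or the whole DN; the DNs and mapping dicts are constructed samples, and the toy compares strings exactly without Elasticsearch's DN normalisation.

```python
import re

# Pattern taken from the post's elasticsearch.yml; the PKI realm applies it to
# the certificate subject DN and uses the first capture group as the username.
USERNAME_PATTERN = r"EMAILADDRESS=(.*?)(?:,|$)"

# Constructed sample subject DNs, written the way the post shows them.
# Matching is assumed to be case-insensitive, hence re.IGNORECASE below.
DN_WITH_EMAIL = "EMAILADDRESS=firstname.lastname@example.org, CN=node1"
DN_CN_ONLY = "CN=node1"


def extract_username(dn, pattern=USERNAME_PATTERN):
    """Return the username the realm would derive from `dn`, or None when the
    pattern does not match (a certificate that yields no username is not
    authenticated at all, so it never reaches the role-mapping step)."""
    match = re.search(pattern, dn, re.IGNORECASE)
    return match.group(1) if match else None


def roles_for(dn, role_mapping, pattern=USERNAME_PATTERN):
    """Simplified role_mapping.yml evaluation (assumption, not ES's code):
    `role_mapping` is {role: [entry, ...]} and an entry grants its role when
    it equals either the derived username or the whole subject DN.
    Strings are compared exactly; no DN normalisation is attempted."""
    username = extract_username(dn, pattern)
    if username is None:
        return set()
    return {role for role, entries in role_mapping.items()
            if username in entries or dn in entries}


# Three constructed role_mapping.yml variants, expressed as Python dicts.
MAPPING_AS_IN_POST = {"superuser": ["emailAddress=firstname.lastname@example.org"]}
MAPPING_BY_USERNAME = {"superuser": ["firstname.lastname@example.org"]}
MAPPING_BY_DN = {"superuser": ["EMAILADDRESS=firstname.lastname@example.org, CN=node1"]}


def walkthrough():
    """Evaluate each mapping variant against the sample certificate subject."""
    return {
        "username": extract_username(DN_WITH_EMAIL),
        "as_in_post": roles_for(DN_WITH_EMAIL, MAPPING_AS_IN_POST),
        "by_username": roles_for(DN_WITH_EMAIL, MAPPING_BY_USERNAME),
        "by_dn": roles_for(DN_WITH_EMAIL, MAPPING_BY_DN),
        "cn_only": extract_username(DN_CN_ONLY),
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

Under these assumptions the entry written as a lone `emailAddress=...` attribute matches neither the derived username (the bare address) nor the full DN, while an entry holding just the address or the complete DN does; running the script against your own subject string and mapping file is a quick way to confirm which case applies before touching the realm configuration.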