Using PKI realms with email role_mapping


(Rezie) #1

I'm currently using ES 5.5 and am trying to enable client authentication via PKI and so far everything seems to work if the certificates I use only contain a common name (or email address by itself), but if I try to also include an emailAddress field, the role_mapping configuration doesn't seem to be coming into effect.

The relevant elasticsearch.yaml config:

xpack:
  security:
    authc:
      realms:
        realm1:
          type: pki
          order: 0
          username_pattern: "EMAILADDRESS=(.*?)(?:,|$)"
          certificate_authorities:
          - /usr/share/elasticsearch/config/certs/ca.crt
          files:
            role_mapping: /usr/share/elasticsearch/config/certs/role_mapping.yaml

And role_mapping.yaml contains something similar to:

superuser:
  - "emailAddress=admin@example.com"

I can see that username_pattern worked properly if I try to make any sort of curl requests against the instance, as the error message I receive is able to parse the email address:

[2018-05-11T18:04:31,735][INFO ][o.e.x.s.a.s.m.NativeRoleMappingStore] [node1] The security index is not yet available - no role mappings can be loaded

[2018-05-11T18:04:31,744][INFO ][o.e.x.s.a.l.LoggingAuditTrail] [transport] [access_denied]	origin_type=[rest], origin_address=[172.17.0.2], principal=[admin@example.com], action=[cluster:monitor/main], request=[MainRequest]

The certificate's subject line appears like this:
Subject: emailAddress=admin@example.com, CN=node1

Same with the "mangled" version (i.e. when the email address is not specified first using openssl's -subj flag):
Subject: CN=node1/emailAddress=admin@example.com

The role mapping file documentation doesn't mention specifications for using email addresses - could the issue simply be a syntax-related one?


(Rezie) #2

Was able to resolve this issue - I missed the suggestion in the documentation to use the authentication API endpoint to verify the DN. Once I grabbed the return value and used it in the role_mapping file, I was able to make curl commands regardless of how many fields I have set in the DN.
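As an added illustration (not part of Rezie's posts or of Elasticsearch's code), a small Python model of the two steps this thread touches: applying the realm's username_pattern to both subject forms shown above, and matching a role_mapping entry against the certificate's DN. It assumes the pattern is applied case-insensitively and models DN comparison as a simplified normalization (lowercased attribute types, trimmed comma-separated components; escaped commas are not handled), not the realm's real implementation.

```python
import re

# The poster's username_pattern, taken verbatim from the elasticsearch.yaml above.
USERNAME_PATTERN = r"EMAILADDRESS=(.*?)(?:,|$)"

# Constructed sample subjects, mirroring the two forms quoted in the thread.
SUBJECT_COMMA = "emailAddress=admin@example.com, CN=node1"
SUBJECT_SLASH = "CN=node1/emailAddress=admin@example.com"


def extract_username(subject_dn, pattern=USERNAME_PATTERN):
    """Return the first capture group of the pattern, or None if it does not match.

    Assumption: the realm matches case-insensitively, so the upper-case
    EMAILADDRESS in the pattern still hits the lower-case emailAddress in the DN.
    """
    match = re.search(pattern, subject_dn, re.IGNORECASE)
    return match.group(1) if match else None


def normalize_dn(dn):
    """Simplified DN normalization: split on commas, lowercase attribute types,
    strip whitespace. Escaped commas inside values are deliberately not handled."""
    components = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        components.append(f"{attr.strip().lower()}={value.strip()}")
    return ",".join(components)


def roles_for_dn(subject_dn, role_mapping):
    """role_mapping has the shape of role_mapping.yaml: {role: [dn, ...]}.

    A role is granted only when one of its mapped DNs equals the certificate's
    whole DN after normalization. A partial DN such as the poster's original
    "emailAddress=admin@example.com" therefore never matches a certificate whose
    subject also carries CN=node1, which is the behaviour the thread describes.
    """
    target = normalize_dn(subject_dn)
    return sorted(
        role for role, dns in role_mapping.items()
        if any(normalize_dn(mapped) == target for mapped in dns)
    )


if __name__ == "__main__":
    print(extract_username(SUBJECT_COMMA), extract_username(SUBJECT_SLASH))
    print(roles_for_dn(SUBJECT_COMMA, {"superuser": ["emailAddress=admin@example.com"]}))
    print(roles_for_dn(SUBJECT_COMMA, {"superuser": ["EMAILADDRESS=admin@example.com, CN=node1"]}))
```

The last two calls show the contrast the poster hit: the partial entry yields no roles, while the full DN (as the authenticate API would return it) maps to superuser.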


(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.