I'm currently using ES 5.5 and am trying to enable client authentication via PKI and so far everything seems to work if the certificates I use only contain a common name (or email address by itself), but if I try to also include an emailAddress field, the role_mapping configuration doesn't seem to be coming into effect.
The relevant elasticsearch.yaml config:
xpack:
  security:
    authc:
      realms:
        realm1:
          type: pki
          order: 0
          username_pattern: "EMAILADDRESS=(.*?)(?:,|$)"
          certificate_authorities:
            - /usr/share/elasticsearch/config/certs/ca.crt
          files:
            role_mapping: /usr/share/elasticsearch/config/certs/role_mapping.yaml
And role_mapping.yaml contains something similar to:
superuser:
  - "emailAddress=admin@example.com"
I can see that username_pattern worked properly if I try to make any sort of curl requests against the instance, as the error message I receive is able to parse the email address:
[2018-05-11T18:04:31,735][INFO ][o.e.x.s.a.s.m.NativeRoleMappingStore] [node1] The security index is not yet available - no role mappings can be loaded
[2018-05-11T18:04:31,744][INFO ][o.e.x.s.a.l.LoggingAuditTrail] [transport] [access_denied] origin_type=[rest], origin_address=[172.17.0.2], principal=[admin@example.com], action=[cluster:monitor/main], request=[MainRequest]
The certificate's subject line appears like this:
Subject: emailAddress=admin@example.com, CN=node1
Same with the "mangled" version (i.e. when the email address is not specified first using openssl's -subj flag):
Subject: CN=node1/emailAddress=admin@example.com
The role mapping file documentation doesn't mention specifications for using email addresses - could the issue simply be a syntax-related one?
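Added here as a stand-alone check, not code from Elasticsearch or from the post: it applies the post's username_pattern (case-insensitively, which is how the log above shows it behaving) to both subject lines, and then compares the role_mapping.yaml entry against the certificate's whole subject DN. The DN comparison rests on an assumption to verify against the realm documentation: that a file role mapping for a PKI realm is matched against the full subject DN, not a single RDN such as "emailAddress=...".

```python
"""Check a PKI username_pattern and a file role mapping against certificate subjects."""
import re
from typing import Dict, List, Optional

# Subject lines exactly as openssl printed them in the post (two layouts of the same RDNs).
SUBJECTS = [
    "emailAddress=admin@example.com, CN=node1",
    "CN=node1/emailAddress=admin@example.com",
]

# username_pattern from the elasticsearch.yml in the post; compiled case-insensitively
# because the log shows principal=[admin@example.com] although the subject says emailAddress.
USERNAME_PATTERN = re.compile(r"EMAILADDRESS=(.*?)(?:,|$)", re.IGNORECASE)

# role_mapping.yaml from the post as a dict (constructed inline, not read from disk).
ROLE_MAPPING: Dict[str, List[str]] = {"superuser": ["emailAddress=admin@example.com"]}


def normalize_dn(subject: str) -> str:
    """Rewrite an openssl subject line ("a=b, c=d" or "a=b/c=d") as comma-separated RDNs
    with upper-case attribute types, e.g. 'EMAILADDRESS=admin@example.com,CN=node1'.
    Assumption: attribute values contain no escaped commas or slashes."""
    parts = [p.strip() for p in re.split(r"[,/]", subject) if p.strip()]
    rdns = []
    for rdn in parts:
        attr_type, _, value = rdn.partition("=")
        rdns.append(f"{attr_type.strip().upper()}={value.strip()}")
    return ",".join(rdns)


def extract_principal(subject: str) -> Optional[str]:
    """The user name the username_pattern would pull out of this subject, or None."""
    match = USERNAME_PATTERN.search(normalize_dn(subject))
    return match.group(1) if match else None


def roles_for(subject: str, mapping: Dict[str, List[str]]) -> List[str]:
    """Roles whose listed DNs equal the whole normalised subject DN (order-sensitive,
    as DNs are). Assumed model of the file role mapping; a lone RDN never matches."""
    dn = normalize_dn(subject)
    return sorted(role for role, dns in mapping.items()
                  if any(normalize_dn(d) == dn for d in dns))


if __name__ == "__main__":
    for s in SUBJECTS:
        print(f"{s!r}: principal={extract_principal(s)!r}, roles={roles_for(s, ROLE_MAPPING)}")
```

Running it shows the principal is extracted from both subject layouts while the single-RDN mapping entry yields no roles; replacing the entry with the full DN of the first subject yields superuser for that certificate only.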