Using PKI realms with email role_mapping

(Rezie) #1

I'm currently using ES 5.5 and am trying to enable client authentication via PKI and so far everything seems to work if the certificates I use only contain a common name (or email address by itself), but if I try to also include an emailAddress field, the role_mapping configuration doesn't seem to be coming into effect.

The relevant elasticsearch.yaml config (the realm name and the `certificate_authorities`/`files` keys were lost when the post was extracted; the realm name below is a placeholder, the keys are the standard PKI realm settings):

```yaml
xpack:
  security:
    authc:
      realms:
        pki1:   # placeholder realm name, not shown in the post
          type: pki
          order: 0
          username_pattern: "EMAILADDRESS=(.*?)(?:,|$)"
          certificate_authorities:
            - /usr/share/elasticsearch/config/certs/ca.crt
          files:
            role_mapping: /usr/share/elasticsearch/config/certs/role_mapping.yaml
```

And role_mapping.yaml contains something similar to (the role name and the DN value did not survive extraction; the role name below is a placeholder):

```yaml
role_name:   # placeholder, the post's actual role name is not shown
  - ""
```

I can see that username_pattern worked properly if I try to make any sort of curl requests against the instance, as the error message I receive is able to parse the email address:

[2018-05-11T18:04:31,735][INFO ][o.e.x.s.a.s.m.NativeRoleMappingStore] [node1] The security index is not yet available - no role mappings can be loaded

[2018-05-11T18:04:31,744][INFO ][o.e.x.s.a.l.LoggingAuditTrail] [transport] [access_denied]	origin_type=[rest], origin_address=[], principal=[], action=[cluster:monitor/main], request=[MainRequest]

The certificate's subject line appears like this:
Subject:, CN=node1

Same with the "mangled" version (i.e. when the email address is not specified first using openssl's -subj flag):
Subject: CN=node1/

The role mapping file documentation doesn't mention specifications for using email addresses - could the issue simply be a syntax-related one?

(Rezie) #2

Was able to resolve this issue - I missed the suggestion in the documentation to use the authentication API endpoint to verify the DN. Once I grabbed the return value and used it in the role_mapping file, I was able to make curl commands regardless of how many fields I have set in the DN.
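The behaviour behind the fix, as an added example that is not code from the thread or from Elasticsearch: the realm's `username_pattern` is applied to the DN string as the realm reports it, and the DN listed in role_mapping.yaml has to be that same string, not the slash-separated form typed into `openssl -subj`. The DNs, e-mail address and role names below are constructed sample values.

```python
import re

# The username_pattern from the post, applied exactly as configured (case-sensitive)
USERNAME_PATTERN = re.compile(r"EMAILADDRESS=(.*?)(?:,|$)")

# Constructed: the DN as the PKI realm reports it (comma-separated, email RDN first)
REALM_DN = "EMAILADDRESS=node1@example.test,CN=node1"
# Constructed: the same subject as written on the openssl -subj command line
OPENSSL_DN = "/CN=node1/emailAddress=node1@example.test"

# Constructed role_mapping.yaml contents as a dict: role name -> list of DN strings
ROLE_MAPPING = {
    "monitoring_user": ["EMAILADDRESS=node1@example.test,CN=node1"],
    "admin": ["CN=admin,O=Example"],
}


def username_from_dn(dn):
    """Apply the realm's username_pattern; None means no username can be derived."""
    m = USERNAME_PATTERN.search(dn)
    return m.group(1) if m else None


def roles_for_dn(dn, mapping=ROLE_MAPPING):
    """Return the roles whose DN list contains this DN string verbatim."""
    return sorted(role for role, dns in mapping.items() if dn in dns)


def role_mapping_mismatches(mapping=ROLE_MAPPING):
    """Flag mapping entries written in the openssl slash form instead of the realm form."""
    return sorted(f"{role}: {dn}" for role, dns in mapping.items()
                  for dn in dns if dn.startswith("/") or "=" not in dn)


if __name__ == "__main__":
    for dn in (REALM_DN, OPENSSL_DN):
        print(dn, "->", username_from_dn(dn), roles_for_dn(dn))
    print("suspect mapping entries:", role_mapping_mismatches())
```

Running it shows the openssl form yields no username and no roles, which is the symptom in the first post; the DN copied from the authenticate API matches.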

(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.