X-pack security fallback realm configuration?

security

(Jharrisonpnnl) #1

Hi all,
I'm trying to set up tiered realms in my elasticsearch.yml. I'd think that the following realm config:

xpack.security.authc.realms:
    native1:
	    type: native
        order: 1
    pki1:
	    type: pki
        order: 0

Would give me the ability to preferentially log in with PKI, with a fallback to native auth. As it is, I'm only getting PKI prompts, even when explicitly specifying the elastic user credentials.
Is there a way to tell Elasticsearch that I want to authenticate via PKI OR via native, whichever the client can supply?


(Jharrisonpnnl) #2

Scratch that - setting
xpack.security.http.ssl.client_authentication: required
instead of
xpack.security.http.ssl.client_authentication: optional

is the cause of the issue.
Once set to optional, I'm able to successfully authenticate with either option