Client certificate based authentication
Search Guard can use a client TLS certificate in the HTTP request to authenticate users and assign roles and permissions.
In order for Search Guard to pick up client certificate on the REST layer, you need to set the
elasticsearch.yml to either
The configuration for the client certificate authenticator is very minimal:
clientcert_auth_domain: http_enabled: true order: 1 http_authenticator: type: clientcert config: username_attribute: cn challenge: false authentication_backend: type: noop
|username_attribute||String, the part of the certificate’s DN that is used as username. If not specified, the complete DN is used.|
Mapping DNs to roles
To map a certificate based user to a role, just use the username as specified by
sg_roles_mapping.yml, for example:
You issued a certificate for the user
kirk for which the subject of the certificate is (
openssl x509 -in kirk.crt.pem -text -noout):
Subject: C=DE, L=Test, O=client, OU=client, CN=kirk
You would then map the role like so:
sg_role_starfleet: users: - kirk backend_roles: - ... hosts: - ...