Version: 6.x-23
Community

Client certificate based authentication

Search Guard can use a client TLS certificate in the HTTP request to authenticate users and assign roles and permissions.

Configuration

In order for Search Guard to pick up the client certificate on the REST layer, you need to set clientauth_mode in elasticsearch.yml to either OPTIONAL or REQUIRE:

searchguard.ssl.http.clientauth_mode: OPTIONAL

The configuration for the client certificate authenticator is very minimal:

clientcert_auth_domain:
  enabled: true
  order: 1
  http_authenticator:
    type: clientcert
    config:
      username_attribute: cn
    challenge: false
  authentication_backend:
    type: noop

Name                Description
username_attribute  String, the part of the certificate's DN that is used as the username. If not specified, the complete DN is used.

Mapping DNs to roles

To map a certificate based user to a role, use the username as selected by username_attribute (cn in the clientcert_auth_domain above) in sg_roles_mapping.yml, for example:

Suppose you issued a certificate for the user kirk whose subject (as shown by openssl x509 -in kirk.crt.pem -text -noout) is:

Subject: C=DE, L=Test, O=client, OU=client, CN=kirk

You would then map the role like so:

sg_role_starfleet:
  users:
    - kirk
  backendroles:
    - ...
  hosts:
    - ...
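The two rules above, deriving the username from the DN via username_attribute (falling back to the complete DN when it is unset) and matching that username against the users list in sg_roles_mapping.yml, can be traced in a few lines. The following is an added illustration, not Search Guard's own code: the subject line is the one printed on this page, the roles mapping is a constructed sample shaped like sg_roles_mapping.yml, and the choice to return None (so a caller can reject the login) when the configured attribute is missing from the DN is an assumption of this example, not documented behaviour.

```python
import re

# Constructed sample input: the subject line the page shows from
# `openssl x509 -in kirk.crt.pem -text -noout`.
SAMPLE_SUBJECT = "Subject: C=DE, L=Test, O=client, OU=client, CN=kirk"

# Constructed sample mapping, shaped like sg_roles_mapping.yml on this page.
SAMPLE_ROLES_MAPPING = {
    "sg_role_starfleet": {"users": ["kirk"], "backendroles": [], "hosts": []},
    "sg_role_klingon": {"users": ["worf"], "backendroles": [], "hosts": []},
}


def dn_string(subject_line):
    """Strip the 'Subject:' prefix openssl prints and return the bare DN."""
    prefix, sep, rest = subject_line.partition(":")
    if sep and prefix.strip().lower() == "subject":
        return rest.strip()
    return subject_line.strip()


def parse_dn(subject_line):
    """Split a DN into (attribute, value) pairs in the order printed.
    Commas escaped with a backslash are part of the value, not separators;
    attribute names are lower-cased so 'CN' and 'cn' both match."""
    rdns = []
    for part in re.split(r"(?<!\\),\s*", dn_string(subject_line)):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.replace("\\,", ",").strip()))
    return rdns


def username_from_dn(subject_line, username_attribute=None):
    """Apply the username_attribute rule from the page: use that part of the
    DN as the username, or the complete DN if no attribute is configured.
    Returns None when the configured attribute is absent from the DN, so the
    caller can reject the login instead of silently using the wrong name
    (assumed behaviour for this example, not stated by the page)."""
    if username_attribute is None:
        return dn_string(subject_line)
    wanted = username_attribute.lower()
    for attr, value in parse_dn(subject_line):
        if attr == wanted:
            return value  # first match wins if the attribute repeats
    return None


def roles_for_user(username, roles_mapping):
    """Resolve the roles whose 'users' list names this username, mirroring
    how a clientcert user is matched in sg_roles_mapping.yml."""
    return sorted(role for role, spec in roles_mapping.items()
                  if username in spec.get("users", []))


if __name__ == "__main__":
    user = username_from_dn(SAMPLE_SUBJECT, "cn")
    print(user, roles_for_user(user, SAMPLE_ROLES_MAPPING))
```

Running it prints kirk together with sg_role_starfleet. The escaped-comma handling matters because a subject such as CN=Smith\, John would otherwise be split in the middle of the name, and the full-DN fallback shows why an unset username_attribute produces usernames like "C=DE, L=Test, O=client, OU=client, CN=kirk" that must then appear verbatim in the mapping.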