[DOCS] Adds PKI delegation.enabled example #53030
Pinging @elastic/es-security (:Security/Authentication)
Pinging @elastic/es-docs (>docs)
If you want the same users to also be authenticated using certificates when they connect to {kib}, you must configure the {es} PKI realm to | ||
<<pki-realm-for-proxied-clients,allow delegation>> and to | ||
{kibana-ref}/kibana-authentication.html#pki-authentication[enable PKI authentication in {kib}]. |
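Review bot: the two requirements joined by "and to" in this hunk live in different products; the first is an Elasticsearch realm setting (<<pki-realm-for-proxied-clients,allow delegation>>), the second a Kibana-side configuration reached through the {kibana-ref} link. Consider saying so explicitly (for example "...allow delegation, and then enable PKI authentication in {kib} itself") so readers do not look for the Kibana step among the {es} realm settings.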
I moved this paragraph to a separate step, which links to the Kibana section.
x-pack/docs/en/security/authentication/configuring-pki-realm.asciidoc
. PKI authentication delegation requires that SSL/TLS is configured (without | ||
SSL/TLS client authentication). See <<ssl-tls>>. |
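Review bot: the parenthetical "(without SSL/TLS client authentication)" reads as a prohibition, i.e. that client authentication must be turned off for delegation to work, whereas the discussion in this thread states that delegated PKI only needs TLS on the HTTP layer, with or without client authentication. Suggest "PKI authentication delegation requires that TLS is enabled on the HTTP layer; client authentication is not required for the delegated flow" and a link to the HTTP TLS section rather than the generic <<ssl-tls>> anchor, which does not describe a no-client-auth setup.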
without SSL/TLS client authentication. See <>
This sentence is a bit unclear to me, since I don't think we describe a way to configure TLS without authentication in the linked page. Can we clarify or is there a better link?
I agree this is confusing. Otherwise, everything else LGTM! 👍
So, for regular PKI authentication, HTTP or transport TLS with client authentication enabled (i.e. optional or required) is required. This is/was stated clearly in the docs. But it's true that for the case of delegated PKI, the TLS topic was not touched at all. The requirement in this case is to just have TLS for the HTTP layer (with or without client authentication). But, to muddy the waters, when delegated PKI is enabled, the realm can work for non-delegated authentication as well, in which case the TLS restrictions for that apply.
It's tricky, maybe just mention HTTPS is required for delegated PKI at the beginning somewhere, and don't mention client authentication?
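To make the two cases in the discussion above concrete, here is an added elasticsearch.yml illustration (it is not part of this PR or of the Elasticsearch docs). Case A is the direct-client setup, where PKI on the HTTP layer needs TLS with client authentication set to at least `optional`; case B is the delegated setup, where only HTTPS on the {es} HTTP layer is required and the realm is switched on with `delegation.enabled`. The certificate and key paths, the realm name `pki1` and the `order` value are constructed placeholders; the setting names themselves are the ones the thread and the PR text already refer to.

```yaml
# Case A: clients present certificates directly to Elasticsearch.
# TLS on the HTTP layer with client_authentication "optional" lets
# certificate-less clients still authenticate with a password.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: certs/es-node.key                  # placeholder path
xpack.security.http.ssl.certificate: certs/es-node.crt          # placeholder path
xpack.security.http.ssl.certificate_authorities: [ "certs/ca.crt" ]  # placeholder path
xpack.security.http.ssl.client_authentication: optional

xpack.security.authc.realms.pki.pki1.order: 1                   # constructed value
xpack.security.authc.realms.pki.pki1.certificate_authorities: [ "certs/ca.crt" ]
---
# Case B: Kibana terminates the client TLS session and forwards the
# certificate chain. Elasticsearch must speak HTTPS, but client
# authentication on the {es} HTTP layer is not required for this flow,
# so it is left at its default here.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: certs/es-node.key                  # placeholder path
xpack.security.http.ssl.certificate: certs/es-node.crt          # placeholder path

xpack.security.authc.realms.pki.pki1.order: 1                   # constructed value
xpack.security.authc.realms.pki.pki1.certificate_authorities: [ "certs/ca.crt" ]
# Allow this realm to validate delegated PKI authentication. The realm
# still accepts direct-client PKI too, so case A's TLS rules apply to
# any client that connects to {es} directly with a certificate.
xpack.security.authc.realms.pki.pki1.delegation.enabled: true
```

The two documents are separated with `---` only so that they can sit in one block; a real elasticsearch.yml holds exactly one of them. Because a delegation-enabled realm also serves direct clients, an operator who wants both flows at once uses case B plus case A's `client_authentication: optional` line.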
`xpack.security.authc.realms.pki` namespace. | ||
You must explicitly set the `order` attribute. See <<ref-pki-settings>> for all | ||
of the options you can set for a `pki` realm. | ||
`xpack.security.authc.realms.pki` namespace. You must explicitly set the `order` |
👍
authenticating HTTP traffic using username and password credentials. You can | ||
also set `xpack.security.transport.ssl.client_authentication` to `optional` to | ||
allow clients without certificates to authenticate with other credentials. | ||
|
||
IMPORTANT: You must enable SSL/TLS with client authentication to use PKI when | ||
clients connect directly to {es}. |
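Review bot: this hunk drops both the `xpack.security.transport.ssl.client_authentication` to `optional` guidance and the IMPORTANT admonition from the introduction. The reply below says they were moved into the client-authentication step; please check in that step that two details survive the move, because they carry the security meaning: the `optional` value (without it, password-based clients are locked out once client authentication is on) and the "when clients connect directly to {es}" condition (which is what separates this requirement from the delegated case, where client authentication is not needed).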
You can also set
xpack.security.transport.ssl.client_authentication
... You must enable SSL/TLS with client authentication...
I moved this content into the "Enable client authentication on the desired network layers (transport or http)" step, since in my opinion it was out of context and therefore harder to understand in this introductory section.
@@ -41,15 +33,21 @@ xpack: | |||
With this configuration, any certificate trusted by the {es} SSL/TLS layer is | |||
accepted for authentication. The username is the common name (CN) extracted | |||
from the DN in the Subject field of the end-entity certificate. This | |||
configuration does not permit PKI authentication to {kib}. | |||
configuration is not sufficient to permit PKI authentication to {kib}; |
is not sufficient
I changed this sentence since by my understanding this step is necessary to permit PKI authentication in Kibana, it just isn't sufficient (other steps are required). If I've misunderstood, please let me know and I can revert this change.
This is correct!
Thanks for the explanation. I've added this line to the Kibana section:
If that's not what you had in mind, just let me know. Thanks!
simply toggle the `delegation.enabled` realm setting to `true`. This realm is | ||
now allowed to validate delegated PKI authentication (after restarting {es}). | ||
<<pki-realm-for-direct-clients>> section. In this scenario, when you enable TLS, | ||
it is mandatory that you <<tls-http,encrypt HTTP client communications>>. |
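Review bot: "In this scenario, when you enable TLS, it is mandatory that you <<tls-http,encrypt HTTP client communications>>" makes TLS sound optional ("when you enable"), but per the discussion above HTTPS is a hard requirement for delegated PKI. Suggest "In this scenario TLS is required on the HTTP layer: you must <<tls-http,encrypt HTTP client communications>>". It would also help to state in the first sentence that a realm with `delegation.enabled` set to `true` continues to authenticate direct clients, since that is the reason the <<pki-realm-for-direct-clients>> restrictions still matter here.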
👍
Thank you Lisa, I uphold my LGTM, beautifully worded, as usual!
Fixes #53023
Related to #45906
Preview: http://elasticsearch_53030.docs-preview.app.elstc.co/guide/en/elasticsearch/reference/master/pki-realm.html