Add Details About username_rdn_name and username_rdn_oid to PKI Security Doc #4022
hi @ebarlas - if those settings are only valid starting in 9.1, then you need to add some applies tags to the settings you added to indicate when they have become available (adding just need to review this PR still :)
are these options considered equivalent to each other? do we have a preference for which to use? if you don't have a preference (or prefer the alternative), consider the following. the bullets and tabs should be ordered in order of recommendation.
you might want to do this anyway, even if the rdn attribute method is the less ideal method, just to make the tutorial a little more compact / a little friendlier to those using older versions of ES
2. Optional: The username is defined by the [username_pattern](https://docs-v3-preview.elastic.dev/elastic/elasticsearch/tree/main/reference/elasticsearch/configuration-reference/security-settings#ref-pki-settings). If you want to use something other than the CN of the Subject DN as the username, you can use one of the following methods to extract the username:
* Specify a regex to extract the desired username. The regex is applied on the Subject DN.
* {applies_to}`stack: ga 9.1` Extract the username from a specific RDN attribute in the Subject DN.
:::::{tab-set}
::::{tab-item} Regex
Specify a regex to extract the desired username. The regex is applied on the Subject DN.
For example, the regex in the following configuration extracts the email address from the Subject DN:
```yaml
xpack:
  security:
    authc:
      realms:
        pki:
          pki1:
            order: 1
            username_pattern: "EMAILADDRESS=(.*?)(?:,|$)"
```
:::{note}
If the regex is too restrictive and does not match the Subject DN of the client’s certificate, then the realm does not authenticate the certificate.
:::
::::
::::{tab-item} Specific RDN attribute
The username can be extracted from a specific RDN attribute in the Subject DN by using [username_rdn_name](elasticsearch://reference/elasticsearch/configuration-reference/security-settings.md#ref-pki-settings) or [username_rdn_oid](elasticsearch://reference/elasticsearch/configuration-reference/security-settings.md#ref-pki-settings). When an RDN attribute configuration is provided, it supersedes `username_pattern`.
For example, to extract the username from the `CN` RDN attribute:
```yaml
xpack:
  security:
    authc:
      realms:
        pki:
          pki1:
            order: 1
            username_rdn_name: "CN"
```
::::
:::::
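To make the two extraction paths and their precedence concrete, the following is an added Python model of the behaviour the doc text above describes; it is example code written for this review, not Elasticsearch's PKI realm implementation. It assumes a constructed Subject DN in RFC 4514 string form, a small hand-written OID-to-attribute table, that the first matching RDN wins when an attribute appears more than once, and that the CN-extracting default is expressed as the regex `CN=(.*?)(?:,|$)`; those are assumptions of the example, not statements from the page.

```python
import re
from typing import Optional

# Constructed sample Subject DN for the demo (not taken from the page).
SAMPLE_DN = ("EMAILADDRESS=alice@example.com,CN=Alice Example,UID=alice,"
             "OU=Engineering,O=Example Corp,C=US")

# Constructed DN whose CN contains an escaped comma, to show why parsing
# RDNs differs from running a regex over the DN string.
ESCAPED_DN = "CN=Doe\\, John,O=Example Corp"

# Assumed default pattern used when no setting is configured (extracts the CN).
DEFAULT_PATTERN = r"CN=(.*?)(?:,|$)"

# Tiny OID -> attribute-name table for the demo (standard X.520/RFC 4519 OIDs).
OID_TO_NAME = {
    "2.5.4.3": "CN",
    "0.9.2342.19200300.100.1.1": "UID",
    "2.5.4.11": "OU",
    "2.5.4.10": "O",
    "2.5.4.6": "C",
    "1.2.840.113549.1.9.1": "EMAILADDRESS",
}


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 4514 DN string into (attribute, value) pairs.

    Backslash escapes are honoured so a ',' inside a value does not start a
    new RDN. Multi-valued RDNs ('+') are not handled; this is a demo parser.
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if c == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def username_from_pattern(dn: str, pattern: str) -> Optional[str]:
    """Regex path: first capture group of the first match over the DN string.

    Returns None when the regex does not match, which the doc describes as the
    realm refusing to authenticate the certificate.
    """
    m = re.search(pattern, dn)
    if m is None or m.lastindex is None:
        return None
    return m.group(1)


def username_from_rdn(dn: str, rdn_name: Optional[str] = None,
                      rdn_oid: Optional[str] = None) -> Optional[str]:
    """RDN path: pick the value of a named (or OID-addressed) attribute."""
    name = rdn_name
    if name is None and rdn_oid is not None:
        name = OID_TO_NAME.get(rdn_oid)  # unknown OID -> no username
    if name is None:
        return None
    for attr, value in parse_dn(dn):
        if attr == name.upper():
            return value  # assumption: first occurrence wins
    return None


def resolve_username(dn: str, realm: dict) -> Optional[str]:
    """Apply the documented precedence: an RDN setting supersedes username_pattern."""
    if realm.get("username_rdn_name") or realm.get("username_rdn_oid"):
        return username_from_rdn(dn, realm.get("username_rdn_name"),
                                 realm.get("username_rdn_oid"))
    return username_from_pattern(dn, realm.get("username_pattern", DEFAULT_PATTERN))


if __name__ == "__main__":
    print(resolve_username(SAMPLE_DN, {}))                                   # Alice Example
    print(resolve_username(SAMPLE_DN, {"username_pattern": "EMAILADDRESS=(.*?)(?:,|$)"}))
    print(resolve_username(SAMPLE_DN, {"username_rdn_oid": "0.9.2342.19200300.100.1.1"}))
    print(resolve_username(ESCAPED_DN, {}), "vs", resolve_username(ESCAPED_DN, {"username_rdn_name": "CN"}))
```

The last line of the `__main__` block is the practical point of the RDN settings: over `CN=Doe\, John,...` the lazy regex stops at the escaped comma and yields `Doe\`, while the attribute lookup returns the full value `Doe, John`. The `None` result for a non-matching pattern is the case the note about overly restrictive regexes warns about.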
Great suggestion! I'm applying it now.
::::{tab-item} Regex
Specify a regex to extract the desired username. The regex is applied on the Subject DN.

Suggested change:

Using the [username_pattern](elasticsearch://reference/elasticsearch/configuration-reference/security-settings.md#ref-pki-settings) setting, specify a regex to extract the desired username. The regex is applied on the Subject DN.
```yaml
        pki:
          pki1:
            order: 1
            username_rdn_name: "CN"
```
qq: does this just replicate the default behavior (the CN of the Subject DN as the username)? we might want to choose a different field to display in the example
Yes, it does. There's a subtlety here, which is that we'd eventually like to deprecate the pattern-based configuration. So, eventually, the CN configuration shown will likely be the default. Having said that, we can use UID here instead.
shainaraskas left a comment
one small typo then good to go. thanks for adding this in 🙏
@shainaraskas, can this be merged prior to the ES release date? Or should I delay until then?
@ebarlas given that this is patching older releases, I suggest holding the PR until the patches go out. otherwise, people will think that this functionality is currently available. for what it's worth, the engineering policy is not to release features/enhancements in patches like this (unfortunately I don't have a written source for this policy on hand). our docs system accommodates features coming out in minors by subbing tags for future unreleased minor versions as edit: digging in the codebase, I think the rules in semver are what we are following as an org
That makes sense. I believe the justification here is that it is security-related.
This change adds one section to `deploy-manage/users-roles/cluster-or-deployment-auth/pki.md` with details about a pair of new settings:

- `username_rdn_name` - RDN attribute name to use for principal extraction from client certificate, e.g. `CN`
- `username_rdn_oid` - RDN attribute OID to use for principal extraction from client certificate, e.g. `2.5.4.3` (CN)

These changes have been merged to ES `main` (9.3.0): elastic/elasticsearch#137230

Back-porting is planned for ES 9.2.2, 9.1.8, and 8.19.8.