Skip to content

Add Details About username_rdn_name and username_rdn_oid to PKI Security Doc #4022

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

Add Details About username_rdn_name and username_rdn_oid to PKI Security Doc #4022

Changes from 6 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
bb53b30
Add details about username_rdn_name and username_rdn_oid to PKI secur…
ebarlas Nov 20, 2025
7407abc
Rearrange the section related to certificate principal extraction in …
ebarlas Nov 20, 2025
63764e0
Update deploy-manage/users-roles/cluster-or-deployment-auth/pki.md
ebarlas Nov 20, 2025
c717dcc
Replace tabs with spaces
ebarlas Nov 20, 2025
8306f98
Update deploy-manage/users-roles/cluster-or-deployment-auth/pki.md
ebarlas Nov 21, 2025
a78bf13
Update deploy-manage/users-roles/cluster-or-deployment-auth/pki.md
ebarlas Nov 21, 2025
fc077f5
Update deploy-manage/users-roles/cluster-or-deployment-auth/pki.md
ebarlas Nov 21, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 30 additions & 3 deletions deploy-manage/users-roles/cluster-or-deployment-auth/pki.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,32 @@
When you configure realms in `elasticsearch.yml`, only the realms you specify are used for authentication. If you also want to use the `native` or `file` realms, you must include them in the realm chain.
::::

2. Optional: The username is defined by the [username_pattern](elasticsearch://reference/elasticsearch/configuration-reference/security-settings.md#ref-pki-settings). If you want to use something other than the CN of the Subject DN as the username, you can specify a regex to extract the desired username. The regex is applied on the Subject DN.
2. Optional: If you want to use something other than the CN of the Subject DN as the username, you can use one of the following methods to extract the username:

Check notice on line 47 in deploy-manage/users-roles/cluster-or-deployment-auth/pki.md

View workflow job for this annotation

GitHub Actions / vale 

Elastic.Wordiness: Consider using 'remove' instead of 'extract'.

* {applies_to}`stack: ga 9.1` Extract the username from a specific relative distinguished name (RDN) attribute in the Subject DN.

Check notice on line 49 in deploy-manage/users-roles/cluster-or-deployment-auth/pki.md

View workflow job for this annotation

GitHub Actions / vale 

Elastic.Acronyms: 'RDN' has no definition.

Check notice on line 49 in deploy-manage/users-roles/cluster-or-deployment-auth/pki.md

View workflow job for this annotation

GitHub Actions / vale 

Elastic.Wordiness: Consider using 'remove' instead of 'Extract'.
* Using the [[username_pattern](elasticsearch://reference/elasticsearch/configuration-reference/security-settings.md#ref-pki-settings) setting, specify a regex to extract the desired username. The regex is applied on the Subject DN.

Check notice on line 50 in deploy-manage/users-roles/cluster-or-deployment-auth/pki.md

View workflow job for this annotation

GitHub Actions / vale 

Elastic.Wordiness: Consider using 'remove' instead of 'extract'.

:::::{tab-set}

::::{tab-item} Specific RDN attribute

Check notice on line 54 in deploy-manage/users-roles/cluster-or-deployment-auth/pki.md

View workflow job for this annotation

GitHub Actions / vale 

Elastic.Acronyms: 'RDN' has no definition.
The username can be extracted from a specific RDN attribute in the Subject DN by using [username_rdn_name](elasticsearch://reference/elasticsearch/configuration-reference/security-settings.md#ref-pki-settings) or [username_rdn_oid](elasticsearch://reference/elasticsearch/configuration-reference/security-settings.md#ref-pki-settings). When an RDN attribute configuration is provided, it supersedes `username_pattern`.

Check notice on line 55 in deploy-manage/users-roles/cluster-or-deployment-auth/pki.md

View workflow job for this annotation

GitHub Actions / vale 

Elastic.Acronyms: 'RDN' has no definition.

Check notice on line 55 in deploy-manage/users-roles/cluster-or-deployment-auth/pki.md

View workflow job for this annotation

GitHub Actions / vale 

Elastic.Acronyms: 'RDN' has no definition.

For example, to extract the username from the `CN` RDN attribute:

Check notice on line 57 in deploy-manage/users-roles/cluster-or-deployment-auth/pki.md

View workflow job for this annotation

GitHub Actions / vale 

Elastic.Acronyms: 'RDN' has no definition.

Check notice on line 57 in deploy-manage/users-roles/cluster-or-deployment-auth/pki.md

View workflow job for this annotation

GitHub Actions / vale 

Elastic.Wordiness: Consider using 'remove' instead of 'extract'.

```yaml
xpack:
security:
authc:
realms:
pki:
pki1:
order: 1
username_rdn_name: "CN"
Copy link
Collaborator

@shainaraskas shainaraskas Nov 20, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

qq: does this just replicate the default behavior (the CN of the Subject DN as the username)? we might want to choose a different field to display in the example

Copy link
Contributor Author

@ebarlas ebarlas Nov 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, it does. There's a subtlety here, which is that we'd eventually like to deprecate the pattern-based configuration. So, eventually, the CN configuration shown will likely be the default. Having said that, we can use UID here instead.

```
::::

::::{tab-item} Regex
Specify a regex to extract the desired username. The regex is applied on the Subject DN.

Check notice on line 72 in deploy-manage/users-roles/cluster-or-deployment-auth/pki.md

View workflow job for this annotation

GitHub Actions / vale 

Elastic.Wordiness: Consider using 'remove' instead of 'extract'.

For example, the regex in the following configuration extracts the email address from the Subject DN:

Expand All @@ -58,11 +83,13 @@
order: 1
username_pattern: "EMAILADDRESS=(.*?)(?:,|$)"
```

::::{note}
:::{note}
If the regex is too restrictive and does not match the Subject DN of the client’s certificate, then the realm does not authenticate the certificate.
:::
::::

:::::

3. Optional: If you want the same users to also be authenticated using certificates when they connect to {{kib}}, you must configure the {{es}} PKI realm to allow delegation. See [PKI authentication for clients connecting to {{kib}}](#pki-realm-for-proxied-clients).
4. Restart {{es}} because realm configuration is not reloaded automatically. If you’re following through with the next steps, you might wish to hold the restart for last.
5. If you're using a self-managed cluster, then [enable SSL/TLS](../../security/secure-cluster-communications.md#encrypt-internode-communication).
Expand Down
Loading