Hi,
I tried to set up client certificate authentication between Kibana and Elasticsearch (RPM-based installation):
elasticsearch.ssl.verificationMode: full
elasticsearch.ssl.certificateAuthorities: /etc/kibana/root-ca.pem
elasticsearch.ssl.certificate: /etc/kibana/kibanaserver.crt
elasticsearch.ssl.key: /etc/kibana/kibanaserver.key
#elasticsearch.username: kibanaserver
#elasticsearch.password: kibanaserver
elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
...
The certificate is signed by the root CA and accepted by Elasticsearch, so the connection is functional.
But when I log in to Kibana using my LDAP user/password, my user is hidden by the kibanaserver user. Kibana shows “kibanaserver” as the user, and if I e.g. try a simple search via the console I get an error:
"no permissions for [indices:data/read/search] and User [name=kibanaserver, backend_roles=, requestedTenant=user]"
So effectively the end user is hidden from Elasticsearch, and therefore all user-specific permissions are not effective.
If I comment out the elasticsearch.ssl.certificate and key and comment in the user/password everything works as expected.
But for security reasons we do not want to have technical users with passwords.
In config.yml the following providers are activated:
- basic_internal_auth_domain
- clientcert_auth_domain
- ldap
I suspect that the reason is that, because of the client cert, the basic auth user entry is completely ignored.
Am I missing something or is this a bug?
Regards Michael