So I have an ES cluster with TLS enabled, however I can’t seem to hit any endpoints using the admin certificate and curl.
My security config file contains the following:
_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    authc:
      clientcert_auth_domain:
        description: "Authenticate via SSL client certificates"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: clientcert
          config:
            username_attribute: cn
          challenge: false
        authentication_backend:
          type: noop
And so I am expecting it to pull the CN from the cert and use that as a username.
I also have the following config in my elasticsearch.yml:
opendistro_security.ssl.http.clientauth_mode: REQUIRE
opendistro_security.authcz.admin_dn:
  - "CN=elastic-admin,OU=Application,O=MyOrg,L=GB"
However, after all the config and using the admin cert & key I get the following response:
{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [cluster:monitor/health] and User [name=CN=elastic-admin,OU=Application,O=MyOrg,L=GB, backend_roles=[], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [cluster:monitor/health] and User [name=CN=elastic-admin,OU=Application,O=MyOrg,L=GB, backend_roles=[], requestedTenant=null]"},"status":403}
To ensure the subject is correct, I have also inspected the cert with openssl:
[root@st-shared-es-0 bleasej]# openssl x509 -subject -nameopt RFC2253 -noout -in admin.crt
subject= CN=elastic-admin,OU=Application,O=MyOrg,L=GB
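An added diagnostic, not from the post above or from the Open Distro project: it pulls the user DN that the plugin reports in a 403 body and compares it to each admin_dn entry both byte-for-byte and after RFC 2253 normalisation (attribute-type case, whitespace around separators, escaped commas), so an entry that matches only after normalisation points at a formatting difference in the config. The sample inputs are constructed from the post; the second admin_dn entry is hypothetical, written with spaces after the commas to show that case.

```python
import json
import re

# Constructed sample inputs (not from a live cluster): the 403 body quoted in the
# post, the admin_dn entry from elasticsearch.yml, and a hypothetical second entry
# with spaces after the commas to demonstrate a near-miss.
ERROR_BODY = json.dumps({"error": {"type": "security_exception", "reason":
    "no permissions for [cluster:monitor/health] and User [name=CN=elastic-admin,"
    "OU=Application,O=MyOrg,L=GB, backend_roles=[], requestedTenant=null]"},
    "status": 403})
ADMIN_DNS = ["CN=elastic-admin,OU=Application,O=MyOrg,L=GB",
             "CN=elastic-admin, OU=Application, O=MyOrg, L=GB"]  # hypothetical

def reported_user_dn(body):
    """Extract the DN the plugin used as the user name from a 403 reason string."""
    reason = json.loads(body)["error"]["reason"]
    m = re.search(r"User \[name=(.*?), backend_roles=", reason)
    if not m:
        raise ValueError("no user DN found in error reason")
    return m.group(1)

def parse_dn(dn):
    """Split an RFC 2253 DN into (TYPE, value) pairs, honouring backslash escapes."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:                       # escaped char is literal, e.g. "\," in a value
            buf, escaped = buf + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == ",":                   # unescaped comma ends the current RDN
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    # Attribute types are case-insensitive; surrounding whitespace is not significant.
    return [(t.strip().upper(), v.strip()) for t, _, v in (r.partition("=") for r in rdns)]

def dn_match(seen, configured):
    """exact: byte-for-byte equal; normalized: equal after parse_dn normalisation."""
    return {"exact": seen == configured,
            "normalized": parse_dn(seen) == parse_dn(configured)}

def check_admin_dn(body, admin_dns):
    """Compare the DN from the 403 body against every configured admin_dn entry."""
    seen = reported_user_dn(body)
    return [dict(admin_dn=d, seen=seen, **dn_match(seen, d)) for d in admin_dns]

if __name__ == "__main__":
    print(check_admin_dn(ERROR_BODY, ADMIN_DNS))
```

An entry that reports `exact: False, normalized: True` is the one to rewrite so it is character-for-character the subject that `openssl x509 -subject -nameopt RFC2253` prints.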