
Doc: Clarify xpack.security.http.ssl.client_authentication: optional recommendation #48303

Closed
ppf2 opened this issue Oct 15, 2019 · 3 comments
ppf2 commented Oct 15, 2019

Let's clarify xpack.security.http.ssl.client_authentication: optional recommendation for Kibana in 6.4+ directly in documentation.

We currently briefly mention this in the release notes of 6.4.0 (https://www.elastic.co/guide/en/kibana/6.4/release-notes-6.4.0.html). This is easy to miss and it doesn't help users who are running post-6.4.0 to begin with (or users upgrading from pre-6.3 and not reading the details in the readme).

No longer sets certs and keys for proxied calls to Elasticsearch #17804
Resolved issue with using PKI to authenticate the internal server user against Elasticsearch when X-Pack security is disabled or the realms in Elasticsearch are configured with PKI taking precedence to basic authentication.

Would like to see this documented directly in the appropriate sections around setting up security:

  • When setting up Elasticsearch https and not using PKI realm, do not set xpack.security.http.ssl.client_authentication: required. Recommended: xpack.security.http.ssl.client_authentication: optional
  • If there is a requirement for Kibana server to authenticate with Elasticsearch, configure PKI realm in Elasticsearch, then you can use elasticsearch.ssl.certificate and elasticsearch.ssl.key settings in the kibana.yml to specify the certificates to authenticate with Elasticsearch.
@ppf2 ppf2 added the Team:Docs label Oct 15, 2019
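As an added illustration (not part of this issue or of Elastic's code), a small lint that applies the two recommendations above to elasticsearch.yml and kibana.yml text: it flags `client_authentication: required` when no PKI realm is configured and when Kibana has no client certificate to present. It assumes flat `dotted.key: value` lines, the 6.x `realms.<name>.type: pki` and 7.x `realms.pki.<name>` realm layouts, and uses constructed sample configs.

```python
# Added example, not from the issue or from Elastic. Assumption: settings are flat
# "dotted.key: value" lines; nested YAML blocks are not handled.

def parse_flat_yaml(text: str) -> dict:
    """Parse one-line 'dotted.key: value' settings; strips comments and quotes."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def has_pki_realm(es: dict) -> bool:
    """True if a PKI realm is configured in the 6.x or 7.x key layout (assumed forms)."""
    return any(
        k.startswith("xpack.security.authc.realms.pki.")
        or (k.startswith("xpack.security.authc.realms.") and k.endswith(".type") and v == "pki")
        for k, v in es.items()
    )

def check_client_auth(es_yml: str, kibana_yml: str) -> list:
    """Return findings for the client_authentication / PKI realm / Kibana cert combination."""
    es, kb = parse_flat_yaml(es_yml), parse_flat_yaml(kibana_yml)
    mode = es.get("xpack.security.http.ssl.client_authentication", "none")
    pki = has_pki_realm(es)
    kb_cert = {"elasticsearch.ssl.certificate", "elasticsearch.ssl.key"} <= set(kb)
    findings = []
    if mode == "required" and not pki:
        findings.append("client_authentication: required without a PKI realm; use 'optional'")
    if mode == "required" and not kb_cert:
        findings.append("client_authentication: required but kibana.yml sets no elasticsearch.ssl.certificate/key")
    if kb_cert and not pki:
        findings.append("kibana.yml presents a client certificate but no PKI realm exists to authenticate it")
    return findings

# Constructed sample configurations (not taken from any real deployment).
WEAK_ES_YML = """
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.client_authentication: required   # blocks Kibana's proxied calls
"""
GOOD_ES_YML = WEAK_ES_YML.replace("required", "optional")
KIBANA_NO_CERT = "elasticsearch.hosts: [\"https://es:9200\"]\nelasticsearch.username: kibana\n"

if __name__ == "__main__":
    for name, es in (("weak", WEAK_ES_YML), ("recommended", GOOD_ES_YML)):
        print(name, check_client_auth(es, KIBANA_NO_CERT) or ["ok"])
```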
@elasticmachine
Pinging @elastic/kibana-docs (Team:Docs)

@KOTungseth KOTungseth self-assigned this Oct 18, 2019

KOTungseth commented Oct 21, 2019

@ppf2 I can pick this up, but I need some more context. Is this setting similar to the server.ssl.clientAuthentication setting:

Note that with server.ssl.clientAuthentication set to required, users are asked to provide a valid client certificate, even if they want to authenticate with username and password. Depending on the security policies, it may or may not be desired. If not, server.ssl.clientAuthentication can be set to optional. In this case, Kibana still requests a client certificate, but the client won’t be required to present one. The optional client authentication mode might also be needed in other cases, for example, when PKI authentication is used in conjunction with Reporting.

@KOTungseth

This was covered in #50748. The Elasticsearch writers are opening an issue to cover this in the Elasticsearch docs. Closing.
