Set up Enterprise Search with PKI user authentication
This feature is not available for all Elastic subscription levels. Refer to the subscriptions pages for Elastic Cloud and Elastic Stack. To change your subscription level or start a trial, see Elastic subscription.
The following documentation describes the process of configuring Elasticsearch and Kibana:
Within your Enterprise Search configuration settings, make sure that:
- kibana.host is set
- kibana.external_url is set
- any auth.source configurations are removed.
Configure Enterprise Search role mappings for PKI users
When you configured Elasticsearch and Kibana for PKI authentication using the documentation links above, one of the steps advised you to create a role mapping to be able to access Kibana. As a very simple and permissive example, you can give all users in the pki1 realm the superuser role, which also gives them full access to App Search and Workplace Search:
    PUT /_security/role_mapping/pki1_mapping
    {
      "roles": [ "superuser" ],
      "enabled": true,
      "rules": {
        "all": [
          { "field": { "realm.name": "pki1" } }
        ]
      }
    }
However, it's better to have more control. In the following example, users who successfully log in to the pki1 realm get full access to Kibana, but no access to Enterprise Search:
    PUT /_security/role_mapping/pki1_mapping
    {
      "roles": [ "kibana_admin" ],
      "enabled": true,
      "rules": {
        "all": [
          { "field": { "realm.name": "pki1" } }
        ]
      }
    }
In this case, pki1 users can be managed via Enterprise Search mappings. Before any mappings can be created, it is necessary to enable role-based access (RBAC) mode in either App Search or Workplace Search. After that, users can be mapped in Users and Roles.
Mapping can use common Elasticsearch user attributes, such as username and email, but also anything provided in metadata that is returned by the provider. A user logged in with a PKI certificate would have a pki_dn (distinguished name) populated in metadata. Example:
    {
      "pki_dn": "CN=john.smith, OU=Example Company Users, DC=example, DC=com",
      "pki_delegated_by_realm": "pki1",
      "pki_delegated_by_user": "localhost"
    }
We could give users different permissions by applying a pattern match on the pki_dn. In the following snippet, Example Company Users would get user-level permissions to Workplace Search:
    PUT /_security/role_mapping/pki1_mapping
    {
      "roles": [ "enterprise-search-workplace-search-user" ],
      "enabled": true,
      "rules": {
        "all": [
          { "field": { "dn": "*, OU=Example Company Users, DC=example, DC=com" } }
        ]
      }
    }
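However, Example Company Admins would get admin-level permissions. Note that a PUT to an existing mapping name replaces that mapping, so use a different name than pki1_mapping here if the user-level mapping above should stay in place: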
    PUT /_security/role_mapping/pki1_mapping
    {
      "roles": [ "enterprise-search-workplace-search-admin" ],
      "enabled": true,
      "rules": {
        "all": [
          { "field": { "dn": "*, OU=Example Company Admins, DC=example, DC=com" } }
        ]
      }
    }
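To check offline which roles a certificate DN would receive before applying mappings like the ones above, the following added example (not part of the Elastic documentation) evaluates the page's rules against constructed users and flags mappings that grant superuser on realm membership alone. It handles only all, any and field rules with the * wildcard; the DN normalisation, the mapping names ws_users and ws_admins, and every user except john.smith are assumptions made for illustration, not Elasticsearch's own matcher or data.

```python
import re

PRIVILEGED = {"superuser"}  # assumption: roles this audit treats as high-risk

def _norm_dn(dn):
    # Simplified DN normalisation (assumption): lowercase, trim around commas.
    return ",".join(part.strip().lower() for part in dn.split(","))

def rule_matches(rule, user):
    if "all" in rule:
        return all(rule_matches(r, user) for r in rule["all"])
    if "any" in rule:
        return any(rule_matches(r, user) for r in rule["any"])
    (field, pattern), = rule["field"].items()
    value = user.get(field)
    if value is None:
        return False  # a missing attribute never satisfies a field rule
    if field == "dn":
        pattern, value = _norm_dn(pattern), _norm_dn(value)
    # Only '*' is a wildcard; every other character must match literally.
    regex = ".*".join(re.escape(p) for p in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def roles_for(user, mappings):
    # Union of roles from every enabled mapping whose rules match the user.
    return sorted({r for m in mappings.values() for r in m["roles"]
                   if m["enabled"] and rule_matches(m["rules"], user)})

def _fields(rule):
    if "field" in rule:
        return set(rule["field"])
    return set().union(*map(_fields, rule.get("all", []) + rule.get("any", [])))

def realm_wide_privileged(mappings):
    # Names of mappings granting a privileged role on realm membership alone.
    return sorted(n for n, m in mappings.items() if PRIVILEGED & set(m["roles"])
                  and _fields(m["rules"]) <= {"realm.name"})

def _m(role, field, pattern):
    return {"roles": [role], "enabled": True, "rules": {"all": [{"field": {field: pattern}}]}}
DN = "*, OU=Example Company {}, DC=example, DC=com"  # the page's dn patterns
PERMISSIVE = {"pki1_mapping": _m("superuser", "realm.name", "pki1")}
SCOPED = {  # mapping names are hypothetical; the page reuses pki1_mapping
    "ws_users": _m("enterprise-search-workplace-search-user", "dn", DN.format("Users")),
    "ws_admins": _m("enterprise-search-workplace-search-admin", "dn", DN.format("Admins")),
}  # users below are constructed; only john.smith's DN is from the page
JOHN = {"realm.name": "pki1", "dn": "CN=john.smith, OU=Example Company Users, DC=example, DC=com"}
ADMIN = {"realm.name": "pki1", "dn": "cn=jane.doe,ou=example company admins,dc=example,dc=com"}
OTHER = {"realm.name": "pki1", "dn": "CN=temp, OU=Contractors, DC=example, DC=com"}
```

With the permissive mapping, the constructed Contractors user resolves to superuser; with the scoped mappings the same user resolves to no roles at all.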