{"id":397,"date":"2020-02-13T10:41:10","date_gmt":"2020-02-13T10:41:10","guid":{"rendered":"https:\/\/www.samarthya.me\/wps\/?p=397"},"modified":"2020-02-13T16:22:36","modified_gmt":"2020-02-13T16:22:36","slug":"authentication-elastic","status":"publish","type":"post","link":"https:\/\/blog.samarthya.me\/wps\/2020\/02\/13\/authentication-elastic\/","title":{"rendered":"Authentication: Elastic"},"content":{"rendered":"<p>As a software professional, I have been working in the space of IAM, SSO, DRM for quite some time and from my experience I can say, the way Elastic has simplified the integration of external or internal security for access is a treat for fellow developers. It was interesting to experiment with the security settings, and control tenancy.<\/p>\n<p>In this multi-step blog, I will try and capture the concepts first and then do a final integration with a dummy IdP to showcase a demo.<\/p>\n<h2>Realms<\/h2>\n<p>A realm, in the context of Elastic, is a service that provides authentication.<\/p>\n<blockquote>\n<pre><a href=\"https:\/\/www.elastic.co\/guide\/en\/elasticsearch\/reference\/current\/realms.html\">https:\/\/www.elastic.co\/guide\/en\/elasticsearch\/reference\/current\/realms.html<\/a><\/pre>\n<\/blockquote>\n<p>From the official documentation &#8211; A <em>realm<\/em> is used to resolve and authenticate users based on authentication tokens.<\/p>\n<p>The beauty is the chaining, which allows one or more such services to be plugged in as fallback options: a prioritized list of configured realms of different types.<\/p>\n<blockquote>\n<p>The priority in the realm chain is always ascending, meaning the realm with the lowest order value is evaluated first.<\/p>\n<\/blockquote>\n<h2>Authentication explained<\/h2>\n<p>During authentication, the incoming request is tried against one realm at a time. Once one of the realms <span style=\"text-decoration: underline;\"><strong>successfully authenticates<\/strong><\/span> the request, the authentication is considered to be successful. 
The authenticated user is associated with the request, which then proceeds to the <span style=\"text-decoration: underline;\"><strong>authorization<\/strong> <strong>phase<\/strong><\/span>.<\/p>\n<p>If a realm cannot authenticate the request, the next realm in the chain is consulted. If no realm in the chain can authenticate the request, the authentication is considered to be unsuccessful and an authentication error is returned.<\/p>\n<p><img fetchpriority=\"high\" decoding=\"async\" class=\"aligncenter  wp-image-402\" src=\"https:\/\/www.samarthya.me\/wps\/wp-content\/uploads\/2020\/02\/realmchain-300x153.png\" alt=\"\" width=\"451\" height=\"230\" srcset=\"https:\/\/blog.samarthya.me\/wps\/wp-content\/uploads\/2020\/02\/realmchain-300x153.png 300w, https:\/\/blog.samarthya.me\/wps\/wp-content\/uploads\/2020\/02\/realmchain.png 511w\" sizes=\"(max-width: 451px) 100vw, 451px\" \/><\/p>\n<h3>Only when security is enabled<\/h3>\n<p>When security features (<strong>xpack.security.enabled: true<\/strong>) are enabled, authentication is evaluated against the realms you\u2019ve configured.<\/p>\n<p><span class=\"term\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-405\" src=\"https:\/\/www.samarthya.me\/wps\/wp-content\/uploads\/2020\/02\/internal-r.png\" alt=\"\" width=\"260\" height=\"262\" srcset=\"https:\/\/blog.samarthya.me\/wps\/wp-content\/uploads\/2020\/02\/internal-r.png 260w, https:\/\/blog.samarthya.me\/wps\/wp-content\/uploads\/2020\/02\/internal-r-150x150.png 150w\" sizes=\"(max-width: 260px) 100vw, 260px\" \/><\/span><\/p>\n<pre style=\"text-align: center;\"><span class=\"term\">Internal realms are managed by Elastic <br \/><\/span><\/pre>\n<h2>Types of realms<\/h2>\n<p>There are two main categories:<\/p>\n<ul>\n<li>Internal: does not require external communication.<\/li>\n<li>External: requires external communication.<\/li>\n<\/ul>\n<p>Internal allows only one to be configured at a time, either file or native. 
No such restriction applies to external realms, which can be <code class=\"literal\">ldap<\/code>, <code class=\"literal\">active_directory<\/code>, <code class=\"literal\">saml<\/code>, <code class=\"literal\">kerberos<\/code>, and <code class=\"literal\">pki<\/code>.<\/p>\n<h2>Details<\/h2>\n<ul>\n<li><a href=\"https:\/\/www.elastic.co\/guide\/en\/elasticsearch\/reference\/current\/security-api.html#security-user-apis\"><span class=\"term\"><em>native<\/em><\/span><\/a> realm is where users are stored in a dedicated Elasticsearch index.<\/li>\n<li><a href=\"https:\/\/www.elastic.co\/guide\/en\/elasticsearch\/reference\/current\/ldap-realm.html\"><span class=\"term\"> <em>ldap<\/em><\/span><\/a> realm uses an external LDAP server to authenticate the users.<\/li>\n<li><a href=\"https:\/\/www.elastic.co\/guide\/en\/elasticsearch\/reference\/current\/active-directory-realm.html\"><span class=\"term\"><em>active_directory<\/em><\/span><\/a> realm uses an external Active Directory server to authenticate the users.<\/li>\n<li><span class=\"term\"><em>pki<\/em><\/span> realm authenticates users using Public Key Infrastructure (PKI).<\/li>\n<li><a href=\"https:\/\/www.elastic.co\/guide\/en\/elasticsearch\/reference\/current\/file-realm.html\"><span class=\"term\"><em>file<\/em><\/span><\/a> (internal) realm defines users in files stored on each node in the Elasticsearch cluster.<\/li>\n<li><a href=\"https:\/\/www.elastic.co\/guide\/en\/elasticsearch\/reference\/current\/saml-realm.html\"><span class=\"term\"><em>saml<\/em><\/span><\/a> realm facilitates authentication using the SAML 2.0 Web SSO protocol. 
This realm is designed to support authentication through Kibana and is not intended for use in the REST API.<\/li>\n<li><span class=\"term\"><em>kerberos<\/em> <\/span>realm authenticates a user using Kerberos authentication.<\/li>\n<li><span class=\"term\"><em>oidc<\/em> <\/span>realm facilitates authentication using OpenID Connect.<\/li>\n<\/ul>\n\n\n<h2 class=\"has-text-align-center wp-block-heading\">&#8212; THE &#8211; END &#8212; <\/h2>\n","protected":false},"excerpt":{"rendered":"<p>As a software professional, I have been working in the space of IAM, SSO, DRM for quite some time and from my experience I can say, the way Elastic has simplified the integration of external or internal security for access is a treat for fellow developers. It was interesting to experiment with the security settings, [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":399,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"footnotes":""},"categories":[34],"tags":[],"class_list":["post-397","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technical"],"_links":{"self":[{"href":"https:\/\/blog.samarthya.me\/wps\/wp-json\/wp\/v2\/posts\/397","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.samarthya.me\/wps\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.samarthya.me\/wps\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.samarthya.me\/wps\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.samarthya.me\/wps\/wp-json\/wp\/v2\/comments?post=397"}],"version-history":[{"count":0,"href":"https:\/\/blog.samarthya.me\/wps\/wp-json\/wp\/v2\/posts\/397\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.samarthya.me\/wps\/wp-
json\/wp\/v2\/media\/399"}],"wp:attachment":[{"href":"https:\/\/blog.samarthya.me\/wps\/wp-json\/wp\/v2\/media?parent=397"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.samarthya.me\/wps\/wp-json\/wp\/v2\/categories?post=397"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.samarthya.me\/wps\/wp-json\/wp\/v2\/tags?post=397"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}