Hi,
I am trying to use elastic beats OSS version with opensearch. during the configuration of beats, there are 2 ways to provide authentication i.e. api_key and username password. We have an option to generate api_key in elasticsearch so is there an option to do the same in opensearch? and if so, which of these methods is more preferable?
@Paurav.Thakkar with opensearch, you can either use basic auth, which is simple to implement and is very lightweight or you can use certificates to authenticate beats user.
If you decide to go down the certificate route, just need to remember to enable cert_auth in config.yml file.
The beats config would look something like this:
output.elasticsearch:
# Array of hosts to connect to.
hosts: ["https://localhost:9200"]
ssl.certificate_authorities: ["/path/to/ca"]
ssl.certificate: "/path/to/cert"
ssl.key: "/path/to/key"
There is no option for api_key as far as I know
Hope this helps
1 Like
@Anthony when you say the certificate route, does this mean that I don’t need to provide id and password in yml file anymore or does this certificate just encrypt the communication?
@Paurav.Thakkar if you enable certificate_auth in config.yml, then in filebeats.yaml you no longer need to specify username/password, as it will not use basic auth and will use certificate to authenticate instead, you cannot extract backend roles from certificate however, therefore the role would need to be mapped to the username, in this case cn, assuming your config.yml uses cn, see below:
clientcert_auth_domain:
description: "Authenticate via SSL client certificates"
http_enabled: true
transport_enabled: false
order: 1
http_authenticator:
type: clientcert
config:
username_attribute: cn #optional, if omitted DN becomes username
challenge: false
authentication_backend:
type: noop
Hi @Anthony, can you please provide me the APIs to configure this option in opensearch. All I could find related to this is the role mapping API. Thank you for the help.
@Paurav.Thakkar
The docs for this API are here, however, as per the docs, I would highly recommend updating the config.yml file and using securityadmin.sh script to load the changes. As this API can be quite “temperamental”