Linking TLS certificate CN with user/role

I have created a client TLS certificate and enabled clientcert authentication.
How is the authentication_backend configured to map the CN in the certificate to a user?

I have created new certificates, configured them in elasticsearch.yml and added the new Root CA to /etc/ssl/certs/ca-certificates.crt using update-ca-certifiactes and tested that the client cretificate is valid.

I am attempting to connect to Elasticsearch from Python using the Elasticsearch module but get:
elasticsearch.exceptions.AuthenticationException: AuthenticationException(401, ‘Unauthorized’)

when attemting to connect with:

es = Elasticsearch([{‘host’: ‘192.168.0.10’, ‘port’: ‘9200’}],
scheme=“https”,
use_ssl=True,
ssl_assert_hostname=False,
client_cert=‘client.cert’,
client_key=‘client.key’,
ca_certs=’/etc/ssl/certs/ca-certificates.crt’
)

es.info()

I am assuming this is because the TLS CN name is not mapped to a user/role.

My config is:
clientcert_auth_domain:
description: “Authenticate via SSL client certificates”
http_enabled: true
transport_enabled: false
order: 2
http_authenticator:
type: clientcert
config:
username_attribute: cn #optional, if omitted DN becomes username
challenge: false
authentication_backend:
type: internal

Regards,
Ben

I found the answer in the SearchGuard docmentation:

  1. Create a role with the appropriate permissions
  2. Create a role mapping from the role with the user name as the CN from the TLS certificate