Support for proxied PKI authentication

[jaymode]

The PKI realm currently relies on the TLS handshake with the client for authentication, which works in most cases. However, there are cases where end user requests may be proxied by another server such as Kibana. In these cases, the PKI realm would not have access to the TLS handshake with the client and the clients certificate directly. In order to enable end user PKI authentication for this use case we would need to add support for proxied PKI (PPKI MITM AAS as @jkakavas puts it). The requirements for this are:

• The proxied client certificate must be placed in an HTTP header
• The client connection proxying the certificate must be authenticated using PKI
• The client subject authenticated using PKI must be allowed to proxy pki (configured at the realm level)
• There needs to be some level of auditing for this; can we safely re-purpose run as?

cc @kobelb @clintongormley

[elasticmachine]

Pinging @elastic/es-security

[alexbrasetvik]

Some of the material here might be of interest: https://docs.google.com/presentation/d/1ko8xveyspZsZ6RWcXwHizPnt3R1EAGFdV__a2ZTGUDM/edit?usp=sharing

[tvernum]

The client connection proxying the certificate must be authenticated using PKI

Do we specifically mean that it must use the PKI realm, or simply that it must have a validated client certificate?

[jaymode]

Do we specifically mean that it must use the PKI realm, or simply that it must have a validated client certificate?

My initial thought was that we should require the connection to be authenticated with the PKI Realm and the proxied client certificate should be authenticated with the PKI realm as well. Upon further thought, I do not feel that aspect is a hard requirement. I think the following should be properties that we keep though:

• the connection from the proxying app has authentication
• the authenticated user from the proxying app needs to be authorized to proxy the certificate

[albertzaharovits]

The description above is of a variant of run-as functionality; there is one authenticated client (kibana) that authorizes as another principal. We already have the privilege model to define which principals can authorize as which one (the run_as privilege). The way to convey the authorization principal is through the es-security-runas-user HTTP header.
Therefore, one option is to extend the existing run_as functionality to make it work in the case that the authorization principal is defined by a X509v3 certificate. There are de-facto standards to convey the client certificate (or fields of it) from the proxy (kibana) to the service provider (elasticsearch); eg the X-SSL-CERT family of headers of nginx.

Implementation hurdles:

• there are possibly multiple identities bound to the certificate; we need to build capabilities into ES that allow the administrator to define THE way to parse out the principal.
• if we wish to allow extracting the principal in terms of the client's trusted certificate chain it will become very complex; not least because passing cert chains using the de-facto headers is not available.

Qualms:

• Kibana is more than a proxy doing authentication as part of the TLS termination. Kibana does many more requests to ES for a single incoming request; there is also the notion of background jobs running as the user. Therefore we would be stretching the X-SSL-CERT outside the de-facto use case (there is no inherent security problem with that, but if we go with a standard practice let's follow the use case the practice is used for, otherwise find another standard).

Note that this alternative will not add or extend any authentication realm, it will extend an authorization feature (the run_as impersonation).

Another alternative is to create a new API that implements the delegation functionality of the PKI realm. In ES we broadly have two types of realms, the ones that validate secrets, such as passwords, and realms that consume authentication statements from third party services (SAML, OIDC, Kerberos). The latter do not do authentication but validate an authentication statement (claims, tickets). Upon successful validation, ES issues a token usable by kibana to authorize as the user in the claims/ticket.

In this proposal ES will be validating the certificate chain of the client that connected over TLS to kibana and afterwards will emit a token to be used by kibana to authorize as the user. Kibana then stores the token on the client as a cookie, and forwards it to ES as a header.

Implementation hurdles:

• The same problem with extracting a principal from a certificate chain on the ES side.
• Kibana has to make sure the token in the cookie is associated with the current TLS client certificate; The underlying TLS connection can change without a proper logout ceremony. Kibana has to detect that the token in the cookie was issue for a different client certificate than the currently used one (after a new TLS handshake) and re-request a new token.

Qualms:

• Certificate chains may look like signed assertions of identity, but they lack the crucial short time validity. Without a limited lifetime, the cert chain used as an identity assertion provides little guarantees. Therefore, this is not a true realm, offering a false sense of security (unusable outside Kibbana) and relying on Kibana to validate the association of the secret private key with the certificate (during TLS termination).

Another alternative is to completely delegate authentication to Kibana, including parsing of the principal. This is a variant of the first alternative. In this way there is little to do on the ES side, but do the role-mapping to the principal (basically run-as with the option to not lookup the user). The principal can be conveyed to ES via headers (X-SSL-CERT friends) or fancy JWT tokens. Both of these require TLS between Kibana and ES. The only narrow advantage of JWT is the ability to communicate more complex attributes about the user that can be utilized in role mappings.

RFC @elastic/es-security @elastic/kibana-security

[albertzaharovits]

When discussing options, I propose we argue about what the considered option is bringing over simply using the existing run-as ES feature.

I will shortly describe the setup with run-as, and let us consider this as the baseline implementation.

Kibana does TLS termination and parses the principal out of the DN in the Subject attribute of the client's certificate and then forwards that principal value in the es-security-runas-user header to ES.
Kibana has to make sure that the header value of every request to ES reflects truthfully the client cert on the TLS session between the client and Kibana. Similarly to ES's PKI realm, Kibana should permit the configuration of additional truststores that must validate the client cert, in addition to the HTTP layer validation. There ought to be mandatory TLS between Kibana and ES. ES is not aware that Kibana validates PKI certs (eg in audit logs) but can do the LDAP lookup of the principal by rebuilding the DN with the rules of the individual LDAP realms. ES also has to be configured to permit run_as for the Kibana principal

I believe this satisfies most of the requirements, and I would suggest we go with this. Alternatively, let us find compelling use cases not satisfied by this setup to motivate implementation variations suggested in #34396 (comment).

[kobelb]

Previous discussion about allowing Kibana to utilize the run-as header have ended with us deciding that we shouldn't grant this privilege to the kibana_system role because of the security ramifications. If I understand correctly, the other solutions which have been proposed don't require the relaxing of this consideration, and prevent Kibana from being able to "run as" arbitrary users.