Documentation ¶
Overview ¶
Delegate PKI authentication.
This API implements the exchange of an X509Certificate chain for an Elasticsearch access token. The certificate chain is validated, according to RFC 5280, by sequentially considering the trust configuration of every installed PKI realm that has `delegation.enabled` set to `true`. A successfully trusted client certificate is also subject to the validation of the subject distinguished name according to the `username_pattern` of the respective realm.
This API is called by smart and trusted proxies, such as Kibana, which terminate the user's TLS session but still want to authenticate the user by using a PKI realm, as if the user connected directly to Elasticsearch.
IMPORTANT: The association between the subject public key in the target certificate and the corresponding private key is not validated. This is part of the TLS authentication process and it is delegated to the proxy that calls this API. The proxy is trusted to have performed the TLS authentication and this API translates that authentication into an Elasticsearch access token.
Index ¶
- Variables
- type DelegatePki
- func (r DelegatePki) Do(providedCtx context.Context) (*Response, error)
- func (r *DelegatePki) ErrorTrace(errortrace bool) *DelegatePki
- func (r *DelegatePki) FilterPath(filterpaths ...string) *DelegatePki
- func (r *DelegatePki) Header(key, value string) *DelegatePki
- func (r *DelegatePki) HttpRequest(ctx context.Context) (*http.Request, error)
- func (r *DelegatePki) Human(human bool) *DelegatePki
- func (r DelegatePki) Perform(providedCtx context.Context) (*http.Response, error)
- func (r *DelegatePki) Pretty(pretty bool) *DelegatePki
- func (r *DelegatePki) Raw(raw io.Reader) *DelegatePki
- func (r *DelegatePki) Request(req *Request) *DelegatePki
- func (r *DelegatePki) X509CertificateChain(x509certificatechains ...string) *DelegatePki
- type NewDelegatePki
- type Request
- type Response
Constants ¶
This section is empty.
Variables ¶
var ErrBuildPath = errors.New("cannot build path, check for missing path parameters")
ErrBuildPath is returned in case of missing parameters within the build of the request.
Functions ¶
This section is empty.
Types ¶
type DelegatePki ¶
type DelegatePki struct {
// contains filtered or unexported fields
}
func New ¶
func New(tp elastictransport.Interface) *DelegatePki
Delegate PKI authentication.
This API implements the exchange of an X509Certificate chain for an Elasticsearch access token. The certificate chain is validated, according to RFC 5280, by sequentially considering the trust configuration of every installed PKI realm that has `delegation.enabled` set to `true`. A successfully trusted client certificate is also subject to the validation of the subject distinguished name according to the `username_pattern` of the respective realm.
This API is called by smart and trusted proxies, such as Kibana, which terminate the user's TLS session but still want to authenticate the user by using a PKI realm, as if the user connected directly to Elasticsearch.
IMPORTANT: The association between the subject public key in the target certificate and the corresponding private key is not validated. This is part of the TLS authentication process and it is delegated to the proxy that calls this API. The proxy is trusted to have performed the TLS authentication and this API translates that authentication into an Elasticsearch access token.
func (DelegatePki) Do ¶
func (r DelegatePki) Do(providedCtx context.Context) (*Response, error)
Do runs the request through the transport, handles the response and returns a delegatepki.Response.
func (*DelegatePki) ErrorTrace ¶
func (r *DelegatePki) ErrorTrace(errortrace bool) *DelegatePki
ErrorTrace When set to `true` Elasticsearch will include the full stack trace of errors when they occur. API name: error_trace
func (*DelegatePki) FilterPath ¶
func (r *DelegatePki) FilterPath(filterpaths ...string) *DelegatePki
FilterPath Comma-separated list of filters in dot notation which reduce the response returned by Elasticsearch. API name: filter_path
func (*DelegatePki) Header ¶
func (r *DelegatePki) Header(key, value string) *DelegatePki
Header sets a key, value pair in the DelegatePki headers map.
func (*DelegatePki) HttpRequest ¶
HttpRequest returns the http.Request object built from the given parameters.
func (*DelegatePki) Human ¶
func (r *DelegatePki) Human(human bool) *DelegatePki
Human When set to `true` will return statistics in a format suitable for humans. For example `"exists_time": "1h"` for humans and `"exists_time_in_millis": 3600000` for computers. When disabled the human readable values will be omitted. This makes sense for responses being consumed only by machines. API name: human
func (DelegatePki) Perform ¶
Perform runs the http.Request through the provided transport and returns an http.Response.
func (*DelegatePki) Pretty ¶
func (r *DelegatePki) Pretty(pretty bool) *DelegatePki
Pretty If set to `true` the returned JSON will be "pretty-formatted". Use this option for debugging only. API name: pretty
func (*DelegatePki) Raw ¶
func (r *DelegatePki) Raw(raw io.Reader) *DelegatePki
Raw takes a JSON payload as input, which is then passed to the http.Request. If specified, Raw takes precedence over the Request method.
func (*DelegatePki) Request ¶
func (r *DelegatePki) Request(req *Request) *DelegatePki
Request sets the request property with the appropriate payload.
func (*DelegatePki) X509CertificateChain ¶
func (r *DelegatePki) X509CertificateChain(x509certificatechains ...string) *DelegatePki
The X509Certificate chain, which is represented as an ordered string array. Each string in the array is the base64 encoding (Section 4 of RFC4648 - not base64url-encoded) of the certificate's DER encoding.
The first element is the target certificate that contains the subject distinguished name that is requesting access. This may be followed by additional certificates; each subsequent certificate is used to certify the previous one. API name: x509_certificate_chain
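An added example (not part of the go-elasticsearch package) of how a TLS-terminating proxy could build the `x509_certificate_chain` body from the session it authenticated, refusing sessions where it did not itself verify the client certificate, since this API does not check possession of the private key. `ChainBody` and `sampleCert` are hypothetical names, the certificates are constructed sample data, and only the Go standard library is used.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

// ChainBody builds the request body; it rejects a session whose client certificate the proxy did not verify.
func ChainBody(cs tls.ConnectionState) ([]byte, error) {
	if !cs.HandshakeComplete || len(cs.VerifiedChains) == 0 {
		return nil, fmt.Errorf("client certificate not verified by proxy")
	}
	var chain []string
	for _, c := range cs.PeerCertificates { // target certificate first
		chain = append(chain, base64.StdEncoding.EncodeToString(c.Raw)) // RFC 4648 section 4
	}
	return json.Marshal(map[string][]string{"x509_certificate_chain": chain})
}

// sampleCert issues a throwaway certificate (constructed data); nil parent means self-signed CA.
func sampleCert(cn string, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: parent == nil,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, signer = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, key
}

func main() {
	ca, caKey := sampleCert("Example CA", nil, nil)
	leaf, _ := sampleCert("constructed-user", ca, caKey)
	certs := []*x509.Certificate{leaf, ca}
	body, err := ChainBody(tls.ConnectionState{HandshakeComplete: true, PeerCertificates: certs, VerifiedChains: [][]*x509.Certificate{certs}})
	fmt.Printf("%s\n%v\n", body, err)
}
```

In a real proxy, `VerifiedChains` is only populated when the listener's `tls.Config` uses a verifying `ClientAuth` mode such as `tls.RequireAndVerifyClientCert`; the resulting bytes can be passed to `Raw`.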
type NewDelegatePki ¶
type NewDelegatePki func() *DelegatePki
NewDelegatePki type alias for index.
func NewDelegatePkiFunc ¶
func NewDelegatePkiFunc(tp elastictransport.Interface) NewDelegatePki
NewDelegatePkiFunc returns a new instance of DelegatePki with the provided transport. Used in the index of the library, this allows retrieving every API in one place.
type Request ¶
type Request struct {
	// X509CertificateChain The X509Certificate chain, which is represented as an ordered string array.
	// Each string in the array is the base64 encoding (Section 4 of RFC4648 - not
	// base64url-encoded) of the certificate's DER encoding.
	//
	// The first element is the target certificate that contains the subject
	// distinguished name that is requesting access.
	// This may be followed by additional certificates; each subsequent certificate
	// is used to certify the previous one.
	X509CertificateChain []string `json:"x509_certificate_chain"`
}
Request holds the request body struct for the package delegatepki
type Response ¶
type Response struct {
	// AccessToken An access token associated with the subject distinguished name of the
	// client's certificate.
	AccessToken    string                `json:"access_token"`
	Authentication *types.Authentication `json:"authentication,omitempty"`
	// ExpiresIn The amount of time (in seconds) before the token expires.
	ExpiresIn int64 `json:"expires_in"`
	// Type The type of token.
	Type string `json:"type"`
}
Response holds the response body struct for the package delegatepki