(v9) Add JWT auth guide for ElasticSearch #12612
Conversation
@r0mant Should we mention somewhere in the Database Access that ElasticSearch can be configured in Application access? I'd personally look for ElasticSearch in DB access and probably assume that it's not supported if it's not mentioned there.
@jakule Yeah, this guide will probably become obsolete (or at least, less relevant) when we implement proper ElasticSearch support in Database Access, but it's still a ways off, and it still may be useful for some folks I think.
@jakule Actually, I think I may have misunderstood what you meant. You're talking about something like adding a link to this guide from the Database Access guides section? Yes, I thought about it before also and I think it makes sense. I'll play around and see how it'd make sense to do it.
Yes, I was thinking about mentioning this guide in the Database Access to indicate that although we do not fully support ElasticSearch, there is a way to integrate it into Teleport. I think that most people don't know how Application access works and they may not be aware that such a workaround exists. I understand that this is not full support, but I still think it's worth mentioning it somewhere for better visibility.
Will this be forward-ported to master?
Yes. TBH I should have started with master but I started editing this in v9 and decided to push here first.
Left a question to start. I can come back to this PR for a more thorough review next week.
@ptgott I have addressed your feedback, can you take another look?
Added a final round of questions
## Prerequisites

- Teleport cluster version >= 9.3 with running Auth/Proxy Services and configured [Application Access](../guides/connecting-apps.mdx).
Should we use something like the edition-prereqs-tabs.mdx partial instead of the first bullet? The benefit would be that there would be edition-specific information on getting started. Downsides would be that (a) there's no version warning in the partial and (b) tctl is mentioned in the partial but not the guide.
Yeah, in this case it is different enough that I don't think it's really worth it.
👍
I think we can clarify "configured Application Access." Does that mean that there's at least one host running the Application Service and at least one connected application?
claims.principal: sub
claims.groups: roles
allowed_issuer: example-cluster
allowed_audiences: ["https://elasticsearch.example.com:9200"]
Will this list always have a single element?
In most cases yes. It probably can have more than 1 element if other applications also use JWT auth and connect to ElasticSearch using different address.
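The exchange above is about how the realm treats allowed_audiences when it has more than one entry. Below is an added example, not Teleport's or Elasticsearch's code, of a small Go verifier that enforces the four settings from the snippet (claims.principal, claims.groups, allowed_issuer, allowed_audiences) the way a JWT realm would, paired with a minter that stands in for the issuing proxy. It assumes the token is RS256-signed and carries sub, roles, iss, aud and exp, that aud may be a single string or an array (RFC 7519 allows both), and that one audience match is enough for acceptance; the field and function names are the example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// JWTRealm is the subset of an Elasticsearch jwt realm configuration discussed
// in the review; Key is assumed to be the issuing cluster's JWT public key.
type JWTRealm struct {
	PrincipalClaim, GroupsClaim, AllowedIssuer string
	AllowedAudiences                           []string
	Key                                        *rsa.PublicKey
}

var enc = base64.RawURLEncoding

// Mint produces an RS256 compact JWT; it stands in for the issuing proxy.
func Mint(key *rsa.PrivateKey, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	sum := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	return input + "." + enc.EncodeToString(sig), err
}

// stringList normalises a claim RFC 7519 lets a token carry as a string or an
// array of strings ("aud" is the classic case, and "roles" arrives the same way).
func stringList(v any) []string {
	if s, ok := v.(string); ok {
		return []string{s}
	}
	var out []string
	arr, _ := v.([]any)
	for _, x := range arr {
		if s, ok := x.(string); ok {
			out = append(out, s)
		}
	}
	return out
}

// Authenticate checks signature, expiry, issuer and audience, then maps the
// configured claims to (principal, groups). Any failure rejects the token.
func (r JWTRealm) Authenticate(token string, now time.Time) (string, []string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", nil, fmt.Errorf("malformed token")
	}
	// RS256 is pinned to the realm's key and the header alg is never consulted,
	// so alg=none or HS256 tokens fail verification instead of bypassing it.
	sig, sErr := enc.DecodeString(parts[2])
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if sErr != nil || rsa.VerifyPKCS1v15(r.Key, crypto.SHA256, sum[:], sig) != nil {
		return "", nil, fmt.Errorf("signature verification failed")
	}
	var claims map[string]any
	if body, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(body, &claims) != nil {
		return "", nil, fmt.Errorf("malformed claims")
	}
	exp, _ := claims["exp"].(float64) // a missing exp decodes as 0 and is rejected
	iss, _ := claims["iss"].(string)
	principal, _ := claims[r.PrincipalClaim].(string)
	audOK := false // one match suffices: the multi-element allowed_audiences case
	for _, a := range stringList(claims["aud"]) {
		for _, allowed := range r.AllowedAudiences {
			audOK = audOK || a == allowed
		}
	}
	switch {
	case now.Unix() >= int64(exp):
		return "", nil, fmt.Errorf("token expired or missing exp")
	case iss != r.AllowedIssuer:
		return "", nil, fmt.Errorf("issuer %q not allowed", iss)
	case !audOK:
		return "", nil, fmt.Errorf("no allowed audience in token")
	case principal == "":
		return "", nil, fmt.Errorf("claim %q missing", r.PrincipalClaim)
	}
	return principal, stringList(claims[r.GroupsClaim]), nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed key pair for the demo
	realm := JWTRealm{PrincipalClaim: "sub", GroupsClaim: "roles", AllowedIssuer: "example-cluster", AllowedAudiences: []string{"https://elasticsearch.example.com:9200"}, Key: &key.PublicKey}
	tok, _ := Mint(key, map[string]any{"sub": "alice", "roles": []string{"access"}, "iss": "example-cluster", "aud": "https://elasticsearch.example.com:9200", "exp": time.Now().Add(time.Minute).Unix()})
	fmt.Println(realm.Authenticate(tok, time.Now()))
}
```

A token minted for another app under the same cluster is accepted only if its aud also names the Elasticsearch address, which is why adding a second entry to allowed_audiences widens access and should be done deliberately; pinning the algorithm to the realm's key rather than trusting the header alg is what keeps a forged alg=none token out.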
@ptgott Sorry for the delay, just got a chance to address your feedback. Could you take another look please?
Approved with some notes
Following #12567, I wanted to add a guide showing how to configure JWT authn with ElasticSearch.
I've factored out JWT into a separate section, will add Grafana to it later as well.