diff --git a/docs/reference/security/authentication/configuring-pki-realm.asciidoc b/docs/reference/security/authentication/configuring-pki-realm.asciidoc index 54118027e59af..499113989be14 100644 --- a/docs/reference/security/authentication/configuring-pki-realm.asciidoc +++ b/docs/reference/security/authentication/configuring-pki-realm.asciidoc @@ -6,11 +6,6 @@ the desired network layers (transport or http), and map the Distinguished Names (DNs) from the Subject field in the user certificates to roles. You create the mappings in a role mapping file or use the role mappings API. -TIP: You can use a combination of PKI and username/password authentication. For -example, you can enable SSL/TLS on the transport layer and define a PKI realm to -require transport clients to authenticate with X.509 certificates, while still -authenticating HTTP traffic using username and password credentials. - . Add a realm configuration for a `pki` realm to `elasticsearch.yml` under the `xpack.security.authc.realms.pki` namespace. You must explicitly set the `order` attribute. See <> for all of the options you can set for a @@ -42,7 +37,8 @@ realms you specify are used for authentication. If you also want to use the -- -. Optional: If you want to use something other than the CN of the Subject DN as +. Optional: The username (as defined by the username_pattern) is used for auditing and logging. +If you want to use something other than the CN of the Subject DN as the username, you can specify a regex to extract the desired username. The regex is applied on the Subject DN. + diff --git a/docs/reference/settings/security-settings.asciidoc b/docs/reference/settings/security-settings.asciidoc index 78850f617ee65..494dc428a295b 100644 --- a/docs/reference/settings/security-settings.asciidoc +++ b/docs/reference/settings/security-settings.asciidoc 
@@ -1015,8 +1015,9 @@ the following settings: `username_pattern`:: (<>) The regular expression pattern used to extract the username from the -certificate DN. The first match group is the used as the username. -Defaults to `CN=(.*?)(?:,\|$)`. +certificate DN. The username is used for auditing and logging (not role mapping). +The first match group is the used as the username. +Defaults to `CN=(.*?)(?:,|$)`. `certificate_authorities`:: (<>)
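Review bot: in the first `configuring-pki-realm.asciidoc` hunk, the TIP about combining PKI with username/password authentication is deleted with nothing replacing it, and the commit gives no reason. The transport-client example may be what is out of date, but the opening sentence ("You can use a combination of PKI and username/password authentication.") does not depend on transport clients; consider keeping that sentence, possibly with an HTTP-only example, so readers still learn that enabling a PKI realm does not force certificate authentication for all traffic.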
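Review bot: in the second `configuring-pki-realm.asciidoc` hunk, the new sentence "The username (as defined by the username_pattern) is used for auditing and logging." is placed inside the step that begins ". Optional:", so a statement that always applies now reads as part of an optional step; move it to the end of the preceding step, or rewrite the step as ". Optional: The username extracted by `username_pattern` is used for auditing and logging. If you want to use something other than the CN ...". Also wrap `username_pattern` in backticks, matching how `pki` and `order` are formatted in the same file, and consider stating here too that the username is not used for role mapping (the settings hunk says so, and the intro of this file already explains that roles are mapped from the Subject DN), so both pages agree.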
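Review bot: in the `security-settings.asciidoc` hunk, the line "The first match group is the used as the username." is re-added with the pre-existing typo intact; since the hunk already rewrites this region, drop the stray "the" so it reads "The first match group is used as the username." Separately, the default changes from `CN=(.*?)(?:,\|$)` to `CN=(.*?)(?:,|$)`: if the backslash was AsciiDoc escaping for the pipe rather than part of the regex, removing it is right, but please confirm in the rendered page that the `|` still appears and does not start a table cell. The parenthetical "(not role mapping)" would also be clearer as a full clause, e.g. "it is not used for role mapping, which is based on the certificate's Subject DN", which is what the PKI realm page already states.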