Elasticsearch: explicitly require --db-user. (#20695)

* Elasticsearch: require `--db-user`. * Review: improve error message, cleanup.
2024-10-20 01:03:40 +00:00 · 2023-01-30 15:22:08 +01:00 · 2023-01-30 15:22:08 +01:00 · f00f35bfc8
parent 978fd03a22
commit f00f35bfc8
2 changed files with 6 additions and 1 deletions
--- a/lib/srv/db/elasticsearch/engine.go
+++ b/lib/srv/db/elasticsearch/engine.go
@ -118,6 +118,10 @@ func (e *Engine) HandleConnection(ctx context.Context, sessionCtx *common.Sessio

 	clientConnReader := bufio.NewReader(e.clientConn)

+	if sessionCtx.Identity.RouteToDatabase.Username == "" {
+		return trace.BadParameter("database username required for Elasticsearch")
+	}
+
 	tlsConfig, err := e.Auth.GetTLSConfig(ctx, sessionCtx)
 	if err != nil {
 		return trace.Wrap(err)
--- a/tool/tsh/db.go
+++ b/tool/tsh/db.go
@ -265,9 +265,10 @@ func checkAndSetDBRouteDefaults(r *tlsca.RouteToDatabase) error {
 	// When generating certificate for MongoDB access, database username must
 	// be encoded into it. This is required to be able to tell which database
 	// user to authenticate the connection as.
+	// Elasticsearch needs database username too.
 	if r.Username == "" {
 		switch r.Protocol {
-		case defaults.ProtocolMongoDB:
+		case defaults.ProtocolMongoDB, defaults.ProtocolElasticsearch:
 			return trace.BadParameter("please provide the database user name using the --db-user flag")
 		case defaults.ProtocolRedis:
 			// Default to "default" in the same way as Redis does. We need the username to check access on our side.