2017-04-11 04:08:12 -04:00
|
|
|
[[cross-cluster-configuring]]
|
|
|
|
=== Cross Cluster Search and Security
|
|
|
|
|
|
|
|
{ref}/modules-cross-cluster-search.html[Cross Cluster Search] enables
|
|
|
|
federated search across multiple clusters. When using cross cluster search
|
|
|
|
with secured clusters, all clusters must have {security} enabled.
|
|
|
|
|
|
|
|
The local cluster (the cluster used to initiate cross cluster search) must be
|
|
|
|
allowed to connect to the remote clusters, which means that the CA used to
|
|
|
|
sign the SSL/TLS key of the local cluster must be trusted by the remote
|
|
|
|
clusters.
|
|
|
|
|
|
|
|
User authentication is performed on the local cluster and the user and user's
|
|
|
|
roles are passed to the remote clusters. A remote cluster checks the user's
|
|
|
|
roles against its local role definitions to determine which indices the user
|
|
|
|
is allowed to access.
|
|
|
|
|
2017-04-27 07:32:22 -04:00
|
|
|
NOTE: For the moment, cross cluster search with security enabled does not
|
|
|
|
support using wildcards for either cluster or index names.
|
|
|
|
|
2017-04-11 04:08:12 -04:00
|
|
|
To use cross cluster search with secured clusters:
|
|
|
|
|
|
|
|
* Install {xpack} on every node in each connected cluster.
|
|
|
|
|
|
|
|
* Enable encryption globally. To encrypt communications, you must enable
|
|
|
|
<<ssl-tls,enable SSL/TLS>> on every node.
|
|
|
|
|
|
|
|
* Enable a trust relationship between the cluster used for performing cross
|
|
|
|
cluster search (the local cluster) and all remote clusters. This can be done
|
|
|
|
either by:
|
|
|
|
+
|
|
|
|
** Using the same certificate authority to generate certificates for all
|
|
|
|
connected clusters, or
|
|
|
|
** Adding the CA certificate from the local cluster as a trusted CA in
|
|
|
|
each remote cluster (see <<transport-tls-ssl-settings>>).
|
|
|
|
|
|
|
|
* Configure the local cluster to connect to remote clusters as described
|
|
|
|
in {ref}/modules-cross-cluster-search.html#_configuring_cross_cluster_search[Configuring Cross Cluster Search].
|
|
|
|
For example, the following configuration adds two remote clusters
|
|
|
|
to the local cluster:
|
|
|
|
+
|
|
|
|
[source,js]
|
|
|
|
-----------------------------------------------------------
|
|
|
|
PUT _cluster/settings
|
|
|
|
{
|
|
|
|
"persistent": {
|
|
|
|
"search": {
|
|
|
|
"remote": {
|
|
|
|
"cluster_one": {
|
|
|
|
"seeds": [ "10.0.1.1:9300" ]
|
|
|
|
},
|
|
|
|
"cluster_two": {
|
|
|
|
"seeds": [ "10.0.2.1:9300" ]
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
-----------------------------------------------------------
|
|
|
|
|
|
|
|
* On the local cluster, ensure that users are assigned to (at least) one role
|
|
|
|
that exists on the remote clusters. On the remote clusters, use that role
|
|
|
|
to define which indices the user may access. (See <<authorization>>).
|
|
|
|
|
2017-04-21 07:37:34 -04:00
|
|
|
==== Example Configuration of Cross Cluster Search
|
|
|
|
|
|
|
|
In the following example, we will configure the user `alice` to have permissions
|
|
|
|
to search any index starting with `logs-` in cluster `two` from cluster `one`.
|
|
|
|
|
|
|
|
First, enable cluster `one` to perform cross cluster search on remote cluster
|
|
|
|
`two` by running the following request as the superuser on cluster `one`:
|
|
|
|
|
|
|
|
[source,js]
|
|
|
|
-----------------------------------------------------------
|
|
|
|
PUT _cluster_settings
|
|
|
|
{
|
|
|
|
"persistent": {
|
|
|
|
"search.remote.two.seeds": [ "10.0.2.1:9300" ]
|
|
|
|
}
|
|
|
|
}
|
|
|
|
-----------------------------------------------------------
|
|
|
|
|
|
|
|
Next, set up a role called `cluster_two_logs` on both cluster `one` and
|
|
|
|
cluster `two`.
|
|
|
|
|
|
|
|
On cluster `one`, this role allows the user to query indices called `logs-` on
|
|
|
|
cluster `two`:
|
|
|
|
|
|
|
|
[source,js]
|
|
|
|
-----------------------------------------------------------
|
|
|
|
POST /_xpack/security/role/cluster_two_logs
|
|
|
|
{
|
|
|
|
"indices": [
|
|
|
|
{
|
|
|
|
"names": [
|
|
|
|
"two:logs-*"
|
|
|
|
],
|
|
|
|
"privileges": [
|
|
|
|
"read"
|
|
|
|
]
|
|
|
|
}
|
|
|
|
]
|
|
|
|
}
|
|
|
|
-----------------------------------------------------------
|
|
|
|
|
|
|
|
On cluster `two`, this role allows the user to query local indices called
|
|
|
|
`logs-` from a remote cluster:
|
|
|
|
|
|
|
|
[source,js]
|
|
|
|
-----------------------------------------------------------
|
|
|
|
POST /_xpack/security/role/cluster_two_logs
|
|
|
|
{
|
|
|
|
"cluster": [
|
|
|
|
"transport_client"
|
|
|
|
],
|
|
|
|
"indices": [
|
|
|
|
{
|
|
|
|
"names": [
|
2017-04-27 07:32:22 -04:00
|
|
|
"logs-*"
|
2017-04-21 07:37:34 -04:00
|
|
|
],
|
|
|
|
"privileges": [
|
|
|
|
"read",
|
|
|
|
"read_cross_cluster",
|
2017-04-27 07:32:22 -04:00
|
|
|
"view_index_metadata"
|
2017-04-21 07:37:34 -04:00
|
|
|
]
|
|
|
|
}
|
|
|
|
]
|
|
|
|
}
|
|
|
|
-----------------------------------------------------------
|
|
|
|
|
|
|
|
Finally, create a user on cluster `one` and apply the `cluster_two_logs` role:
|
|
|
|
|
|
|
|
[source,js]
|
|
|
|
-----------------------------------------------------------
|
|
|
|
POST /_xpack/security/user/alice
|
|
|
|
{
|
|
|
|
"password" : "somepassword",
|
|
|
|
"roles" : [ "cluster_two_logs" ],
|
|
|
|
"full_name" : "Alice",
|
|
|
|
"email" : "alice@example.com",
|
|
|
|
"enabled": true
|
|
|
|
}
|
|
|
|
-----------------------------------------------------------
|
|
|
|
|
|
|
|
With all of the above setup, the user `alice` is able to search indices in
|
|
|
|
cluster `two` as follows:
|
|
|
|
|
|
|
|
[source,js]
|
|
|
|
-----------------------------------------------------------
|
2017-04-27 07:32:22 -04:00
|
|
|
GET two:logs-2017.04/_search <1>
|
2017-04-21 07:37:34 -04:00
|
|
|
{
|
|
|
|
"query": {
|
|
|
|
"match_all": {}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
-----------------------------------------------------------
|
2017-04-27 07:32:22 -04:00
|
|
|
|