OpenSearch/docs/en/security/tribe-clients-integrations/cross-cluster.asciidoc

62 lines
2.2 KiB
Plaintext
Raw Normal View History

[[cross-cluster-configuring]]
=== Cross Cluster Search and Security
{ref}/modules-cross-cluster-search.html[Cross Cluster Search] enables
federated search across multiple clusters. When using cross cluster search
with secured clusters, all clusters must have {security} enabled.
The local cluster (the cluster used to initiate cross cluster search) must be
allowed to connect to the remote clusters, which means that the CA used to
sign the SSL/TLS key of the local cluster must be trusted by the remote
clusters.
User authentication is performed on the local cluster and the user and user's
roles are passed to the remote clusters. A remote cluster checks the user's
roles against its local role definitions to determine which indices the user
is allowed to access.
To use cross cluster search with secured clusters:
* Install {xpack} on every node in each connected cluster.
* Enable encryption globally. To encrypt communications, you must enable
<<ssl-tls,enable SSL/TLS>> on every node.
* Enable a trust relationship between the cluster used for performing cross
cluster search (the local cluster) and all remote clusters. This can be done
either by:
+
** Using the same certificate authority to generate certificates for all
connected clusters, or
** Adding the CA certificate from the local cluster as a trusted CA in
each remote cluster (see <<transport-tls-ssl-settings>>).
* Configure the local cluster to connect to remote clusters as described
in {ref}/modules-cross-cluster-search.html#_configuring_cross_cluster_search[Configuring Cross Cluster Search].
For example, the following configuration adds two remote clusters
to the local cluster:
+
[source,js]
-----------------------------------------------------------
PUT _cluster/settings
{
"persistent": {
"search": {
"remote": {
"cluster_one": {
"seeds": [ "10.0.1.1:9300" ]
},
"cluster_two": {
"seeds": [ "10.0.2.1:9300" ]
}
}
}
}
}
-----------------------------------------------------------
* On the local cluster, ensure that users are assigned to (at least) one role
that exists on the remote clusters. On the remote clusters, use that role
to define which indices the user may access. (See <<authorization>>).