[[cross-cluster-configuring]]
=== Cross Cluster Search and Security

{ref}/modules-cross-cluster-search.html[Cross Cluster Search] enables
federated search across multiple clusters. When using cross cluster search
with secured clusters, all clusters must have {security} enabled.

The local cluster (the cluster used to initiate cross cluster search) must be
allowed to connect to the remote clusters, which means that the CA used to
sign the SSL/TLS key of the local cluster must be trusted by the remote
clusters.

User authentication is performed on the local cluster and the user and the user's
roles are passed to the remote clusters. A remote cluster checks the user's
roles against its local role definitions to determine which indices the user
is allowed to access.

To use cross cluster search with secured clusters:

* Install {xpack} on every node in each connected cluster.

* Enable encryption globally. To encrypt communications, you must
<<ssl-tls,enable SSL/TLS>> on every node.

* Enable a trust relationship between the cluster used for performing cross
cluster search (the local cluster) and all remote clusters. This can be done
either by:
+
** Using the same certificate authority to generate certificates for all
connected clusters, or
** Adding the CA certificate from the local cluster as a trusted CA in
each remote cluster (see <<transport-tls-ssl-settings>>).

* Configure the local cluster to connect to remote clusters as described
in {ref}/modules-cross-cluster-search.html#_configuring_cross_cluster_search[Configuring Cross Cluster Search].
For example, the following configuration adds two remote clusters
to the local cluster:
+
[source,js]
-----------------------------------------------------------
PUT _cluster/settings
{
  "persistent": {
    "search": {
      "remote": {
        "cluster_one": {
          "seeds": [ "10.0.1.1:9300" ]
        },
        "cluster_two": {
          "seeds": [ "10.0.2.1:9300" ]
        }
      }
    }
  }
}
-----------------------------------------------------------

* On the local cluster, ensure that users are assigned to (at least) one role
that exists on the remote clusters. On the remote clusters, use that role
to define which indices the user may access. (See <<authorization>>).
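The authorization model described above (roles forwarded by the local cluster, resolved against the remote cluster's own role definitions) is easy to get wrong when a role name exists only on the local cluster. The following Python script is an added illustration, not code from the Elasticsearch documentation or from {xpack} itself. It models that check with constructed role definitions and index names, using simple wildcard matching as a stand-in for the real index-pattern resolution, and adds a helper that flags forwarded role names the remote cluster does not define, which is the misconfiguration the last step warns about.

```python
"""Model of remote-cluster authorization for cross cluster search.

Added example with constructed data; it is not Elasticsearch code. The
remote cluster receives role *names* from the local cluster and grants
access only according to its own definitions of those names. Wildcard
matching is a simplification of the real index-pattern resolution.
"""
from fnmatch import fnmatchcase

# Constructed: role definitions as they exist on the remote cluster.
# Only the "indices" privileges matter for this model.
REMOTE_CLUSTER_ROLES = {
    "logs_reader": {
        "indices": [{"names": ["logs-*"], "privileges": ["read"]}],
    },
    "metrics_reader": {
        "indices": [{"names": ["metrics-*"], "privileges": ["read"]}],
    },
    "index_writer": {
        # Write-only grant: must not confer search access.
        "indices": [{"names": ["logs-*"], "privileges": ["write"]}],
    },
}

# Constructed: indices present on the remote cluster.
REMOTE_CLUSTER_INDICES = [
    "logs-2024.01",
    "logs-2024.02",
    "metrics-2024.01",
    "secrets",
]

# Privileges that allow a search to read an index in this model.
SEARCH_PRIVILEGES = {"read", "all"}


def roles_undefined_on_remote(forwarded_roles, remote_roles=REMOTE_CLUSTER_ROLES):
    """Return forwarded role names the remote cluster does not define.

    Such roles contribute no access remotely even if they are powerful
    on the local cluster; a user whose roles are all in this list gets
    nothing back from a cross cluster search.
    """
    return sorted(r for r in forwarded_roles if r not in remote_roles)


def readable_indices(forwarded_roles, remote_roles=REMOTE_CLUSTER_ROLES,
                     remote_indices=REMOTE_CLUSTER_INDICES):
    """Return the sorted list of remote indices the forwarded roles may read."""
    patterns = []
    for role_name in forwarded_roles:
        role = remote_roles.get(role_name)
        if role is None:
            # Role exists only on the local cluster: ignored by the remote.
            continue
        for grant in role.get("indices", []):
            if SEARCH_PRIVILEGES & set(grant.get("privileges", [])):
                patterns.extend(grant.get("names", []))
    return sorted(
        idx for idx in remote_indices
        if any(fnmatchcase(idx, pattern) for pattern in patterns)
    )


def authorize_search(forwarded_roles, requested_indices,
                     remote_roles=REMOTE_CLUSTER_ROLES,
                     remote_indices=REMOTE_CLUSTER_INDICES):
    """Split the requested indices into (allowed, denied) for this user."""
    allowed = set(readable_indices(forwarded_roles, remote_roles, remote_indices))
    granted = sorted(i for i in requested_indices if i in allowed)
    denied = sorted(i for i in requested_indices if i not in allowed)
    return granted, denied


if __name__ == "__main__":
    # A user holding a local-only role plus logs_reader: only logs_reader counts.
    roles = ["superuser_local", "logs_reader"]
    print("undefined on remote:", roles_undefined_on_remote(roles))
    print("readable:", readable_indices(roles))
    print("search result:", authorize_search(roles, ["logs-2024.01", "secrets"]))
```

The `index_writer` role shows why the remote definition, not the role name, decides access: a grant without a read-capable privilege yields no searchable indices even though the name is defined remotely.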