mirror of
https://github.com/honeymoose/OpenSearch.git
synced 2025-02-17 18:35:25 +00:00
Adjust the last bullet item to be above the code block for better readability and to avoid it being skimmed over
157 lines
4.8 KiB
Plaintext
157 lines
4.8 KiB
Plaintext
[[cross-cluster-configuring]]
|
|
=== Cross cluster search and security
|
|
|
|
{ref}/modules-cross-cluster-search.html[Cross cluster search] enables
|
|
federated search across multiple clusters. When using cross cluster search
|
|
with secured clusters, all clusters must have the {es} {security-features}
|
|
enabled.
|
|
|
|
The local cluster (the cluster used to initiate cross cluster search) must be
|
|
allowed to connect to the remote clusters, which means that the CA used to
|
|
sign the SSL/TLS key of the local cluster must be trusted by the remote
|
|
clusters.
|
|
|
|
User authentication is performed on the local cluster and the user and user's
|
|
roles are passed to the remote clusters. A remote cluster checks the user's
|
|
roles against its local role definitions to determine which indices the user
|
|
is allowed to access.
|
|
|
|
|
|
[WARNING]
|
|
This feature was added as Beta in {es} `v5.3` with further improvements made in
|
|
5.4 and 5.5. It requires gateway eligible nodes to be on `v5.5` onwards.
|
|
|
|
To use cross cluster search with secured clusters:
|
|
|
|
* Enable the {es} {security-features} on every node in each connected cluster.
|
|
For more information about the `xpack.security.enabled` setting, see
|
|
{ref}/security-settings.html[Security Settings in {es}].
|
|
|
|
* Enable encryption globally. To encrypt communications, you must enable
|
|
<<ssl-tls,enable SSL/TLS>> on every node.
|
|
|
|
* Enable a trust relationship between the cluster used for performing cross
|
|
cluster search (the local cluster) and all remote clusters. This can be done
|
|
either by:
|
|
+
|
|
** Using the same certificate authority to generate certificates for all
|
|
connected clusters, or
|
|
** Adding the CA certificate from the local cluster as a trusted CA in
|
|
each remote cluster (see {ref}/security-settings.html#transport-tls-ssl-settings[Transport TLS settings]).
|
|
|
|
|
|
* On the local cluster, ensure that users are assigned to (at least) one role
|
|
that exists on the remote clusters. On the remote clusters, use that role
|
|
to define which indices the user may access. (See <<authorization>>).
|
|
|
|
* Configure the local cluster to connect to remote clusters as described
|
|
in {ref}/modules-remote-clusters.html#configuring-remote-clusters[Configuring Remote Clusters].
|
|
For example, the following configuration adds two remote clusters
|
|
to the local cluster:
|
|
+
|
|
--
|
|
[source,console]
|
|
-----------------------------------------------------------
|
|
PUT _cluster/settings
|
|
{
|
|
"persistent": {
|
|
"cluster": {
|
|
"remote": {
|
|
"cluster_one": {
|
|
"seeds": [ "10.0.1.1:9300" ]
|
|
},
|
|
"cluster_two": {
|
|
"seeds": [ "10.0.2.1:9300" ]
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
-----------------------------------------------------------
|
|
--
|
|
|
|
|
|
|
|
==== Example Configuration of Cross Cluster Search
|
|
|
|
In the following example, we will configure the user `alice` to have permissions
|
|
to search any index starting with `logs-` in cluster `two` from cluster `one`.
|
|
|
|
First, enable cluster `one` to perform cross cluster search on remote cluster
|
|
`two` by running the following request as the superuser on cluster `one`:
|
|
|
|
[source,console]
|
|
-----------------------------------------------------------
|
|
PUT _cluster/settings
|
|
{
|
|
"persistent": {
|
|
"cluster.remote.cluster_two.seeds": [ "10.0.2.1:9300" ]
|
|
}
|
|
}
|
|
-----------------------------------------------------------
|
|
|
|
Next, set up a role called `cluster_two_logs` on both cluster `one` and
|
|
cluster `two`.
|
|
|
|
On cluster `one`, this role does not need any special privileges:
|
|
|
|
[source,console]
|
|
-----------------------------------------------------------
|
|
POST /_security/role/cluster_two_logs
|
|
{
|
|
}
|
|
-----------------------------------------------------------
|
|
|
|
On cluster `two`, this role allows the user to query local indices called
|
|
`logs-` from a remote cluster:
|
|
|
|
[source,console]
|
|
-----------------------------------------------------------
|
|
POST /_security/role/cluster_two_logs
|
|
{
|
|
"cluster": [],
|
|
"indices": [
|
|
{
|
|
"names": [
|
|
"logs-*"
|
|
],
|
|
"privileges": [
|
|
"read",
|
|
"read_cross_cluster"
|
|
]
|
|
}
|
|
]
|
|
}
|
|
-----------------------------------------------------------
|
|
|
|
Finally, create a user on cluster `one` and apply the `cluster_two_logs` role:
|
|
|
|
[source,console]
|
|
-----------------------------------------------------------
|
|
POST /_security/user/alice
|
|
{
|
|
"password" : "somepassword",
|
|
"roles" : [ "cluster_two_logs" ],
|
|
"full_name" : "Alice",
|
|
"email" : "alice@example.com",
|
|
"enabled": true
|
|
}
|
|
-----------------------------------------------------------
|
|
|
|
With all of the above setup, the user `alice` is able to search indices in
|
|
cluster `two` as follows:
|
|
|
|
[source,console]
|
|
-----------------------------------------------------------
|
|
GET two:logs-2017.04/_search <1>
|
|
{
|
|
"query": {
|
|
"match_all": {}
|
|
}
|
|
}
|
|
-----------------------------------------------------------
|
|
// TEST[skip:todo]
|
|
//TBD: Is there a missing description of the <1> callout above?
|
|
|
|
include::cross-cluster-kibana.asciidoc[]
|