|
|
@@ -0,0 +1,265 @@
|
|
|
+[[remote-clusters-migrate]]
|
|
|
+=== Migrate remote clusters from certificate to API key authentication
|
|
|
+
|
|
|
+++++
|
|
|
+<titleabbrev>Migrate from certificate to API key authentication</titleabbrev>
|
|
|
+++++
|
|
|
+
|
|
|
+The API key based security model for remote clusters offers administrators more
|
|
|
+fine-grained access controls compared to the TLS certificate based security
|
|
|
+model. For that reason, you may want to migrate from the certificate based
|
|
|
+security model to the API key based model.
|
|
|
+
|
|
|
+While it is possible to migrate by defining a new remote cluster connection,
|
|
|
+using a new alias, this has several downsides:
|
|
|
+
|
|
|
+- For {ccr}, it's not possible to change the leader cluster alias for existing
|
|
|
+tasks. As a result, with a new remote cluster, follower indices would need to be
|
|
|
+re-created from scratch.
|
|
|
+- For {ccs}, transform and anomaly detection jobs do allow updating the remote
|
|
|
+cluster alias. However, if the job was created with wildcards, for example
|
|
|
+`*:source_index`, and `superuser`, adding a new remote cluster will cause the
|
|
|
+job to do double the amount of work and potentially skew results with
|
|
|
+duplications.
|
|
|
+
|
|
|
+For these reasons, you may prefer to migrate a remote cluster in-place, by
|
|
|
+following these steps:
|
|
|
+
|
|
|
+. <<remote-clusters-migration-prerequisites,Review the prerequisites>>
|
|
|
+. <<remote-clusters-migration-remote-cluster>>
|
|
|
+. <<remote-clusters-migration-stop>>
|
|
|
+. <<remote-clusters-migration-reconnect>>
|
|
|
+. <<remote-clusters-migration-resume>>
|
|
|
+. <<remote-clusters-migration-disable-cert>>
|
|
|
+
|
|
|
+[[remote-clusters-migration-prerequisites]]
|
|
|
+==== Prerequisites
|
|
|
+
|
|
|
+* The nodes of the local and remote clusters must be on version 8.10 or later.
|
|
|
+* The local and remote clusters must have an appropriate license. For more
|
|
|
+information, refer to https://www.elastic.co/subscriptions.
|
|
|
+
|
|
|
+[[remote-clusters-migration-remote-cluster]]
|
|
|
+==== Reconfigure the remote cluster and generate a cross-cluster API key
|
|
|
+
|
|
|
+On the remote cluster:
|
|
|
+
|
|
|
+include::remote-clusters-api-key.asciidoc[tag=remote-cluster-steps]
|
|
|
+
|
|
|
+[[remote-clusters-migration-stop]]
|
|
|
+==== Stop cross-cluster operations
|
|
|
+
|
|
|
+On the local cluster, stop any persistent tasks that refer to the remote
|
|
|
+cluster:
|
|
|
+
|
|
|
+* Use the <<stop-transform>> API to stop any transforms.
|
|
|
+* Use the <<ml-close-job>> API to close any anomaly detection jobs.
|
|
|
+* Use the <<ccr-pause-auto-follow-pattern>> API to pause any auto-follow {ccr}.
|
|
|
+* Use the <<ccr-post-pause-follow>> API to pause any manual {ccr} or existing
|
|
|
+indices that were created from the auto-follow pattern.
|
|
|
+
|
|
|
+[[remote-clusters-migration-reconnect]]
|
|
|
+==== Reconnect to the remote cluster
|
|
|
+
|
|
|
+On the local cluster:
|
|
|
+
|
|
|
+. Enhance any roles used by local cluster users with the required
|
|
|
+<<roles-remote-indices-priv,remote indices privileges>> for {ccr} and {ccs}.
|
|
|
+Refer to <<remote-clusters-privileges-api-key>>. Note:
|
|
|
+
|
|
|
+** You only need to assign additional `remote_indices` privileges to existing
|
|
|
+roles used for cross-cluster operations. You should be able to copy these
|
|
|
+privileges from the original roles on the remote cluster, where they are defined
|
|
|
+under the certification based security model.
|
|
|
+** The roles on the local cluster can't exceed the `access` privilege granted by
|
|
|
+the cross-cluster API key. Any extra local privileges will be suppressed by the
|
|
|
+cross-cluster API key's privileges.
|
|
|
+** No update is needed if the {ccr} or {ccs} tasks have been configured with a
|
|
|
+`superuser` role. The `superuser` role is automatically updated to allow access
|
|
|
+to all remote indices.
|
|
|
+** Tasks that are run as regular users with named roles are immediately updated
|
|
|
+with the new privileges. A task will load a new definition the next time it
|
|
|
+runs.
|
|
|
+** You need to restart tasks that are run using an API key (done in a later
|
|
|
+step).
|
|
|
+
|
|
|
+. If you've dynamically configured the remote cluster (via the cluster settings
|
|
|
+API):
|
|
|
+
|
|
|
+.. Retrieve the current remote cluster configuration, and store it in a safe
|
|
|
+place. You may need it later in case you need to
|
|
|
+<<remote-clusters-migration-rollback,roll back>>. Use the cluster settings API:
|
|
|
++
|
|
|
+[source,console]
|
|
|
+----
|
|
|
+GET /_cluster/settings?filter_path=persistent.cluster.remote
|
|
|
+----
|
|
|
+
|
|
|
+.. Remove the existing remote cluster definition by setting the remote cluster
|
|
|
+settings to `null`.
|
|
|
+
|
|
|
+. If you've statically configured the remote cluster (via `elasticsearch.yml`),
|
|
|
+copy the `cluster.remote` settings from `elasticsearch.yml`, and store them
|
|
|
+in a safe place. You may need them later in case you need to
|
|
|
+<<remote-clusters-migration-rollback,roll back>>.
|
|
|
+
|
|
|
+
|
|
|
+include::remote-clusters-api-key.asciidoc[tag=local-cluster-steps]
|
|
|
+
|
|
|
+.. Add the cross-cluster API key, created on the remote cluster earlier, to the
|
|
|
+keystore:
|
|
|
++
|
|
|
+[source,sh]
|
|
|
+----
|
|
|
+./bin/elasticsearch-keystore add cluster.remote.ALIAS.credentials
|
|
|
+----
|
|
|
++
|
|
|
+Replace `ALIAS` with the same alias that was used for cross-cluster operations
|
|
|
+before the migration. When prompted, enter the encoded cross-cluster API key
|
|
|
+created on the remote cluster earlier.
|
|
|
+
|
|
|
+. If you've dynamically configured the remote cluster (via the cluster settings
|
|
|
+API):
|
|
|
+
|
|
|
+.. Restart the local cluster to load changes to the keystore.
|
|
|
+
|
|
|
+.. Re-add the remote cluster. Use the same remote cluster alias, and change the
|
|
|
+transport port into the remote cluster port. For example:
|
|
|
++
|
|
|
+[source,console]
|
|
|
+----
|
|
|
+PUT /_cluster/settings
|
|
|
+{
|
|
|
+ "persistent" : {
|
|
|
+ "cluster" : {
|
|
|
+ "remote" : {
|
|
|
+ "my_remote" : { <1>
|
|
|
+ "mode": "proxy",
|
|
|
+ "proxy_address": "my.remote.cluster.com:9443" <2>
|
|
|
+ }
|
|
|
+ }
|
|
|
+ }
|
|
|
+ }
|
|
|
+}
|
|
|
+----
|
|
|
+// TEST[skip:TODO]
|
|
|
+<1> The remote cluster alias. Use the same alias that was used before the
|
|
|
+migration.
|
|
|
+<2> The remote cluster address with the remote cluster port, which defaults to
|
|
|
+`9443`.
|
|
|
+
|
|
|
+. If you've statically configured the remote cluster (via `elasticsearch.yml`):
|
|
|
+
|
|
|
+.. Update the `cluster.remote` settings in `elasticsearch.yml` on each node of
|
|
|
+the local cluster. Change the port into the remote cluster port, which defaults
|
|
|
+to `9443`.
|
|
|
+
|
|
|
+.. Restart the local cluster to load changes to the keystore and settings.
|
|
|
+
|
|
|
+. Use the <<cluster-remote-info,remote cluster info API>> to verify that the
|
|
|
+local cluster has successfully connected to the remote cluster:
|
|
|
++
|
|
|
+[source,console]
|
|
|
+----
|
|
|
+GET /_remote/info
|
|
|
+----
|
|
|
+// TEST[skip:TODO]
|
|
|
++
|
|
|
+The API response should indicate that the local cluster has connected to the
|
|
|
+remote cluster:
|
|
|
++
|
|
|
+[source,console-result]
|
|
|
+----
|
|
|
+{
|
|
|
+ "my_remote": {
|
|
|
+ "connected": true, <1>
|
|
|
+ "mode": "proxy",
|
|
|
+ "proxy_address": "my.remote.cluster.com:9443",
|
|
|
+ "server_name": "",
|
|
|
+ "num_proxy_sockets_connected": 0,
|
|
|
+ "max_proxy_socket_connections": 18,
|
|
|
+ "initial_connect_timeout": "30s",
|
|
|
+ "skip_unavailable": false,
|
|
|
+ "cluster_credentials": "::es_redacted::" <2>
|
|
|
+ }
|
|
|
+}
|
|
|
+----
|
|
|
+// TEST[skip:TODO]
|
|
|
+<1> The remote cluster is connected.
|
|
|
+<2> If present, indicates the remote cluster has connected using API key
|
|
|
+authentication.
|
|
|
+
|
|
|
+[[remote-clusters-migration-resume]]
|
|
|
+==== Resume cross-cluster operations
|
|
|
+
|
|
|
+Resume any persistent tasks that you stopped earlier. Tasks should be restarted
|
|
|
+by the same user or API key that created the task before the migration. Ensure
|
|
|
+the roles of this user or API key have been updated with the required
|
|
|
+`remote_indices` privileges. For users, tasks capture the caller's credentials
|
|
|
+when started and run in that user's security context. For API keys, restarting a
|
|
|
+task will update the task with the updated API key.
|
|
|
+
|
|
|
+* Use the <<start-transform>> API to start any transforms.
|
|
|
+* Use the <<ml-open-job>> API to open any anomaly detection jobs.
|
|
|
+* Use the <<ccr-post-resume-follow>> API to resume any auto-follow {ccr}.
|
|
|
+* Use the <<ccr-resume-auto-follow-pattern>> API to resume any manual {ccr} or
|
|
|
+existing indices that were created from the auto-follow pattern.
|
|
|
+
|
|
|
+[[remote-clusters-migration-disable-cert]]
|
|
|
+==== Disable certificate based authentication and authorization
|
|
|
+
|
|
|
+//TODO: Add link to troubleshooting docs when they're published
|
|
|
+NOTE: Only proceed with this step if the migration has been proved successful on
|
|
|
+the local cluster. If the migration is unsuccessful, either find out what the
|
|
|
+problem is and attempt to fix it or <<remote-clusters-migration-rollback,roll
|
|
|
+back>>.
|
|
|
+
|
|
|
+Next, disable the certification based connection. Optionally, you can also
|
|
|
+revoke the authorization.
|
|
|
+
|
|
|
+. There is no particular setting to enable or disable a certificate based cross
|
|
|
+cluster connection, because it shares the same transport protocol with the
|
|
|
+intra-cluster node-to-node communication.
|
|
|
++
|
|
|
+One way a remote cluster administrator can stop an existing local cluster from
|
|
|
+connecting, is by changing TLS trust. The exact steps vary, depending on how the
|
|
|
+clusters have been configured. A generic solution is to
|
|
|
+<<encrypt-internode-communication,recreate the CA and certificate/key used by
|
|
|
+the remote transport interface>> so that any existing certificate/key, locally
|
|
|
+or distributed, is no longer trusted.
|
|
|
++
|
|
|
+Another solution is to apply IP filters to the transport interface, blocking
|
|
|
+traffic from outside the cluster.
|
|
|
+
|
|
|
+. Optionally, delete any roles on the remote cluster that were only used for
|
|
|
+cross-cluster operations. These roles are no longer used under the API key based
|
|
|
+security model.
|
|
|
+
|
|
|
+[[remote-clusters-migration-rollback]]
|
|
|
+==== Rollback
|
|
|
+
|
|
|
+If you need to roll back, follow these steps on the local cluster:
|
|
|
+
|
|
|
+. Stop any persistent tasks that refer to the remote cluster.
|
|
|
+
|
|
|
+. Remove the remote cluster definition by setting the remote cluster settings to
|
|
|
+`null`.
|
|
|
+
|
|
|
+. Remove the `remote_indices` privileges from any roles that were updated during
|
|
|
+the migration.
|
|
|
+
|
|
|
+. On each node, remove the `remote_cluster_client.ssl.*` settings from
|
|
|
+`elasticsearch.yml`.
|
|
|
+
|
|
|
+. Restart the local cluster to apply changes to the keystore and
|
|
|
+`elasticsearch.yml`.
|
|
|
+
|
|
|
+. On the local cluster, apply the original remote cluster settings. If the
|
|
|
+remote cluster connection has been configured statically (using the
|
|
|
+`elasticsearch.yml` file), restart the cluster.
|
|
|
+
|
|
|
+. Use the <<cluster-remote-info,remote cluster info API>> to verify that the
|
|
|
+local cluster has connected to the remote cluster. The response should have
|
|
|
+`"connected": true` and not have `"cluster_credentials": "::es_redacted::"`.
|
|
|
+
|
|
|
+. Restart any persistent tasks that you've stopped earlier.
|
Abdon Pijpelink