[[remote-clusters-privileges-api-key]]
=== Configure roles and users

To use a remote cluster for {ccr} or {ccs}, you need to create user roles with
<<roles-remote-indices-priv,remote indices privileges>> on the local cluster.

You can manage users and roles from Stack Management in {kib} by selecting
*Security > Roles* from the side navigation. You can also use the
<<security-role-apis,role management APIs>> to add, update, remove, and retrieve
roles dynamically.

The following examples use the <<security-api-put-role>> API. You must have at
least the `manage_security` cluster privilege to use this API.

NOTE: The cross-cluster API key used by the local cluster to connect to the remote
cluster must have sufficient privileges to cover all remote indices privileges
required by individual users.

==== Configure privileges for {ccr}

Assuming the remote cluster is connected under the name of `my_remote_cluster`,
the following request creates a role called `remote-replication` on the local
cluster that allows replicating the remote `leader-index` index:

[source,console]
----
POST /_security/role/remote-replication
{
  "cluster": [
    "manage_ccr"
  ],
  "remote_indices": [
    {
      "clusters": [ "my_remote_cluster" ],
      "names": [
        "leader-index"
      ],
      "privileges": [
        "cross_cluster_replication"
      ]
    }
  ]
}
----
// TEST[skip:TODO]

After creating the local `remote-replication` role, use the
<<security-api-put-user>> API to create a user on the local cluster and
assign the `remote-replication` role. For example, the following request assigns
the `remote-replication` role to a user named `cross-cluster-user`:

[source,console]
----
POST /_security/user/cross-cluster-user
{
  "password" : "l0ng-r4nd0m-p@ssw0rd",
  "roles" : [ "remote-replication" ]
}
----
// TEST[skip:TODO]

Note that you only need to create this user on the local cluster.

==== Configure privileges for {ccs}

Assuming the remote cluster is connected under the name of `my_remote_cluster`,
the following request creates a `remote-search` role on the local cluster that
allows searching the remote `target-index` index:

[source,console]
----
POST /_security/role/remote-search
{
  "remote_indices": [
    {
      "clusters": [ "my_remote_cluster" ],
      "names": [
        "target-index"
      ],
      "privileges": [
        "read",
        "read_cross_cluster",
        "view_index_metadata"
      ]
    }
  ]
}
----
// TEST[skip:TODO]

After creating the `remote-search` role, use the <<security-api-put-user>> API
to create a user on the local cluster and assign the `remote-search` role. For
example, the following request assigns the `remote-search` role to a user named
`cross-search-user`:

[source,console]
----
POST /_security/user/cross-search-user
{
  "password" : "l0ng-r4nd0m-p@ssw0rd",
  "roles" : [ "remote-search" ]
}
----
// TEST[skip:TODO]

Note that you only need to create this user on the local cluster.
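
The NOTE at the top of this page requires the cross-cluster API key to cover every remote indices privilege granted by local roles. The following offline check is an added example, not part of the original documentation or of {es}: it compares the two roles defined above against a key's `access` object and lists what the key does not cover. The `KEY_ACCESS` contents, the helper names, and the mapping of role privileges to `search` or `replication` access are assumptions of this example, and only `*` wildcards are handled.

```python
import re

# Constructed sample data. ROLES mirror the two roles defined on this page;
# KEY_ACCESS is an assumed "access" body of the cross-cluster API key.
ROLES = {
    "remote-replication": {"remote_indices": [{
        "clusters": ["my_remote_cluster"], "names": ["leader-index"],
        "privileges": ["cross_cluster_replication"]}]},
    "remote-search": {"remote_indices": [{
        "clusters": ["my_remote_cluster"], "names": ["target-index"],
        "privileges": ["read", "read_cross_cluster", "view_index_metadata"]}]},
}
KEY_ACCESS = {
    "search": [{"names": ["target-*"]}],
    "replication": [{"names": ["follower-*"]}],  # does not cover leader-index
}

def pattern_covers(key_pat, role_pat):
    """True if every name matching role_pat also matches key_pat ('*' only).

    The role pattern's '*' is replaced by a NUL marker that only a '*' in the
    key pattern can absorb, so the check is conservative: it never reports
    coverage that does not exist.
    """
    regex = ".*".join(re.escape(part) for part in key_pat.split("*"))
    return re.fullmatch(regex, role_pat.replace("*", "\0"), re.DOTALL) is not None

def access_kind(privilege):
    # Assumption: replication privileges need "replication" access on the key,
    # every other index privilege needs "search" access.
    return "replication" if privilege == "cross_cluster_replication" else "search"

def uncovered(roles, key_access, cluster_alias):
    """Return sorted (role, access kind, index pattern) tuples the key does not cover."""
    gaps = set()
    for role_name, role in roles.items():
        for entry in role.get("remote_indices", []):
            if not any(pattern_covers(c, cluster_alias) for c in entry["clusters"]):
                continue  # entry targets a different remote cluster
            for kind in {access_kind(p) for p in entry["privileges"]}:
                granted = [n for g in key_access.get(kind, []) for n in g["names"]]
                for name in entry["names"]:
                    if not any(pattern_covers(k, name) for k in granted):
                        gaps.add((role_name, kind, name))
    return sorted(gaps)

if __name__ == "__main__":
    for role_name, kind, name in uncovered(ROLES, KEY_ACCESS, "my_remote_cluster"):
        print(f"role {role_name}: key lacks {kind} access to {name}")
```

With the constructed data, the check reports that the `remote-replication` role asks for replication of `leader-index` while the key only grants replication access to `follower-*`.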