Home Explore Help
Register Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: 2268e383e8
Branches Tags
elasticsearch
/
docs
/
reference
/
modules
/
cluster
/
remote-clusters-api-key.asciidoc

remote-clusters-api-key.asciidoc 8.3 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201 
  1. [[remote-clusters-api-key]]
    2. 

  2. === Add remote clusters using API key authentication
    3. 

  3. 

  4. API key authentication enables a local cluster to authenticate itself with a
    5. 

  5. remote cluster via a <<security-api-create-cross-cluster-api-key,cross-cluster
    6. 

  6. API key>>. The API key needs to be created by an administrator of the remote
    7. 

  7. cluster. The local cluster is configured to provide this API key on each request
    8. 

  8. to the remote cluster. The remote cluster verifies the API key and grants
    9. 

  9. access, based on the API key's privileges.
    10. 

  10. 

  11. All cross-cluster requests from the local cluster are bound by the API key's
    12. 

  12. privileges, regardless of local users associated with the requests. For example,
    13. 

  13. if the API key only allows read access to `my-index` on the remote cluster, even
    14. 

  14. a superuser from the local cluster is limited by this constraint. This mechanism
    15. 

  15. enables the remote cluster's administrator to have full control over who can
    16. 

  16. access what data with cross-cluster search and/or cross-cluster replication. The
    17. 

  17. remote cluster's administrator can be confident that no access is possible
    18. 

  18. beyond what is explicitly assigned to the API key.
    19. 

  19. 

  20. On the local cluster side, not every local user needs to access every piece of
    21. 

  21. data allowed by the API key. An administrator of the local cluster can further
    22. 

  22. configure additional permission constraints on local users so each user only
    23. 

  23. gets access to the necessary remote data. Note it is only possible to further
    24. 

  24. reduce the permissions allowed by the API key for individual local users. It is
    25. 

  25. impossible to increase the permissions to go beyond what is allowed by the API
    26. 

  26. key.
    27. 

  27. 

  28. In this model, cross-cluster operations use <<remote_cluster.port,a dedicated
    29. 

  29. server port>> (remote cluster interface) for communication between clusters. A
    30. 

  30. remote cluster must enable this port for local clusters to connect. Configure
    31. 

  31. Transport Layer Security (TLS) for this port to maximize security (as explained
    32. 

  32. in <<remote-clusters-security-api-key>>).
    33. 

  33. 

  34. The local cluster must trust the remote cluster on the remote cluster interface.
    35. 

  35. This means that the local cluster trusts the remote cluster's certificate
    36. 

  36. authority (CA) that signs the server certificate used by the remote cluster
    37. 

  37. interface. When establishing a connection, all nodes from the local cluster that
    38. 

  38. participate in cross-cluster communication verify certificates from nodes on the
    39. 

  39. other side, based on the TLS trust configuration.
    40. 

  40. 

  41. To add a remote cluster using API key authentication:
    42. 

  42. 

  43. . <<remote-clusters-prerequisites-api-key,Review the prerequisites>>
    44. 

  44. . <<remote-clusters-security-api-key>>
    45. 

  45. . <<remote-clusters-connect-api-key>>
    46. 

  46. . <<remote-clusters-privileges-api-key>>
    47. 

  47. 

  48. If you run into any issues, refer to <<remote-clusters-troubleshooting>>.
    49. 

  49. 

  50. [[remote-clusters-prerequisites-api-key]]
    51. 

  51. ==== Prerequisites
    52. 

  52. 

  53. * The {es} security features need to be enabled on both clusters, on every node.
    54. 

  54. Security is enabled by default. If it's disabled, set `xpack.security.enabled`
    55. 

  55. to `true` in `elasticsearch.yml`. Refer to <<general-security-settings>>.
    56. 

  56. * The nodes of the local and remote clusters must be on version 8.10 or later.
    57. 

  57. * The local and remote clusters must have an appropriate license. For more
    58. 

  58. information, refer to https://www.elastic.co/subscriptions.
    59. 

  59. 

  60. [[remote-clusters-security-api-key]]
    61. 

  61. ==== Establish trust with a remote cluster
    62. 

  62. 

  63. NOTE: If a remote cluster is part of an {ess} deployment, it has a valid certificate by default. 
    64. 

  64. You can therefore skip steps related to certificates in these instructions.
    65. 

  65. 

  66. [[remote-clusters-security-api-key-remote-action]]
    67. 

  67. ===== On the remote cluster
    68. 

  68. 

  69. // tag::remote-cluster-steps[]
    70. 

  70. . Enable the remote cluster server on every node of the remote cluster. In
    71. 

  71. `elasticsearch.yml`:
    72. 

  72. .. Set <<remote-cluster-network-settings,`remote_cluster_server.enabled`>> to
    73. 

  73. `true`.
    74. 

  74. .. Configure the bind and publish address for remote cluster server traffic, for
    75. 

  75. example using <<remote-cluster-network-settings,`remote_cluster.host`>>. Without
    76. 

  76. configuring the address, remote cluster traffic may be bound to the local
    77. 

  77. interface, and remote clusters running on other machines can't connect.
    78. 

  78. .. Optionally, configure the remote server port using
    79. 

  79. <<remote_cluster.port,`remote_cluster.port`>> (defaults to `9443`).
    80. 

  80. . Next, generate a certificate authority (CA) and a server certificate/key pair.
    81. 

  81. On one of the nodes of the remote cluster, from the directory where {es} has
    82. 

  82. been installed:
    83. 

  83. 

  84. .. Create a CA, if you don't have a CA already:
    85. 

  85. +
    86. 

  86. [source,sh]
    87. 

  87. ----
    88. 

  88. ./bin/elasticsearch-certutil ca --pem --out=cross-cluster-ca.zip --pass CA_PASSWORD
    89. 

  89. ----
    90. 

  90. +
    91. 

  91. Replace `CA_PASSWORD` with the password you want to use for the CA. You can
    92. 

  92. remove the `--pass` option and its argument if you are not deploying to a
    93. 

  93. production environment.
    94. 

  94. 

  95. .. Unzip the generated `cross-cluster-ca.zip` file. This compressed file
    96. 

  96. contains the following content:
    97. 

  97. +
    98. 

  98. [source,txt]
    99. 

  99. ----
    100. 

  100. /ca
    101. 

  101. |_ ca.crt
    102. 

  102. |_ ca.key
    103. 

  103. ----
    104. 

  104. 

  105. .. Generate a certificate and private key pair for the nodes in the remote
    106. 

  106. cluster:
    107. 

  107. +
    108. 

  108. [source,sh]
    109. 

  109. ----
    110. 

  110. ./bin/elasticsearch-certutil cert --out=cross-cluster.p12 --pass=CERT_PASSWORD --ca-cert=ca/ca.crt --ca-key=ca/ca.key --ca-pass=CA_PASSWORD --dns=example.com --ip=127.0.0.1
    111. 

  111. ----
    112. 

  112. +
    113. 

  113. * Replace `CA_PASSWORD` with the CA password from the previous step.
    114. 

  114. * Replace `CERT_PASSWORD` with the password you want to use for the generated
    115. 

  115. private key.
    116. 

  116. * Use the `--dns` option to specify the relevant DNS name for the certificate.
    117. 

  117. You can specify it multiple times for multiple DNS.
    118. 

  118. * Use the `--ip` option to specify the relevant IP address for the certificate.
    119. 

  119. You can specify it multiple times for multiple IP addresses.
    120. 

  120. 

  121. .. If the remote cluster has multiple nodes, you can either:
    122. 

  122. +
    123. 

  123. * create a single wildcard certificate for all nodes;
    124. 

  124. * or, create separate certificates for each node either manually or in batch
    125. 

  125. with the <<certutil-silent,silent mode>>.
    126. 

  126. 

  127. . On every node of the remote cluster:
    128. 

  128. .. Copy the `cross-cluster.p12` file from the earlier step to the `config`
    129. 

  129. directory. If you didn't create a wildcard certificate, make sure you copy the
    130. 

  130. correct node-specific p12 file.
    131. 

  131. .. Add following configuration to `elasticsearch.yml`:
    132. 

  132. +
    133. 

  133. [source,yaml]
    134. 

  134. ----
    135. 

  135. xpack.security.remote_cluster_server.ssl.enabled: true
    136. 

  136. xpack.security.remote_cluster_server.ssl.keystore.path: cross-cluster.p12
    137. 

  137. ----
    138. 

  138. 

  139. .. Add the SSL keystore password to the {es} keystore:
    140. 

  140. +
    141. 

  141. [source,sh]
    142. 

  142. ----
    143. 

  143. ./bin/elasticsearch-keystore add xpack.security.remote_cluster_server.ssl.keystore.secure_password
    144. 

  144. ----
    145. 

  145. +
    146. 

  146. When prompted, enter the `CERT_PASSWORD` from the earlier step.
    147. 

  147. 

  148. . Restart the remote cluster.
    149. 

  149. 

  150. . On the remote cluster, generate a cross-cluster API key that provides access
    151. 

  151. to the indices you want to use for {ccs} or {ccr}. You can use the
    152. 

  152. <<security-api-create-cross-cluster-api-key>> API or
    153. 

  153. {kibana-ref}/api-keys.html[Kibana].
    154. 

  154. 

  155. . Copy the encoded key (`encoded` in the response) to a safe location. You will
    156. 

  156. need it to connect to the remote cluster later.
    157. 

  157. // end::remote-cluster-steps[]
    158. 

  158. 

  159. [[remote-clusters-security-api-key-local-actions]]
    160. 

  160. ===== On the local cluster
    161. 

  161. 

  162. // tag::local-cluster-steps[]
    163. 

  163. . On every node of the local cluster:
    164. 

  164. 

  165. .. Copy the `ca.crt` file generated on the remote cluster earlier into the
    166. 

  166. `config` directory, renaming the file `remote-cluster-ca.crt`.
    167. 

  167. 

  168. .. Add following configuration to `elasticsearch.yml`:
    169. 

  169. +
    170. 

  170. [source,yaml]
    171. 

  171. ----
    172. 

  172. xpack.security.remote_cluster_client.ssl.enabled: true
    173. 

  173. xpack.security.remote_cluster_client.ssl.certificate_authorities: [ "remote-cluster-ca.crt" ]
    174. 

  174. ----
    175. 

  175. // end::local-cluster-steps[]
    176. 

  176. 

  177. .. Add the cross-cluster API key, created on the remote cluster earlier, to the
    178. 

  178. keystore:
    179. 

  179. +
    180. 

  180. [source,sh]
    181. 

  181. ----
    182. 

  182. ./bin/elasticsearch-keystore add cluster.remote.ALIAS.credentials
    183. 

  183. ----
    184. 

  184. +
    185. 

  185. Replace `ALIAS` with the same name that you will use to create the remote cluster entry
    186. 

  186. later. When prompted, enter the encoded cross-cluster API key created on the
    187. 

  187. remote cluster earlier.
    188. 

  188. 

  189. . Restart the local cluster to load changes to the keystore and settings.
    190. 

  190. 

  191. **Note:** If you are configuring only the cross-cluster API key, you can call the <<cluster-nodes-reload-secure-settings>> API, instead of restarting the cluster.
    192. 

  192. Configuring the `remote_cluster_client` settings in `elasticsearch.yml` still requires a restart.
    193. 

  193. 

  194. [[remote-clusters-connect-api-key]]
    195. 

  195. ==== Connect to a remote cluster
    196. 

  196. 

  197. :trust-mechanism: api-key
    198. 

  198. include::remote-clusters-connect.asciidoc[]
    199. 

  199. :!trust-mechanism:
    200. 

  200. 

  201. include::{es-ref-dir}/security/authentication/remote-clusters-privileges-api-key.asciidoc[leveloffset=+1]
    202.