Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: 8dd563134c
Branches Tags
elasticsearch
/
x-pack
/
docs
/
en
/
security
/
ccs-clients-integrations
/
cross-cluster.asciidoc

cross-cluster.asciidoc 4.6 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157 
  1. [[cross-cluster-configuring]]
    2. 

  2. === {ccs-cap} and security
    3. 

  3. 

  4. <<modules-cross-cluster-search,{ccs-cap}>> enables
    5. 

  5. federated search across multiple clusters. When using cross cluster search
    6. 

  6. with secured clusters, all clusters must have the {es} {security-features}
    7. 

  7. enabled.
    8. 

  8. 

  9. The local cluster (the cluster used to initiate cross cluster search) must be
    10. 

  10. allowed to connect to the remote clusters, which means that the CA used to
    11. 

  11. sign the SSL/TLS key of the local cluster must be trusted by the remote
    12. 

  12. clusters.
    13. 

  13. 

  14. User authentication is performed on the local cluster and the user and user's
    15. 

  15. roles are passed to the remote clusters. A remote cluster checks the user's
    16. 

  16. roles against its local role definitions to determine which indices the user
    17. 

  17. is allowed to access.
    18. 

  18. 

  19. 

  20. [WARNING]
    21. 

  21. This feature was added as Beta in {es} `v5.3` with further improvements made in
    22. 

  22. 5.4 and 5.5. It requires gateway eligible nodes to be on `v5.5` onwards.
    23. 

  23. 

  24. To use cross cluster search with secured clusters:
    25. 

  25. 

  26. * Enable the {es} {security-features} on every node in each connected cluster.
    27. 

  27. For more information about the `xpack.security.enabled` setting, see
    28. 

  28. <<security-settings>>.
    29. 

  29. 

  30. * Enable encryption globally. To encrypt communications, you must enable
    31. 

  31.   <<encrypt-internode-communication,enable SSL/TLS>> on every node.
    32. 

  32. 

  33. * Enable a trust relationship between the cluster used for performing cross
    34. 

  34.   cluster search (the local cluster) and all remote clusters.  This can be done
    35. 

  35.   either by:
    36. 

  36. +
    37. 

  37.   ** Using the same certificate authority to generate certificates for all
    38. 

  38.     connected clusters, or
    39. 

  39.   ** Adding the CA certificate from the local cluster as a trusted CA in
    40. 

  40.     each remote cluster (see <<transport-tls-ssl-settings>>).
    41. 

  41. 

  42. 

  43. * On the local cluster, ensure that users are assigned to (at least) one role
    44. 

  44.   that exists on the remote clusters.  On the remote clusters, use that role
    45. 

  45.   to define which indices the user may access.  (See <<authorization>>).
    46. 

  46. 

  47. * Configure the local cluster to connect to remote clusters as described
    48. 

  48.   in <<configuring-remote-clusters>>.
    49. 

  49.   For example, the following configuration adds two remote clusters
    50. 

  50.   to the local cluster:
    51. 

  51. +
    52. 

  52. --
    53. 

  53. [source,console]
    54. 

  54. -----------------------------------------------------------
    55. 

  55. PUT _cluster/settings
    56. 

  56. {
    57. 

  57.   "persistent": {
    58. 

  58.     "cluster": {
    59. 

  59.       "remote": {
    60. 

  60.         "one": {
    61. 

  61.           "seeds": [ "10.0.1.1:9300" ]
    62. 

  62.         },
    63. 

  63.         "two": {
    64. 

  64.           "seeds": [ "10.0.2.1:9300" ]
    65. 

  65.         }
    66. 

  66.       }
    67. 

  67.     }
    68. 

  68.   }
    69. 

  69. }
    70. 

  70. -----------------------------------------------------------
    71. 

  71. --
    72. 

  72. 

  73. 

  74. 

  75. [[cross-cluster-configuring-example]]
    76. 

  76. ==== Example configuration of cross cluster search
    77. 

  77. 

  78. In the following example, we will configure the user `alice` to have permissions
    79. 

  79. to search any data stream or index starting with `logs-` in cluster `two` from
    80. 

  80. cluster `one`.
    81. 

  81. 

  82. First, enable cluster `one` to perform cross cluster search on remote cluster
    83. 

  83. `two` by running the following request as the superuser on cluster `one`:
    84. 

  84. 

  85. [source,console]
    86. 

  86. -----------------------------------------------------------
    87. 

  87. PUT _cluster/settings
    88. 

  88. {
    89. 

  89.   "persistent": {
    90. 

  90.     "cluster.remote.two.seeds": [ "10.0.2.1:9300" ]
    91. 

  91.   }
    92. 

  92. }
    93. 

  93. -----------------------------------------------------------
    94. 

  94. 

  95. Next, set up a role called `cluster_two_logs` on both cluster `one` and
    96. 

  96. cluster `two`.
    97. 

  97. 

  98. On cluster `one`, this role does not need any special privileges:
    99. 

  99. 

  100. [source,console]
    101. 

  101. -----------------------------------------------------------
    102. 

  102. POST /_security/role/cluster_two_logs
    103. 

  103. {
    104. 

  104. }
    105. 

  105. -----------------------------------------------------------
    106. 

  106. 

  107. On cluster `two`, this role allows the user to query local indices called
    108. 

  108. `logs-` from a remote cluster:
    109. 

  109. 

  110. [source,console]
    111. 

  111. -----------------------------------------------------------
    112. 

  112. POST /_security/role/cluster_two_logs
    113. 

  113. {
    114. 

  114.   "cluster": [],
    115. 

  115.   "indices": [
    116. 

  116.     {
    117. 

  117.       "names": [
    118. 

  118.         "logs-*"
    119. 

  119.       ],
    120. 

  120.       "privileges": [
    121. 

  121.         "read",
    122. 

  122.         "read_cross_cluster"
    123. 

  123.       ]
    124. 

  124.     }
    125. 

  125.   ]
    126. 

  126. }
    127. 

  127. -----------------------------------------------------------
    128. 

  128. 

  129. Finally, create a user on cluster `one` and apply the `cluster_two_logs` role:
    130. 

  130. 

  131. [source,console]
    132. 

  132. -----------------------------------------------------------
    133. 

  133. POST /_security/user/alice
    134. 

  134. {
    135. 

  135.   "password" : "somepasswordhere",
    136. 

  136.   "roles" : [ "cluster_two_logs" ],
    137. 

  137.   "full_name" : "Alice",
    138. 

  138.   "email" : "alice@example.com",
    139. 

  139.   "enabled": true
    140. 

  140. }
    141. 

  141. -----------------------------------------------------------
    142. 

  142. 

  143. With all of the above setup, the user `alice` is able to search indices in
    144. 

  144. cluster `two` as follows:
    145. 

  145. 

  146. [source,console]
    147. 

  147. -----------------------------------------------------------
    148. 

  148. GET two:logs-2017.04/_search
    149. 

  149. {
    150. 

  150.   "query": {
    151. 

  151.     "match_all": {}
    152. 

  152.   }
    153. 

  153. }
    154. 

  154. -----------------------------------------------------------
    155. 

  155. // TEST[skip:todo]
    156. 

  156. 

  157. include::cross-cluster-kibana.asciidoc[]
    158.