Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: e241a91a4e
Branches Tags
elasticsearch
/
docs
/
reference
/
modules
/
cluster
/
remote-clusters-api-key.asciidoc

remote-clusters-api-key.asciidoc 8.0 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198 
  1. [[remote-clusters-api-key]]
    2. 

  2. === Add remote clusters using API key authentication
    3. 

  3. 

  4. beta::[]
    5. 

  5. 

  6. API key authentication enables a local cluster to authenticate itself with a
    7. 

  7. remote cluster via a <<security-api-create-cross-cluster-api-key,cross-cluster
    8. 

  8. API key>>. The API key needs to be created by an administrator of the remote
    9. 

  9. cluster. The local cluster is configured to provide this API key on each request
    10. 

  10. to the remote cluster. The remote cluster verifies the API key and grants
    11. 

  11. access, based on the API key's privileges.
    12. 

  12. 

  13. All cross-cluster requests from the local cluster are bound by the API key's
    14. 

  14. privileges, regardless of local users associated with the requests. For example,
    15. 

  15. if the API key only allows read access to `my-index` on the remote cluster, even
    16. 

  16. a superuser from the local cluster is limited by this constraint. This mechanism
    17. 

  17. enables the remote cluster's administrator to have full control over who can
    18. 

  18. access what data with cross-cluster search and/or cross-cluster replication. The
    19. 

  19. remote cluster's administrator can be confident that no access is possible
    20. 

  20. beyond what is explicitly assigned to the API key.
    21. 

  21. 

  22. On the local cluster side, not every local user needs to access every piece of
    23. 

  23. data allowed by the API key. An administrator of the local cluster can further
    24. 

  24. configure additional permission constraints on local users so each user only
    25. 

  25. gets access to the necessary remote data. Note it is only possible to further
    26. 

  26. reduce the permissions allowed by the API key for individual local users. It is
    27. 

  27. impossible to increase the permissions to go beyond what is allowed by the API
    28. 

  28. key.
    29. 

  29. 

  30. In this model, cross-cluster operations use <<remote_cluster.port,a dedicated
    31. 

  31. server port>> (remote cluster interface) for communication between clusters. A
    32. 

  32. remote cluster must enable this port for local clusters to connect. Configure
    33. 

  33. Transport Layer Security (TLS) for this port to maximize security (as explained
    34. 

  34. in <<remote-clusters-security-api-key>>).
    35. 

  35. 

  36. The local cluster must trust the remote cluster on the remote cluster interface.
    37. 

  37. This means that the local cluster trusts the remote cluster's certificate
    38. 

  38. authority (CA) that signs the server certificate used by the remote cluster
    39. 

  39. interface. When establishing a connection, all nodes from the local cluster that
    40. 

  40. participate in cross-cluster communication verify certificates from nodes on the
    41. 

  41. other side, based on the TLS trust configuration.
    42. 

  42. 

  43. To add a remote cluster using API key authentication:
    44. 

  44. 

  45. . <<remote-clusters-prerequisites-api-key,Review the prerequisites>>
    46. 

  46. . <<remote-clusters-security-api-key>>
    47. 

  47. . <<remote-clusters-connect-api-key>>
    48. 

  48. . <<remote-clusters-privileges-api-key>>
    49. 

  49. 

  50. If you run into any issues, refer to <<remote-clusters-troubleshooting>>.
    51. 

  51. 

  52. [[remote-clusters-prerequisites-api-key]]
    53. 

  53. ==== Prerequisites
    54. 

  54. 

  55. * The {es} security features need to be enabled on both clusters, on every node.
    56. 

  56. Security is enabled by default. If it's disabled, set `xpack.security.enabled`
    57. 

  57. to `true` in `elasticsearch.yml`. Refer to <<general-security-settings>>.
    58. 

  58. * The nodes of the local and remote clusters must be on version 8.10 or later.
    59. 

  59. * The local and remote clusters must have an appropriate license. For more
    60. 

  60. information, refer to https://www.elastic.co/subscriptions.
    61. 

  61. 

  62. [[remote-clusters-security-api-key]]
    63. 

  63. ==== Establish trust with a remote cluster
    64. 

  64. 

  65. ===== On the remote cluster
    66. 

  66. 

  67. // tag::remote-cluster-steps[]
    68. 

  68. . Enable the remote cluster server on every node of the remote cluster. In
    69. 

  69. `elasticsearch.yml`:
    70. 

  70. .. Set <<remote-cluster-network-settings,`remote_cluster_server.enabled`>> to
    71. 

  71. `true`.
    72. 

  72. .. Configure the bind and publish address for remote cluster server traffic, for
    73. 

  73. example using <<remote-cluster-network-settings,`remote_cluster.host`>>. Without
    74. 

  74. configuring the address, remote cluster traffic may be bound to the local
    75. 

  75. interface, and remote clusters running on other machines can't connect.
    76. 

  76. .. Optionally, configure the remote server port using
    77. 

  77. <<remote_cluster.port,`remote_cluster.port`>> (defaults to `9443`).
    78. 

  78. . Next, generate a certificate authority (CA) and a server certificate/key pair.
    79. 

  79. On one of the nodes of the remote cluster, from the directory where {es} has
    80. 

  80. been installed:
    81. 

  81. 

  82. .. Create a CA, if you don't have a CA already:
    83. 

  83. +
    84. 

  84. [source,sh]
    85. 

  85. ----
    86. 

  86. ./bin/elasticsearch-certutil ca --pem --out=cross-cluster-ca.zip --pass CA_PASSWORD
    87. 

  87. ----
    88. 

  88. +
    89. 

  89. Replace `CA_PASSWORD` with the password you want to use for the CA. You can
    90. 

  90. remove the `--pass` option and its argument if you are not deploying to a
    91. 

  91. production environment.
    92. 

  92. 

  93. .. Unzip the generated `cross-cluster-ca.zip` file. This compressed file
    94. 

  94. contains the following content:
    95. 

  95. +
    96. 

  96. [source,txt]
    97. 

  97. ----
    98. 

  98. /ca
    99. 

  99. |_ ca.crt
    100. 

  100. |_ ca.key
    101. 

  101. ----
    102. 

  102. 

  103. .. Generate a certificate and private key pair for the nodes in the remote
    104. 

  104. cluster:
    105. 

  105. +
    106. 

  106. [source,sh]
    107. 

  107. ----
    108. 

  108. ./bin/elasticsearch-certutil cert --out=cross-cluster.p12 --pass=CERT_PASSWORD --ca-cert=ca/ca.crt --ca-key=ca/ca.key --ca-pass=CA_PASSWORD --dns=example.com --ip=127.0.0.1
    109. 

  109. ----
    110. 

  110. +
    111. 

  111. * Replace `CA_PASSWORD` with the CA password from the previous step.
    112. 

  112. * Replace `CERT_PASSWORD` with the password you want to use for the generated
    113. 

  113. private key.
    114. 

  114. * Use the `--dns` option to specify the relevant DNS name for the certificate.
    115. 

  115. You can specify it multiple times for multiple DNS.
    116. 

  116. * Use the `--ip` option to specify the relevant IP address for the certificate.
    117. 

  117. You can specify it multiple times for multiple IP addresses.
    118. 

  118. 

  119. .. If the remote cluster has multiple nodes, you can either:
    120. 

  120. +
    121. 

  121. * create a single wildcard certificate for all nodes;
    122. 

  122. * or, create separate certificates for each node either manually or in batch
    123. 

  123. with the <<certutil-silent,silent mode>>.
    124. 

  124. 

  125. . On every node of the remote cluster:
    126. 

  126. .. Copy the `cross-cluster.p12` file from the earlier step to the `config`
    127. 

  127. directory. If you didn't create a wildcard certificate, make sure you copy the
    128. 

  128. correct node-specific p12 file.
    129. 

  129. .. Add following configuration to `elasticsearch.yml`:
    130. 

  130. +
    131. 

  131. [source,yaml]
    132. 

  132. ----
    133. 

  133. xpack.security.remote_cluster_server.ssl.enabled: true
    134. 

  134. xpack.security.remote_cluster_server.ssl.keystore.path: cross-cluster.p12
    135. 

  135. ----
    136. 

  136. 

  137. .. Add the SSL keystore password to the {es} keystore:
    138. 

  138. +
    139. 

  139. [source,sh]
    140. 

  140. ----
    141. 

  141. ./bin/elasticsearch-keystore add xpack.security.remote_cluster_server.ssl.keystore.secure_password
    142. 

  142. ----
    143. 

  143. +
    144. 

  144. When prompted, enter the `CERT_PASSWORD` from the earlier step.
    145. 

  145. 

  146. . Restart the remote cluster.
    147. 

  147. 

  148. . On the remote cluster, generate a cross-cluster API key that provides access
    149. 

  149. to the indices you want to use for {ccs} or {ccr}. You can use the
    150. 

  150. <<security-api-create-cross-cluster-api-key>> API or
    151. 

  151. {kibana-ref}/api-keys.html[Kibana].
    152. 

  152. 

  153. . Copy the encoded key (`encoded` in the response) to a safe location. You will
    154. 

  154. need it to connect to the remote cluster later.
    155. 

  155. // end::remote-cluster-steps[]
    156. 

  156. 

  157. ===== On the local cluster
    158. 

  158. 

  159. // tag::local-cluster-steps[]
    160. 

  160. . On every node of the local cluster:
    161. 

  161. 

  162. .. Copy the `ca.crt` file generated on the remote cluster earlier into the
    163. 

  163. `config` directory, renaming the file `remote-cluster-ca.crt`.
    164. 

  164. 

  165. .. Add following configuration to `elasticsearch.yml`:
    166. 

  166. +
    167. 

  167. [source,yaml]
    168. 

  168. ----
    169. 

  169. xpack.security.remote_cluster_client.ssl.enabled: true
    170. 

  170. xpack.security.remote_cluster_client.ssl.certificate_authorities: [ "remote-cluster-ca.crt" ]
    171. 

  171. ----
    172. 

  172. // end::local-cluster-steps[]
    173. 

  173. 

  174. .. Add the cross-cluster API key, created on the remote cluster earlier, to the
    175. 

  175. keystore:
    176. 

  176. +
    177. 

  177. [source,sh]
    178. 

  178. ----
    179. 

  179. ./bin/elasticsearch-keystore add cluster.remote.ALIAS.credentials
    180. 

  180. ----
    181. 

  181. +
    182. 

  182. Replace `ALIAS` with the same name that you will use to create the remote cluster entry
    183. 

  183. later. When prompted, enter the encoded cross-cluster API key created on the
    184. 

  184. remote cluster earlier.
    185. 

  185. 

  186. . Restart the local cluster to load changes to the keystore and settings.
    187. 

  187. 

  188. **Note:** If you are configuring only the cross-cluster API key, you can call the <<cluster-nodes-reload-secure-settings>> API, instead of restarting the cluster.
    189. 

  189. Configuring the `remote_cluster_client` settings in `elasticsearch.yml` still requires a restart.
    190. 

  190. 

  191. [[remote-clusters-connect-api-key]]
    192. 

  192. ==== Connect to a remote cluster
    193. 

  193. 

  194. :trust-mechanism: api-key
    195. 

  195. include::remote-clusters-connect.asciidoc[]
    196. 

  196. :!trust-mechanism:
    197. 

  197. 

  198. include::{es-repo-dir}/security/authentication/remote-clusters-privileges-api-key.asciidoc[leveloffset=+1]
    199.