Docs for hot-reloadable remote cluster credentials (#105483)

Docs PR to accompany
https://github.com/elastic/elasticsearch/pull/103215.

Resolves: ES-7625
Nikolaj Volgushev 2024-02-15 12:02:13 +01:00 committed by GitHub
parent ac2e54d56e
commit e241a91a4e
GPG key ID: B5690EEEBB952194
5 changed files with 37 additions and 33 deletions

@ -183,7 +183,10 @@ Replace `ALIAS` with the same name that you will use to create the remote cluste
later. When prompted, enter the encoded cross-cluster API key created on the later. When prompted, enter the encoded cross-cluster API key created on the
remote cluster earlier. remote cluster earlier.
. Restart the local cluster to load the keystore change. . Restart the local cluster to load changes to the keystore and settings.
**Note:** If you are configuring only the cross-cluster API key, you can call the <<cluster-nodes-reload-secure-settings>> API, instead of restarting the cluster.
Configuring the `remote_cluster_client` settings in `elasticsearch.yml` still requires a restart.
[[remote-clusters-connect-api-key]] [[remote-clusters-connect-api-key]]
==== Connect to a remote cluster ==== Connect to a remote cluster
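
Review bot: The added `**Note:**` line directly follows the `. Restart the local cluster ...` step with no blank line or list continuation, so it is read as part of that step's paragraph and renders as bold inline text rather than as an admonition. The rest of the file uses AsciiDoc conventions, so attach it to the step with a `+` continuation line and use the `NOTE:` admonition form. The comma before "instead of restarting the cluster" can also go, and "the `remote_cluster_client` settings" would be clearer with the full setting names the reader has to edit in `elasticsearch.yml`.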

@ -123,7 +123,7 @@ created on the remote cluster earlier.
. If you've dynamically configured the remote cluster (via the cluster settings . If you've dynamically configured the remote cluster (via the cluster settings
API): API):
.. Restart the local cluster to load changes to the keystore. .. Restart the local cluster to load changes to the keystore and settings.
.. Re-add the remote cluster. Use the same remote cluster alias, and change the .. Re-add the remote cluster. Use the same remote cluster alias, and change the
transport port into the remote cluster port. For example: transport port into the remote cluster port. For example:
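
Review bot: The reworded step `.. Restart the local cluster to load changes to the keystore and settings.` does not say which settings are meant, and it sits under "If you've dynamically configured the remote cluster (via the cluster settings API)", where the reader may have changed nothing but the keystore. The note added to the API key guide in this same commit says a call to <<cluster-nodes-reload-secure-settings>> is enough when only the cross-cluster API key is configured. Either mention that option here as well or name the settings that make a restart necessary in this path, so the two pages do not give different advice for the same change.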

@ -65,7 +65,8 @@ mode are described separately.
is used as the fallback setting. is used as the fallback setting.
`cluster.remote.<cluster_alias>.credentials` (<<secure-settings,Secure>>):: `cluster.remote.<cluster_alias>.credentials` (<<secure-settings,Secure>>, <<reloadable-secure-settings,Reloadable>>)::
[[remote-cluster-credentials-setting]]
beta:[] beta:[]
Per cluster setting for configuring <<remote-clusters-api-key,remote clusters with the API Key based model>>. Per cluster setting for configuring <<remote-clusters-api-key,remote clusters with the API Key based model>>.
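
Review bot: The new anchor `[[remote-cluster-credentials-setting]]` is placed after the term line `cluster.remote.<cluster_alias>.credentials ...::` and before `beta:[]`, while the other anchors visible in this diff sit on the line before the element they name. Please confirm in a docs build that the cross-reference added to the reloadable secure settings list resolves and lands on the term itself, or move the anchor above the term line to match.
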
@ -75,6 +76,8 @@ beta:[]
The presence (or not) of this setting determines which model a remote cluster uses. The presence (or not) of this setting determines which model a remote cluster uses.
If present, the remote cluster uses the API key based model. If present, the remote cluster uses the API key based model.
Otherwise, it uses the certificate based model. Otherwise, it uses the certificate based model.
If the setting is added, removed, or updated in the <<secure-settings,{es} keystore>> and reloaded via the
<<cluster-nodes-reload-secure-settings>> API, the cluster will automatically rebuild its connection to the remote.
[[remote-cluster-sniff-settings]] [[remote-cluster-sniff-settings]]
==== Sniff mode remote cluster settings ==== Sniff mode remote cluster settings
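
Review bot: The added sentence covers "added, removed, or updated" in one breath, but the lines just above it say that the presence of this setting selects the security model and that without it the remote uses the certificate based model. Removing the credential and reloading therefore changes the trust model of a live connection, not only its key, and that deserves its own sentence. It would also help to state what happens to cross-cluster requests that are in flight while the connection is rebuilt.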

@ -275,7 +275,7 @@ This does not show up in the logs of the remote cluster.
====== Resolution ====== Resolution
Add the cross-cluster API key to {es} keystore on every node of the local Add the cross-cluster API key to {es} keystore on every node of the local
cluster. Restart the local cluster to reload the keystore. cluster. Use the <<cluster-nodes-reload-secure-settings>> API to reload the keystore.
[[remote-clusters-troubleshooting-wrong-api-key-type]] [[remote-clusters-troubleshooting-wrong-api-key-type]]
===== Using the wrong API key type ===== Using the wrong API key type
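
Review bot: In the Resolution text, "Add the cross-cluster API key to {es} keystore on every node of the local cluster. Use the <<cluster-nodes-reload-secure-settings>> API to reload the keystore." leaves the ordering implicit. With a restart the sequence was obvious; with a reload call, a reader could issue it before the last node's keystore has been updated. Suggest wording such as "After the keystore has been updated on every node, use the ... API to reload it."
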
@ -302,8 +302,7 @@ This does not show up in the logs of the remote cluster.
Ask the remote cluster administrator to create and distribute a Ask the remote cluster administrator to create and distribute a
<<security-api-create-cross-cluster-api-key,cross-cluster API key>>. Replace the <<security-api-create-cross-cluster-api-key,cross-cluster API key>>. Replace the
existing API key in the {es} keystore with this cross-cluster API key on every existing API key in the {es} keystore with this cross-cluster API key on every
node of the local cluster. Restart the local cluster for keystore changes to node of the local cluster. Use the <<cluster-nodes-reload-secure-settings>> API to reload the keystore.
take effect.
[[remote-clusters-troubleshooting-non-valid-api-key]] [[remote-clusters-troubleshooting-non-valid-api-key]]
===== Invalid API key ===== Invalid API key
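
Review bot: The replaced text ended with "for keystore changes to take effect", and the new sentence only says "to reload the keystore", so the reader is no longer told what the reload achieves. The settings reference changed in this commit states that the cluster automatically rebuilds its connection to the remote after a reload. Repeating or linking that here would tell the reader that no restart or re-add of the remote cluster is needed once the key is replaced.
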
@ -334,8 +333,7 @@ The remote cluster logs `Authentication using apikey failed`:
Ask the remote cluster administrator to create and distribute a Ask the remote cluster administrator to create and distribute a
<<security-api-create-cross-cluster-api-key,cross-cluster API key>>. Replace the <<security-api-create-cross-cluster-api-key,cross-cluster API key>>. Replace the
existing API key in the {es} keystore with this cross-cluster API key on every existing API key in the {es} keystore with this cross-cluster API key on every
node of the local cluster. Restart the local cluster for keystore changes to node of the local cluster. Use the <<cluster-nodes-reload-secure-settings>> API to reload the keystore.
take effect.
[[remote-clusters-troubleshooting-insufficient-privileges]] [[remote-clusters-troubleshooting-insufficient-privileges]]
===== API key or local user has insufficient privileges ===== API key or local user has insufficient privileges
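
Review bot: This resolution now ends at the reload call without a way to confirm the fix. The section context in the hunk header says the remote cluster logs `Authentication using apikey failed`, so a closing sentence telling the reader to check that this message stops appearing on the remote after the reload would make the troubleshooting step complete.
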
@ -366,8 +364,7 @@ This does not show up in any logs.
create and distribute a create and distribute a
<<security-api-create-cross-cluster-api-key,cross-cluster API key>>. Replace the <<security-api-create-cross-cluster-api-key,cross-cluster API key>>. Replace the
existing API key in the {es} keystore with this cross-cluster API key on every existing API key in the {es} keystore with this cross-cluster API key on every
node of the local cluster. Restart the local cluster for keystore changes to node of the local cluster. Use the <<cluster-nodes-reload-secure-settings>> API to reload the keystore.
take effect.
[[remote-clusters-troubleshooting-no-remote_indices-privileges]] [[remote-clusters-troubleshooting-no-remote_indices-privileges]]
===== Local user has no `remote_indices` privileges ===== Local user has no `remote_indices` privileges
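
Review bot: Style point on the replaced line: "node of the local cluster. Use the <<cluster-nodes-reload-secure-settings>> API to reload the keystore." runs well past the wrap width of the surrounding lines, which break at roughly 80 columns. Rewrap it to match; the same applies to the identical line in the two preceding hunks of this file.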

@ -64,3 +64,4 @@ There are reloadable secure settings for:
* <<ref-jwt-settings, JWT realm>> * <<ref-jwt-settings, JWT realm>>
* <<ref-ad-settings, Active Directory realm>> * <<ref-ad-settings, Active Directory realm>>
* <<ref-ldap-settings, LDAP realm>> * <<ref-ldap-settings, LDAP realm>>
* <<remote-cluster-credentials-setting, Remote cluster credentials for the API key based security model>>
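
Review bot: The new list entry's link text, "Remote cluster credentials for the API key based security model", is much longer than its neighbours ("JWT realm", "Active Directory realm", "LDAP realm"), which name only the feature. Something like "Remote cluster credentials" would match the list, with the model detail left to the target page. This entry also depends on the `[[remote-cluster-credentials-setting]]` anchor added in the settings file of this commit, so the two changes need to land together.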