mirror of
https://github.com/elastic/elasticsearch.git
synced 2025-04-25 07:37:19 -04:00
6940673e8a
* [DOCS] Update remote cluster docs * Add files, rename files, write new stuff * Plethora of changes * Add test and update snippets * Redirects, moved files, and test updates * Moved file to x-pack for tests * Remove older CCS page and add redirects * Cleanup, link updates, and some rewrites * Update image * Incorporating user feedback and rewriting much of the remote clusters page * More changes from review feedback * Numerous updates, including request examples for CCS and Kibana * More changes from review feedback * Minor clarifications on security for remote clusters * Incorporate review feedback Co-authored-by: Yang Wang <ywangd@gmail.com> * Some review feedback and some editorial changes Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> Co-authored-by: Yang Wang <ywangd@gmail.com>
50 lines
No EOL
2.6 KiB
Text
50 lines
No EOL
2.6 KiB
Text
[[remote-clusters-security]]
|
||
=== Configure remote clusters with security
|
||
To use {ccr} or {ccs} safely with remote clusters, enable security on all
|
||
connected clusters and configure Transport Layer Security (TLS) on every node.
|
||
Configuring TLS security on the transport interface is minimally required for
|
||
remote clusters. For additional security, configure TLS on the
|
||
<<security-basic-setup-https,HTTP interface>> as well.
|
||
|
||
All connected clusters must trust one another and be mutually authenticated
|
||
with TLS on the transport interface. This means that the local cluster
|
||
trusts the certificate authority (CA) of the remote cluster, and the remote
|
||
cluster trusts the CA of the local cluster. When establishing a connection, all
|
||
nodes will verify certificates from nodes on the other side. This mutual trust
|
||
is required to securely connect a remote cluster, because all connected nodes
|
||
effectively form a single security domain.
|
||
|
||
User authentication is performed on the local cluster and the user and user’s
|
||
roles names are passed to the remote clusters. A remote cluster checks the user’s
|
||
role names against its local role definitions to determine which indices the user is
|
||
allowed to access.
|
||
|
||
Before using {ccr} or {ccs} with secured {es} clusters, complete the following
|
||
configuration tasks:
|
||
|
||
. Enable the {es} {security-features} on every node in each connected cluster by
|
||
setting `xpack.security.enabled` to `true` in `elasticsearch.yml`. Refer to the
|
||
<<general-security-settings,{es} security settings>>.
|
||
|
||
. Configure Transport Layer Security (TLS) on every node to encrypt internode
|
||
traffic and authenticate nodes in the local cluster with nodes in all remote
|
||
clusters. Refer to
|
||
<<security-basic-setup,set up basic security for the {stack}>> for the required
|
||
steps to configure security.
|
||
+
|
||
NOTE: This procedure uses the same CA to generate certificates for all nodes.
|
||
Alternatively, you can add the certificates from the local cluster as a
|
||
trusted CA in each remote cluster. You must also add the certificates from
|
||
remote clusters as a trusted CA on the local cluster. Using the same CA to
|
||
generate certificates for all nodes simplifies this task.
|
||
|
||
After enabling and configuring security, you can
|
||
<<remote-clusters-connect,connect remote clusters>> from a local cluster.
|
||
|
||
With your clusters connected, you'll need to
|
||
<<remote-clusters-privileges,configure users and privileges>> on both the local
|
||
and remote clusters.
|
||
|
||
If you're configuring a remote cluster for {ccr}, you need to
|
||
<<ccr-getting-started-follower-index,configure a follower index>> on your local
|
||
cluster to replicate the leader index on a remote cluster. |