[DOCS] Update remote cluster docs #77043
Conversation
|
Pinging @elastic/es-docs (Team:Docs) |
|
Pinging @elastic/es-distributed (Team:Distributed) |
|
Pinging @elastic/es-security (Team:Security) |
|
@elasticmachine update branch |
There was a problem hiding this comment.
Thanks for working on this topic, Adam. Some (many?) of the comments are probably on existing texts which you just moved around. I am OK if you prefer to skip them for this PR and have them addressed in follow-ups.
I think one major thing we'd like to achieve with this PR is to make the help docs read more logically and connected for the remote cluster and features enabled by it. Hence the order of introducing each concept is important. It seems to me that we should start with "brief intro of remote cluster, what are they and relevant concept", then "configuring security for cluster connection", including both TLS setup and enabling xpack.security.enabled. This is then followed by "configuring remote clusters with Cluster Settings update API etc", then "configuring individual privileges" for CCR and CCS.
It's also worthwhile to have a few sentences to briefly talk about the main security limitation of remote clusters, i.e. they are effectively one security domain and you cannot restrict user's access purely from the remote cluster. Similar questions have been asked and answered many times previously. So I think it's helpful to clear user confusions.
docs/reference/modules/cluster/remote-clusters-connect.asciidoc
Outdated
Show resolved
Hide resolved
docs/reference/modules/cluster/remote-clusters-connect.asciidoc
Outdated
Show resolved
Hide resolved
docs/reference/modules/cluster/remote-clusters-connect.asciidoc
Outdated
Show resolved
Hide resolved
docs/reference/modules/cluster/remote-clusters-settings.asciidoc
Outdated
Show resolved
Hide resolved
x-pack/docs/en/security/ccs-clients-integrations/index.asciidoc
Outdated
Show resolved
Hide resolved
| On the remote cluster that contains the leader index, the `ccr_user` requires | ||
| the `read_ccr` cluster privilege, and `monitor` and `read` privileges on the | ||
| leader index. |
There was a problem hiding this comment.
I raised #61308 as a bug for CCR privileges a while back. Not sure if it is still valid today. I can check it later.
x-pack/docs/en/security/authentication/remote-clusters-privileges.asciidoc
Outdated
Show resolved
Hide resolved
|
@elasticmachine update branch |
|
@elasticmachine update branch |
docs/reference/modules/cluster/remote-clusters-security.asciidoc
Outdated
Show resolved
Hide resolved
docs/reference/modules/cluster/remote-clusters-security.asciidoc
Outdated
Show resolved
Hide resolved
docs/reference/modules/cluster/remote-clusters-connect.asciidoc
Outdated
Show resolved
Hide resolved
docs/reference/modules/cluster/remote-clusters-connect.asciidoc
Outdated
Show resolved
Hide resolved
docs/reference/modules/cluster/remote-clusters-connect.asciidoc
Outdated
Show resolved
Hide resolved
x-pack/docs/en/security/authentication/remote-clusters-privileges.asciidoc
Outdated
Show resolved
Hide resolved
|
@elasticmachine update branch |
| clusters. Furthermore, a local user with administrative privileges at the | ||
| operating system level can alter `elasticsearch.yml`. A malicious user with | ||
| these privileges has potential access to private keys that could give them the | ||
| ability to take over a remote cluster. To use {ccr} and {ccs} safely, |
There was a problem hiding this comment.
It still does not read straightforward to me because it seems to suggest "alter elasticsearch.yml" is a reason for having "potential access to private keys". But these two things are separate. Maybe it's just me? I'd suggest the following change:
| clusters. Furthermore, a local user with administrative privileges at the | |
| operating system level can alter `elasticsearch.yml`. A malicious user with | |
| these privileges has potential access to private keys that could give them the | |
| ability to take over a remote cluster. To use {ccr} and {ccs} safely, | |
| clusters. Furthermore, a local administrator at the operating system level with sufficient access | |
| to Elasticsearch config files and private keys can potentially take over a remote cluster. To use {ccr} and {ccs} safely, |
Also, I wonder whether we should take this sentence out from here because Enabing security at the Elasticsearch level does not help mitigating this threat. I think we can move it to the end of this paragraph after we finishing talking about ES level security first, something like:
Enabling and configuring security is important on both local and remote clusters. When connecting a local cluster to remote clusters, an Elasticsearch superuser (such as the elastic user) gains total read access to the remote clusters. To use cross-cluster replication and cross-cluster search safely, enable security on all connected clusters and configure Transport Layer Security (TLS) on at least the transport level on every node. Furthermore, a local administrator at the operating system level with sufficient access to Elasticsearch config files and private keys can potentially take over a remote cluster. Therefore you should treat the operating system level security for both clusters with equal importance.
I added the sentence in bold as a very generic advice for OS level security. Otherwise, it feels that we raise an issue without offering any recommendation. Please feel free to paraphrase.
There was a problem hiding this comment.
I split this information into two paragraphs:
Enabling and configuring security is important on both local and remote
clusters. When connecting a local cluster to remote clusters, an {es} superuser
(such as theelasticuser) on the local cluster gains total read access to the
remote clusters. To use {ccr} and {ccs} safely,
<<remote-clusters-security,enable security>> on all connected clusters
and configure Transport Layer Security (TLS) on at least the transport level on
every node.Furthermore, a local administrator at the operating system level
with sufficient access to {es} configuration files and private keys can
potentially take over a remote cluster. Ensure that your security strategy
includes securing local and remote clusters at the operating system level.
docs/reference/modules/cluster/remote-clusters-security.asciidoc
Outdated
Show resolved
Hide resolved
docs/reference/modules/cluster/remote-clusters-security.asciidoc
Outdated
Show resolved
Hide resolved
docs/reference/modules/cluster/remote-clusters-security.asciidoc
Outdated
Show resolved
Hide resolved
docs/reference/modules/cluster/remote-clusters-connect.asciidoc
Outdated
Show resolved
Hide resolved
| to add a remote cluster. You can also use this API to | ||
| <<configure-remote-clusters-dynamic,apply and update>> settings across the | ||
| entire remote cluster. To configure settings on individual nodes in a remote | ||
| cluster, define | ||
| <<configure-remote-clusters-static,static settings>> in `elasticsearch.yml`. |
There was a problem hiding this comment.
This still reads funny to me. I think what we want to say is:
| to add a remote cluster. You can also use this API to | |
| <<configure-remote-clusters-dynamic,apply and update>> settings across the | |
| entire remote cluster. To configure settings on individual nodes in a remote | |
| cluster, define | |
| <<configure-remote-clusters-static,static settings>> in `elasticsearch.yml`. | |
| to add a remote cluster. You use this API to dynamically | |
| <<configure-remote-clusters-dynamic,configure remote clusters>> for every node | |
| in the local cluster. To configure remote clusters for an individual node of the local cluster, | |
| define <<configure-remote-clusters-static,static settings>> in the node's `elasticsearch.yml`. |
There was a problem hiding this comment.
I'll change this to read:
Alternatively, use the <<cluster-update-settings,cluster update settings API>>
to add a remote cluster. You use this API to dynamically
<<configure-remote-clusters-dynamic,configure remote clusters>> for every node
in the local cluster. To configure remote clusters for individual nodes in the
local cluster, define <<configure-remote-clusters-static,static settings>> inelasticsearch.ymlfor each node.
docs/reference/modules/cluster/remote-clusters-connect.asciidoc
Outdated
Show resolved
Hide resolved
x-pack/docs/en/security/authentication/remote-clusters-privileges.asciidoc
Outdated
Show resolved
Hide resolved
x-pack/docs/en/security/authentication/remote-clusters-privileges.asciidoc
Outdated
Show resolved
Hide resolved
Co-authored-by: Yang Wang <ywangd@gmail.com>
|
@elasticmachine update branch |
💔 Backport failed
You can use sqren/backport to manually backport by running |
* [DOCS] Update remote cluster docs * Add files, rename files, write new stuff * Plethora of changes * Add test and update snippets * Redirects, moved files, and test updates * Moved file to x-pack for tests * Remove older CCS page and add redirects * Cleanup, link updates, and some rewrites * Update image * Incorporating user feedback and rewriting much of the remote clusters page * More changes from review feedback * Numerous updates, including request examples for CCS and Kibana * More changes from review feedback * Minor clarifications on security for remote clusters * Incorporate review feedback Co-authored-by: Yang Wang <ywangd@gmail.com> * Some review feedback and some editorial changes Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> Co-authored-by: Yang Wang <ywangd@gmail.com> # Conflicts: # docs/reference/modules/network.asciidoc # docs/reference/modules/remote-clusters.asciidoc # x-pack/docs/en/security/ccs-clients-integrations/cross-cluster.asciidoc # x-pack/docs/en/security/ccs-clients-integrations/index.asciidoc Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
* [DOCS] Update remote cluster docs (#77043) (#78212) * [DOCS] Update remote cluster docs * Add files, rename files, write new stuff * Plethora of changes * Add test and update snippets * Redirects, moved files, and test updates * Moved file to x-pack for tests * Remove older CCS page and add redirects * Cleanup, link updates, and some rewrites * Update image * Incorporating user feedback and rewriting much of the remote clusters page * More changes from review feedback * Numerous updates, including request examples for CCS and Kibana * More changes from review feedback * Minor clarifications on security for remote clusters * Incorporate review feedback Co-authored-by: Yang Wang <ywangd@gmail.com> * Some review feedback and some editorial changes Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> Co-authored-by: Yang Wang <ywangd@gmail.com> # Conflicts: # docs/reference/modules/network.asciidoc # docs/reference/modules/remote-clusters.asciidoc # x-pack/docs/en/security/ccs-clients-integrations/cross-cluster.asciidoc # x-pack/docs/en/security/ccs-clients-integrations/index.asciidoc Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> # Conflicts: # docs/reference/redirects.asciidoc * Remove link not applicable in redirects * Updating redirects * Actually updating redirects in the real file this time * Adding missing java client link Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
This PR seeks to pull out CCR and CCS information that relates to using those features and integrate it as part of configuring remote clusters. This PR includes the following changes (and more):
Preview links
Remote clusters
Closes #40724
Relates to #72841