
[DOCS][ESQL][8.14] Add API key based security model info for ESQL CCS #109155

Merged (9 commits) on Jun 3, 2024
15 changes: 9 additions & 6 deletions docs/reference/esql/esql-across-clusters.asciidoc
Expand Up @@ -59,28 +59,31 @@ The following example API call creates a role that can query remote indices usin
----
POST /_security/role/remote1
{
"cluster": ["cross_cluster_search"], <2>
"indices": [
{
"names" : [""], <2>
"names" : [""], <3>
"privileges": ["read"]
}
],
"remote_indices": [ <3>
"remote_indices": [ <4>
{
"names": [ "logs-*" ],
"privileges": [ "read","read_cross_cluster" ], <1>
"clusters" : ["my_remote_cluster"] <4>
"clusters" : ["my_remote_cluster"] <5>
}
]
}
----

<1> The `read_cross_cluster` privilege is always required when using {esql} across clusters with the API key based security model.
<2> Typically, users will have permissions to read both local and remote indices. However, for cases where the role is intended to ONLY search the remote cluster, the `read` permission is still required for the local cluster. To provide read access to the local cluster, but disallow reading any indices in the local cluster, the `names` field may be an empty string.
<3> The indices allowed read access to the remote cluster. The configured <<security-api-create-cross-cluster-api-key,cross-cluster API key>> must also allow this index to be read.
<4> The remote clusters to which these privileges apply. This remote cluster must be configured with a <<security-api-create-cross-cluster-api-key,cross-cluster API key>> and connected to the remote cluster before the remote index can be queried.
<2> The `cross_cluster_search` cluster privilege is also required.
<3> Typically, users will have permissions to read both local and remote indices. However, for cases where the role is intended to ONLY search the remote cluster, the `read` permission is still required for the local cluster. To provide read access to the local cluster, but disallow reading any indices in the local cluster, the `names` field may be an empty string.
<4> The indices allowed read access to the remote cluster. The configured <<security-api-create-cross-cluster-api-key,cross-cluster API key>> must also allow this index to be read.
<5> The remote clusters to which these privileges apply. This remote cluster must be configured with a <<security-api-create-cross-cluster-api-key,cross-cluster API key>> and connected to the remote cluster before the remote index can be queried.
Verify connection using the <<cluster-remote-info, Remote cluster info>> API.


[discrete]
[[ccq-remote-cluster-setup]]
==== Remote cluster setup
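Review bot: the callout numbers in the role body no longer follow the listing order. Read top to bottom they now run <2>, <3>, <4>, <1>, <5>, because the new `"cluster": ["cross_cluster_search"]` line takes <2> while `read_cross_cluster` keeps <1> further down. Consider renumbering so the callouts ascend with the snippet, or reword the new <2> text so that "is also required" does not depend on being read after <1>; as written, a reader who meets <2> first in the JSON has no antecedent for "also". While these lines are being touched, the <5> text ("This remote cluster must be configured with a cross-cluster API key and connected to the remote cluster") reads as circular and could say which cluster holds the key and which one makes the connection.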