elasticsearch icon indicating copy to clipboard operation
elasticsearch copied to clipboard

Published 20 hours ago verified publisher icon elastic

[DOCS] Update "remote clusters" docs & security

Open tvernum opened this issue 4 years ago • 7 comments

Our current docs around CCS/CCR with security are pretty limited, and can be hard to read. Given most usage of CCS/CCR is likely to be using security (and therefore SSL), it would be more helpful for users if these docs explained the security setup more clearly.

Current Issues

  • The security docs don't mention API Keys, but API Keys have a different security model than Users (API Keys don't have roles), and that affects how CCS/CCR security works.

Resolved issues:

  1. ~The setup docs for remote clusters don't mention TLS except in the tiny section on SNI, but (for on prem) setting up TLS trust between clusters is important and requires some explanation.~
  2. ~Those docs also don't link to the CCS security docs.~
  3. ~The security docs only refer to CCS and not CCR. It would be helpful to at least mention that this applies to CCR as well (and talk about permissions for CCR).~
  4. ~The security docs don't mention that if the request is issued with run-as, the authenticating user needs to have the run-as privilege on the remote cluster.~
  5. ~The docs don't mention Service Accounts which do not have roles, only privileges.~ (We need to decide whether we support CCS/CCR for Service Account)

We might need to tackle those items one-by-one.

tvernum avatar May 07 '21 07:05 tvernum

Pinging @elastic/es-docs (Team:Docs)

elasticmachine avatar May 07 '21 07:05 elasticmachine

Pinging @elastic/es-distributed (Team:Distributed)

elasticmachine avatar May 07 '21 07:05 elasticmachine

Pinging @elastic/es-security (Team:Security)

elasticmachine avatar May 07 '21 07:05 elasticmachine

Related : https://github.com/elastic/elasticsearch/issues/40724

tvernum avatar May 14 '21 01:05 tvernum

@tvernum, I think that #77043 covers all of the points that you outlined, which the exception of API keys. I think that we should handle that item separately.

lockewritesdocs avatar Sep 09 '21 17:09 lockewritesdocs

@tvernum, the updated remote cluster docs cover the items listed in this issue, with the exception of API keys:

The security docs don't mention API Keys, but API Keys have a different security model than Users (API Keys don't have roles), and that affects how CCS/CCR security works.

Do you want to cross off the items except for API keys and have this issue focus on that remaining piece of work for CCR/CCS?

Additionally, there's also #70702, which seeks to provide an introduction to API keys and explain how they work in greater detail. It's tangential to this work, but is its own initiative.

lockewritesdocs avatar Oct 04 '21 12:10 lockewritesdocs

I'm removing the CCR label because we think the @elastic/es-security team is in a better position to move forward this issue.

tlrx avatar Aug 09 '22 10:08 tlrx

Given that #70702 covers the work for writing about API keys and that the security model for CCR and CCS is changing, I'm going to mark this issue as closed.

lockewritesdocs avatar Aug 15 '22 21:08 lockewritesdocs