Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[DOCS] Update "remote clusters" docs & security #72841

Closed
tvernum opened this issue May 7, 2021 · 8 comments
Closed

[DOCS] Update "remote clusters" docs & security #72841

tvernum opened this issue May 7, 2021 · 8 comments
Labels
>docs General docs changes >enhancement :Security/Security Security issues without another label Team:Docs Meta label for docs team Team:Security Meta label for security team

Comments

@tvernum
Copy link
Contributor

tvernum commented May 7, 2021
edited
Loading

Our current docs around CCS/CCR with security are pretty limited, and can be hard to read.
Given most usage of CCS/CCR is likely to be using security (and therefore SSL), it would be more helpful for users if these docs explained the security setup more clearly.

Current Issues

  • The security docs don't mention API Keys, but API Keys have a different security model than Users (API Keys don't have roles), and that affects how CCS/CCR security works.

Resolved issues:

  1. The setup docs for remote clusters don't mention TLS except in the tiny section on SNI, but (for on prem) setting up TLS trust between clusters is important and requires some explanation.
  2. Those docs also don't link to the CCS security docs.
  3. The security docs only refer to CCS and not CCR. It would be helpful to at least mention that this applies to CCR as well (and talk about permissions for CCR).
  4. The security docs don't mention that if the request is issued with run-as, the authenticating user needs to have the run-as privilege on the remote cluster.
  5. The docs don't mention Service Accounts which do not have roles, only privileges. (We need to decide whether we support CCS/CCR for Service Account)

We might need to tackle those items one-by-one.
@tvernum tvernum added >bug >docs General docs changes :Distributed/CCR Issues around the Cross Cluster State Replication features :Security/Security Security issues without another label labels May 7, 2021
@elasticmachine elasticmachine added Team:Docs Meta label for docs team Team:Distributed Meta label for distributed team Team:Security Meta label for security team labels May 7, 2021
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-docs (Team:Docs)

@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-distributed (Team:Distributed)

@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security (Team:Security)

@tvernum tvernum added >enhancement and removed >bug labels May 10, 2021
@tvernum
Copy link
Contributor Author

tvernum commented May 14, 2021

Related : #40724

@lockewritesdocs lockewritesdocs mentioned this issue Sep 3, 2021
Merged
@lockewritesdocs
Copy link
Contributor

@tvernum, I think that #77043 covers all of the points that you outlined, which the exception of API keys. I think that we should handle that item separately.

@lockewritesdocs
Copy link
Contributor

@tvernum, the updated remote cluster docs cover the items listed in this issue, with the exception of API keys:

The security docs don't mention API Keys, but API Keys have a different security model than Users (API Keys don't have roles), and that affects how CCS/CCR security works.

Do you want to cross off the items except for API keys and have this issue focus on that remaining piece of work for CCR/CCS?

Additionally, there's also #70702, which seeks to provide an introduction to API keys and explain how they work in greater detail. It's tangential to this work, but is its own initiative.

@rylnd rylnd mentioned this issue Oct 29, 2021
Closed
@pmuellr pmuellr mentioned this issue Dec 15, 2021
Closed
@debadair debadair changed the title Update "remote clusters" docs & security [DOCS] Update "remote clusters" docs & security Apr 27, 2022
@tlrx tlrx removed :Distributed/CCR Issues around the Cross Cluster State Replication features Team:Distributed Meta label for distributed team labels Aug 9, 2022
@tlrx
Copy link
Member

tlrx commented Aug 9, 2022

I'm removing the CCR label because we think the @elastic/es-security team is in a better position to move forward this issue.

@lockewritesdocs
Copy link
Contributor

Given that #70702 covers the work for writing about API keys and that the security model for CCR and CCS is changing, I'm going to mark this issue as closed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
>docs General docs changes >enhancement :Security/Security Security issues without another label Team:Docs Meta label for docs team Team:Security Meta label for security team
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@tlrx @tvernum @elasticmachine @lockewritesdocs