[DOCS] Update "remote clusters" docs & security #72841
Comments
Pinging @elastic/es-docs (Team:Docs)
Pinging @elastic/es-distributed (Team:Distributed)
Pinging @elastic/es-security (Team:Security)
Related: #40724
@tvernum, the updated remote cluster docs cover the items listed in this issue, with the exception of API keys:
Do you want to cross off the items except for API keys and have this issue focus on that remaining piece of work for CCR/CCS? Additionally, there's also #70702, which seeks to provide an introduction to API keys and explain how they work in greater detail. It's tangential to this work, but is its own initiative.
I'm removing the CCR label because we think the @elastic/es-security team is in a better position to move this issue forward.
Given that #70702 covers the work for writing about API keys and that the security model for CCR and CCS is changing, I'm going to mark this issue as closed.
Our current docs around CCS/CCR with security are pretty limited, and can be hard to read.
Given most usage of CCS/CCR is likely to be using security (and therefore SSL), it would be more helpful for users if these docs explained the security setup more clearly.
Current Issues
Resolved issues:
- The setup docs for remote clusters don't mention TLS except in the tiny section on SNI, but (for on prem) setting up TLS trust between clusters is important and requires some explanation.
- Those docs also don't link to the CCS security docs.
- The security docs only refer to CCS and not CCR. It would be helpful to at least mention that this applies to CCR as well (and talk about permissions for CCR).
- The security docs don't mention that if the request is issued with run-as, the authenticating user needs to have the run-as privilege on the remote cluster.
- The docs don't mention Service Accounts which do not have roles, only privileges. (We need to decide whether we support CCS/CCR for Service Account)

We might need to tackle those items one-by-one.