Configure remote clusters with security
editConfigure remote clusters with security
editTo use cross-cluster replication or cross-cluster search safely with remote clusters, enable security on all connected clusters and configure Transport Layer Security (TLS) on every node. Configuring TLS security on the transport interface is minimally required for remote clusters. For additional security, configure TLS on the HTTP interface as well.
All connected clusters must trust one another and be mutually authenticated with TLS on the transport interface. This means that the local cluster trusts the certificate authority (CA) of the remote cluster, and the remote cluster trusts the CA of the local cluster. When establishing a connection, all nodes will verify certificates from nodes on the other side. This mutual trust is required to securely connect a remote cluster, because all connected nodes effectively form a single security domain.
User authentication is performed on the local cluster and the user and user’s roles names are passed to the remote clusters. A remote cluster checks the user’s role names against its local role definitions to determine which indices the user is allowed to access.
Before using cross-cluster replication or cross-cluster search with secured Elasticsearch clusters, complete the following configuration tasks:
-
Enable the Elasticsearch security features on every node in each connected cluster by
setting
xpack.security.enabled
totrue
inelasticsearch.yml
. Refer to the Elasticsearch security settings. -
Configure Transport Layer Security (TLS) on every node to encrypt internode traffic and authenticate nodes in the local cluster with nodes in all remote clusters. Refer to set up basic security for the Elastic Stack for the required steps to configure security.
This procedure uses the same CA to generate certificates for all nodes. Alternatively, you can add the certificates from the local cluster as a trusted CA in each remote cluster. You must also add the certificates from remote clusters as a trusted CA on the local cluster. Using the same CA to generate certificates for all nodes simplifies this task.
After enabling and configuring security, you can connect remote clusters from a local cluster.
With your clusters connected, you’ll need to configure users and privileges on both the local and remote clusters.
If you’re configuring a remote cluster for cross-cluster replication, you need to configure a follower index on your local cluster to replicate the leader index on a remote cluster.