Add RCS Strong Verification Documentation #3865
base: main
Conversation
Couple of comments.

Consider swapping steps 4 and 5 in the list of tasks (so all of the relationship tasks are done before the user/role tasks):

We might hint that these steps can be undertaken paired with steps 2 and 3 (because you'll be on those machines anyway setting up the trust relationship).

Tagging in @eedugon as well because this is in the remote clusters space and Edu has been doing some work to refactor these docs. Just want to make sure we're not doing anything that would conflict with that work (Edu: do you think this needs to be added to any of the other tutorials? Not sure which ones piggyback on core Elasticsearch remote cluster features).
| ## Remote cluster strong verification [remote-cluster-strong-verification] | ||
| preview::[] |
This is the syntax used for the new docs system. We also want to specify which stack version contains this functionality, because these docs are cumulative.
Suggested change (replacing `preview::[]`):

```{applies_to}
deployment:
  self: preview 9.3
```
| 1. The local cluster signs the request headers with its configured private key and sends the signature and certificate chain as header | ||
| in the request to the remote cluster | ||
| 2. The remote cluster verifies that the API key is valid | ||
| 3. If the API key has a certificate identity pattern configured, the remote cluster extracts the Distinguished Name (DN) from the | ||
| certificate chain's leaf certificate and matches it against the certificate identity pattern | ||
| 4. The remote cluster validates that the provided certificate chain is trusted | ||
| 5. The remote cluster validates the signature and checks that the certificate is not expired |
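Review bot: as written, step 3 matches the leaf certificate's DN against the identity pattern before step 4 establishes that the chain is trusted and before step 5 verifies the signature and expiry, so a reader can conclude that an identity is accepted on an unverified chain. Either reorder the steps to reflect the actual evaluation order, or add a closing sentence stating that the request is accepted only when every step succeeds and that failure of any single step rejects it. Step 1 also says the local cluster "sends the signature and certificate chain as header" without naming that header or saying which request headers the signature covers; a reader cannot judge what a captured request could be replayed against without that, so name the carrying header and the signed headers here.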
Suggested change:

1. The local cluster signs the request headers with its configured private key and sends the signature and certificate chain as header
   in the request to the remote cluster.
2. The remote cluster verifies that the API key is valid.
3. If the API key has a certificate identity pattern configured, the remote cluster extracts the Distinguished Name (DN) from the
   certificate chain's leaf certificate and matches it against the certificate identity pattern.
4. The remote cluster validates that the provided certificate chain is trusted.
5. The remote cluster validates the signature and checks that the certificate is not expired.
| ``` | ||
| ::::{note} | ||
| Replace my_remote_cluster with your remote cluster alias and the paths with actual paths |
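Review bot: the note tells the reader to substitute real paths but not that one of those paths is the local cluster's private key, the key that signs every request header in step 1 of the verification flow; add that the key file must be readable only by the Elasticsearch process account and must never be copied to the remote cluster, and that `my_remote_cluster` has to be the same alias the rest of the procedure uses for that connection, since settings given under a different alias will not apply to it.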
Suggested change:

Replace `my_remote_cluster` with your remote cluster alias, and the paths with the paths to your certificate and key files.
| Note that you only need to create this user on the local cluster. | ||
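Review bot: "this user" has no referent in the surrounding text; name the user and the role it carries, and say why it is needed only locally, namely that the remote cluster authenticates the local cluster through the API key and the signed certificate chain described in the verification steps rather than through a user account on the remote side.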
| ## Remote cluster strong verification [remote-cluster-strong-verification] |
There are a lot more settings specified in your reference PR. How does someone know from this procedure when to use those additional settings?
This adds documentation for the RCS Strong Verification feature added in elastic/elasticsearch#136299, elastic/elasticsearch#134137, elastic/elasticsearch#134893, elastic/elasticsearch#135674 and elastic/elasticsearch#134604.
Related settings docs PR: elastic/elasticsearch#137822