[D&M] ECE roles tokens pages merged #528
Merged
f43fca6 roles tokens page merged from original docs (eedugon)
3608c26 applies_to and links updated (eedugon)
2c8c5ca Merge remote-tracking branch 'origin/main' into ece_tokens (eedugon)
44b3e01 Update deploy-manage/deploy/cloud-enterprise/generate-roles-tokens.md (eedugon)
f93589d links reviewed (eedugon)
99b3fc5 raw content cleaned (eedugon)
1e9ac2c Merge branch 'main' into ece_tokens (eedugon)
4ae332f unneeded links removed (eedugon)
51d169d Merge branch 'main' into ece_tokens (eedugon)
eaa14c0 Merge branch 'main' into ece_tokens (eedugon)
100 changes: 89 additions & 11 deletions
deploy-manage/deploy/cloud-enterprise/generate-roles-tokens.md
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,25 +1,103 @@ | ||
--- | ||
applies_to: | ||
deployment: | ||
ece: all | ||
mapped_urls: | ||
- https://www.elastic.co/guide/en/cloud-enterprise/current/ece-generate-roles-token.html | ||
- https://www.elastic.co/guide/en/cloud-enterprise/current/ece-revoke-roles-token.html | ||
--- | ||
|
||
# Generate roles tokens | ||
# Manage roles tokens | ||
|
||
% What needs to be done: Refine | ||
At the end of the {{ece}} installation process on the first host, you are provided with a roles token. This token can be used to install {{ece}} on additional hosts, but it does not include any role permissions. | ||
|
||
% GitHub issue: https://github.com/elastic/docs-projects/issues/339 | ||
You can [assign roles](./assign-roles-to-hosts.md) to the additional hosts through the Cloud UI later on, but this role assignment is a manual process. | ||
|
||
% Scope notes: merge these two pages | ||
For automation purposes, you need to generate a new *ephemeral* or *persistent* token with the right role permissions, so that you can install {{ece}} on hosts and add the right roles at the same time. | ||
|
||
% Use migrated content from existing pages that map to this page: | ||
In this section, you'll learn how to perform the following tasks: | ||
|
||
% - [ ] ./raw-migrated-files/cloud/cloud-enterprise/ece-generate-roles-token.md | ||
% - [ ] ./raw-migrated-files/cloud/cloud-enterprise/ece-revoke-roles-token.md | ||
* [](#ece-generate-roles-token) | ||
* [](#ece-revoke-roles-token) | ||
|
||
⚠️ **This page is a work in progress.** ⚠️ | ||
## Ephemeral and persistent roles tokens | ||
|
||
The documentation team is working to combine content pulled from the following pages: | ||
Ephemeral and persistent tokens differ as follows: | ||
|
||
* [/raw-migrated-files/cloud/cloud-enterprise/ece-generate-roles-token.md](/raw-migrated-files/cloud/cloud-enterprise/ece-generate-roles-token.md) | ||
* [/raw-migrated-files/cloud/cloud-enterprise/ece-revoke-roles-token.md](/raw-migrated-files/cloud/cloud-enterprise/ece-revoke-roles-token.md) | ||
Ephemeral token | ||
: Available for use during {{ece}} installation on additional hosts for one hour before the token is revoked automatically. Cannot be revoked manually. | ||
|
||
Persistent token | ||
: Available for use during {{ece}} installation on additional hosts indefinitely. [Can be revoked](./generate-roles-tokens.md) at any time. | ||
|
||
The permitted roles are the same as those you can [assign in the Cloud UI](./assign-roles-to-hosts.md): | ||
|
||
`allocator` | ||
: Allocates the available computing resources to Elasticsearch nodes or Kibana instances. In larger installations, a majority of the machines will be allocators. | ||
|
||
`coordinator` | ||
: Serves as a distributed coordination system and resource scheduler. | ||
|
||
`proxy` | ||
: Manages communication between a user and an Elasticsearch or Kibana instance. | ||
|
||
`director` | ||
: Manages the ZooKeeper datastore. This role is typically shared with the coordinator role. In production deployments it can be separated from a coordinator. | ||
|
||
## Generate roles tokens [ece-generate-roles-token] | ||
|
||
To generate an ephemeral token for additional allocators: | ||
|
||
```sh | ||
curl -H 'Content-Type: application/json' -u USER:PASSWORD https://COORDINATOR_HOST_IP:12443/api/v1/platform/configuration/security/enrollment-tokens -d '{ "persistent": false, "roles": [ "allocator"] }' | ||
{ | ||
"token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0Njk3N2I3ZC1hM2U2LTQ2MDUtYjcwZC0xNzIzMTI5YWY4ZTQiLCJyb2xlcyI6WyJwcm94eSIsImFsbG9jYXRvciJdLCJpc3MiOiJib290c3RyYXAtaW5pdGlhbCIsImV4cCI6MTQ5MzY0NjIxM30.xsaRb72CsNMuXKy6Y-PJgqLc0qmjCljlB4Smcx_MRxg" | ||
} | ||
``` | ||
|
||
To generate a persistent token for additional allocators: | ||
|
||
```sh | ||
curl -H 'Content-Type: application/json' -u USER:PASSWORD https://COORDINATOR_HOST_IP:12443/api/v1/platform/configuration/security/enrollment-tokens -d '{ "persistent": true, "roles": [ "allocator"] }' | ||
{ | ||
"token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0Yzg5OTBkZi0xZmI3LTQ4MjAtYjg2OC02YmM5ZTg4NjA4MTQiLCJyb2xlcyI6WyJwcm94eSIsImFsbG9jYXRvciJdLCJpc3MiOiJib290c3RyYXAtaW5pdGlhbCJ9.mfTkO4j8uZJ-qwB2jmBuMScyYfLmcJpvKgSTLx2WV24", | ||
"token_id": "4c8990df-1fb7-4820-b868-6bc9e8860814" | ||
} | ||
``` | ||
|
||
## Revoke roles tokens [ece-revoke-roles-token] | ||
|
||
At the end of the {{ece}} installation process on the first host, you are provided with a roles token. You can also generate new roles tokens yourself, either as ephemeral tokens that get deleted after 24 hours or as persistent tokens that get stored by {{ece}}. These tokens enable additional hosts to join an {{ece}} installation and should be kept secure or deleted if they are no longer needed. | ||
|
||
If you delete all tokens and need to add further hosts to your installation later on, you can [generate a new token](../../../deploy-manage/deploy/cloud-enterprise/generate-roles-tokens.md) first. | ||
|
||
|
||
::::{important} | ||
During installation, an emergency token gets generated that enables you to install {{ece}} on additional hosts with all roles already assigned, except the allocator role. The emergency token can save your installation if all coordinators fail or are removed and you can no longer use the Cloud UI or the RESTful API. You should not delete this token. To learn more, check [Using the Emergency Roles Token](../../../troubleshoot/deployments/cloud-enterprise/use-emergency-roles-token.md). | ||
:::: | ||
|
||
To delete a token: | ||
|
||
1. Retrieve the list of available tokens through the RESTful API : | ||
|
||
```sh | ||
curl -u USER:PASSWORD https://localhost:12443/api/v1/platform/configuration/security/enrollment-tokens | ||
{ | ||
"tokens": [{ | ||
"token_id": "5f9cad2f-c6e7-4ee2-8f6e-53225df45be5", | ||
"roles": [] | ||
}, { | ||
"token_id": "4c8990df-1fb7-4820-b868-6bc9e8860814", | ||
"roles": ["proxy", "allocator"] | ||
}] | ||
} | ||
``` | ||
|
||
2. Use the token ID to delete the tokens you no longer need, here `4c8990df-1fb7-4820-b868-6bc9e8860814`: | ||
|
||
|
||
```sh | ||
curl -XDELETE -u USER:PASSWORD 'https://localhost:12443/api/v1/platform/configuration/security/enrollment-tokens/4c8990df-1fb7-4820-b868-6bc9e8860814' | ||
{ | ||
} | ||
``` | ||
|
||
3. Optional: To check that the token has been deleted, repeat Step 1 and make sure that the token is no longer listed. |
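Review bot: The ephemeral token lifetime is stated two different ways in the merged page: the definition list under "Ephemeral and persistent roles tokens" says the token is available "for one hour before the token is revoked automatically", while the first paragraph under "Revoke roles tokens" says ephemeral tokens "get deleted after 24 hours". Since this lifetime is the exposure window for a credential that lets a host join the installation, confirm the correct value and state it once, or drop the duration from the revoke intro and rely on the definition list. Two smaller points in the same hunk: `[Can be revoked](./generate-roles-tokens.md)` and `[generate a new token](../../../deploy-manage/deploy/cloud-enterprise/generate-roles-tokens.md)` both link back to this same file, so the in-page anchors `#ece-revoke-roles-token` and `#ece-generate-roles-token` would be the clearer targets; and the persistent token example requests `"roles": [ "allocator"]` but the listing in revoke step 1 shows the same `token_id` with `"roles": ["proxy", "allocator"]`, so the sample request and sample output should be aligned so readers do not conclude that a token can carry more roles than were requested.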