docs/reference/security/authentication/remote-clusters-privileges-cert.asciidoc
Lines changed: 5 additions & 5 deletions
@@ -33,8 +33,8 @@ On the remote cluster that contains the leader index, the {ccr} role requires
33
33
the `read_ccr` cluster privilege, and `monitor` and `read` privileges on the
34
34
leader index.
35
35
36
-
NOTE: If requests are authenticated with an <<security-api-create-api-key, API key>>, the API key
37
-
requires the above privileges on the **local** cluster, instead of the remote.
36
+
NOTE: When using a user <<security-api-create-api-key, API key>>, the required privileges must be granted on the **local cluster** only. The remote cluster will authorize based on the privileges embedded in the API key; **it does not use roles**. As a result, an API key may have broader or more limited access than the same user’s current role on the remote cluster.
37
+
For stricter and more predictable access control, consider using the <<remote-clusters-api-key, cross-cluster API key trust model>>, which gives remote clusters full control over what data is accessible via cross-cluster operations. See <<remote-clusters-migration>>
38
38
39
39
NOTE: If requests are issued <<run-as-privilege,on behalf of other users>>,
40
40
then the authenticating user must have the `run_as` privilege on the remote
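Review bot: the added line 37 ends with "See <<remote-clusters-migration>>" without a terminating period, and because it follows the NOTE line with no blank line between them, the migration pointer renders inside the admonition paragraph; add the period and, if the recommendation is meant to stand apart from the note, separate it with a blank line. Separately, the bold "**it does not use roles**" in the new line 36 is easy to misread, since the preceding clause says the remote cluster authorizes on the privileges embedded in the key and the following sentence contrasts those with the user's "current role"; wording such as "it does not consult the owner's current roles on the remote cluster" states that contrast directly.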
@@ -136,8 +136,8 @@ local and remote clusters, and then create a user with the required roles.
136
136
On the remote cluster, the {ccs} role requires the `read` and
137
137
`read_cross_cluster` privileges for the target indices.
138
138
139
-
NOTE: If requests are authenticated with an <<security-api-create-api-key, API key>>, the API key
140
-
requires the above privileges on the **local** cluster, instead of the remote.
139
+
NOTE: When using a user <<security-api-create-api-key, API key>>, the required privileges must be granted on the **local cluster** only. The remote cluster will authorize based on the privileges embedded in the API key; **it does not use roles**. As a result, an API key may have broader or more limited access than the same user’s current role on the remote cluster.
140
+
For stricter and more predictable access control, consider using the <<remote-clusters-api-key, cross-cluster API key trust model>>, which gives remote clusters full control over what data is accessible via cross-cluster operations. See <<remote-clusters-migration>>
141
141
142
142
NOTE: If requests are issued <<run-as-privilege,on behalf of other users>>,
143
143
then the authenticating user must have the `run_as` privilege on the remote
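Review bot: the two paragraphs added at lines 139-140 are a verbatim copy of the ones added at lines 36-37, including the missing period after "See <<remote-clusters-migration>>" and the ambiguous "**it does not use roles**" phrasing, so any wording fix has to be made twice; consider moving the shared note into an include:: fragment (or a single section referenced from both the {ccr} and {ccs} subsections) so the two copies cannot drift apart.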
@@ -299,4 +299,4 @@ POST /_security/role/logstash-reader
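Review bot: this hunk header advertises a four-line region near `POST /_security/role/logstash-reader` but no changed lines are shown for it, while the file summary of 5 additions and 5 deletions leaves exactly one addition and one deletion unaccounted for by the two hunks above; confirm that the edit here is intentional (for example a trailing-newline or whitespace fix) rather than an accidental change to the role example.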