Add RCS Strong Verification Documentation #137822
Pinging @elastic/es-security (Team:Security)

Pinging @elastic/core-docs (Team:Docs)

Important: Docs version tagging. Thanks for updating the docs! Just a friendly reminder that our docs are now cumulative. This means all 9.x versions are documented on the same page and published off of the main branch, instead of creating separate pages for each minor version. We use `applies_to` tags to mark version-specific features and changes. When to use `applies_to` tags: at the page level to indicate which products/deployments the content applies to (mandatory). What not to do: don't remove or replace information that applies to an older version.
shainaraskas left a comment:

A few questions and comments. Overall, it would be good to understand whether these settings would apply to anything other than vanilla self-managed to vanilla self-managed connections.

cc-ing @eedugon because he's deep into this area and should probably also take a look
docs/reference/elasticsearch/configuration-reference/remote-clusters.md
| : ([Secure](docs-content://deploy-manage/security/secure-settings.md)) Password for the truststore specified by `cluster.remote.signing.truststore.path`. | ||
| `cluster.remote.signing.truststore.algorithm` | ||
| : ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The algorithm for the truststore. Defaults to the default algorithm for the Java KeyManagerFactory. |
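Review bot: the default is described by reference to `KeyManagerFactory`, but that is the keystore-side factory; a truststore is consumed through `TrustManagerFactory`, and the two JDK defaults differ (`TrustManagerFactory.getDefaultAlgorithm()` returns `PKIX`, `KeyManagerFactory.getDefaultAlgorithm()` returns `SunX509`). State the concrete default value this setting actually takes, and the values it accepts, so readers do not have to look up Java internals.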
Would people know where this is? What options does this setting accept?
Changed it to specify the algorithm. Thanks!
docs/reference/elasticsearch/configuration-reference/remote-clusters.md
| : ([Secure](docs-content://deploy-manage/security/secure-settings.md)) The passphrase that is used to decrypt the private key specified by `cluster.remote.<cluster_alias>.signing.key`. Since the key might not be encrypted, this value is optional. | ||
| `cluster.remote.<cluster_alias>.signing.certificate` | ||
| : ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) Specifies the path for the PEM encoded certificate (or certificate chain) that is associated with the signing key. This certificate is sent as part of the signature and must be trusted by the remote cluster's `cluster.remote.signing.certificate_authorities` or `cluster.remote.signing.truststore.path` configuration. This setting can be used only if `cluster.remote.<cluster_alias>.signing.key` is set. |
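Review bot: "This setting can be used only if `cluster.remote.<cluster_alias>.signing.key` is set" leaves open whether the certificate is merely permitted once a key is configured or required alongside it. Since the remote cluster verifies the signature against this certificate (chain), say explicitly whether a key configured without a certificate is rejected at startup or silently leaves requests to that alias unsigned.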
| : ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) Specifies the path for the PEM encoded certificate (or certificate chain) that is associated with the signing key. This certificate is sent as part of the signature and must be trusted by the remote cluster's `cluster.remote.signing.certificate_authorities` or `cluster.remote.signing.truststore.path` configuration. This setting can be used only if `cluster.remote.<cluster_alias>.signing.key` is set. | |
| : ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The path for the PEM encoded certificate (or certificate chain) that is associated with the signing key. This certificate is sent as part of the signature and must be trusted by the remote cluster's `cluster.remote.signing.certificate_authorities` or `cluster.remote.signing.truststore.path` configuration. This setting can be used only if `cluster.remote.<cluster_alias>.signing.key` is set. |
docs/reference/elasticsearch/configuration-reference/remote-clusters.md
| ### Request signing settings [remote-cluster-request-signing] | ||
| The following per-cluster settings are used on the local cluster to sign outgoing cross-cluster requests. A private key and certificate |
Might want to clarify here that it will sign outgoing cross-cluster requests for connections to a certain alias (not global)
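To make the per-alias point concrete, here is an added example (not code from the PR or from the Elasticsearch docs) of `elasticsearch.yml` fragments for both sides of a signed cross-cluster connection, using only the setting names that appear in this diff; the alias `cluster_b`, the seed address, the file paths and the two secure-setting names are assumptions for illustration.

```yaml
# Added example, not from the PR. Setting names come from the diff above;
# alias, paths, seed address and secure-setting names are assumptions.

# ---- Local (requesting) cluster: sign requests sent to alias "cluster_b" ----
# Signing is configured per alias. Any other alias stays unsigned unless it
# gets its own key and certificate.
cluster.remote.cluster_b.seeds: ["cluster-b.example.internal:9443"]   # assumed address
cluster.remote.cluster_b.signing.key: /etc/elasticsearch/rcs/cluster_b-signing.key
cluster.remote.cluster_b.signing.certificate: /etc/elasticsearch/rcs/cluster_b-signing.crt
# If the key is encrypted, its passphrase is a secure setting kept in the
# Elasticsearch keystore, not in this file (assumed setting name):
#   bin/elasticsearch-keystore add cluster.remote.cluster_b.signing.secure_key_passphrase

# ---- Remote (receiving) cluster: verify signatures arriving from cluster_b ----
# Cluster-wide, not per alias: the trust anchors that the signing certificate
# chain sent with each request must lead to. PEM form:
cluster.remote.signing.certificate_authorities:
  - /etc/elasticsearch/rcs/signing-ca.crt

# Java truststore form (alternative to the PEM CA list above):
# cluster.remote.signing.truststore.path: /etc/elasticsearch/rcs/signing-truststore.p12
# cluster.remote.signing.truststore.algorithm: PKIX     # SunX509 is the other common value
# The truststore password is a secure setting (assumed setting name):
#   bin/elasticsearch-keystore add cluster.remote.signing.truststore.secure_password
```

Only the requesting side carries per-alias settings; the receiving side's trust configuration applies to every incoming signed request.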
…usters.md Co-authored-by: shainaraskas <[email protected]>
Thanks for the great review @shainaraskas!

This is general purpose but was built specifically for a customer running on ECH. Does that answer your question? Should this be added somewhere else to cover the ECH configuration in detail?
I got a comment from Alex on the allowlist PR saying to be sure to include that these settings are cloud configurable: https://github.com/elastic/cloud/pull/148921#pullrequestreview-3449669258
Looks great! I've added a few minor comments for your consideration.
One thing that might be important is to mark the settings with the icon for cloud if they are available for ECE & ECH, but please confirm that with @shainaraskas, as I might be wrong. Update: this has been confirmed by @gmjehovich already, thanks!
docs/reference/elasticsearch/configuration-reference/remote-clusters.md
| private key and certificate must be configured for each remote cluster that requires signature verification. | ||
| ### PEM encoded files [remote-cluster-signing-pem-files] |
| ### PEM encoded files [remote-cluster-signing-pem-files] | |
| #### PEM encoded files [remote-cluster-signing-pem-files] |
I think this should be inside Request signing settings. Please ignore otherwise!
| : ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The path for the PEM encoded certificate (or certificate chain) that is associated with the signing key. This certificate is sent as part of the signature and must be trusted by the remote cluster's `cluster.remote.signing.certificate_authorities` or `cluster.remote.signing.truststore.path` configuration. This setting can be used only if `cluster.remote.<cluster_alias>.signing.key` is set. | ||
| ### Java keystore files [remote-cluster-signing-keystore-files] |
| ### Java keystore files [remote-cluster-signing-keystore-files] | |
| #### Java keystore files [remote-cluster-signing-keystore-files] |
I think this should be inside Request signing settings. Please ignore otherwise!
| ## Remote cluster strong verification settings [remote-cluster-signing-settings] | ||
| ```{applies_to} | ||
| deployment: | ||
| self: preview 9.3 |
this should be stack now (aka "all deployment types") because you confirmed it works for cloud. :)
| self: preview 9.3 | |
| stack: preview 9.3 |
The reason I asked this is because, in your other PR, you added the content in a file specific to completely self-managed deployments. We'll need to refactor some stuff on that side so this information is surfaced appropriately. cc: @eedugon
| `cluster.remote.signing.truststore.algorithm` | ||
| : ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The algorithm for the truststore. Defaults to | ||
| `SunX509`. |
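Review bot: `SunX509` is the JDK default for `KeyManagerFactory`, whereas `TrustManagerFactory.getDefaultAlgorithm()` returns `PKIX`; if the code populates this setting from the trust-manager default, the documented default is wrong. Confirm it against the setting's definition, and name the accepted values (`SunX509`, `PKIX`) in the description instead of the generic "The algorithm for the truststore".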
are there any limitations on what algorithms can be used?
Yes, it's very limited: SunX509 or PKIX are the common ones. This is copied from https://www.elastic.co/docs/reference/elasticsearch/configuration-reference/security-settings#ref-pki-settings (truststore.algorithm).
bytebilly left a comment:
LGTM (pending discussion on the naming raised in the other doc PR)
…usters.md Co-authored-by: Edu González de la Herrán <[email protected]>
I've addressed all the comments and also talked to @eedugon over zoom. He's working on a refactor of this section so will go ahead and merge it as is and he will work further with organising this documentation. Thanks all!
This adds documentation for the RCS Strong Verification feature added in elastic/elasticsearch#136299, elastic/elasticsearch#134137, elastic/elasticsearch#134893, elastic/elasticsearch#135674 and elastic/elasticsearch#134604. Related settings docs PR: elastic/elasticsearch#137822 --------- Co-authored-by: shainaraskas <[email protected]> Co-authored-by: Edu González de la Herrán <[email protected]>
This adds documentation for the RCS Strong Verification feature added in #136299, #134137, #134893, #135674 and #134604.