Cross-Cluster Search

Cross-Cluster Search

Cross-cluster search is exactly what it sounds like: it allows any node in a cluster to execute search requests against other clusters. Easysearch supports cross-cluster search out of the box.

Authentication Flow

When a cross-cluster search reaches a remote cluster through the coordinating cluster:

  • The security module authenticates the user on the coordinating cluster.
  • The security module fetches the user's backend roles on the coordinating cluster.
  • The request, including the authenticated user, is forwarded to the remote cluster.
  • The user's permissions are evaluated on the remote cluster.

The remote cluster and the coordinating cluster can each be configured with different authentication and authorization settings, but we recommend using the same settings on both.

Permissions

To query indices on a remote cluster, in addition to the READ/SEARCH permission, the user also needs the following index permission:

indices:admin/shards/search_shards

Sample role.yml configuration

humanresources:
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    "humanresources":
      "*":
        - READ
        - indices:admin/shards/search_shards # needed for CCS

Configuration Steps

Start two separate clusters, as shown below:

➜  curl -k  'https://localhost:9200/_cluster/health?pretty' -u admin:admin
{
  "cluster_name" : "easysearch",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "active_primary_shards" : 1,
  "active_shards" : 1,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}
➜  curl -k  'https://localhost:9201/_cluster/health?pretty' -u admin:admin
{
  "cluster_name" : "my-application22",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "active_primary_shards" : 1,
  "active_shards" : 1,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}

On the coordinating cluster, add the remote cluster names and IP addresses (transport port 9300):

curl -k -XPUT -H 'Content-Type: application/json' -u 'admin:admin' 'https://localhost:9200/_cluster/settings' -d '
{
  "persistent": {
    "cluster.remote": {
      "cluster1": {
        "seeds": ["127.0.0.1:9300"]
      },
      "cluster2": {
        "seeds": ["127.0.0.1:9301"]
      }
    }
  }
}'

Index a document in the remote cluster:

curl -XPUT -k -H 'Content-Type: application/json' -u 'admin:admin' 'https://localhost:9201/books/_doc/1' -d '{"Dracula": "Bram Stoker"}'

At this point, cross-cluster search works. You can test it using the admin user:

curl -XGET -k -u 'admin:admin' 'https://localhost:9200/cluster2:books/_search?pretty'
{
  "took" : 57,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "_clusters" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0
  },
  "hits" : {
    "total" : {
      "value" : 1,
      "relation" : "eq"
    },
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "cluster2:books",
        "_type" : "_doc",
        "_id" : "1",
        "_score" : 1.0,
        "_source" : {
          "Dracula" : "Bram Stoker"
        }
      }
    ]
  }
}

To continue testing, create a new user on both clusters:

curl -XPUT -k -u 'admin:admin' 'https://localhost:9200/_security/user/booksuser' -H 'Content-Type: application/json' -d '{"password":"password"}'
curl -XPUT -k -u 'admin:admin' 'https://localhost:9201/_security/user/booksuser' -H 'Content-Type: application/json' -d '{"password":"password"}'

Then run the same search as before with booksuser:

curl -XGET -k -u booksuser:password 'https://localhost:9200/cluster2:books/_search?pretty'
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "no permissions for [indices:admin/shards/search_shards, indices:data/read/search] and User [name=booksuser, roles=[], requestedTenant=null]"
      }
    ],
    "type" : "security_exception",
    "reason" : "no permissions for [indices:admin/shards/search_shards, indices:data/read/search] and User [name=booksuser, roles=[], requestedTenant=null]"
  },
  "status" : 403
}

Note the permission error. On the remote cluster, create a role with the appropriate permissions and map booksuser to it:

curl -XPUT -k -u 'admin:admin' -H 'Content-Type: application/json' 'https://localhost:9200/_security/role/booksrole' -d '{"indices":[{"names":["books"],"privileges":["indices:admin/shards/search_shards","indices:data/read/search"]}]}'
curl -XPUT -k -u 'admin:admin' -H 'Content-Type: application/json' 'https://localhost:9200/_security/role_mapping/booksrole' -d '{"users" : ["booksuser"]}'

curl -XPUT -k -u 'admin:admin' -H 'Content-Type: application/json' 'https://localhost:9201/_security/role/booksrole' -d '{"indices":[{"names":["books"],"privileges":["indices:admin/shards/search_shards","indices:data/read/search"]}]}'
curl -XPUT -k -u 'admin:admin' -H 'Content-Type: application/json' 'https://localhost:9201/_security/role_mapping/booksrole' -d '{"users" : ["booksuser"]}'

Both clusters must have the user, but only the remote cluster needs the role and the mapping; in this setup the coordinating cluster handles authentication (i.e. "does this request carry valid user credentials?") and the remote cluster handles authorization (i.e. "is this user allowed to access this data?").

Search again:

curl -XGET -k -u booksuser:password 'https://localhost:9200/cluster2:books/_search?pretty'
{
  "took" : 5,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "_clusters" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0
  },
  "hits" : {
    "total" : {
      "value" : 1,
      "relation" : "eq"
    },
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "cluster2:books",
        "_type" : "_doc",
        "_id" : "1",
        "_score" : 1.0,
        "_source" : {
          "Dracula" : "Bram Stoker"
        }
      }
    ]
  }
}
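The permissions section and the role/mapping steps above both come down to one rule: the role that applies on the remote cluster must grant both a read/search action and indices:admin/shards/search_shards on the index being searched, otherwise the security module answers with the 403 security_exception shown earlier. The following script is an added example, not Easysearch code, that checks a role definition (in the REST-API shape used by the curl commands above) against those required actions before it is deployed, and decodes the "no permissions for [...]" reason string so the missing actions, user and mapped roles can be read out of a denied response. The expansion of the READ and SEARCH action groups into concrete action patterns is a simplified assumption of this example, not the product's authoritative definition; the READ-only role and the "movies" index are constructed inputs.

```python
"""Check a security role against the actions cross-cluster search needs,
and parse the 403 reason string returned when they are missing.

Added example for this page; not Easysearch code. ACTION_GROUPS is a
simplified assumption, not the product's authoritative action-group table.
"""
import fnmatch
import re

# The two index actions the page's 403 error lists as required for CCS.
CCS_REQUIRED_ACTIONS = (
    "indices:admin/shards/search_shards",
    "indices:data/read/search",
)

# Assumed (simplified) expansion of action groups into action-name patterns.
ACTION_GROUPS = {
    "READ": ["indices:data/read/*"],
    "SEARCH": ["indices:data/read/search*", "indices:data/read/msearch*"],
}

# Role from the page's curl commands (REST API shape).
BOOKS_ROLE = {
    "indices": [
        {
            "names": ["books"],
            "privileges": [
                "indices:admin/shards/search_shards",
                "indices:data/read/search",
            ],
        }
    ]
}

# Constructed role: READ only, which is what a plain search user often has.
READ_ONLY_ROLE = {"indices": [{"names": ["books*"], "privileges": ["READ"]}]}

# Reason string copied from the page's 403 response for booksuser.
SAMPLE_REASON = (
    "no permissions for [indices:admin/shards/search_shards, "
    "indices:data/read/search] and User [name=booksuser, roles=[], "
    "requestedTenant=null]"
)


def expand_privileges(privileges):
    """Turn action-group names and raw action names into action patterns."""
    patterns = []
    for priv in privileges:
        patterns.extend(ACTION_GROUPS.get(priv, [priv]))
    return patterns


def granted(role, index, action):
    """Return True if `role` grants `action` on `index` (wildcards allowed)."""
    for entry in role.get("indices", []):
        names = entry.get("names", [])
        if not any(fnmatch.fnmatchcase(index, pat) for pat in names):
            continue
        for pat in expand_privileges(entry.get("privileges", [])):
            if fnmatch.fnmatchcase(action, pat):
                return True
    return False


def missing_ccs_actions(role, index):
    """List the CCS-required actions that `role` does not grant on `index`."""
    return [a for a in CCS_REQUIRED_ACTIONS if not granted(role, index, a)]


# Shape of the security module's reason string, as seen on the page.
REASON_RE = re.compile(
    r"no permissions for \[(?P<actions>[^\]]*)\] and User "
    r"\[name=(?P<user>[^,\]]+), roles=\[(?P<roles>[^\]]*)\]"
)


def parse_security_exception(reason):
    """Extract denied actions, user name and mapped roles from a 403 reason.

    Returns None when the string does not have the expected shape.
    """
    match = REASON_RE.search(reason)
    if not match:
        return None

    def split(field):
        return [x.strip() for x in field.split(",") if x.strip()]

    return {
        "actions": split(match.group("actions")),
        "user": match.group("user"),
        "roles": split(match.group("roles")),
    }


def still_denied_after(role, index, reason):
    """Given a 403 reason, return the denied actions `role` would NOT fix."""
    parsed = parse_security_exception(reason)
    if parsed is None:
        return None
    return [a for a in parsed["actions"] if not granted(role, index, a)]


if __name__ == "__main__":
    print("booksrole missing:", missing_ccs_actions(BOOKS_ROLE, "books"))
    print("READ-only missing:", missing_ccs_actions(READ_ONLY_ROLE, "books"))
    print("parsed 403:", parse_security_exception(SAMPLE_REASON))
    print("denied with READ-only:", still_denied_after(READ_ONLY_ROLE, "books", SAMPLE_REASON))
```

Run the script directly to see the report; the key observation is that a role granting only READ fixes indices:data/read/search but still leaves indices:admin/shards/search_shards denied, which is exactly the case the role.yml sample on this page handles by listing that action explicitly next to READ. Because the role is evaluated on the remote cluster, run the check against the role definition you intend to install there.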