Cross-Cluster Search
Cross-cluster search is exactly what it sounds like: it lets any node in a cluster execute search requests against other clusters. Easysearch supports cross-cluster search out of the box.
Authentication Flow
When a cross-cluster search reaches a remote cluster through a coordinating cluster:
- The security module authenticates the user on the coordinating cluster.
- The security module fetches the user's backend roles on the coordinating cluster.
- The request (including the authenticated user) is forwarded to the remote cluster.
- The user's permissions are evaluated on the remote cluster.
The remote cluster and the coordinating cluster can each use different authentication and authorization configurations, but we recommend using the same settings on both.
Permissions
To query an index on a remote cluster, the user needs the following index permission in addition to the READ or SEARCH permission:
indices:admin/shards/search_shards
Sample role.yml Configuration
humanresources:
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    "humanresources":
      "*":
        - READ
        - indices:admin/shards/search_shards # needed for CCS
Setup Procedure
Start two separate clusters, as follows:
➜ curl -k 'https://localhost:9200/_cluster/health?pretty' -u admin:admin
{
"cluster_name" : "easysearch",
"status" : "green",
"timed_out" : false,
"number_of_nodes" : 1,
"number_of_data_nodes" : 1,
"active_primary_shards" : 1,
"active_shards" : 1,
"relocating_shards" : 0,
"initializing_shards" : 0,
"unassigned_shards" : 0,
"delayed_unassigned_shards" : 0,
"number_of_pending_tasks" : 0,
"number_of_in_flight_fetch" : 0,
"task_max_waiting_in_queue_millis" : 0,
"active_shards_percent_as_number" : 100.0
}
➜ curl -k 'https://localhost:9201/_cluster/health?pretty' -u admin:admin
{
"cluster_name" : "my-application22",
"status" : "green",
"timed_out" : false,
"number_of_nodes" : 1,
"number_of_data_nodes" : 1,
"active_primary_shards" : 1,
"active_shards" : 1,
"relocating_shards" : 0,
"initializing_shards" : 0,
"unassigned_shards" : 0,
"delayed_unassigned_shards" : 0,
"number_of_pending_tasks" : 0,
"number_of_in_flight_fetch" : 0,
"task_max_waiting_in_queue_millis" : 0,
"active_shards_percent_as_number" : 100.0
}
On the coordinating cluster, add the remote cluster names and IP addresses (transport port 9300):
curl -k -XPUT -H 'Content-Type: application/json' -u 'admin:admin' 'https://localhost:9200/_cluster/settings' -d '
{
  "persistent": {
    "cluster.remote": {
      "cluster1": {
        "seeds": ["127.0.0.1:9300"]
      },
      "cluster2": {
        "seeds": ["127.0.0.1:9301"]
      }
    }
  }
}'
Index a document in the remote cluster:
curl -XPUT -k -H 'Content-Type: application/json' -u 'admin:admin' 'https://localhost:9201/books/_doc/1' -d '{"Dracula": "Bram Stoker"}'
At this point, cross-cluster search works. You can test it using the admin user:
✗ curl -XGET -k -u 'admin:admin' 'https://localhost:9200/cluster2:books/_search?pretty'
{
"took" : 57,
"timed_out" : false,
"_shards" : {
"total" : 1,
"successful" : 1,
"skipped" : 0,
"failed" : 0
},
"_clusters" : {
"total" : 1,
"successful" : 1,
"skipped" : 0
},
"hits" : {
"total" : {
"value" : 1,
"relation" : "eq"
},
"max_score" : 1.0,
"hits" : [
{
"_index" : "cluster2:books",
"_type" : "_doc",
"_id" : "1",
"_score" : 1.0,
"_source" : {
"Dracula" : "Bram Stoker"
}
}
]
}
}
To continue testing, create a new user on both clusters:
curl -XPUT -k -u 'admin:admin' 'https://localhost:9200/_security/user/booksuser' -H 'Content-Type: application/json' -d '{"password":"password"}'
curl -XPUT -k -u 'admin:admin' 'https://localhost:9201/_security/user/booksuser' -H 'Content-Type: application/json' -d '{"password":"password"}'
Then run the same search as before with booksuser:
curl -XGET -k -u booksuser:password 'https://localhost:9200/cluster2:books/_search?pretty'
{
"error" : {
"root_cause" : [
{
"type" : "security_exception",
"reason" : "no permissions for [indices:admin/shards/search_shards, indices:data/read/search] and User [name=booksuser, roles=[], requestedTenant=null]"
}
],
"type" : "security_exception",
"reason" : "no permissions for [indices:admin/shards/search_shards, indices:data/read/search] and User [name=booksuser, roles=[], requestedTenant=null]"
},
"status" : 403
}
Note the permissions error. On the remote cluster, create a role with the appropriate permissions and map booksuser to that role:
curl -XPUT -k -u 'admin:admin' -H 'Content-Type: application/json' 'https://localhost:9200/_security/role/booksrole' -d '{"indices":[{"names":["books"],"privileges":["indices:admin/shards/search_shards","indices:data/read/search"]}]}'
curl -XPUT -k -u 'admin:admin' -H 'Content-Type: application/json' 'https://localhost:9200/_security/role_mapping/booksrole' -d '{"users" : ["booksuser"]}'
curl -XPUT -k -u 'admin:admin' -H 'Content-Type: application/json' 'https://localhost:9201/_security/role/booksrole' -d '{"indices":[{"names":["books"],"privileges":["indices:admin/shards/search_shards","indices:data/read/search"]}]}'
curl -XPUT -k -u 'admin:admin' -H 'Content-Type: application/json' 'https://localhost:9201/_security/role_mapping/booksrole' -d '{"users" : ["booksuser"]}'
Both clusters must have the user, but only the remote cluster needs the role and mapping; in this setup the coordinating cluster handles authentication (i.e. "does this request carry valid user credentials?") and the remote cluster handles authorization (i.e. "may this user access this data?").
Run the search again:
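The 403 above is the remote cluster's authorization step rejecting a role that lacks one of the two index actions the Permissions section lists. The following Python snippet is an added example, not part of the Easysearch documentation or product: it checks a role body (in the shape of the _security/role request used above) for both CCS-required actions on a given index, and parses the action names out of a security_exception response. It assumes that the READ and SEARCH action groups cover indices:data/read/search, as the role.yml sample implies; the role bodies and the 403 body are constructed from what is shown on this page.

```python
"""Offline checker for the index privileges a cross-cluster search needs on
the remote cluster. Added example; not Easysearch's own code."""
import fnmatch
import json
import re

SEARCH_ACTION = "indices:data/read/search"
SHARDS_ACTION = "indices:admin/shards/search_shards"
REQUIRED_FOR_CCS = (SHARDS_ACTION, SEARCH_ACTION)

# Assumption: these action groups grant the search action.
SEARCH_GROUPS = {"READ", "SEARCH"}


def _privilege_covers(privilege: str, action: str) -> bool:
    """True if one privilege entry (raw action pattern or action group) grants `action`."""
    if action == SEARCH_ACTION and privilege in SEARCH_GROUPS:
        return True
    return fnmatch.fnmatchcase(action, privilege)


def missing_ccs_privileges(role: dict, index: str) -> list:
    """Return the CCS-required actions that `role` does not grant on `index`.

    `role` follows the _security/role body shape used on this page:
    {"indices": [{"names": [...], "privileges": [...]}]}.
    """
    granted = set()
    for entry in role.get("indices", []):
        # Only entries whose index patterns match the target index count.
        if not any(fnmatch.fnmatchcase(index, pat) for pat in entry.get("names", [])):
            continue
        for action in REQUIRED_FOR_CCS:
            if any(_privilege_covers(p, action) for p in entry.get("privileges", [])):
                granted.add(action)
    return [a for a in REQUIRED_FOR_CCS if a not in granted]


def parse_missing_from_403(body: dict) -> list:
    """Extract the action names a security_exception reports as missing."""
    reason = body.get("error", {}).get("reason", "")
    m = re.search(r"no permissions for \[([^\]]*)\]", reason)
    if not m:
        return []
    return [a.strip() for a in m.group(1).split(",") if a.strip()]


# Constructed inputs: the booksrole body and the 403 response quoted on this page.
BOOKSROLE = json.loads(
    '{"indices":[{"names":["books"],"privileges":'
    '["indices:admin/shards/search_shards","indices:data/read/search"]}]}'
)
# Constructed: a role that only grants search, which CCS rejects.
INCOMPLETE_ROLE = {"indices": [{"names": ["books"], "privileges": [SEARCH_ACTION]}]}
# Constructed from the role.yml sample: action group plus the raw shards action.
HR_ROLE = {"indices": [{"names": ["humanresources*"],
                        "privileges": ["READ", SHARDS_ACTION]}]}
DENIED = {
    "error": {
        "type": "security_exception",
        "reason": "no permissions for [indices:admin/shards/search_shards, "
                  "indices:data/read/search] and User [name=booksuser, roles=[], "
                  "requestedTenant=null]",
    },
    "status": 403,
}

if __name__ == "__main__":
    print("booksrole on books:", missing_ccs_privileges(BOOKSROLE, "books"))
    print("incomplete role on books:", missing_ccs_privileges(INCOMPLETE_ROLE, "books"))
    print("hr role on humanresources:", missing_ccs_privileges(HR_ROLE, "humanresources"))
    print("actions named in the 403:", parse_missing_from_403(DENIED))
```

Run it against a role body fetched from the remote cluster before mapping a user to it; an empty list from missing_ccs_privileges means the role grants both actions the remote cluster will check.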
curl -XGET -k -u booksuser:password 'https://localhost:9200/cluster2:books/_search?pretty'
{
"took" : 5,
"timed_out" : false,
"_shards" : {
"total" : 1,
"successful" : 1,
"skipped" : 0,
"failed" : 0
},
"_clusters" : {
"total" : 1,
"successful" : 1,
"skipped" : 0
},
"hits" : {
"total" : {
"value" : 1,
"relation" : "eq"
},
"max_score" : 1.0,
"hits" : [
{
"_index" : "cluster2:books",
"_type" : "_doc",
"_id" : "1",
"_score" : 1.0,
"_source" : {
"Dracula" : "Bram Stoker"
}
}
]
}
}