diff --git a/docs/reference/esql/esql-across-clusters.asciidoc b/docs/reference/esql/esql-across-clusters.asciidoc index 8bc1e2a83fc19..d13b3db1c73ea 100644 --- a/docs/reference/esql/esql-across-clusters.asciidoc +++ b/docs/reference/esql/esql-across-clusters.asciidoc @@ -54,11 +54,6 @@ Refer to <> for prerequisi [[esql-ccs-security-model-api-key]] ===== API key authentication -[NOTE] -==== -`ENRICH` is *not supported* in this version when using {esql} with the API key based security model. -==== - The following information pertains to using {esql} across clusters with the <>. You'll need to follow the steps on that page for the *full setup instructions*. This page only contains additional information specific to {esql}. API key based cross-cluster search (CCS) enables more granular control over allowed actions between clusters. @@ -71,6 +66,7 @@ You will need to: Using {esql} with the API key based security model requires some additional permissions that may not be needed when using the traditional query DSL based search. The following example API call creates a role that can query remote indices using {esql} when using the API key based security model. +The final privilege, `remote_cluster`, is required to allow remote enrich operations. [source,console] ---- @@ -89,7 +85,17 @@ POST /_security/role/remote1 "privileges": [ "read","read_cross_cluster" ], <4> "clusters" : ["my_remote_cluster"] <5> } - ] + ], + "remote_cluster": [ <6> + { + "privileges": [ + "monitor_enrich" + ], + "clusters": [ + "my_remote_cluster" + ] + } + ] } ---- @@ -100,6 +106,7 @@ POST /_security/role/remote1 <5> The remote clusters to which these privileges apply. This remote cluster must be configured with a <> and connected to the remote cluster before the remote index can be queried. Verify connection using the <> API. +<6> Required to allow remote enrichment. Without this, the user cannot read from the `.enrich` indices on the remote cluster. The `remote_cluster` security privilege was introduced in version *8.15.0*. You will then need a user or API key with the permissions you created above. The following example API call creates a user with the `remote1` role. @@ -114,6 +121,11 @@ POST /_security/user/remote_user Remember that all cross-cluster requests from the local cluster are bound by the cross cluster API key’s privileges, which are controlled by the remote cluster's administrator. +[TIP] +==== +Cross cluster API keys created in versions prior to 8.15.0 will need to replaced or updated to add the new permissions required for {esql} with ENRICH. +==== + [discrete] [[ccq-remote-cluster-setup]] ==== Remote cluster setup @@ -174,9 +186,11 @@ clusters, aiming to minimize computation or inter-cluster data transfer. Ensurin the policy exists with consistent data on both the local cluster and the remote clusters is critical for ES|QL to produce a consistent query result. -[NOTE] +[TIP] ==== -Enrich across clusters is *not supported* in this version when using {esql} with the <>. +Enrich in {esql} across clusters using the API key based security model was introduced in version *8.15.0*. +Cross cluster API keys created in versions prior to 8.15.0 will need to replaced or updated to use the new required permissions. +Refer to the example in the <> section. ==== In the following example, the enrich with `hosts` policy can be executed on