[DOC] Clarify supported realms when accessing remote monitoring clusters #77938
Conversation
Clarify supported realms when accessing remote monitoring clusters. According to #21611, any realm which relies on local Elasticsearch tokens cannot be used to authenticate to a remote monitoring cluster from the Kibana production instance.
|
Pinging @elastic/kibana-docs (Team:Docs) |
lcawl
added
Feature:Stack Monitoring
v8.0.0
release_note:skip
|
I think some clarification is required about which data collection methods this limitation applies to. Also whether the use of a separate Kibana instance for the monitoring cluster ameliorates the issue (as suggested in #21611 (comment)). Once those details are known, we should also add info to this main monitoring page: https://www.elastic.co/guide/en/elasticsearch/reference/master/monitoring-overview.html |
| @@ -13,6 +13,15 @@ At a minimum, you must have monitoring data for the {es} production cluster. | |||
| Once that data exists, {kib} can display monitoring data for other products in | |||
| the cluster. | |||
|
|
|||
| TIP: If you use a separate monitoring cluster to store the monitoring data, it | |||
| is strongly recommended that you use a separate {kib} instance to view it. If | |||
| you use SAML, Kerberos, PKI, or OpenID Connect realms on your production or | |||
There was a problem hiding this comment.
note: Sorry for not mentioning it earlier, but I think we also want to mention that users will also have to use a dedicated {kib} instance if Kibana is configured to use Token authentication provider (it may rely on {es} Native, Reserved, LDAP, AD or any other custom password-based realm under the hood). This provider isn't widely used right now, but it's the only option if users want to authenticate with LDAP/AD where OTP is a requirement and we eventually want to make it a default provider instead of Basic as well.
Something similar to this, but feel free to rephrase:
| you use SAML, Kerberos, PKI, or OpenID Connect realms on your production or | |
| you log in to {kib} using SAML, Kerberos, PKI, OpenID Connect, or Token authentication provider on your production or |
Some context around "realm" vs "authentication provider" since it may be a bit confusing: Elasticsearch's "realms" map 1-to-1 to Kibana's "authentication providers" most of the time, but not always (e.g. Token and Basic providers can rely on either native, or LDAP, or AD ES realms). That's the main reason why we didn't use term "realms" in Kibana.
There was a problem hiding this comment.
Thanks for the information! I've added the suggested text.
…ers (elastic#77938) Co-authored-by: lcawl <[email protected]>
…ers (elastic#77938) Co-authored-by: lcawl <[email protected]>
Summary
Clarify supported realms when accessing remote monitoring clusters.
According to #21611, any realm which relies on local Elasticsearch tokens cannot be used to authenticate to a remote monitoring cluster from the Kibana production instance.
Please let me know if we should review any wording or amend the list of supported realms.
For maintainers
Preview
https://kibana_77938.docs-preview.app.elstc.co/guide/en/kibana/master/monitoring-data.html