Multi-Cluster Security

Connections to remote clusters are configured using a Repository Token that provides explicit access to the data within the view. Security across the multi-cluster views and connections are controlled by the Role Based Access Control (RBAC). See Managing Users & Permissions for more details.

Security between the multi-cluster view, local connection and remote connections are controlled as follows:

  • Access to the multi-cluster view is controlled through the use of a limited, read-only access token to a specific remote repository

  • Local connections to a local view are limited to read access by the multi-cluster view.

  • Remote connections to clusters within the Multi-Cluster view are controlled by the RBAC on the remote cluster, and provided per remote view with an explicit access token. The token controls access to a single view. When creating multiple multi-cluster views connecting to the same remote repository the same token can be re-used or you can create multiple tokens for more granular access control. For more information, see API Tokens

  • You can only have one remote connection to a cluster per multi-cluster view.

This information is summarized in the table below.

View Security Requires Token Access Controlled By
Multi-Cluster View No Multi-Cluster View Cluster
Local Connection No Multi-Cluster View Cluster
Remote Connection Yes Remote Cluster

The access token required for a remote connection can be revoked or deleted independently of other connections, removing access to the data from the multi-cluster view.

In addition to the security authorization for access to local and remote data within each cluster, network access must be provided between the upstream and downstream clusters. The exact list of ports required will depend on the configuration of the cluster, but should include the default query port, 443.

When running queries through Multi-Cluster search:

  • Queries will be executed as the user configured on the remote cluster for the corresponding API token, not the user on the parent cluster.

    When viewing and auditing query execution:

    • Use humio-audit on the parent cluster for any multi-cluster queries.

    • Use humio-audit on child clusters for queries that are not multi-cluster.

    Queries can be correlated by using the federationId in the audit log.