Multi-Cluster Security

Connections to remote clusters are configured using a Repository Token that provides explicit access to the data within the view. Security across the multi-cluster views and connections are controlled by the Role Based Access Control (RBAC). See Managing Users & Permissions for more details.

Security between the multi-cluster view, local connection and remote connections are controlled as follows:

Access to the multi-cluster view is controlled through the use of a limited, read-only access token to a specific remote repository
Local connections to a local view are limited to read access by the multi-cluster view.
Remote connections to clusters within the Multi-Cluster view are controlled by the RBAC on the remote cluster, and provided per remote view with an explicit access token. The token controls access to a single view. When creating multiple multi-cluster views connecting to the same remote repository the same token can be re-used or you can create multiple tokens for more granular access control. For more information, see API Tokens
You can only have one remote connection to a cluster per multi-cluster view.

This information is summarized in the table below.

View Security	Requires Token	Access Controlled By
Multi-Cluster View	No	Multi-Cluster View Cluster
Local Connection	No	Multi-Cluster View Cluster
Remote Connection	Yes	Remote Cluster

The access token required for a remote connection can be revoked or deleted independently of other connections, removing access to the data from the multi-cluster view.

In addition to the security authorization for access to local and remote data within each cluster, network access must be provided between the upstream and downstream clusters. The exact list of ports required will depend on the configuration of the cluster, but should include the default query port, 443.

When running queries through Multi-Cluster search:

Queries will be executed as the user configured on the remote cluster for the corresponding API token, not the user on the parent cluster.
When viewing and auditing query execution:
- Use humio-audit on the parent cluster for any multi-cluster queries.
- Use humio-audit on child clusters for queries that are not multi-cluster.
Queries can be correlated by using the federationId in the audit log.

Falcon LogScale Self-Hosted 1.132.0-1.137.0 (Preview)

Self-Hosted Overview

Installing LogScale

Self-Hosted Admin.

Organization Essentials

Configuring Security

Authentication & Identity Providers

Users & Permissions

Cluster Management

Configuration Settings

Ingesting Data

LogScale Configuration Parameters

LogScale URLs & Endpoints

Limits & Standards

Data Analysis 1.132.0-1.137.0

Data Analysis Overview

LogScale User Interface

Repositories & Views

Parsing Data

Searching Data

Writing Queries

Query Language Syntax

Query Functions

Dashboards & Widgets

Automation

Template Language

Keyboard Shortcuts

Multi-Cluster Security

Enter search term