CCR requires unnecessary manage privilege #76690
Labels
bug
Fixes for quality problems that affect the customer experience
Feature:CCR and Remote Clusters
Team:Kibana Management
Dev Tools, Index Management, Upgrade Assistant, ILM, Ingest Node Pipelines, and more
Summary
A user needs monitor and manage_ccr cluster privileges to view and create follower indices and view auto-follow patterns. WIthout the monitor privilege they get an error for the "cluster:monitor/ccr/follow_info" action.
Note: you need privileges on the remote cluster to create auto-follow patterns. You need to have an identical user on the remote cluster that has the
read_ccr
cluster privilege in addition tomonitor
andread
privileges on the leader indices (see the docs). Missing these privileges results in the error[security_exception] insufficient privileges to follow index [f*], privilege for action [indices:monitor/stats] is missing, privilege for action [indices:data/read/xpack/ccr/shard_changes] is missing
.A user needs the manage cluster privilege in order to use Remote Clusters. The monitor privilege is sufficient for viewing remote clusters (without it they get an error for the "cluster:monitor/remote/info" action), but they need manage to edit them.
Oddly enough, the user needs index privileges for a follower index to view it in Index Management (the equivalent of requesting
GET <index>
), but doesn't need them to view the same follower index in CCR (the equivalent of requestingGET <index>/_ccr/info
).Changes to make
The text was updated successfully, but these errors were encountered: