Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CCR requires unnecessary manage privilege #76690

Open
cjcenizal opened this issue Sep 3, 2020 · 3 comments
Open

CCR requires unnecessary manage privilege #76690

cjcenizal opened this issue Sep 3, 2020 · 3 comments
Labels
bug Fixes for quality problems that affect the customer experience Feature:CCR and Remote Clusters Team:Kibana Management Dev Tools, Index Management, Upgrade Assistant, ILM, Ingest Node Pipelines, and more

Comments

@cjcenizal
Copy link
Contributor

cjcenizal commented Sep 3, 2020

Summary

A user needs monitor and manage_ccr cluster privileges to view and create follower indices and view auto-follow patterns. WIthout the monitor privilege they get an error for the "cluster:monitor/ccr/follow_info" action.

Note: you need privileges on the remote cluster to create auto-follow patterns. You need to have an identical user on the remote cluster that has the read_ccr cluster privilege in addition to monitor and read privileges on the leader indices (see the docs). Missing these privileges results in the error [security_exception] insufficient privileges to follow index [f*], privilege for action [indices:monitor/stats] is missing, privilege for action [indices:data/read/xpack/ccr/shard_changes] is missing.

image

A user needs the manage cluster privilege in order to use Remote Clusters. The monitor privilege is sufficient for viewing remote clusters (without it they get an error for the "cluster:monitor/remote/info" action), but they need manage to edit them.

Oddly enough, the user needs index privileges for a follower index to view it in Index Management (the equivalent of requesting GET <index>), but doesn't need them to view the same follower index in CCR (the equivalent of requesting GET <index>/_ccr/info).

Changes to make

@cjcenizal cjcenizal added bug Fixes for quality problems that affect the customer experience Feature:CCR and Remote Clusters Team:Kibana Management Dev Tools, Index Management, Upgrade Assistant, ILM, Ingest Node Pipelines, and more labels Sep 3, 2020
@elasticmachine
Copy link
Contributor

Pinging @elastic/es-ui (Team:Elasticsearch UI)

@cjcenizal
Copy link
Contributor Author

Relates to #70120

@alisonelizabeth alisonelizabeth removed the Team:Kibana Management Dev Tools, Index Management, Upgrade Assistant, ILM, Ingest Node Pipelines, and more label Sep 16, 2024
@botelastic botelastic bot added the needs-team Issues missing a team label label Sep 16, 2024
@alisonelizabeth alisonelizabeth added the Team:Kibana Management Dev Tools, Index Management, Upgrade Assistant, ILM, Ingest Node Pipelines, and more label Sep 16, 2024
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-management (Team:Kibana Management)

@botelastic botelastic bot removed the needs-team Issues missing a team label label Sep 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Fixes for quality problems that affect the customer experience Feature:CCR and Remote Clusters Team:Kibana Management Dev Tools, Index Management, Upgrade Assistant, ILM, Ingest Node Pipelines, and more
Projects
None yet
Development

No branches or pull requests

3 participants