Hi,
ES is a great product and effort overall, I like it.
But it's not the first time I have wasted my time following a documentation example, only to finally figure out it has lots of errors.
When trying to understand security over cross cluster search, it feels like the documentation lacks testing:
https://www.elastic.co/guide/en/elastic-stack-overview/6.5/cross-cluster-configuring.html#_example_configuration_of_cross_cluster_search
"On cluster one, this role does not need any special privileges:"
It does need special privileges though. A new user with an empty role will get this:
{"error":{"root_cause":[{"type":"security_exception","reason":"action [cluster:admin/xpack/security/token/create] is unauthorized for user [tony]"}],"
So on cluster one the full role must be defined.
"On cluster two, this role allows the user to query local indices called logs-* from a remote cluster:"
The logs-* is not enough as the same error will show up:
{"error":{"root_cause":[{"type":"security_exception","reason":"action [cluster:admin/xpack/security/token/create] is unauthorized for user [tony]"}],"
Putting `indices.names :["*"]` fixed it.
"With all of the above setup, the user alice is able to search indices in cluster two as follows:"
```
GET two:logs-2017.04/_search
{
  "query": {
    "match_all": {}
  }
}
```
The query endpoint is wrong, it should be:
GET cluster_two:...
I finally got it to work by defining my own superuser role. I could not get it to just cross cluster search an index on a remote cluster from a local one with "read" and "read_cross_cluster"; it just did not work.
I hope this will help to fix the doc, or to tell me I did something wrong. I'm open to either.
Cheers!
Johnny