CCR user permission issue. action [cluster:admin/settings/update] is unauthorized for user [my-certificate-cn]

I have deployed Elasticsearch 7.7.1. I have created a certificate which includes CN=my-certificate-cn and configured the transport layer with it.

I have created two roles, ccr_leader and ccr_follower, in accordance with the documentation, and also corrected them a bit based on your proposal for the defect that I opened before, as in the example below:

es_roles:
  native:
    ccr_leader:
      cluster:
        - read_ccr
        - monitor
      indices:
        - names: '*'
          privileges:
            - manage
            - read
    ccr_follower:
      cluster:
        - manage_ccr
        - monitor
      indices:
        - names: '*'
          privileges:
            - monitor
            - read
            - write
            - manage_follow_index

In order to set up CCR I need to create a "remote config" (_cluster/settings). When I try to do so, I receive an exception in the response:

{
 "error" : {
   "root_cause" : [
     {
       "type" : "security_exception",
       "reason" : "action [cluster:admin/settings/update] is unauthorized for user [my-certificate-cn]"
     }
   ],
   "type" : "security_exception",
   "reason" : "action [cluster:admin/settings/update] is unauthorized for user [my-certificate-cn]"
 },
 "status" : 403
}

Is it a defect, or maybe my role definitions are not correct?

This error should have nothing to do with CCR. It complains that the user does not have permission to set up CCR (updating the settings), rather than about CCR itself.

What is your my-certificate-cn user? How is it configured and what privileges does it have? Could you please provide the response to the GET _security/_authenticate API for this user?

It is kind of not related to CCR, but a prerequisite step for CCR is to add the "remote config" (alias and list of the seeds).

Actually I have only two roles defined, ccr_leader and ccr_follower, as I mentioned above.
However, I forgot to include the role mappings that I defined as well. I am using the pki realm:

es_role_mapping:
  ccr_follower:
    - "O=xxx,CN=my-certificate-cn"
  ccr_leader:
    - "O=xxx,CN=my-certificate-cn"

If I add a new mapping with the superuser role, everything works fine. Like this:

es_role_mapping:
  ccr_follower:
    - "O=xxx,CN=my-certificate-cn"
  ccr_leader:
    - "O=xxx,CN=my-certificate-cn"
  superuser:
    - "O=xxx,CN=my-certificate-cn"

The ccr_follower and ccr_leader roles are meant to be used by CCR, not for setting it up. For setting it up using the cluster updating API, you need a more privileged role that has the all cluster privilege as documented:

If you are managing connecting to the remote cluster via the cluster update settings API, you will also need a user with the all cluster privilege.

The above sentence is a bit easy to miss, but you can find it right after the sample code of the local ccr_user role.

Granting the superuser role to your CCR user works, as you have found out. But I'd recommend having a separate user for this purpose. Otherwise, CCR itself will run with superuser privileges, which is generally unnecessary and non-ideal.
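
The separation recommended in the reply above, as an added example that is not part of the original thread and not Elasticsearch's own code: a Python audit over role definitions and role mappings shaped like the es_roles / es_role_mapping variables posted here. The ccr_setup role, the my-admin-cn DN, and the rule that only the all cluster privilege permits the settings update (taken from the documentation sentence quoted above) are assumptions of this example.

```python
# Added illustration: not code from the thread, Elasticsearch, or its tooling.
# Role data is constructed to mirror the es_roles posted above; "ccr_setup" and
# the my-admin-cn DN are hypothetical.
ROLES = {
    "ccr_leader": ["read_ccr", "monitor"],
    "ccr_follower": ["manage_ccr", "monitor"],
    "superuser": ["all"],   # built-in role
    "ccr_setup": ["all"],   # hypothetical setup-only role
}
CCR_ROLES = {"ccr_leader", "ccr_follower"}
CCR_DN = "O=xxx,CN=my-certificate-cn"
ADMIN_DN = "O=xxx,CN=my-admin-cn"   # hypothetical second certificate

THREAD_MAPPING = {"ccr_follower": [CCR_DN], "ccr_leader": [CCR_DN]}
SUPERUSER_MAPPING = {**THREAD_MAPPING, "superuser": [CCR_DN]}
SPLIT_MAPPING = {**THREAD_MAPPING, "ccr_setup": [ADMIN_DN]}


def roles_for(dn, mapping):
    """Roles a certificate DN receives from an es_role_mapping-style dict."""
    return {role for role, dns in mapping.items() if dn in dns}


def can_update_settings(dn, mapping):
    """Assumption from the quoted docs: the settings update needs cluster `all`."""
    return any("all" in ROLES[role] for role in roles_for(dn, mapping))


def audit(mapping):
    """Classify every mapped DN by how it combines CCR roles and cluster `all`."""
    result = {}
    for dn in sorted({d for dns in mapping.values() for d in dns}):
        runs_ccr = bool(roles_for(dn, mapping) & CCR_ROLES)
        admin = can_update_settings(dn, mapping)
        if runs_ccr and admin:
            result[dn] = "over-privileged"   # CCR would run with cluster `all`
        elif runs_ccr:
            result[dn] = "ccr-only"          # settings update is refused (403)
        elif admin:
            result[dn] = "setup-only"        # identity for the remote config step
        else:
            result[dn] = "other"
    return result


if __name__ == "__main__":
    for name, m in [("thread", THREAD_MAPPING), ("superuser", SUPERUSER_MAPPING),
                    ("split", SPLIT_MAPPING)]:
        print(name, audit(m))
```
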

Thanks a lot
