I have deployed Elasticsearch 7.7.1. I have created a certificate which includes CN=my-certificate-cn and configured the transport layer with it.
I have created two roles, ccr_leader and ccr_follower, in accordance with the documentation, and also corrected them a bit based on your proposal for the defect that I opened before; they look like the example below:
This error should have nothing to do with CCR. It complains that the user does not have the permission to set up CCR (updating the settings), not about CCR itself.
What is your my-certificate-cn user? How is it configured and what privileges does it have? Could you please provide the response to the GET _security/_authenticate API for this user?
It is kind of not related to CCR, but a prerequisite step for CCR is to add the "remote config" (alias and list of the seeds).
Actually I have only two roles defined, ccr_leader and ccr_follower, as I mentioned above.
However, I forgot to include the role mappings that I defined as well. I am using the pki realm
The ccr_follower and ccr_leader roles are meant to be used by CCR, not for setting it up. For setting it up using the cluster updating API, you need a more privileged role that has the all cluster privilege as documented:
If you are managing connecting to the remote cluster via the cluster update settings API, you will also need a user with the all cluster privilege.
The above sentence is a bit easy to miss, but you can find it right after the sample code of the local ccr_user role.
Granting the superuser role to your CCR user works, as you have found out. But I'd recommend that you have a separate user for this purpose. Otherwise, CCR itself will run with superuser privilege, which is generally unnecessary and non-ideal.
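An added example, not part of the thread or Elastic's own code: a Python check of the recommendation above, run over constructed role and PKI role-mapping data. The role `remote_cluster_admin`, the DN `CN=remote-admin-cn` and the role contents are assumptions, and DN matching is simplified to exact comparison.

```python
# Constructed sample data shaped like GET _security/role and
# GET _security/role_mapping output; not the poster's real definitions.
ROLES = {
    "superuser": {"cluster": ["all"]},             # stand-in for the built-in role
    "ccr_follower": {"cluster": ["manage_ccr"]},
    "ccr_leader": {"cluster": ["read_ccr"]},
    "remote_cluster_admin": {"cluster": ["all"]},  # hypothetical setup-only role
}
CCR_DN = "CN=my-certificate-cn"
ADMIN_DN = "CN=remote-admin-cn"                    # hypothetical second certificate

def _map(roles, dn):
    return {"enabled": True, "roles": roles, "rules": {"field": {"dn": dn}}}

# Workaround from the thread: the CCR certificate is also mapped to superuser.
MAPPINGS_SHARED = {"ccr": _map(["ccr_follower", "ccr_leader", "superuser"], CCR_DN)}
# Recommended split: a separate certificate carries the setup privilege.
MAPPINGS_SPLIT = {"ccr": _map(["ccr_follower", "ccr_leader"], CCR_DN),
                  "setup": _map(["remote_cluster_admin"], ADMIN_DN)}

def rule_matches(rule, dn):
    """Evaluate field/any/all rules; exact DN match only (no wildcards, no except)."""
    if "field" in rule:
        want = rule["field"].get("dn", [])
        return dn in (want if isinstance(want, list) else [want])
    for key, combine in (("any", any), ("all", all)):
        if key in rule:
            return combine(rule_matches(r, dn) for r in rule[key])
    return False

def roles_for(dn, mappings):
    """Union of roles from every enabled mapping whose rules match the DN."""
    names = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and rule_matches(mapping["rules"], dn):
            names.update(mapping["roles"])
    return names

def audit(dn, mappings, roles=ROLES):
    cluster = set()
    for name in roles_for(dn, mappings):
        cluster.update(roles.get(name, {}).get("cluster", []))
    can_setup = "all" in cluster   # privilege the quoted docs sentence requires
    runs_ccr = bool(cluster & {"manage_ccr", "read_ccr"})
    return {"can_update_remote_settings": can_setup, "runs_ccr": runs_ccr,
            "overprivileged_ccr_identity": can_setup and runs_ccr}

if __name__ == "__main__":
    for dn, m in ((CCR_DN, MAPPINGS_SHARED), (CCR_DN, MAPPINGS_SPLIT), (ADMIN_DN, MAPPINGS_SPLIT)):
        print(dn, audit(dn, m))
```

With the split mappings, the CCR certificate can no longer update remote-cluster settings, which is the permission error the thread started with; the setup certificate takes that job instead.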