CCR user permission issue. [indices:admin/seq_no/renew_retention_lease] is unauthorized for user [ccr_user]

I have two clusters 7.7.1 deployed, tested CCR, using super user.
Now I defined ccr_user with two newly created roles (ccr_leader, ccr_follower), which I am using on both leader and follower clusters.

Roles look like below:

    ccr_leader:
      cluster:
        - read_ccr
        - monitor
      indices:
        - names: '*'
          privileges:
            - monitor
            - read

    ccr_follower:
      cluster:
        - manage_ccr
        - monitor
      indices:
        - names: '*'
          privileges:
            - monitor
            - read
            - write
            - manage_follow_index

The issue happens when the follower tries to replicate the data. The exception I see in the logs:

[2021-06-22T18:41:29,967][WARN ][o.e.x.c.a.ShardFollowTasksExecutor] [elasticsearch-1] [my_index][0] background management of retention lease [logging-elasticsearch/my_index/OtuNSHhqSuKJRGZcobw6tQ-following-leader_cluster2/my_index/RXo3DIJySPGMU62AbOMzRw] failed while following
org.elasticsearch.ElasticsearchSecurityException: **action [indices:admin/seq_no/renew_retention_lease]** is unauthorized for user [ccr_user]
        at org.elasticsearch.xpack.core.security.support.Exceptions.authorizationError(Exceptions.java:34) ~[?:?]
        at org.elasticsearch.xpack.security.authz.AuthorizationService.denialException(AuthorizationService.java:597) ~[?:?]
        at org.elasticsearch.xpack.security.authz.AuthorizationService.access$300(AuthorizationService.java:92) ~[?:?]
        at org.elasticsearch.xpack.security.authz.AuthorizationService$AuthorizationResultListener.handleFailure(AuthorizationService.java:644) ~[?:?]
        at org.elasticsearch.xpack.security.authz.AuthorizationService$AuthorizationResultListener.onResponse(AuthorizationService.java:630) ~[?:?]
        at org.elasticsearch.xpack.security.authz.AuthorizationService$AuthorizationResultListener.onResponse(AuthorizationService.java:600) ~[?:?]
        at org.elasticsearch.action.support.ContextPreservingActionListener.onResponse(ContextPreservingActionListener.java:43) ~[elasticsearch-7.7.1.jar:7.7.1]

I found an issue opened here: CCR exception on retention lease renewal · Issue #61308 · elastic/elasticsearch · GitHub
I'm not sure where it stands... So I have a few questions:

  1. Is it a bug?
  2. Is it fixed in other versions?
  3. What permissions/privileges do I need to add to my roles?

I don't know CCR well, but I would definitely recommend upgrading to 7.13, the latest, and trying again. There may or may not have been a fix, but it's always good to be running the latest when possible.

Yes, it is a bug and it is not fixed yet. For now you can work around this by either granting the manage privilege or explicitly adding the action name for the remote index, e.g.:

ccr_leader:
    cluster:
      - read_ccr
      - monitor
    indices:
      - names: '*'
        privileges:
          - read
          - manage
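To see why the workaround above fixes the error, and what the two variants differ in, here is an added example (not code from the thread or from Elasticsearch) that models how named index privileges expand to action patterns and checks whether a role authorises `indices:admin/seq_no/renew_retention_lease`. The expansion table is a simplified approximation assumed for the example, not the real privilege catalogue, and the role dicts are constructed from the YAML posted in this thread.

```python
from fnmatch import fnmatchcase

# The action named in the authorization error from the question.
ACTION = "indices:admin/seq_no/renew_retention_lease"

# Assumed, simplified expansion of named privileges to action patterns.
# The real catalogue is version-specific; this is only enough to show the point.
PRIVILEGE_PATTERNS = {
    "read": ["indices:data/read/*"],
    "write": ["indices:data/write/*"],
    "monitor": ["indices:monitor/*"],
    "manage": ["indices:monitor/*", "indices:admin/*"],
    "manage_follow_index": ["indices:admin/xpack/ccr/*", "indices:admin/close*"],
}

def expand(privileges):
    """Expand named privileges; an unknown name is kept as a raw action name."""
    patterns = []
    for p in privileges:
        patterns.extend(PRIVILEGE_PATTERNS.get(p, [p]))
    return patterns

def authorises(role, index, action):
    """True if some indices entry of the role matches both the index and the action."""
    for entry in role.get("indices", []):
        if not any(fnmatchcase(index, n) for n in entry["names"]):
            continue
        if any(fnmatchcase(action, pat) for pat in expand(entry["privileges"])):
            return True
    return False

# Leader role as posted in the question: monitor + read only.
CCR_LEADER_ORIGINAL = {"cluster": ["read_ccr", "monitor"],
                       "indices": [{"names": ["*"], "privileges": ["monitor", "read"]}]}
# Workaround 1 from the reply: the broad 'manage' privilege (covers every indices:admin/* action).
CCR_LEADER_MANAGE = {"cluster": ["read_ccr", "monitor"],
                     "indices": [{"names": ["*"], "privileges": ["read", "manage"]}]}
# Workaround 2: the explicit action name on the replicated index only (narrowest grant).
CCR_LEADER_EXPLICIT = {"cluster": ["read_ccr", "monitor"],
                       "indices": [{"names": ["my_index"], "privileges": ["monitor", "read", ACTION]}]}

if __name__ == "__main__":
    for name, role in [("original", CCR_LEADER_ORIGINAL), ("manage", CCR_LEADER_MANAGE),
                       ("explicit", CCR_LEADER_EXPLICIT)]:
        print(f"{name:9s} my_index -> {authorises(role, 'my_index', ACTION)}")
```

The explicit-action variant authorises only the retention-lease renewal on the named index, whereas `manage` also grants unrelated admin actions such as index deletion; the check on the follower role is irrelevant here because the action is evaluated on the leader cluster.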

manage permissions on the leader role or on the follower role???
In my case I am assigning both roles to the same user, but I still thought the issue was that the follower does not have the privileges.

The privilege must be given to the role that is used on the leader cluster. You can read more about history retention here.
