CCR user permission issue. [indices:admin/seq_no/renew_retention_lease] is unauthorized for user [ccr_user]

Elastic Stack Elasticsearch
,
1

I have two clusters 7.7.1 deployed, tested CCR, using super user.
Now I defined ccr_user with two newly created roles (ccr_leader, ccr_follower), which I am using on both leader and follower clusters.

Roles looks like below:

   ccr_leader:
      cluster:
        - read_ccr
        - monitor
      indices:
        - names: '*'
          privileges:
            - monitor
            - read

    ccr_follower:
      cluster:
        - manage_ccr
        - monitor
      indices:
        - names: '*'
          privileges:
            - monitor
            - read
            - write
            - manage_follow_index

Issue happens, when follower tries to replicate the data. Exception in logs that I see:

[2021-06-22T18:41:29,967][WARN ][o.e.x.c.a.ShardFollowTasksExecutor] [elasticsearch-1] [my_index][0] background management of retention lease [logging-elasticsearch/my_index/OtuNSHhqSuKJRGZcobw6tQ-following-leader_cluster2/my_index/RXo3DIJySPGMU62AbOMzRw] failed while following
org.elasticsearch.ElasticsearchSecurityException: **action [indices:admin/seq_no/renew_retention_lease]** is unauthorized for user [ccr_user]
        at org.elasticsearch.xpack.core.security.support.Exceptions.authorizationError(Exceptions.java:34) ~[?:?]
        at org.elasticsearch.xpack.security.authz.AuthorizationService.denialException(AuthorizationService.java:597) ~[?:?]
        at org.elasticsearch.xpack.security.authz.AuthorizationService.access$300(AuthorizationService.java:92) ~[?:?]
        at org.elasticsearch.xpack.security.authz.AuthorizationService$AuthorizationResultListener.handleFailure(AuthorizationService.java:644) ~[?:?]
        at org.elasticsearch.xpack.security.authz.AuthorizationService$AuthorizationResultListener.onResponse(AuthorizationService.java:630) ~[?:?]
        at org.elasticsearch.xpack.security.authz.AuthorizationService$AuthorizationResultListener.onResponse(AuthorizationService.java:600) ~[?:?]
        at org.elasticsearch.action.support.ContextPreservingActionListener.onResponse(ContextPreservingActionListener.java:43) ~[elasticsearch-7.7.1.jar:7.7.1]

I found issue opened here - CCR exception on retention lease renewal · Issue #61308 · elastic/elasticsearch · GitHub
Don't sure where it is staying... So I have few questions:

  1. Is it bug?
  2. Is it fixed in other versions?
  3. What permissions/priveleges I need to add to my roles?
2

I don't know CCR well, but I would definitely recommend upgrading to 7.13, as latest, and trying again. There may or may not have been a fix, but it's always good to be running latest when possible.

3

Yes it is a bug and it is not fixed yet. For now you can work around this by either grant manage privilege or explicitly add the action name for the remote index, e.g.:

ccr_leader:
    cluster:
      - read_ccr
      - monitor
    indices:
      - names: '*'
        privileges:
          - read
          - manage
1 Like
4

manage permissions on leader role or on follower role ???
In my case I am assigning both roles to the same user but still I thought it is issue that follower does not have privilege's.

5

The privilege must be given to the role that is used on the leader cluster. You can read more about history rention here.

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.