Cross-cluster replication security: mutual TLS query

ClusterA (leader)
  keystore (includes server certificate with principal cn=ClusterA, signed by company CA)
  truststore (company CA)
ClusterB (follower)
  keystore (includes server certificate with principal cn=ClusterB, signed by company CA)
  truststore (company CA)

Configured to work with the native realm, meaning one-way TLS + user and password.
Defined two roles, ccr_leader and ccr_follower, with the relevant privileges.
The assumption is that I have developed a process that can switch sites, so the follower becomes the leader and the leader becomes the follower.

My security definition mappings look like this:

SITE A
| user      | role         |
| ccr_user1 | ccr_leader   |
| ccr_user2 | ccr_follower |

SITE B
| user      | role         |
| ccr_user1 | ccr_follower |
| ccr_user2 | ccr_leader   |

ccr_user1 is used when I want SITE B to follow SITE A
ccr_user2 is used when I want SITE A to follow SITE B

As far as I understand, the user name is correlated between leader and follower. When I issue the REST call to /_follow and pass ccr_user1 in the security header, this user is propagated to the follower and then to the leader. So there is a correlation among the user that I pass from my external client (script) in order to _follow, the user on the follower and the user on the leader.

  1. Is my understanding correct?

Now, let's suppose I don't want to use user/password and want to add an additional realm: PKI.

I am adding role mappings like the ones below:

SITE A
  ccr_leader
    - cn=ClusterB
  ccr_follower
    - cn=ClusterA

SITE B
  ccr_follower
    - cn=ClusterB
  ccr_leader
    - cn=ClusterA

  1. Is it possible to work with the PKI realm without user/password for CCR?
  2. If yes, and assuming my case where I want to switch sites, is this predefined mapping correct in the case of the PKI realm?
  3. When I trigger _follow as an external client, I suppose the CN of this external client should not be correlated to the follower and leader PKI users, correct? In the case of PKI it must work in another way?

Thanks.
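An added example (not from the original post and not Elastic's own code) of how the two sites' PKI role mappings above would be written as role-mapping documents, and how their rules select roles for an authenticated principal. The evaluator is a simplified re-implementation of the documented role-mapping rule semantics (`all`, `any`, `except` and `field`, with a DN comparison that ignores case and whitespace and allows `*` wildcards) so the documents can be exercised offline; the realm name `pki1` and the certificate subjects `CN=ClusterA` / `CN=ClusterB` are assumptions. Each document matches on the certificate DN and is additionally scoped to the PKI realm with a `realm.name` rule, so it cannot be satisfied by an account from another realm (the PKI realm derives its username from the certificate CN, so a `username`-only rule would also match a native user of that name).

```python
"""Model of how role-mapping rules select CCR roles for PKI principals.

Added example, not code from the original post or from Elasticsearch. The
rule evaluator is a simplified re-implementation of the documented mapping
semantics so the documents can be tested offline. Assumptions: PKI realm is
named "pki1"; cluster certificates have subjects CN=ClusterA / CN=ClusterB.
"""
import fnmatch


def normalize_dn(dn: str) -> str:
    """Lower-case every RDN and strip whitespace around '=' and ',' so that
    'cn=ClusterB' and 'CN = ClusterB' compare equal (Elasticsearch compares
    DNs in normalized form, not byte for byte). A bare '*' RDN is kept."""
    rdns = []
    for part in dn.split(","):
        key, sep, value = part.strip().partition("=")
        rdns.append(f"{key.strip().lower()}{sep}{value.strip().lower()}")
    return ",".join(rdns)


def field_matches(name: str, pattern: str, user: dict) -> bool:
    """One 'field' rule: the user's attribute must match the pattern.
    Missing attributes (e.g. no dn for a native user) never match."""
    value = user.get(name)
    if value is None:
        return False
    if name == "dn":
        return fnmatch.fnmatchcase(normalize_dn(value), normalize_dn(pattern))
    return fnmatch.fnmatchcase(value, pattern)


def rule_matches(rule: dict, user: dict) -> bool:
    """Evaluate a role-mapping rule tree (all / any / except / field)."""
    if "all" in rule:
        return all(rule_matches(r, user) for r in rule["all"])
    if "any" in rule:
        return any(rule_matches(r, user) for r in rule["any"])
    if "except" in rule:
        return not rule_matches(rule["except"], user)
    if "field" in rule:
        ((name, pattern),) = rule["field"].items()
        patterns = pattern if isinstance(pattern, list) else [pattern]
        return any(field_matches(name, p, user) for p in patterns)
    raise ValueError(f"unknown rule type: {rule}")


def pki_mapping(role: str, subject_dn: str, realm: str = "pki1") -> dict:
    """Role-mapping document for one CCR role, in the same shape as the body
    of PUT _security/role_mapping/<name>. Scoped to the PKI realm (assumed
    name "pki1") so only a certificate-authenticated principal can match."""
    return {
        "roles": [role],
        "enabled": True,
        "rules": {"all": [
            {"field": {"realm.name": realm}},
            {"field": {"dn": subject_dn}},
        ]},
    }


def site_mappings(local_dn: str, remote_dn: str) -> dict:
    """The mapping set the post describes for one site: the remote cluster's
    certificate CN is mapped to ccr_leader, the local one to ccr_follower."""
    return {
        "ccr_leader_pki": pki_mapping("ccr_leader", remote_dn),
        "ccr_follower_pki": pki_mapping("ccr_follower", local_dn),
    }


def roles_for(user: dict, mappings: dict) -> list:
    """Union of roles from every enabled mapping whose rules match."""
    roles = set()
    for doc in mappings.values():
        if doc["enabled"] and rule_matches(doc["rules"], user):
            roles.update(doc["roles"])
    return sorted(roles)


# Assumed subjects: the two mapping sets differ only in which DN is "remote".
SITE_A = site_mappings(local_dn="CN=ClusterA", remote_dn="CN=ClusterB")
SITE_B = site_mappings(local_dn="CN=ClusterB", remote_dn="CN=ClusterA")

if __name__ == "__main__":
    # Constructed principals as the PKI realm would present them: username
    # is the CN extracted from the subject, dn is the full subject.
    cluster_b = {"username": "ClusterB", "dn": "cn=ClusterB", "realm.name": "pki1"}
    native_same_name = {"username": "ClusterB", "realm.name": "native"}
    print("ClusterB cert on SITE A:", roles_for(cluster_b, SITE_A))          # ['ccr_leader']
    print("ClusterB cert on SITE B:", roles_for(cluster_b, SITE_B))          # ['ccr_follower']
    print("native 'ClusterB' on SITE A:", roles_for(native_same_name, SITE_A))  # []
```

Running it prints the roles each constructed principal receives on each site; the only difference between the SITE A and SITE B mapping sets is which subject DN is passed as `remote_dn`, and the native-realm account named `ClusterB` receives nothing because it has no `dn` and fails the `realm.name` rule.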
