Cross-cluster search security exception in Chrome

Elasticsearch version (bin/elasticsearch --version):
Version: 6.2.2, Build: 10b1edd/2018-02-16T19:01:30.685723Z, JVM: 1.8.0_121
Version: 5.6.6, Build: 7d99d36/2018-01-09T23:55:47.880Z, JVM: 1.8.0_121

Plugins installed: [x-pack, repository-hdfs]

JVM version (java -version):
java version "1.8.0_121"
Java(TM) SE Runtime Environment (build 1.8.0_121-tdc1-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13, mixed mode)

OS version (uname -a if on a Unix-like system):
SLES Linux 3.0.101-0.113.TDC.1.R.0-default SMP Fri Dec 9 04:51:20 PST 2016 (ca32437) x86_64 x86_64 x86_64 GNU/Linux

Chrome version:
Version 65.0.3325.181 (Official Build) (64-bit)

Description of the problem including expected versus actual behavior:
We setup a proof of concept Cross-cluster search between our "local" 6x cluster and "remote" 5x cluster.
We were able to achieve the same results described in the examples.
However did some additional exploration of how cross-cluster search behaves.
In Chrome:
behaves as expected but searching the remote index alone

  "error": {
    "root_cause": [
        "type": "security_exception",
        "reason": "action [indices:admin/shards/search_shards] requires authentication",
        "header": {
          "WWW-Authenticate": "Basic realm=\"security\" charset=\"UTF-8\""
    "type": "transport_exception",
    "reason": "unable to communicate with remote cluster [DEV35x]",
    "caused_by": {
      "type": "security_exception",
      "reason": "action [indices:admin/shards/search_shards] requires authentication",
      "header": {
        "WWW-Authenticate": "Basic realm=\"security\" charset=\"UTF-8\""
  "status": 500

Chrome developer tools show that the authenticate header is not being sent in the request (missing a 401 check/response?).

The same call (searching the remote index alone) return results in Kibana DEV tools, Internet Explorer and curl.

While the behavior seems to be limited to Chrome I thought it was still good to share.
Thank you.

Steps to reproduce:

Initially both clusters were hosted on the same set of machines. Later tested on separate machines, today I tested between two 6x clusters and continue to see the security exception.

  1. Setup Cross-cluster search to a remote_cluster and create a remote_index where authentication will be required
  2. In Kibana DEV tools GET /remote_cluster:remote_index/_search should return results
  3. Access from Chrome https://elastichost:port/remote_cluster:remote_index/_search should return the security exception

I wasn't able to reproduce this, so I suspect it might be dependent on a particular chrome version/platform, but my guess is that it's a URL encoding issue.

Try encoding the : as %3A

1 Like

Thanks for taking a look at it. URL encoding is a good thought.
I tried out the %3A but still received the security exception.
If the issue appears to be limited to my particular browser I am not sure there is much more to do with this (and I think that is okay).

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.