Cross-cluster security

Hello everyone!

I am setting up cross-cluster search between a local cluster and two remote clusters. Each cluster has three Elasticsearch nodes and a Fleet server, and the local cluster also includes a Kibana instance. I am following this guide for the setup.

When I try to generate a cross-cluster API key, I encounter the following error:

{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "current license is non-compliant for [advanced-remote-cluster-security]",
        "license.expired.feature" : "advanced-remote-cluster-security"
      }
    ],
    "type" : "security_exception",
    "reason" : "current license is non-compliant for [advanced-remote-cluster-security]",
    "license.expired.feature" : "advanced-remote-cluster-security"
  },
  "status" : 403
}

I have to use the API method because Kibana is not deployed on the remote clusters.

After verifying the license using the Get license API, I confirmed that I have an active basic subscription.

Is the "advanced-remote-cluster-security" feature not included in the basic license?

What is the request you used?

Not sure if this feature works with the basic license as the documention does not mention anything about it and the subscription page is not that good to know what exactly works or not in each subscription level.

When configuring the privileges from the documentation you can do only the cross-cluster search part, not the cross-cluster replication.

CCR is a paid feature and all clustes involved needs to have a license for it, Cross-cluster search works with the basic license.

But as mentioned it is not clear if this feature will not work because the cross-cluster replication functionalities.

Maybe someone from Elastic can provide more context as the documentation is not clear enough.

It's supposed to say on Subscriptions | Elastic Stack Products & Support | Elastic that this feature requires an enterprise license, but that hasn't been added yet (the feature itself is still beta). I've raised this omission with the relevant folks, hopefully it'll be fixed soon.

Anyway yes you can use the older mTLS-based model with the basic license, but not the API-key-based one.

2 Likes