Security exception for remote cluster calls

Elastic Stack Elasticsearch
1

I have a local & a remote cluster running on the same host (localhost) to be used by the integration tests. It is basically a sidecar container running ES. These tests were passing for ES version 7.16.2, but when I tried using ES version 8.8.2 with no other changes, the tests started failing with -

{
  "error": {
    "root_cause": [
      {
        "type": "no_such_remote_cluster_exception",
        "reason": "no such remote cluster: [remote_cluster]"
      }
    ],
    "type": "no_such_remote_cluster_exception",
    "reason": "no such remote cluster: [remote_cluster]"
  },
  "status": 404
}

[remote_cluster is the name I have used in the tests for the remote cluster]

I have not set this setting in the elasticsearch.yml - xpack.security.enabled [From the answer here, by default security is in a half-on state, where it supports TLS (so it can join other nodes in the cluster) and then disables the rest of security (authentication, RBAC) when it determines that the cluster has a basic license.]

I tried to make a call using curl to the localhost and was getting this -

$ curl -XGET localhost:9207/_cat/indices/remote_cluster:*?pretty
{
  "error" : {
    "root_cause" : [
      {
        "type" : "illegal_argument_exception",
        "reason" : "Cross-cluster calls are not supported in this context but remote indices were requested: [remote_cluster:*]"
      }
    ],
    "type" : "illegal_argument_exception",
    "reason" : "Cross-cluster calls are not supported in this context but remote indices were requested: [remote_cluster:*]"
  },
  "status" : 400
}

Cross-cluster calls are not supported -> from this error and the official docs, thought about setting up the security to see if that changes anything. I used the anonymous-access with this role -

anonymous_role:
  cluster: [ 'all' ]
  indices:
    - names: [ '*' ]
      privileges: [ 'all' ]

and started ES service with -

-Expack.security.enabled=true
-Expack.security.authc.anonymous.roles=anonymous_role
-Expack.security.authc.anonymous.authz_exception=true

but then I'm getting this error in the tests now -

{
  "error": {
    "root_cause": [
      {
        "type": "no_such_remote_cluster_exception",
        "reason": "no such remote cluster: [remote_cluster]"
      }
    ],
    "type": "security_exception",
    "reason": "action [indices:data/read/search] is unauthorized for user [_anonymous] with effective roles [anonymous_role], this action is granted by the index privileges [read,all]",
    "caused_by": {
      "type": "no_such_remote_cluster_exception",
      "reason": "no such remote cluster: [remote_cluster]"
    }
  },
  "status": 403
}

When it says - this action is granted by the index privileges [read,all], shouldn't it have these privileges already when I gave all privilege for indices to this anonymous role?

If I do a curl to _cat indices now then it doesn't fail with any errors -

$ curl -XGET localhost:9207/_cat/indices?pretty
<empty output>

Any idea what is causing the calls to fail with this no_such_remote_cluster_exception?
I can provide any details that is needed to debug the issue.

1 Like
2

You don't have a remote cluster named remote_cluster

Check the Remote Cluster Info API to verify whether the remote cluster is really defined.

If not, you'll need to go back and check your setup steps.

3

oh you're right, I don't have any remote cluster named remote_cluster running. I misunderstood the test setup and thought both the local and remote clusters are running on the localhost. But even though I never had this remote_cluster, the tests for ES 7.16.2 were passing.

Is there a way around not checking whether the remote cluster exists or not when the indices to be searched includes remote_cluster:xyz? How was this working with ES 7.16? I have enabled the xpack.security in ES 8.8, is that why I might be getting this error now?

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.