Security exception for remote cluster calls

I have a local & a remote cluster running on the same host (localhost) to be used by the integration tests. It is basically a sidecar container running ES. These tests were passing for ES version 7.16.2, but when I tried using ES version 8.8.2 with no other changes, the tests started failing with -

{
  "error": {
    "root_cause": [
      {
        "type": "no_such_remote_cluster_exception",
        "reason": "no such remote cluster: [remote_cluster]"
      }
    ],
    "type": "no_such_remote_cluster_exception",
    "reason": "no such remote cluster: [remote_cluster]"
  },
  "status": 404
}

[remote_cluster is the name I have used in the tests for the remote cluster]

I have not set this setting in the elasticsearch.yml - xpack.security.enabled [From the answer here, by default security is in a half-on state, where it supports TLS (so it can join other nodes in the cluster) and then disables the rest of security (authentication, RBAC) when it determines that the cluster has a basic license.]

I tried to make a call using curl to the localhost and was getting this -

$ curl -XGET localhost:9207/_cat/indices/remote_cluster:*?pretty
{
  "error" : {
    "root_cause" : [
      {
        "type" : "illegal_argument_exception",
        "reason" : "Cross-cluster calls are not supported in this context but remote indices were requested: [remote_cluster:*]"
      }
    ],
    "type" : "illegal_argument_exception",
    "reason" : "Cross-cluster calls are not supported in this context but remote indices were requested: [remote_cluster:*]"
  },
  "status" : 400
}

Cross-cluster calls are not supported -> from this error and the official docs, I thought about setting up security to see if that changes anything. I used anonymous access with this role -

anonymous_role:
  cluster: [ 'all' ]
  indices:
    - names: [ '*' ]
      privileges: [ 'all' ]

and started ES service with -

-Expack.security.enabled=true
-Expack.security.authc.anonymous.roles=anonymous_role
-Expack.security.authc.anonymous.authz_exception=true

but then I'm getting this error in the tests now -

{
  "error": {
    "root_cause": [
      {
        "type": "no_such_remote_cluster_exception",
        "reason": "no such remote cluster: [remote_cluster]"
      }
    ],
    "type": "security_exception",
    "reason": "action [indices:data/read/search] is unauthorized for user [_anonymous] with effective roles [anonymous_role], this action is granted by the index privileges [read,all]",
    "caused_by": {
      "type": "no_such_remote_cluster_exception",
      "reason": "no such remote cluster: [remote_cluster]"
    }
  },
  "status": 403
}

When it says - this action is granted by the index privileges [read,all], shouldn't it have these privileges already when I gave all privilege for indices to this anonymous role?

If I do a curl to _cat indices now then it doesn't fail with any errors -

$ curl -XGET localhost:9207/_cat/indices?pretty
<empty output>

Any idea what is causing the calls to fail with this no_such_remote_cluster_exception?
I can provide any details that are needed to debug the issue.

You don't have a remote cluster named remote_cluster

Check the Remote Cluster Info API to verify whether the remote cluster is really defined.

If not, you'll need to go back and check your setup steps.
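
An added example, not part of the original thread: a pre-flight check a test harness could run before issuing cross-cluster requests. It compares the cluster aliases used in an index expression against the body returned by GET /_remote/info; the function names and the sample response are constructed for illustration.

```python
import fnmatch
import json

# Constructed sample of a GET /_remote/info response body (not from the thread).
SAMPLE_REMOTE_INFO = json.loads("""
{
  "other_cluster": {
    "connected": false,
    "mode": "sniff",
    "seeds": ["127.0.0.1:9300"],
    "num_nodes_connected": 0,
    "skip_unavailable": false
  }
}
""")


def remote_aliases(index_expression):
    """Return the cluster aliases referenced by a comma-separated index expression."""
    aliases = set()
    for part in index_expression.split(","):
        part = part.strip().lstrip("-")  # drop an exclusion prefix
        cluster, sep, _index = part.partition(":")
        # A colon inside date math (<...>) is not a cluster separator.
        if sep and cluster and "<" not in cluster:
            aliases.add(cluster)
    return aliases


def check_remotes(index_expression, remote_info):
    """Classify each referenced alias as ok, disconnected or undefined."""
    report = {}
    for alias in sorted(remote_aliases(index_expression)):
        # The alias may itself be a wildcard pattern such as "remote_*".
        matches = [n for n in remote_info if fnmatch.fnmatchcase(n, alias)]
        if not matches:
            report[alias] = "undefined"
        elif all(remote_info[n].get("connected", False) for n in matches):
            report[alias] = "ok"
        else:
            report[alias] = "disconnected"
    return report


if __name__ == "__main__":
    expr = "local-idx,remote_cluster:*,other_cluster:logs-*"
    print(check_remotes(expr, SAMPLE_REMOTE_INFO))
```

An "undefined" result means the alias has no entry in the remote info body, which is the situation behind no_such_remote_cluster_exception.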

Oh, you're right, I don't have any remote cluster named remote_cluster running. I misunderstood the test setup and thought both the local and remote clusters were running on localhost. But even though I never had this remote_cluster, the tests for ES 7.16.2 were passing.

Is there a way around not checking whether the remote cluster exists or not when the indices to be searched include remote_cluster:xyz? How was this working with ES 7.16? I have enabled xpack.security in ES 8.8, is that why I might be getting this error now?
