Configure privileges for cross-cluster replication
The cross-cluster replication user requires different cluster and index privileges on the remote cluster and on the local cluster. Use the following requests to create separate roles on the local and remote clusters, and then create a user with the required roles.
Remote cluster
On the remote cluster that contains the leader index, the cross-cluster replication role requires the read_ccr cluster privilege, and the monitor and read privileges on the leader index.
If requests are authenticated with an API key, the API key requires the above privileges on the local cluster, instead of the remote.
If requests are issued on behalf of other users, then the authenticating user must also have the run_as privilege on the remote cluster.
The following request creates a remote-replication role on the remote cluster:
Python:
    resp = client.security.put_role(
        name="remote-replication",
        cluster=["read_ccr"],
        indices=[
            {
                "names": ["leader-index-name"],
                "privileges": ["monitor", "read"],
            }
        ],
    )
    print(resp)

JavaScript:
    const response = await client.security.putRole({
      name: "remote-replication",
      cluster: ["read_ccr"],
      indices: [
        {
          names: ["leader-index-name"],
          privileges: ["monitor", "read"],
        },
      ],
    });
    console.log(response);

Console:
    POST /_security/role/remote-replication
    {
      "cluster": [ "read_ccr" ],
      "indices": [
        {
          "names": [ "leader-index-name" ],
          "privileges": [ "monitor", "read" ]
        }
      ]
    }
Local cluster
On the local cluster that contains the follower index, the remote-replication role requires the manage_ccr cluster privilege, and the monitor, read, write, and manage_follow_index privileges on the follower index.
The following request creates a remote-replication role on the local cluster:
Python:
    resp = client.security.put_role(
        name="remote-replication",
        cluster=["manage_ccr"],
        indices=[
            {
                "names": ["follower-index-name"],
                "privileges": ["monitor", "read", "write", "manage_follow_index"],
            }
        ],
    )
    print(resp)

JavaScript:
    const response = await client.security.putRole({
      name: "remote-replication",
      cluster: ["manage_ccr"],
      indices: [
        {
          names: ["follower-index-name"],
          privileges: ["monitor", "read", "write", "manage_follow_index"],
        },
      ],
    });
    console.log(response);

Console:
    POST /_security/role/remote-replication
    {
      "cluster": [ "manage_ccr" ],
      "indices": [
        {
          "names": [ "follower-index-name" ],
          "privileges": [ "monitor", "read", "write", "manage_follow_index" ]
        }
      ]
    }
After creating the remote-replication role on each cluster, use the create or update users API to create a user on the local cluster and assign the remote-replication role. For example, the following request assigns the remote-replication role to a user named cross-cluster-user:
Python:
    resp = client.security.put_user(
        username="cross-cluster-user",
        password="l0ng-r4nd0m-p@ssw0rd",
        roles=["remote-replication"],
    )
    print(resp)

JavaScript:
    const response = await client.security.putUser({
      username: "cross-cluster-user",
      password: "l0ng-r4nd0m-p@ssw0rd",
      roles: ["remote-replication"],
    });
    console.log(response);

Console:
    POST /_security/user/cross-cluster-user
    {
      "password" : "l0ng-r4nd0m-p@ssw0rd",
      "roles" : [ "remote-replication" ]
    }
You only need to create this user on the local cluster.
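The role bodies above are the least-privilege baseline for replication, and the practical risk is drift: someone later widens the role to "all" or to a wildcard index pattern and the replication user becomes a general-purpose account on both clusters. The following script is an added example, not part of the Elasticsearch documentation and not the Elasticsearch client library. It builds the two role bodies from the page's privilege lists, audits a role document in the shape returned by GET /_security/role/<name> against that baseline, and builds the body for the GET /_security/user/_has_privileges API so the effective grants can be checked as the replication user before the follower index is created. The BROAD_CLUSTER and BROAD_INDEX shortlists, the es_request helper, and the OVERBROAD_ROLE sample are my own constructions, not anything the page defines.

```python
"""Build, audit and verify the cross-cluster replication roles.

Added example (not from the Elasticsearch docs). Standard library only;
es_request is optional and is the only part that touches the network.
"""
import base64
import json
import urllib.request
from typing import List

ROLE_NAME = "remote-replication"  # role name used on the page

# Minimal privileges the page specifies for each side (index names are the page's placeholders).
MINIMAL_ROLES = {
    "remote": {
        "cluster": ["read_ccr"],
        "indices": [{"names": ["leader-index-name"], "privileges": ["monitor", "read"]}],
    },
    "local": {
        "cluster": ["manage_ccr"],
        "indices": [{"names": ["follower-index-name"],
                     "privileges": ["monitor", "read", "write", "manage_follow_index"]}],
    },
}

# Assumed shortlist of privileges that imply far more than replication needs (not exhaustive).
BROAD_CLUSTER = {"all", "manage", "manage_security"}
BROAD_INDEX = {"all", "manage", "delete", "delete_index", "create_index"}

# Constructed sample of a drifted role that the audit should reject.
OVERBROAD_ROLE = {
    "cluster": ["all"],
    "indices": [{"names": ["*"], "privileges": ["all"], "allow_restricted_indices": False}],
    "run_as": ["some-other-user"],
}


def build_role(side: str, index_name: str) -> dict:
    """Return the PUT /_security/role body for one side with a concrete index name."""
    template = MINIMAL_ROLES[side]
    return {
        "cluster": list(template["cluster"]),
        "indices": [{"names": [index_name],
                     "privileges": list(template["indices"][0]["privileges"])}],
    }


def audit_role(actual: dict, side: str) -> List[str]:
    """Compare a role document (shape of GET /_security/role/<name>) with the baseline
    for `side`. Returns findings; an empty list means the role is exactly least-privilege."""
    expected = MINIMAL_ROLES[side]
    findings: List[str] = []

    exp_cluster, act_cluster = set(expected["cluster"]), set(actual.get("cluster", []))
    for p in sorted(act_cluster - exp_cluster):
        findings.append(f"cluster: {'broad' if p in BROAD_CLUSTER else 'excess'} privilege '{p}'")
    if "all" not in act_cluster:  # 'all' already covers every cluster privilege
        for p in sorted(exp_cluster - act_cluster):
            findings.append(f"cluster: missing privilege '{p}'")

    exp_priv = set(expected["indices"][0]["privileges"])
    entries = actual.get("indices", [])
    if not entries:
        findings.append("indices: no index privileges granted")
    for entry in entries:
        names = entry.get("names", [])
        for name in names:
            if "*" in name or "?" in name:
                findings.append(f"indices: wildcard pattern '{name}' instead of a named index")
        act_priv = set(entry.get("privileges", []))
        for p in sorted(act_priv - exp_priv):
            findings.append(f"indices {names}: {'broad' if p in BROAD_INDEX else 'excess'} privilege '{p}'")
        if "all" not in act_priv:
            for p in sorted(exp_priv - act_priv):
                findings.append(f"indices {names}: missing privilege '{p}'")
        if entry.get("allow_restricted_indices"):
            findings.append(f"indices {names}: allow_restricted_indices is set")

    if actual.get("run_as"):  # only needed when replicating on behalf of other users
        findings.append(f"run_as: {actual['run_as']} granted; confirm on-behalf-of replication is intended")
    return findings


def has_privileges_body(side: str, index_name: str) -> dict:
    """Body for GET /_security/user/_has_privileges, sent as the replication user."""
    t = MINIMAL_ROLES[side]
    return {"cluster": list(t["cluster"]),
            "index": [{"names": [index_name], "privileges": list(t["indices"][0]["privileges"])}]}


def all_granted(has_privileges_response: dict) -> bool:
    """True when the _has_privileges response reports every requested privilege."""
    return bool(has_privileges_response.get("has_all_requested", False))


def es_request(base_url: str, method: str, path: str, body: dict, user: str, password: str) -> dict:
    """Minimal HTTPS/basic-auth call (assumed helper); e.g. PUT /_security/role/<ROLE_NAME>."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(base_url + path, data=json.dumps(body).encode(), method=method,
                                 headers={"Content-Type": "application/json",
                                          "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for finding in audit_role(OVERBROAD_ROLE, "remote"):
        print(finding)
```

Run the audit on each cluster's copy of the role before enabling replication, and after any role change; then send has_privileges_body("local", "<follower index>") as cross-cluster-user and treat anything other than has_all_requested: true as a stop. The audit deliberately reports "all" as a finding even though it technically covers the required privileges, because the point of the separate roles is that the replication user can do nothing else.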