elasticsearch
ES|QL when executed over CCS requires "read" local privilege for any (or none) local indices
Description
When executing ES|QL over CCS (new and tech preview in 8.14) the permissions require that the user have "read" access defined for the local cluster.
The following are the minimum local cluster privileges required:
"indices": [
  {
    "names": [""],
    "privileges": ["read"]
  }
],
to allow ES|QL to work over CCS. (An empty name is not required; empty or any names will work.) This requirement is due to an internal implementation detail of how the local actions are authorized before the work travels across clusters.
Ideally, only the following permissions (example for API key based CCS) are needed:
"remote_indices": [
  {
    "names": ["logs-*"],
    "privileges": ["read", "read_cross_cluster"],
    "clusters": ["my_remote_cluster"]
  }
],
with no local permission required.
cc: @dnhatn @quux00
Pinging @elastic/es-security (Team:Security)
Pinging @elastic/es-analytical-engine (Team:Analytics)
nit: in two places in the description you have "CSS" - that should be CCS?
IDK LGTM LOL JK (updated the OP) 😃