Cross cluster search with secured clusters


We’ve successfully connected our local cluster with the remote cluster and can do searches in the dev console. However, we can’t refresh the index pattern in Kibana (behind the hoods we see a 404 when trying this). This seems to also apply while creating the index pattern as Kibana claims this in step 2 in the UI:

Step 2 of 2: Configure settings
Specify settings for your \*:logs-\* index pattern.
The indices which match this index pattern don't contain any time fields.

The end result is that we can’t get the timestamp field, or any other field, set.

Our best guess is that we’re missing permissions or have something incorrectly configured but we have not managed to figure out what and thus reaching out in the hopes of someone being able to help us.

Please let me know which information I can provide to better help understand this issue.

Any insights into this are greatly appreciated.

1 Like

So, to share some more details in the hopes of someone picking this up:

The error we get (from within Kibana) when trying to create the index pattern is this call that returns a 404*%3Acluster-*&meta_fields=_source&meta_fields=_id&meta_fields=_type&meta_fields=_index&meta_fields=_score

Does anyone know which permissions might be missing from a user for the above mentioned call to succeed?

What ODFE version are you on?

ODFE version is: 1.13.0

I’ve done some testing and repro your issue. I’m getting the same screen in Step 2 as your are, no matter if security plugin is installed or removed.

It looks like as ODFE limitation or bug not related to security.

I’ve checked in ELK 7.10.2 with security disabled and was able to select time filed and create the index pattern.

Thank you so much for investigating this, what would be the next step?

Also, in Elastic 7.11 this flow is changing as the cached mapping is removed. Is this something that potentially might make it into a future OpenDistro release? Or do I need to file a bug and/or feature request somewhere?

Since this is not security issue. I would file it either as a bug if it was in previous odfe version or feature request if was never implemented.

Can’t find anything in odfe documentation and can’t tell you anything about future release as I’m not odfe dev.

This has been working before around 1.10 or so. Did a detour on our setup and stopped using remote clusters for a while.
But thanks, I’ll try and create a bug report for this.

Would you (or someone else) be able do advice on which repo the bug should be reported, especially as it’s not security related?

It is working on 1.9.0, 1.10.1, 1.11. Fails on 1.12.0, 1.13.0 and 1.13.1

Hi! Is there any workaround for this in the meantime?


Hi @orsifacundo. I’m not aware of any.

Hi @orsifacundo.

Here a work-around was suggested: Cross cluster search with secured local and remote clusters - #2 by alexz00

Just want to update saying that the mentioned work-around does indeed work!

And, after some more testing: If the index pattern is created from code and you do supply a field mapping for the ‘@timestamp’ field then you don’t have to refresh it from Kibana.

I guess you should not rely on the automatic mapping anyways but it has been more convenient. So, instead of patching the Kibana index directly and updating the title you can also do something like this:

      "title": "<my_index_pattern>",
      "timeFieldName": "@timestamp",
      "fields": "[{\"count\": 0,\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]"

And use the saved_objects API in Kibana to create the index pattern with that JSON body, as long as the timeFieldName can be mapped to something in fields it will work.

Referencing the open bug for this issue:

So, a fix is coming in 1.13.2!

Awesome. I’ll give it a try!.

I ended up loading the index pattern via API with the following call:

curl -sS -k -u <ODFE_USER>:<ODFE_PASS> -XPOST “https://<KIBANA_IP>/api/saved_objects/index-pattern/<REMOTE_CLUSTER_NAME>:<INDEX_PATTERN>” -H ‘Content-Type: application/json’ -H ‘kbn-xsrf: true’ -d @new-pattern.json

Thanks for sharing the other solution.


Nice, this issue has also been fixed in ODFE 1.13.2!