Cross cluster search with secured clusters

robert · March 1, 2021, 2:58pm

Hi,

We’ve successfully connected our local cluster with the remote cluster and can do searches in the dev console. However, we can’t refresh the index pattern in Kibana (behind the hoods we see a 404 when trying this). This seems to also apply while creating the index pattern as Kibana claims this in step 2 in the UI:

Step 2 of 2: Configure settings
Specify settings for your \*:logs-\* index pattern.
The indices which match this index pattern don't contain any time fields.

The end result is that we can’t get the timestamp field, or any other field, set.

Our best guess is that we’re missing permissions or have something incorrectly configured but we have not managed to figure out what and thus reaching out in the hopes of someone being able to help us.

Please let me know which information I can provide to better help understand this issue.

Any insights into this are greatly appreciated.

robert · March 5, 2021, 8:56am

So, to share some more details in the hopes of someone picking this up:

The error we get (from within Kibana) when trying to create the index pattern is this call that returns a 404

https://redacted.host/api/index_patterns/_fields_for_wildcard?pattern=*%3Acluster-*&meta_fields=_source&meta_fields=_id&meta_fields=_type&meta_fields=_index&meta_fields=_score

Does anyone know which permissions might be missing from a user for the above mentioned call to succeed?

pablo · March 5, 2021, 11:54am

What ODFE version are you on?

robert · March 5, 2021, 12:41pm

ODFE version is: 1.13.0

pablo · March 10, 2021, 12:28pm

I’ve done some testing and repro your issue. I’m getting the same screen in Step 2 as your are, no matter if security plugin is installed or removed.

It looks like as ODFE limitation or bug not related to security.

I’ve checked in ELK 7.10.2 with security disabled and was able to select time filed and create the index pattern.

robert · March 10, 2021, 12:42pm

Thank you so much for investigating this, what would be the next step?

Also, in Elastic 7.11 this flow is changing as the cached mapping is removed. Is this something that potentially might make it into a future OpenDistro release? Or do I need to file a bug and/or feature request somewhere?

pablo · March 10, 2021, 12:47pm

Since this is not security issue. I would file it either as a bug if it was in previous odfe version or feature request if was never implemented.

Can’t find anything in odfe documentation and can’t tell you anything about future release as I’m not odfe dev.

robert · March 10, 2021, 12:49pm

This has been working before around 1.10 or so. Did a detour on our setup and stopped using remote clusters for a while.
But thanks, I’ll try and create a bug report for this.

robert · March 10, 2021, 12:54pm

Would you (or someone else) be able do advice on which repo the bug should be reported, especially as it’s not security related?

pablo · March 10, 2021, 1:26pm

It is working on 1.9.0, 1.10.1, 1.11. Fails on 1.12.0, 1.13.0 and 1.13.1

orsifacundo · March 11, 2021, 12:14am

Hi! Is there any workaround for this in the meantime?

Regards.

pablo · March 11, 2021, 1:59pm

Hi @orsifacundo. I’m not aware of any.

robert · March 25, 2021, 3:08pm

Hi @orsifacundo.

Here a work-around was suggested: Cross cluster search with secured local and remote clusters - #2 by alexz00

robert · March 29, 2021, 11:00am

Just want to update saying that the mentioned work-around does indeed work!

robert · March 29, 2021, 1:33pm

And, after some more testing: If the index pattern is created from code and you do supply a field mapping for the ‘@timestamp’ field then you don’t have to refresh it from Kibana.

I guess you should not rely on the automatic mapping anyways but it has been more convenient. So, instead of patching the Kibana index directly and updating the title you can also do something like this:

  {
    "attributes":
    {
      "title": "<my_index_pattern>",
      "timeFieldName": "@timestamp",
      "fields": "[{\"count\": 0,\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]"
    }
  }

And use the saved_objects API in Kibana to create the index pattern with that JSON body, as long as the timeFieldName can be mapped to something in fields it will work.

robert · April 6, 2021, 9:07am

Referencing the open bug for this issue:

https://github.com/opendistro-for-elasticsearch/security-kibana-plugin/issues/688

robert · April 6, 2021, 12:04pm

So, a fix is coming in 1.13.2!

orsifacundo · April 15, 2021, 6:47pm

Awesome. I’ll give it a try!.

I ended up loading the index pattern via API with the following call:

curl -sS -k -u <ODFE_USER>:<ODFE_PASS> -XPOST “https://<KIBANA_IP>/api/saved_objects/index-pattern/<REMOTE_CLUSTER_NAME>:<INDEX_PATTERN>” -H ‘Content-Type: application/json’ -H ‘kbn-xsrf: true’ -d @new-pattern.json

Thanks for sharing the other solution.

Regards.

robert · April 16, 2021, 6:31am

Nice, this issue has also been fixed in ODFE 1.13.2!

Topic		Replies	Views
Cross cluster search with secured local and remote clusters Open Source Elasticsearch and Kibana	4	1344	April 6, 2021
Kibana Cross Cluster Search Open Source Elasticsearch and Kibana	4	2025	October 22, 2021
Cannot create Index Patterns of remote clusters - Open Distro 1.12 version General Feedback	9	2585	April 6, 2021
Kibana user - Security setup Security	5	1979	October 10, 2019
Error fetching fields for index pattern metricbeat-* Security	13	1742	August 3, 2021

Cross cluster search with secured clusters

Related topics