I’m posting a follow-up on this as I’ve been looking at this and have posted an update in https://github.com/opensearch-project/alerting/issues/207
Versions: opendistro elasticsearch: 1.13.3 and opendistro kibana: 1.13.2 - but looking to migrate to OpenSearch shortly.
I have a working cross cluster search index pattern :*filebeat-* which covers two remote clusters. This can be queried in the ‘Discover’ tab.
Error from the calling cluster:
Caused by: org.elasticsearch.ElasticsearchSecurityException: no permissions for [indices:data/read/search] and User [name=plugin, backend_roles=[], requestedTenant=null]
Error on the remote cluster:
[2022-05-31T10:50:54,422][INFO ][c.a.o.s.p.PrivilegesEvaluator] [remote-cluster] No index-level perm match for User [name=plugin, backend_roles=[], requestedTenant=null] Resolved [aliases=[], allIndices=[filebeat-2022.05.28, filebeat-2022.05.26, filebeat-2022.05.29, filebeat-2022.05.27, filebeat-2022.05.31, filebeat-2022.05.30, filebeat-2022.05.25], types=[*], originalRequested=[filebeat-*], remoteIndices=[]] [Action [indices:data/read/search]] [RolesChecked [own_index]]
[2022-05-31T10:50:54,422][INFO ][c.a.o.s.p.PrivilegesEvaluator] [remote-cluster] No permissions for [indices:data/read/search]
My first response was to try and add the missing permission to the User plugin - only that user doesn’t exist as an internal user that I can see, and given its name I am assuming it is something that plugins use internally.
Can anyone shed any light on this - perhaps this is more a Security topic.
Can anyone suggest or think of a workaround here that will allow users to define alerts through the UI? Perhaps this is fixed in the most recent OpenSearch release (which I am in the process of installing myself).
Thanks, Will.