Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Describe the issue : While configuring Cross Cluster replication and while starting we are getting below error
{
Configuration : I have created a separate user for replication and assigned the required roles and permissions
Relevant Logs or Screenshots :
{
Please someone have a look and do the needful
Thanks,
Mohammad Jafar Raza
Anthony
September 8, 2025, 12:32pm
2
@mohammadjafarraza can you provide the users, roles and role_mappings configuration on both clusters. You can use securityadmin.sh with -r (retrieve) option to obtain these. Redact any sensitive details.
Dear @Anthony
Please find below the required details for both Cluster.
Cluster1
InternalUser.Yml
replication_user:
“logstash”
“snapshotrestore”
“admin”
“cross_cluster_replication_leader_full_access”
“kibanauser”
“readall”
“readall”
“anomaly_full_access”
Roles.yml
observability_read_access:
“cluster:admin/opensearch/observability/get”
“cluster:admin/opensearch/snapshot_management/policy/explain”
“cluster:admin/opensearch/snapshot_management/policy/get”
“cluster:admin/opensearch/snapshot_management/policy/search”
“cluster:admin/repository/get”
“cluster:admin/snapshot/get”
“cluster:admin/opensearch/observability/create”
“cluster:admin/opensearch/observability/delete”
“cluster:admin/opensearch/observability/get”
“cluster:admin/opensearch/observability/update”
index_patterns:
“*”
“manage_point_in_time”
“cluster:admin/opensearch/flow_framework/*”
“cluster_monitor”
index_patterns:
“*”
“indices:admin/aliases/get”
“indices:admin/mappings/get”
“indices_monitor”
index_patterns:
“*”
“indices:admin/plugins/replication/index/setup/validate”
“indices:data/read/plugins/replication/changes”
“indices:data/read/plugins/replication/file_chunk”
“cluster:admin/opensearch/ppl”
index_patterns:
“*”
“indices:admin/mappings/get”
“indices:data/read/search*”
“indices:monitor/settings/get”
“cluster:admin/opensearch/securityanalytics/alerts/get”
“cluster:admin/opensearch/securityanalytics/correlationAlerts/get”
“cluster:admin/opensearch/securityanalytics/correlations/findings”
“cluster:admin/opensearch/securityanalytics/correlations/list”
“cluster:admin/opensearch/securityanalytics/detector/get”
“cluster:admin/opensearch/securityanalytics/detector/search”
“cluster:admin/opensearch/securityanalytics/findings/get”
“cluster:admin/opensearch/securityanalytics/logtype/search”
“cluster:admin/opensearch/securityanalytics/mapping/get”
“cluster:admin/opensearch/securityanalytics/mapping/view/get”
“cluster:admin/opensearch/securityanalytics/rule/get”
“cluster:admin/opensearch/securityanalytics/rule/search”
“cluster:admin/opensearch/securityanalytics/threatintel/alerts/get”
“cluster:admin/opensearch/securityanalytics/threatintel/iocs/findings/get”
“cluster:admin/opensearch/securityanalytics/threatintel/iocs/list”
“cluster:admin/opensearch/securityanalytics/threatintel/monitors/search”
“cluster:admin/opensearch/securityanalytics/threatintel/sources/get”
“cluster:admin/opensearch/securityanalytics/threatintel/sources/search”
“cluster:admin/opensearch/securityanalytics/alerts/*”
“cluster:admin/opensearch/securityanalytics/connections/*”
“cluster:admin/opensearch/securityanalytics/correlationAlerts/*”
“cluster:admin/opensearch/securityanalytics/correlations/*”
“cluster:admin/opensearch/securityanalytics/detector/*”
“cluster:admin/opensearch/securityanalytics/findings/*”
“cluster:admin/opensearch/securityanalytics/logtype/*”
“cluster:admin/opensearch/securityanalytics/mapping/*”
“cluster:admin/opensearch/securityanalytics/rule/*”
“cluster:admin/opensearch/securityanalytics/threatintel/*”
index_patterns:
“*”
“indices:admin/mapping/put”
“indices:admin/mappings/get”
“cluster:admin/knn_delete_model_action”
“cluster:admin/knn_get_model_action”
“cluster:admin/knn_remove_model_from_cache_action”
“cluster:admin/knn_search_model_action”
“cluster:admin/knn_stats_action”
“cluster:admin/knn_training_job_route_decision_info_action”
“cluster:admin/knn_training_job_router_action”
“cluster:admin/knn_training_model_action”
“cluster:admin/knn_update_model_graveyard_action”
“cluster:admin/knn_warmup_action”
“cluster:admin/opensearch/flow_framework/workflow/get”
“cluster:admin/opensearch/flow_framework/workflow/search”
“cluster:admin/opensearch/flow_framework/workflow_state/get”
“cluster:admin/opensearch/flow_framework/workflow_state/search”
“cluster:admin/opensearch/flow_framework/workflow_step/get”
“restapi:admin/actiongroups”
“restapi:admin/allowlist”
“restapi:admin/config/update”
“restapi:admin/internalusers”
“restapi:admin/nodesdn”
“restapi:admin/roles”
“restapi:admin/rolesmapping”
“restapi:admin/ssl/certs/info”
“restapi:admin/ssl/certs/reload”
“restapi:admin/tenants”
“cluster:admin/plugin/forecast/*”
“cluster:admin/settings/update”
“cluster_monitor”
index_patterns:
“*”
“indices:admin/aliases/get”
“indices:admin/mapping/get”
“indices:admin/mapping/put”
“indices:admin/mappings/fields/get*”
“indices:admin/mappings/get”
“indices:admin/resolve/index”
“indices:data/read*”
“indices:data/read/field_caps*”
“indices:data/read/search”
“indices:data/write*”
“indices_monitor”
index_patterns:
“*”
“indices:admin/shards/search_shards”
“indices:data/read/search”
“cluster:admin/opendistro/ad/detector/info”
“cluster:admin/opendistro/ad/detector/search”
“cluster:admin/opendistro/ad/detector/validate”
“cluster:admin/opendistro/ad/detectors/get”
“cluster:admin/opendistro/ad/result/search”
“cluster:admin/opendistro/ad/result/topAnomalies”
“cluster:admin/opendistro/ad/tasks/search”
“cluster:admin/opendistro/reports/instance/get”
“cluster:admin/opendistro/reports/instance/list”
“cluster:admin/opendistro/reports/menu/download”
“cluster:admin/opensearch/notifications/feature/publish”
“cluster:admin/opensearch/snapshot_management/*”
“cluster:admin/repository/*”
“cluster:admin/snapshot/*”
“cluster:admin/opendistro/asynchronous_search/*”
index_patterns:
“*”
“indices:data/read/search*”
“cluster:admin/opensearch/search_relevance/*”
index_patterns:
“*”
“indices:admin/mappings/get”
“indices:data/read/search*”
“cluster:admin/opensearch/ml/*”
“cluster_monitor”
index_patterns:
“*”
“indices_monitor”
“cluster:admin/opendistro/reports/definition/create”
“cluster:admin/opendistro/reports/definition/delete”
“cluster:admin/opendistro/reports/definition/get”
“cluster:admin/opendistro/reports/definition/list”
“cluster:admin/opendistro/reports/definition/on_demand”
“cluster:admin/opendistro/reports/definition/update”
“cluster:admin/opendistro/reports/instance/get”
“cluster:admin/opendistro/reports/instance/list”
“cluster:admin/opendistro/reports/menu/download”
“cluster:admin/opendistro/replication/*”
“cluster:monitor/*”
“indices:admin/plugins/replication/*”
index_patterns:
“follower-01”
“read”
“write”
“manage”
index_patterns:
“leader-01”
“read”
“cluster:admin/geospatial/datasource/*”
“cluster:admin/opendistro/notebooks/get”
“cluster:admin/opendistro/notebooks/list”
“cluster:admin/opensearch/securityanalytics/alerts/*”
“cluster:admin/opensearch/securityanalytics/correlationAlerts/*”
“cluster:admin/opensearch/securityanalytics/threatintel/alerts/*”
“cluster:admin/opendistro/replication/*”
“cluster:monitor/*”
“indices:admin/plugins/replication/*”
index_patterns:
“follower-01”
“read”
“write”
“manage”
index_patterns:
“leader-01”
“read”
“cluster:admin/ltr/*”
“cluster:admin/opendistro/alerting/*”
“cluster:admin/opensearch/alerting/*”
“cluster:admin/opensearch/notifications/feature/publish”
“cluster_monitor”
index_patterns:
“*”
“leader-index-*”
“indices:admin/aliases/get”
“indices:admin/mappings/get”
“indices_monitor”
“cluster:admin/opendistro/alerting/alerts/get”
“cluster:admin/opendistro/alerting/destination/get”
“cluster:admin/opendistro/alerting/monitor/get”
“cluster:admin/opendistro/alerting/monitor/search”
“cluster:admin/opensearch/alerting/comments/search”
“cluster:admin/opensearch/alerting/findings/get”
“cluster:admin/opensearch/alerting/remote/indexes/get”
“cluster:admin/opensearch/alerting/workflow/get”
“cluster:admin/opensearch/alerting/workflow_alerts/get”
“cluster:admin/plugins/replication*”
“indices:data/read/cross_cluster*”
“cluster:admin/plugins/replication/autofollow/update”
index_patterns:
“*”
“indices:admin/plugins/replication/index/pause”
“indices:admin/plugins/replication/index/resume”
“indices:admin/plugins/replication/index/setup/validate”
“indices:admin/plugins/replication/index/start”
“indices:admin/plugins/replication/index/status_check”
“indices:admin/plugins/replication/index/stop”
“indices:admin/plugins/replication/index/update”
“indices:data/write/plugins/replication/changes”
“cluster:admin/opensearch/notifications/*”
“cluster:admin/opensearch/ml/config/get”
“cluster:admin/opensearch/ml/execute”
“cluster:admin/opensearch/ml/predict”
“cluster:admin/opensearch/ppl”
“cluster:admin/opensearch/notifications/channels/get”
“cluster:admin/opensearch/notifications/configs/get”
“cluster:admin/opensearch/notifications/features”
“cluster:admin/knn_get_model_action”
“cluster:admin/knn_search_model_action”
“cluster:admin/knn_stats_action”
“cluster:admin/opendistro/asynchronous_search/get”
“cluster:admin/opendistro/ism/*”
“cluster:admin/opendistro/rollup/*”
“cluster:admin/opendistro/transform/*”
“cluster:admin/opensearch/controlcenter/lron/*”
“cluster:admin/opensearch/notifications/channels/get”
“cluster:admin/opensearch/notifications/feature/publish”
index_patterns:
“*”
“indices:admin/opensearch/ism/*”
“indices:internal/plugins/replication/index/stop”
“cluster:admin/opensearch/ml/config/get”
“cluster:admin/opensearch/ml/connectors/get”
“cluster:admin/opensearch/ml/connectors/search”
“cluster:admin/opensearch/ml/controllers/get”
“cluster:admin/opensearch/ml/memory/conversation/get”
“cluster:admin/opensearch/ml/memory/conversation/interaction/search”
“cluster:admin/opensearch/ml/memory/conversation/list”
“cluster:admin/opensearch/ml/memory/conversation/search”
“cluster:admin/opensearch/ml/memory/interaction/get”
“cluster:admin/opensearch/ml/memory/interaction/list”
“cluster:admin/opensearch/ml/memory/trace/get”
“cluster:admin/opensearch/ml/model_groups/get”
“cluster:admin/opensearch/ml/model_groups/search”
“cluster:admin/opensearch/ml/models/get”
“cluster:admin/opensearch/ml/models/search”
“cluster:admin/opensearch/ml/profile/nodes”
“cluster:admin/opensearch/ml/stats/nodes”
“cluster:admin/opensearch/ml/tasks/get”
“cluster:admin/opensearch/ml/tasks/search”
“cluster:admin/opensearch/ml/tools/get”
“cluster:admin/opensearch/ml/tools/list”
“cluster:admin/opendistro/reports/definition/get”
“cluster:admin/opendistro/reports/definition/list”
“cluster:admin/opendistro/reports/instance/get”
“cluster:admin/opendistro/reports/instance/list”
“cluster:admin/opendistro/reports/menu/download”
“cluster:admin/ingest/pipeline/delete”
“cluster:admin/ingest/pipeline/put”
“cluster:admin/opendistro/ad/*”
“cluster_monitor”
index_patterns:
“*”
“indices:admin/aliases/get”
“indices:admin/mappings/fields/get”
“indices:admin/mappings/fields/get*”
“indices:admin/mappings/get”
“indices:admin/resolve/index”
“indices:admin/setting/put”
“indices:data/read/field_caps*”
“indices:data/read/search”
“indices_monitor”
“indices:admin/plugins/replication/index/setup/validate”
“indices:data/read/plugins/replication/file_chunk”
“indices:data/read/plugins/replication/changes”
“cluster:admin/opendistro/replication/*”
“cluster:monitor/*”
“indices:admin/plugins/replication/*”
index_patterns:
“*”
“read”
“write”
“manage”
“indices:admin/plugins/replication/*”
“cluster:admin/plugin/forecast/forecaster/info”
“cluster:admin/plugin/forecast/forecaster/stats”
“cluster:admin/plugin/forecast/forecaster/suggest”
“cluster:admin/plugin/forecast/forecaster/validate”
“cluster:admin/plugin/forecast/forecasters/get”
“cluster:admin/plugin/forecast/forecasters/info”
“cluster:admin/plugin/forecast/forecasters/search”
“cluster:admin/plugin/forecast/result/topForecasts”
“cluster:admin/plugin/forecast/tasks/search”
index_patterns:
“opensearch-forecast-result*”
“indices:admin/mappings/fields/get*”
“indices:admin/resolve/index”
“indices:data/read*”
“cluster:admin/geospatial/datasource/get”
“cluster:admin/ltr/caches/stats”
“cluster:admin/ltr/featurestore/list”
“cluster:admin/ltr/stats”
“cluster:admin/opendistro/alerting/alerts/*”
“cluster:admin/opendistro/alerting/chained_alerts/*”
“cluster:admin/opendistro/alerting/workflow_alerts/*”
“cluster:admin/opensearch/alerting/comments/*”
“cluster:admin/opensearch/search_relevance/experiment/get”
“cluster:admin/opensearch/search_relevance/judgment/get”
“cluster:admin/opensearch/search_relevance/queryset/get”
“cluster:admin/opensearch/search_relevance/search_configuration/get”
“cluster:admin/opendistro/notebooks/create”
“cluster:admin/opendistro/notebooks/delete”
“cluster:admin/opendistro/notebooks/get”
“cluster:admin/opendistro/notebooks/list”
“cluster:admin/opendistro/notebooks/update”
“cluster:admin/opensearch/insights/live_queries/*”
“cluster:admin/opensearch/insights/top_queries/*”
index_patterns:
“top_queries-*”
“indices_all”
Role_mapping.yml
replication_role:
“CN=dramnelalvr01.gosi.ins,O=General Organization for Social Insurance,ST=Ar Riyā
“CN=dramnelalvr02.gosi.ins,O=General Organization for Social Insurance,ST=Ar Riyā
“CN=dramnelalvr03.gosi.ins,O=General Organization for Social Insurance,ST=Ar Riyā
“connection:my-connection-alias”
“*”
“kibanauser”
“replicator_admin”
“readall”
“snapshotrestore”
“replicator_admin”
“replicationAdmin_role”
“admin”
“cross_cluster_replication_leader_full_access”
“logstash”
“admin”
“replicator_admin”
“replicator”
“kibanaserver”
Thanks,
Mohammad Jafar Raza
Anthony
September 9, 2025, 9:58am
5
@mohammadjafarraza can you please surround the configuration in code tags
Dear @Anthony I am unable to understand what are you looking for the same.
Thanks,
Mohammad Jafar Raza
Anthony
September 9, 2025, 10:19am
7
Please use the code block to provide configuration
Cluster1
---
replication_user:
hash: "$2y$fff12$.OE3NqbqelK3bl01Dk2cOuAlODchEZz9VpejPJ7aVg/T0P006d6vm"
reserved: false
hidden: false
backend_roles: []
attributes: {}
description: "User for cross cluster replication"
opendistro_security_roles: []
static: false
logstash:
hash: "$2a$12$u1ShR4lfff4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2"
reserved: false
hidden: false
backend_roles:
- "logstash"
attributes: {}
description: "Demo logstash user, using external role mapping"
opendistro_security_roles: []
static: false
snapshotrestore:
hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLfffCuWf/ALc0.v7W"
reserved: false
hidden: false
backend_roles:
- "snapshotrestore"
attributes: {}
description: "Demo snapshotrestore user, using external role mapping"
opendistro_security_roles: []
static: false
_meta:
type: "internalusers"
config_version: 2
admin:
hash: "$2y$12$lBsaf8kffdkkrLHBloVDwJZ.YinUnqgQvF2NQm6vmgLENKoeBdTESsS"
reserved: true
hidden: false
backend_roles:
- "admin"
attributes: {}
description: "Demo admin user"
opendistro_security_roles: []
static: false
kibanaserver:
hash: "$2a$12$4AcgAt3xffwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
reserved: true
hidden: false
backend_roles: []
attributes: {}
description: "Demo OpenSearch Dashboards user"
opendistro_security_roles: []
static: false
replicator_admin:
hash: "$2y$12$4ko5I33L.ffbOAxzGmvx/3bOCLfNwms58KqDJlC.7a3dRuMe8nxjdJ2"
reserved: false
hidden: false
backend_roles:
- "cross_cluster_replication_leader_full_access"
attributes: {}
opendistro_security_roles: []
static: false
kibanaro:
hash: "$2a$12$JJSXNfffTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC"
reserved: false
hidden: false
backend_roles:
- "kibanauser"
- "readall"
attributes:
attribute1: "value1"
attribute2: "value2"
attribute3: "value3"
description: "Demo OpenSearch Dashboards read only user, using external role mapping"
opendistro_security_roles: []
static: false
readall:
hash: "$2a$12$ae4ycwzwvLtZxwffZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2"
reserved: false
hidden: false
backend_roles:
- "readall"
attributes: {}
description: "Demo readall user, using external role mapping"
opendistro_security_roles: []
static: false
anomalyadmin:
hash: "$2y$12$TRwAAJgnNoff67w3rVUz4FIeLx9Dy/llB79zf9I15CKJ9vkM4ZzAd3."
reserved: false
hidden: false
backend_roles: []
attributes: {}
description: "Demo anomaly admin user, using internal role"
opendistro_security_roles:
- "anomaly_full_access"
static: false
---
observability_read_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opensearch/observability/get"
index_permissions: []
tenant_permissions: []
static: false
snapshot_management_read_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opensearch/snapshot_management/policy/explain"
- "cluster:admin/opensearch/snapshot_management/policy/get"
- "cluster:admin/opensearch/snapshot_management/policy/search"
- "cluster:admin/repository/get"
- "cluster:admin/snapshot/get"
index_permissions: []
tenant_permissions: []
static: false
_meta:
type: "roles"
config_version: 2
observability_full_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opensearch/observability/create"
- "cluster:admin/opensearch/observability/delete"
- "cluster:admin/opensearch/observability/get"
- "cluster:admin/opensearch/observability/update"
index_permissions: []
tenant_permissions: []
static: false
point_in_time_full_access:
reserved: true
hidden: false
cluster_permissions: []
index_permissions:
- index_patterns:
- "*"
fls: []
masked_fields: []
allowed_actions:
- "manage_point_in_time"
tenant_permissions: []
static: false
flow_framework_full_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opensearch/flow_framework/*"
- "cluster_monitor"
index_permissions:
- index_patterns:
- "*"
fls: []
masked_fields: []
allowed_actions:
- "indices:admin/aliases/get"
- "indices:admin/mappings/get"
- "indices_monitor"
tenant_permissions: []
static: false
cross_cluster_replication_leader_full_access:
reserved: true
hidden: false
cluster_permissions: []
index_permissions:
- index_patterns:
- "*"
fls: []
masked_fields: []
allowed_actions:
- "indices:admin/plugins/replication/index/setup/validate"
- "indices:data/read/plugins/replication/changes"
- "indices:data/read/plugins/replication/file_chunk"
tenant_permissions: []
static: false
ppl_full_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opensearch/ppl"
index_permissions:
- index_patterns:
- "*"
fls: []
masked_fields: []
allowed_actions:
- "indices:admin/mappings/get"
- "indices:data/read/search*"
- "indices:monitor/settings/get"
tenant_permissions: []
static: false
security_analytics_read_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opensearch/securityanalytics/alerts/get"
- "cluster:admin/opensearch/securityanalytics/correlationAlerts/get"
- "cluster:admin/opensearch/securityanalytics/correlations/findings"
- "cluster:admin/opensearch/securityanalytics/correlations/list"
- "cluster:admin/opensearch/securityanalytics/detector/get"
- "cluster:admin/opensearch/securityanalytics/detector/search"
- "cluster:admin/opensearch/securityanalytics/findings/get"
- "cluster:admin/opensearch/securityanalytics/logtype/search"
- "cluster:admin/opensearch/securityanalytics/mapping/get"
- "cluster:admin/opensearch/securityanalytics/mapping/view/get"
- "cluster:admin/opensearch/securityanalytics/rule/get"
- "cluster:admin/opensearch/securityanalytics/rule/search"
- "cluster:admin/opensearch/securityanalytics/threatintel/alerts/get"
- "cluster:admin/opensearch/securityanalytics/threatintel/iocs/findings/get"
- "cluster:admin/opensearch/securityanalytics/threatintel/iocs/list"
- "cluster:admin/opensearch/securityanalytics/threatintel/monitors/search"
- "cluster:admin/opensearch/securityanalytics/threatintel/sources/get"
- "cluster:admin/opensearch/securityanalytics/threatintel/sources/search"
index_permissions: []
tenant_permissions: []
static: false
security_analytics_full_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opensearch/securityanalytics/alerts/*"
- "cluster:admin/opensearch/securityanalytics/connections/*"
- "cluster:admin/opensearch/securityanalytics/correlationAlerts/*"
- "cluster:admin/opensearch/securityanalytics/correlations/*"
- "cluster:admin/opensearch/securityanalytics/detector/*"
- "cluster:admin/opensearch/securityanalytics/findings/*"
- "cluster:admin/opensearch/securityanalytics/logtype/*"
- "cluster:admin/opensearch/securityanalytics/mapping/*"
- "cluster:admin/opensearch/securityanalytics/rule/*"
- "cluster:admin/opensearch/securityanalytics/threatintel/*"
index_permissions:
- index_patterns:
- "*"
fls: []
masked_fields: []
allowed_actions:
- "indices:admin/mapping/put"
- "indices:admin/mappings/get"
tenant_permissions: []
static: false
knn_full_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/knn_delete_model_action"
- "cluster:admin/knn_get_model_action"
- "cluster:admin/knn_remove_model_from_cache_action"
- "cluster:admin/knn_search_model_action"
- "cluster:admin/knn_stats_action"
- "cluster:admin/knn_training_job_route_decision_info_action"
- "cluster:admin/knn_training_job_router_action"
- "cluster:admin/knn_training_model_action"
- "cluster:admin/knn_update_model_graveyard_action"
- "cluster:admin/knn_warmup_action"
index_permissions: []
tenant_permissions: []
static: false
flow_framework_read_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opensearch/flow_framework/workflow/get"
- "cluster:admin/opensearch/flow_framework/workflow/search"
- "cluster:admin/opensearch/flow_framework/workflow_state/get"
- "cluster:admin/opensearch/flow_framework/workflow_state/search"
- "cluster:admin/opensearch/flow_framework/workflow_step/get"
index_permissions: []
tenant_permissions: []
static: false
security_rest_api_full_access:
reserved: true
hidden: false
cluster_permissions:
- "restapi:admin/actiongroups"
- "restapi:admin/allowlist"
- "restapi:admin/config/update"
- "restapi:admin/internalusers"
- "restapi:admin/nodesdn"
- "restapi:admin/roles"
- "restapi:admin/rolesmapping"
- "restapi:admin/ssl/certs/info"
- "restapi:admin/ssl/certs/reload"
- "restapi:admin/tenants"
index_permissions: []
tenant_permissions: []
static: false
forecast_full_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/plugin/forecast/*"
- "cluster:admin/settings/update"
- "cluster_monitor"
index_permissions:
- index_patterns:
- "*"
fls: []
masked_fields: []
allowed_actions:
- "indices:admin/aliases/get"
- "indices:admin/mapping/get"
- "indices:admin/mapping/put"
- "indices:admin/mappings/fields/get*"
- "indices:admin/mappings/get"
- "indices:admin/resolve/index"
- "indices:data/read*"
- "indices:data/read/field_caps*"
- "indices:data/read/search"
- "indices:data/write*"
- "indices_monitor"
tenant_permissions: []
static: false
kibana_read_only:
reserved: true
hidden: false
cluster_permissions: []
index_permissions: []
tenant_permissions: []
static: false
cross_cluster_search_remote_full_access:
reserved: true
hidden: false
cluster_permissions: []
index_permissions:
- index_patterns:
- "*"
fls: []
masked_fields: []
allowed_actions:
- "indices:admin/shards/search_shards"
- "indices:data/read/search"
tenant_permissions: []
static: false
anomaly_read_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opendistro/ad/detector/info"
- "cluster:admin/opendistro/ad/detector/search"
- "cluster:admin/opendistro/ad/detector/validate"
- "cluster:admin/opendistro/ad/detectors/get"
- "cluster:admin/opendistro/ad/result/search"
- "cluster:admin/opendistro/ad/result/topAnomalies"
- "cluster:admin/opendistro/ad/tasks/search"
index_permissions: []
tenant_permissions: []
static: false
reports_instances_read_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opendistro/reports/instance/get"
- "cluster:admin/opendistro/reports/instance/list"
- "cluster:admin/opendistro/reports/menu/download"
index_permissions: []
tenant_permissions: []
static: false
snapshot_management_full_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opensearch/notifications/feature/publish"
- "cluster:admin/opensearch/snapshot_management/*"
- "cluster:admin/repository/*"
- "cluster:admin/snapshot/*"
index_permissions: []
tenant_permissions: []
static: false
asynchronous_search_full_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opendistro/asynchronous_search/*"
index_permissions:
- index_patterns:
- "*"
fls: []
masked_fields: []
allowed_actions:
- "indices:data/read/search*"
tenant_permissions: []
static: false
search_relevance_full_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opensearch/search_relevance/*"
index_permissions:
- index_patterns:
- "*"
fls: []
masked_fields: []
allowed_actions:
- "indices:admin/mappings/get"
- "indices:data/read/search*"
tenant_permissions: []
static: false
ml_full_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opensearch/ml/*"
- "cluster_monitor"
index_permissions:
- index_patterns:
- "*"
fls: []
masked_fields: []
allowed_actions:
- "indices_monitor"
tenant_permissions: []
static: false
reports_full_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opendistro/reports/definition/create"
- "cluster:admin/opendistro/reports/definition/delete"
- "cluster:admin/opendistro/reports/definition/get"
- "cluster:admin/opendistro/reports/definition/list"
- "cluster:admin/opendistro/reports/definition/on_demand"
- "cluster:admin/opendistro/reports/definition/update"
- "cluster:admin/opendistro/reports/instance/get"
- "cluster:admin/opendistro/reports/instance/list"
- "cluster:admin/opendistro/reports/menu/download"
index_permissions: []
tenant_permissions: []
static: false
custom_replication_role:
reserved: false
hidden: false
cluster_permissions:
- "cluster:admin/opendistro/replication/*"
- "cluster:monitor/*"
- "indices:admin/plugins/replication/*"
index_permissions:
- index_patterns:
- "follower-01"
fls: []
masked_fields: []
allowed_actions:
- "read"
- "write"
- "manage"
- index_patterns:
- "leader-01"
fls: []
masked_fields: []
allowed_actions:
- "read"
tenant_permissions: []
static: false
ip2geo_datasource_full_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/geospatial/datasource/*"
index_permissions: []
tenant_permissions: []
static: false
notebooks_read_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opendistro/notebooks/get"
- "cluster:admin/opendistro/notebooks/list"
index_permissions: []
tenant_permissions: []
static: false
security_analytics_ack_alerts:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opensearch/securityanalytics/alerts/*"
- "cluster:admin/opensearch/securityanalytics/correlationAlerts/*"
- "cluster:admin/opensearch/securityanalytics/threatintel/alerts/*"
index_permissions: []
tenant_permissions: []
static: false
replication_role:
reserved: false
hidden: false
cluster_permissions:
- "cluster:admin/opendistro/replication/*"
- "cluster:monitor/*"
- "indices:admin/plugins/replication/*"
index_permissions:
- index_patterns:
- "follower-01"
fls: []
masked_fields: []
allowed_actions:
- "read"
- "write"
- "manage"
- index_patterns:
- "leader-01"
fls: []
masked_fields: []
allowed_actions:
- "read"
tenant_permissions: []
static: false
ltr_full_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/ltr/*"
index_permissions: []
tenant_permissions: []
static: false
alerting_full_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opendistro/alerting/*"
- "cluster:admin/opensearch/alerting/*"
- "cluster:admin/opensearch/notifications/feature/publish"
- "cluster_monitor"
index_permissions:
- index_patterns:
- "*"
- "leader-index-*"
fls: []
masked_fields: []
allowed_actions:
- "indices:admin/aliases/get"
- "indices:admin/mappings/get"
- "indices_monitor"
tenant_permissions: []
static: false
alerting_read_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opendistro/alerting/alerts/get"
- "cluster:admin/opendistro/alerting/destination/get"
- "cluster:admin/opendistro/alerting/monitor/get"
- "cluster:admin/opendistro/alerting/monitor/search"
- "cluster:admin/opensearch/alerting/comments/search"
- "cluster:admin/opensearch/alerting/findings/get"
- "cluster:admin/opensearch/alerting/remote/indexes/get"
- "cluster:admin/opensearch/alerting/workflow/get"
- "cluster:admin/opensearch/alerting/workflow_alerts/get"
- "cluster:admin/plugins/replication*"
- "indices:data/read/cross_cluster*"
index_permissions: []
tenant_permissions: []
static: false
cross_cluster_replication_follower_full_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/plugins/replication/autofollow/update"
index_permissions:
- index_patterns:
- "*"
fls: []
masked_fields: []
allowed_actions:
- "indices:admin/plugins/replication/index/pause"
- "indices:admin/plugins/replication/index/resume"
- "indices:admin/plugins/replication/index/setup/validate"
- "indices:admin/plugins/replication/index/start"
- "indices:admin/plugins/replication/index/status_check"
- "indices:admin/plugins/replication/index/stop"
- "indices:admin/plugins/replication/index/update"
- "indices:data/write/plugins/replication/changes"
tenant_permissions: []
static: false
notifications_full_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opensearch/notifications/*"
index_permissions: []
tenant_permissions: []
static: false
query_assistant_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opensearch/ml/config/get"
- "cluster:admin/opensearch/ml/execute"
- "cluster:admin/opensearch/ml/predict"
- "cluster:admin/opensearch/ppl"
index_permissions: []
tenant_permissions: []
static: false
notifications_read_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opensearch/notifications/channels/get"
- "cluster:admin/opensearch/notifications/configs/get"
- "cluster:admin/opensearch/notifications/features"
index_permissions: []
tenant_permissions: []
static: false
knn_read_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/knn_get_model_action"
- "cluster:admin/knn_search_model_action"
- "cluster:admin/knn_stats_action"
index_permissions: []
tenant_permissions: []
static: false
asynchronous_search_read_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opendistro/asynchronous_search/get"
index_permissions: []
tenant_permissions: []
static: false
index_management_full_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opendistro/ism/*"
- "cluster:admin/opendistro/rollup/*"
- "cluster:admin/opendistro/transform/*"
- "cluster:admin/opensearch/controlcenter/lron/*"
- "cluster:admin/opensearch/notifications/channels/get"
- "cluster:admin/opensearch/notifications/feature/publish"
index_permissions:
- index_patterns:
- "*"
fls: []
masked_fields: []
allowed_actions:
- "indices:admin/opensearch/ism/*"
- "indices:internal/plugins/replication/index/stop"
tenant_permissions: []
static: false
ml_read_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opensearch/ml/config/get"
- "cluster:admin/opensearch/ml/connectors/get"
- "cluster:admin/opensearch/ml/connectors/search"
- "cluster:admin/opensearch/ml/controllers/get"
- "cluster:admin/opensearch/ml/memory/conversation/get"
- "cluster:admin/opensearch/ml/memory/conversation/interaction/search"
- "cluster:admin/opensearch/ml/memory/conversation/list"
- "cluster:admin/opensearch/ml/memory/conversation/search"
- "cluster:admin/opensearch/ml/memory/interaction/get"
- "cluster:admin/opensearch/ml/memory/interaction/list"
- "cluster:admin/opensearch/ml/memory/trace/get"
- "cluster:admin/opensearch/ml/model_groups/get"
- "cluster:admin/opensearch/ml/model_groups/search"
- "cluster:admin/opensearch/ml/models/get"
- "cluster:admin/opensearch/ml/models/search"
- "cluster:admin/opensearch/ml/profile/nodes"
- "cluster:admin/opensearch/ml/stats/nodes"
- "cluster:admin/opensearch/ml/tasks/get"
- "cluster:admin/opensearch/ml/tasks/search"
- "cluster:admin/opensearch/ml/tools/get"
- "cluster:admin/opensearch/ml/tools/list"
index_permissions: []
tenant_permissions: []
static: false
reports_read_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opendistro/reports/definition/get"
- "cluster:admin/opendistro/reports/definition/list"
- "cluster:admin/opendistro/reports/instance/get"
- "cluster:admin/opendistro/reports/instance/list"
- "cluster:admin/opendistro/reports/menu/download"
index_permissions: []
tenant_permissions: []
static: false
anomaly_full_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/ingest/pipeline/delete"
- "cluster:admin/ingest/pipeline/put"
- "cluster:admin/opendistro/ad/*"
- "cluster_monitor"
index_permissions:
- index_patterns:
- "*"
fls: []
masked_fields: []
allowed_actions:
- "indices:admin/aliases/get"
- "indices:admin/mappings/fields/get"
- "indices:admin/mappings/fields/get*"
- "indices:admin/mappings/get"
- "indices:admin/resolve/index"
- "indices:admin/setting/put"
- "indices:data/read/field_caps*"
- "indices:data/read/search"
- "indices_monitor"
tenant_permissions: []
static: false
replicationAdmin_role:
reserved: false
hidden: false
cluster_permissions:
- "indices:admin/plugins/replication/index/setup/validate"
- "indices:data/read/plugins/replication/file_chunk"
- "indices:data/read/plugins/replication/changes"
- "cluster:admin/opendistro/replication/*"
- "cluster:monitor/*"
- "indices:admin/plugins/replication/*"
index_permissions:
- index_patterns:
- "*"
fls: []
masked_fields: []
allowed_actions:
- "read"
- "write"
- "manage"
- "indices:admin/plugins/replication/*"
tenant_permissions: []
static: false
forecast_read_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/plugin/forecast/forecaster/info"
- "cluster:admin/plugin/forecast/forecaster/stats"
- "cluster:admin/plugin/forecast/forecaster/suggest"
- "cluster:admin/plugin/forecast/forecaster/validate"
- "cluster:admin/plugin/forecast/forecasters/get"
- "cluster:admin/plugin/forecast/forecasters/info"
- "cluster:admin/plugin/forecast/forecasters/search"
- "cluster:admin/plugin/forecast/result/topForecasts"
- "cluster:admin/plugin/forecast/tasks/search"
index_permissions:
- index_patterns:
- "opensearch-forecast-result*"
fls: []
masked_fields: []
allowed_actions:
- "indices:admin/mappings/fields/get*"
- "indices:admin/resolve/index"
- "indices:data/read*"
tenant_permissions: []
static: false
security_rest_api_access:
reserved: true
hidden: false
cluster_permissions: []
index_permissions: []
tenant_permissions: []
static: false
ip2geo_datasource_read_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/geospatial/datasource/get"
index_permissions: []
tenant_permissions: []
static: false
ltr_read_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/ltr/caches/stats"
- "cluster:admin/ltr/featurestore/list"
- "cluster:admin/ltr/stats"
index_permissions: []
tenant_permissions: []
static: false
alerting_ack_alerts:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opendistro/alerting/alerts/*"
- "cluster:admin/opendistro/alerting/chained_alerts/*"
- "cluster:admin/opendistro/alerting/workflow_alerts/*"
- "cluster:admin/opensearch/alerting/comments/*"
index_permissions: []
tenant_permissions: []
static: false
search_relevance_read_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opensearch/search_relevance/experiment/get"
- "cluster:admin/opensearch/search_relevance/judgment/get"
- "cluster:admin/opensearch/search_relevance/queryset/get"
- "cluster:admin/opensearch/search_relevance/search_configuration/get"
index_permissions: []
tenant_permissions: []
static: false
notebooks_full_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opendistro/notebooks/create"
- "cluster:admin/opendistro/notebooks/delete"
- "cluster:admin/opendistro/notebooks/get"
- "cluster:admin/opendistro/notebooks/list"
- "cluster:admin/opendistro/notebooks/update"
index_permissions: []
tenant_permissions: []
static: false
query_insights_full_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opensearch/insights/live_queries/*"
- "cluster:admin/opensearch/insights/top_queries/*"
index_permissions:
- index_patterns:
- "top_queries-*"
fls: []
masked_fields: []
allowed_actions:
- "indices_all"
tenant_permissions: []
static: false
---
replication_role:
hosts: []
users:
- "CN=dramnelalvr01.gosi.ins,O=General Organization for Social Insurance,ST=Ar Riyā\
ḑ,C=SA"
- "CN=dramnelalvr02.gosi.ins,O=General Organization for Social Insurance,ST=Ar Riyā\
ḑ,C=SA"
- "CN=dramnelalvr03.gosi.ins,O=General Organization for Social Insurance,ST=Ar Riyā\
ḑ,C=SA"
- "connection:my-connection-alias"
reserved: false
hidden: false
backend_roles: []
and_backend_roles: []
own_index:
hosts: []
users:
- "*"
reserved: false
hidden: false
backend_roles: []
and_backend_roles: []
description: "Allow full access to an index named like the username"
kibana_user:
hosts: []
users: []
reserved: false
hidden: false
backend_roles:
- "kibanauser"
and_backend_roles: []
description: "Maps kibanauser to kibana_user"
_meta:
type: "rolesmapping"
config_version: 2
all_access:
hosts: []
users:
- "replicator_admin"
reserved: false
hidden: false
backend_roles: []
and_backend_roles: []
readall:
hosts: []
users: []
reserved: false
hidden: false
backend_roles:
- "readall"
and_backend_roles: []
manage_snapshots:
hosts: []
users: []
reserved: false
hidden: false
backend_roles:
- "snapshotrestore"
and_backend_roles: []
replicationAdmin_role:
hosts: []
users:
- "replicator_admin"
reserved: false
hidden: false
backend_roles:
- "replicationAdmin_role"
and_backend_roles: []
cross_cluster_replication_follower_full_access:
hosts: []
users:
- "admin"
reserved: false
hidden: false
backend_roles:
- "cross_cluster_replication_leader_full_access"
and_backend_roles: []
logstash:
hosts: []
users: []
reserved: false
hidden: false
backend_roles:
- "logstash"
and_backend_roles: []
security_rest_api_access:
hosts: []
users:
- "admin"
reserved: false
hidden: false
backend_roles: []
and_backend_roles: []
cross_cluster_replication_leader_full_access:
hosts: []
users:
- "replicator_admin"
reserved: false
hidden: false
backend_roles: []
and_backend_roles: []
custom_replication_role:
hosts: []
users:
- "replicator"
reserved: false
hidden: false
backend_roles: []
and_backend_roles: []
kibana_server:
hosts: []
users:
- "kibanaserver"
reserved: true
hidden: false
backend_roles: []
and_backend_roles: []
Cluster 2
---
replication_user:
hash: "$2y$12$.OE3NqbqelrrrK3bl01Dk2cOuAlODchEZz9VpejPJ7aVg/T0P006d6vm"
reserved: false
hidden: false
backend_roles: []
attributes: {}
description: "User for cross cluster replication"
opendistro_security_roles: []
static: false
logstash:
hash: "$2a$12$u1ShR4l4uBS3rrrUv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2"
reserved: false
hidden: false
backend_roles:
- "logstash"
attributes: {}
description: "Demo logstash user, using external role mapping"
opendistro_security_roles: []
static: false
snapshotrestore:
hash: "$2y$12$DpwmetHKwgYnorbrrrgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W"
reserved: false
hidden: false
backend_roles:
- "snapshotrestore"
attributes: {}
description: "Demo snapshotrestore user, using external role mapping"
opendistro_security_roles: []
static: false
_meta:
type: "internalusers"
config_version: 2
admin:
hash: "$2y$12$s5IwbfB4QCRshEFdrre15JKOZxbOSOD/QcG/DPpt0YHrJ/sWdPwX8ri"
reserved: true
hidden: false
backend_roles:
- "admin"
attributes: {}
description: "Demo admin user"
opendistro_security_roles: []
static: false
replicator:
hash: "$2y$12$x/1bfClgUuSBqOTSYFrrWBqeczRuzebwRqA22Gg7hVgiGfqu6xGa4Va"
reserved: false
hidden: false
backend_roles:
- "cross_cluster_replication_follower_full_access"
attributes: {}
opendistro_security_roles: []
static: false
kibanaserver:
hash: "$2a$12$4AcgAt3xwOWadA5rrs5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
reserved: true
hidden: false
backend_roles: []
attributes: {}
description: "Demo OpenSearch Dashboards user"
opendistro_security_roles: []
static: false
replicator_admin:
hash: "$2y$12$PVgDk6VVhhP3UW6tTrIrrMOe2qhZNXl73Qs2YP8IYsXWB08SxjHbQxa"
reserved: false
hidden: false
backend_roles:
- "cross_cluster_replication_follower_full_access"
attributes: {}
opendistro_security_roles: []
static: false
kibanaro:
hash: "$2a$12$JJSXNfTowz7Urru5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC"
reserved: false
hidden: false
backend_roles:
- "kibanauser"
- "readall"
attributes:
attribute1: "value1"
attribute2: "value2"
attribute3: "value3"
description: "Demo OpenSearch Dashboards read only user, using external role mapping"
opendistro_security_roles: []
static: false
readall:
hash: "$2a$12$ae4ycwzwvLtZxwrrZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2"
reserved: false
hidden: false
backend_roles:
- "readall"
attributes: {}
description: "Demo readall user, using external role mapping"
opendistro_security_roles: []
static: false
anomalyadmin:
hash: "$2y$12$TRwAAJgnNo67w3rrrVUz4FIeLx9Dy/llB79zf9I15CKJ9vkM4ZzAd3."
reserved: false
hidden: false
backend_roles: []
attributes: {}
description: "Demo anomaly admin user, using internal role"
opendistro_security_roles:
- "anomaly_full_access"
static: false
---
observability_read_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opensearch/observability/get"
index_permissions: []
tenant_permissions: []
static: false
snapshot_management_read_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opensearch/snapshot_management/policy/explain"
- "cluster:admin/opensearch/snapshot_management/policy/get"
- "cluster:admin/opensearch/snapshot_management/policy/search"
- "cluster:admin/repository/get"
- "cluster:admin/snapshot/get"
index_permissions: []
tenant_permissions: []
static: false
_meta:
type: "roles"
config_version: 2
observability_full_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opensearch/observability/create"
- "cluster:admin/opensearch/observability/delete"
- "cluster:admin/opensearch/observability/get"
- "cluster:admin/opensearch/observability/update"
index_permissions: []
tenant_permissions: []
static: false
point_in_time_full_access:
reserved: true
hidden: false
cluster_permissions: []
index_permissions:
- index_patterns:
- "*"
fls: []
masked_fields: []
allowed_actions:
- "manage_point_in_time"
tenant_permissions: []
static: false
flow_framework_full_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opensearch/flow_framework/*"
- "cluster_monitor"
index_permissions:
- index_patterns:
- "*"
fls: []
masked_fields: []
allowed_actions:
- "indices:admin/aliases/get"
- "indices:admin/mappings/get"
- "indices_monitor"
tenant_permissions: []
static: false
cross_cluster_replication_leader_full_access:
reserved: true
hidden: false
cluster_permissions: []
index_permissions:
- index_patterns:
- "*"
fls: []
masked_fields: []
allowed_actions:
- "indices:admin/plugins/replication/index/setup/validate"
- "indices:data/read/plugins/replication/changes"
- "indices:data/read/plugins/replication/file_chunk"
tenant_permissions: []
static: false
ppl_full_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opensearch/ppl"
index_permissions:
- index_patterns:
- "*"
fls: []
masked_fields: []
allowed_actions:
- "indices:admin/mappings/get"
- "indices:data/read/search*"
- "indices:monitor/settings/get"
tenant_permissions: []
static: false
security_analytics_read_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opensearch/securityanalytics/alerts/get"
- "cluster:admin/opensearch/securityanalytics/correlationAlerts/get"
- "cluster:admin/opensearch/securityanalytics/correlations/findings"
- "cluster:admin/opensearch/securityanalytics/correlations/list"
- "cluster:admin/opensearch/securityanalytics/detector/get"
- "cluster:admin/opensearch/securityanalytics/detector/search"
- "cluster:admin/opensearch/securityanalytics/findings/get"
- "cluster:admin/opensearch/securityanalytics/logtype/search"
- "cluster:admin/opensearch/securityanalytics/mapping/get"
- "cluster:admin/opensearch/securityanalytics/mapping/view/get"
- "cluster:admin/opensearch/securityanalytics/rule/get"
- "cluster:admin/opensearch/securityanalytics/rule/search"
- "cluster:admin/opensearch/securityanalytics/threatintel/alerts/get"
- "cluster:admin/opensearch/securityanalytics/threatintel/iocs/findings/get"
- "cluster:admin/opensearch/securityanalytics/threatintel/iocs/list"
- "cluster:admin/opensearch/securityanalytics/threatintel/monitors/search"
- "cluster:admin/opensearch/securityanalytics/threatintel/sources/get"
- "cluster:admin/opensearch/securityanalytics/threatintel/sources/search"
index_permissions: []
tenant_permissions: []
static: false
security_analytics_full_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opensearch/securityanalytics/alerts/*"
- "cluster:admin/opensearch/securityanalytics/connections/*"
- "cluster:admin/opensearch/securityanalytics/correlationAlerts/*"
- "cluster:admin/opensearch/securityanalytics/correlations/*"
- "cluster:admin/opensearch/securityanalytics/detector/*"
- "cluster:admin/opensearch/securityanalytics/findings/*"
- "cluster:admin/opensearch/securityanalytics/logtype/*"
- "cluster:admin/opensearch/securityanalytics/mapping/*"
- "cluster:admin/opensearch/securityanalytics/rule/*"
- "cluster:admin/opensearch/securityanalytics/threatintel/*"
index_permissions:
- index_patterns:
- "*"
fls: []
masked_fields: []
allowed_actions:
- "indices:admin/mapping/put"
- "indices:admin/mappings/get"
tenant_permissions: []
static: false
knn_full_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/knn_delete_model_action"
- "cluster:admin/knn_get_model_action"
- "cluster:admin/knn_remove_model_from_cache_action"
- "cluster:admin/knn_search_model_action"
- "cluster:admin/knn_stats_action"
- "cluster:admin/knn_training_job_route_decision_info_action"
- "cluster:admin/knn_training_job_router_action"
- "cluster:admin/knn_training_model_action"
- "cluster:admin/knn_update_model_graveyard_action"
- "cluster:admin/knn_warmup_action"
index_permissions: []
tenant_permissions: []
static: false
flow_framework_read_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opensearch/flow_framework/workflow/get"
- "cluster:admin/opensearch/flow_framework/workflow/search"
- "cluster:admin/opensearch/flow_framework/workflow_state/get"
- "cluster:admin/opensearch/flow_framework/workflow_state/search"
- "cluster:admin/opensearch/flow_framework/workflow_step/get"
index_permissions: []
tenant_permissions: []
static: false
security_rest_api_full_access:
reserved: true
hidden: false
cluster_permissions:
- "restapi:admin/actiongroups"
- "restapi:admin/allowlist"
- "restapi:admin/config/update"
- "restapi:admin/internalusers"
- "restapi:admin/nodesdn"
- "restapi:admin/roles"
- "restapi:admin/rolesmapping"
- "restapi:admin/ssl/certs/info"
- "restapi:admin/ssl/certs/reload"
- "restapi:admin/tenants"
index_permissions: []
tenant_permissions: []
static: false
forecast_full_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/plugin/forecast/*"
- "cluster:admin/settings/update"
- "cluster_monitor"
index_permissions:
- index_patterns:
- "*"
fls: []
masked_fields: []
allowed_actions:
- "indices:admin/aliases/get"
- "indices:admin/mapping/get"
- "indices:admin/mapping/put"
- "indices:admin/mappings/fields/get*"
- "indices:admin/mappings/get"
- "indices:admin/resolve/index"
- "indices:data/read*"
- "indices:data/read/field_caps*"
- "indices:data/read/search"
- "indices:data/write*"
- "indices_monitor"
tenant_permissions: []
static: false
kibana_read_only:
reserved: true
hidden: false
cluster_permissions: []
index_permissions: []
tenant_permissions: []
static: false
cross_cluster_search_remote_full_access:
reserved: true
hidden: false
cluster_permissions: []
index_permissions:
- index_patterns:
- "*"
fls: []
masked_fields: []
allowed_actions:
- "indices:admin/shards/search_shards"
- "indices:data/read/search"
tenant_permissions: []
static: false
anomaly_read_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opendistro/ad/detector/info"
- "cluster:admin/opendistro/ad/detector/search"
- "cluster:admin/opendistro/ad/detector/validate"
- "cluster:admin/opendistro/ad/detectors/get"
- "cluster:admin/opendistro/ad/result/search"
- "cluster:admin/opendistro/ad/result/topAnomalies"
- "cluster:admin/opendistro/ad/tasks/search"
index_permissions: []
tenant_permissions: []
static: false
reports_instances_read_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opendistro/reports/instance/get"
- "cluster:admin/opendistro/reports/instance/list"
- "cluster:admin/opendistro/reports/menu/download"
index_permissions: []
tenant_permissions: []
static: false
snapshot_management_full_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opensearch/notifications/feature/publish"
- "cluster:admin/opensearch/snapshot_management/*"
- "cluster:admin/repository/*"
- "cluster:admin/snapshot/*"
index_permissions: []
tenant_permissions: []
static: false
asynchronous_search_full_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opendistro/asynchronous_search/*"
index_permissions:
- index_patterns:
- "*"
fls: []
masked_fields: []
allowed_actions:
- "indices:data/read/search*"
tenant_permissions: []
static: false
search_relevance_full_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opensearch/search_relevance/*"
index_permissions:
- index_patterns:
- "*"
fls: []
masked_fields: []
allowed_actions:
- "indices:admin/mappings/get"
- "indices:data/read/search*"
tenant_permissions: []
static: false
ml_full_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opensearch/ml/*"
- "cluster_monitor"
index_permissions:
- index_patterns:
- "*"
fls: []
masked_fields: []
allowed_actions:
- "indices_monitor"
tenant_permissions: []
static: false
reports_full_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opendistro/reports/definition/create"
- "cluster:admin/opendistro/reports/definition/delete"
- "cluster:admin/opendistro/reports/definition/get"
- "cluster:admin/opendistro/reports/definition/list"
- "cluster:admin/opendistro/reports/definition/on_demand"
- "cluster:admin/opendistro/reports/definition/update"
- "cluster:admin/opendistro/reports/instance/get"
- "cluster:admin/opendistro/reports/instance/list"
- "cluster:admin/opendistro/reports/menu/download"
index_permissions: []
tenant_permissions: []
static: false
custom_replication_role:
reserved: false
hidden: false
cluster_permissions:
- "cluster:admin/opendistro/replication/*"
- "cluster:monitor/*"
- "indices:admin/plugins/replication/*"
index_permissions:
- index_patterns:
- "follower-01"
fls: []
masked_fields: []
allowed_actions:
- "read"
- "write"
- "manage"
- index_patterns:
- "leader-01"
fls: []
masked_fields: []
allowed_actions:
- "read"
tenant_permissions: []
static: false
ip2geo_datasource_full_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/geospatial/datasource/*"
index_permissions: []
tenant_permissions: []
static: false
admin_full_access:
reserved: false
hidden: false
cluster_permissions:
- "cluster:admin/settings/update"
- "cluster:admin/opendistro/replication/*"
- "cluster:admin/*"
- "cluster:monitor/*"
index_permissions:
- index_patterns:
- "*"
fls: []
masked_fields: []
allowed_actions:
- "read"
- "write"
- "manage"
- "indices:admin/*"
tenant_permissions: []
static: false
notebooks_read_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opendistro/notebooks/get"
- "cluster:admin/opendistro/notebooks/list"
index_permissions: []
tenant_permissions: []
static: false
security_analytics_ack_alerts:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opensearch/securityanalytics/alerts/*"
- "cluster:admin/opensearch/securityanalytics/correlationAlerts/*"
- "cluster:admin/opensearch/securityanalytics/threatintel/alerts/*"
index_permissions: []
tenant_permissions: []
static: false
replication_role:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/plugins/replication/autofollow/update"
index_permissions:
- index_patterns:
- "*"
fls: []
masked_fields: []
allowed_actions:
- "indices:admin/plugins/replication/index/pause"
- "indices:admin/plugins/replication/index/resume"
- "indices:admin/plugins/replication/index/setup/validate"
- "indices:admin/plugins/replication/index/start"
- "indices:admin/plugins/replication/index/status_check"
- "indices:admin/plugins/replication/index/stop"
- "indices:admin/plugins/replication/index/update"
- "indices:data/write/plugins/replication/changes"
tenant_permissions: []
static: false
ltr_full_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/ltr/*"
index_permissions: []
tenant_permissions: []
static: false
alerting_full_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opendistro/alerting/*"
- "cluster:admin/opensearch/alerting/*"
- "cluster:admin/opensearch/notifications/feature/publish"
- "cluster_monitor"
index_permissions:
- index_patterns:
- "*"
- "leader-index-*"
fls: []
masked_fields: []
allowed_actions:
- "indices:admin/aliases/get"
- "indices:admin/mappings/get"
- "indices_monitor"
tenant_permissions: []
static: false
alerting_read_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opendistro/alerting/alerts/get"
- "cluster:admin/opendistro/alerting/destination/get"
- "cluster:admin/opendistro/alerting/monitor/get"
- "cluster:admin/opendistro/alerting/monitor/search"
- "cluster:admin/opensearch/alerting/comments/search"
- "cluster:admin/opensearch/alerting/findings/get"
- "cluster:admin/opensearch/alerting/remote/indexes/get"
- "cluster:admin/opensearch/alerting/workflow/get"
- "cluster:admin/opensearch/alerting/workflow_alerts/get"
- "cluster:admin/plugins/replication*"
- "indices:data/read/cross_cluster*"
index_permissions: []
tenant_permissions: []
static: false
cross_cluster_replication_follower_full_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/plugins/replication/autofollow/update"
index_permissions:
- index_patterns:
- "*"
fls: []
masked_fields: []
allowed_actions:
- "indices:admin/plugins/replication/index/pause"
- "indices:admin/plugins/replication/index/resume"
- "indices:admin/plugins/replication/index/setup/validate"
- "indices:admin/plugins/replication/index/start"
- "indices:admin/plugins/replication/index/status_check"
- "indices:admin/plugins/replication/index/stop"
- "indices:admin/plugins/replication/index/update"
- "indices:data/write/plugins/replication/changes"
tenant_permissions: []
static: false
notifications_full_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opensearch/notifications/*"
index_permissions: []
tenant_permissions: []
static: false
query_assistant_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opensearch/ml/config/get"
- "cluster:admin/opensearch/ml/execute"
- "cluster:admin/opensearch/ml/predict"
- "cluster:admin/opensearch/ppl"
index_permissions: []
tenant_permissions: []
static: false
notifications_read_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opensearch/notifications/channels/get"
- "cluster:admin/opensearch/notifications/configs/get"
- "cluster:admin/opensearch/notifications/features"
index_permissions: []
tenant_permissions: []
static: false
knn_read_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/knn_get_model_action"
- "cluster:admin/knn_search_model_action"
- "cluster:admin/knn_stats_action"
index_permissions: []
tenant_permissions: []
static: false
asynchronous_search_read_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opendistro/asynchronous_search/get"
index_permissions: []
tenant_permissions: []
static: false
index_management_full_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opendistro/ism/*"
- "cluster:admin/opendistro/rollup/*"
- "cluster:admin/opendistro/transform/*"
- "cluster:admin/opensearch/controlcenter/lron/*"
- "cluster:admin/opensearch/notifications/channels/get"
- "cluster:admin/opensearch/notifications/feature/publish"
index_permissions:
- index_patterns:
- "*"
fls: []
masked_fields: []
allowed_actions:
- "indices:admin/opensearch/ism/*"
- "indices:internal/plugins/replication/index/stop"
tenant_permissions: []
static: false
ml_read_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opensearch/ml/config/get"
- "cluster:admin/opensearch/ml/connectors/get"
- "cluster:admin/opensearch/ml/connectors/search"
- "cluster:admin/opensearch/ml/controllers/get"
- "cluster:admin/opensearch/ml/memory/conversation/get"
- "cluster:admin/opensearch/ml/memory/conversation/interaction/search"
- "cluster:admin/opensearch/ml/memory/conversation/list"
- "cluster:admin/opensearch/ml/memory/conversation/search"
- "cluster:admin/opensearch/ml/memory/interaction/get"
- "cluster:admin/opensearch/ml/memory/interaction/list"
- "cluster:admin/opensearch/ml/memory/trace/get"
- "cluster:admin/opensearch/ml/model_groups/get"
- "cluster:admin/opensearch/ml/model_groups/search"
- "cluster:admin/opensearch/ml/models/get"
- "cluster:admin/opensearch/ml/models/search"
- "cluster:admin/opensearch/ml/profile/nodes"
- "cluster:admin/opensearch/ml/stats/nodes"
- "cluster:admin/opensearch/ml/tasks/get"
- "cluster:admin/opensearch/ml/tasks/search"
- "cluster:admin/opensearch/ml/tools/get"
- "cluster:admin/opensearch/ml/tools/list"
index_permissions: []
tenant_permissions: []
static: false
reports_read_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opendistro/reports/definition/get"
- "cluster:admin/opendistro/reports/definition/list"
- "cluster:admin/opendistro/reports/instance/get"
- "cluster:admin/opendistro/reports/instance/list"
- "cluster:admin/opendistro/reports/menu/download"
index_permissions: []
tenant_permissions: []
static: false
anomaly_full_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/ingest/pipeline/delete"
- "cluster:admin/ingest/pipeline/put"
- "cluster:admin/opendistro/ad/*"
- "cluster_monitor"
index_permissions:
- index_patterns:
- "*"
fls: []
masked_fields: []
allowed_actions:
- "indices:admin/aliases/get"
- "indices:admin/mappings/fields/get"
- "indices:admin/mappings/fields/get*"
- "indices:admin/mappings/get"
- "indices:admin/resolve/index"
- "indices:admin/setting/put"
- "indices:data/read/field_caps*"
- "indices:data/read/search"
- "indices_monitor"
tenant_permissions: []
static: false
replicationAdmin_role:
reserved: false
hidden: false
cluster_permissions:
- "indices:admin/plugins/replication/index/setup/validate"
- "indices:admin/plugins/replication/index/start"
- "indices:admin/plugins/replication/index/pause"
- "indices:admin/plugins/replication/index/resume"
- "indices:admin/plugins/replication/index/stop"
- "indices:admin/plugins/replication/index/update"
- "indices:admin/plugins/replication/index/status_check"
- "indices:data/write/plugins/replication/changes"
- "cluster:admin/plugins/replication/autofollow/update"
index_permissions:
- index_patterns:
- "*"
fls: []
masked_fields: []
allowed_actions:
- "read"
- "write"
- "manage"
- "indices:admin/plugins/replication/*"
tenant_permissions: []
static: false
forecast_read_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/plugin/forecast/forecaster/info"
- "cluster:admin/plugin/forecast/forecaster/stats"
- "cluster:admin/plugin/forecast/forecaster/suggest"
- "cluster:admin/plugin/forecast/forecaster/validate"
- "cluster:admin/plugin/forecast/forecasters/get"
- "cluster:admin/plugin/forecast/forecasters/info"
- "cluster:admin/plugin/forecast/forecasters/search"
- "cluster:admin/plugin/forecast/result/topForecasts"
- "cluster:admin/plugin/forecast/tasks/search"
index_permissions:
- index_patterns:
- "opensearch-forecast-result*"
fls: []
masked_fields: []
allowed_actions:
- "indices:admin/mappings/fields/get*"
- "indices:admin/resolve/index"
- "indices:data/read*"
tenant_permissions: []
static: false
security_rest_api_access:
reserved: true
hidden: false
cluster_permissions: []
index_permissions: []
tenant_permissions: []
static: false
ip2geo_datasource_read_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/geospatial/datasource/get"
index_permissions: []
tenant_permissions: []
static: false
ltr_read_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/ltr/caches/stats"
- "cluster:admin/ltr/featurestore/list"
- "cluster:admin/ltr/stats"
index_permissions: []
tenant_permissions: []
static: false
alerting_ack_alerts:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opendistro/alerting/alerts/*"
- "cluster:admin/opendistro/alerting/chained_alerts/*"
- "cluster:admin/opendistro/alerting/workflow_alerts/*"
- "cluster:admin/opensearch/alerting/comments/*"
index_permissions: []
tenant_permissions: []
static: false
search_relevance_read_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opensearch/search_relevance/experiment/get"
- "cluster:admin/opensearch/search_relevance/judgment/get"
- "cluster:admin/opensearch/search_relevance/queryset/get"
- "cluster:admin/opensearch/search_relevance/search_configuration/get"
index_permissions: []
tenant_permissions: []
static: false
notebooks_full_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opendistro/notebooks/create"
- "cluster:admin/opendistro/notebooks/delete"
- "cluster:admin/opendistro/notebooks/get"
- "cluster:admin/opendistro/notebooks/list"
- "cluster:admin/opendistro/notebooks/update"
index_permissions: []
tenant_permissions: []
static: false
query_insights_full_access:
reserved: true
hidden: false
cluster_permissions:
- "cluster:admin/opensearch/insights/live_queries/*"
- "cluster:admin/opensearch/insights/top_queries/*"
index_permissions:
- index_patterns:
- "top_queries-*"
fls: []
masked_fields: []
allowed_actions:
- "indices_all"
tenant_permissions: []
static: false
---
replication_role:
hosts: []
users:
- "replicator"
reserved: false
hidden: false
backend_roles:
- "custom_replication_role"
and_backend_roles: []
own_index:
hosts: []
users:
- "*"
reserved: false
hidden: false
backend_roles: []
and_backend_roles: []
description: "Allow full access to an index named like the username"
kibana_user:
hosts: []
users: []
reserved: false
hidden: false
backend_roles:
- "kibanauser"
and_backend_roles: []
description: "Maps kibanauser to kibana_user"
_meta:
type: "rolesmapping"
config_version: 2
all_access:
hosts: []
users:
- "replicator_admin"
reserved: false
hidden: false
backend_roles: []
and_backend_roles: []
readall:
hosts: []
users: []
reserved: false
hidden: false
backend_roles:
- "readall"
and_backend_roles: []
manage_snapshots:
hosts: []
users: []
reserved: false
hidden: false
backend_roles:
- "snapshotrestore"
and_backend_roles: []
replicationAdmin_role:
hosts: []
users:
- "replicator_admin"
reserved: false
hidden: false
backend_roles:
- "replicationAdmin_role"
and_backend_roles: []
cross_cluster_replication_follower_full_access:
hosts: []
users:
- "replicator_admin"
reserved: false
hidden: false
backend_roles:
- "cross_cluster_replication_follower_full_access"
and_backend_roles: []
logstash:
hosts: []
users: []
reserved: false
hidden: false
backend_roles:
- "logstash"
and_backend_roles: []
security_rest_api_access:
hosts: []
users:
- "admin"
reserved: false
hidden: false
backend_roles: []
and_backend_roles: []
cross_cluster_replication_leader_full_access:
hosts: []
users:
- "admin"
reserved: false
hidden: false
backend_roles:
- "replicationAdmin_role"
and_backend_roles: []
custom_replication_role:
hosts: []
users:
- "replicator"
reserved: false
hidden: false
backend_roles: []
and_backend_roles: []
kibana_server:
hosts: []
users:
- "kibanaserver"
reserved: true
hidden: false
backend_roles: []
and_backend_roles: []
admin_full_access:
hosts: []
users:
- "admin"
reserved: false
hidden: false
backend_roles:
- "admin"
and_backend_roles: []
Dear @Anthony I have attached details with required format.
Thanks,
Mohammad Jafar Raza
Anthony
September 9, 2025, 10:53am
11
Can you confirm the cross cluster replication works as expected using admin user and its only when you assign the permissions that this fails?
Hi
It is not working even with admin user.
Thanks,
Mohammad Jafar Raza
Anthony
September 9, 2025, 11:43am
13
@mohammadjafarraza in this case first you should get this working with admin user, as this will have all the necessary permissions. Have you went through the steps outlined in the docs
Which step do you fail on?
While starting the replication, it is getting failed with below error.
curl -XPUT -k -H ‘Content-Type: application/json’ -u ‘admin:********’ ‘https://localhost:9200/_plugins/_replication/follower-01/_start?pretty’ -d ’
If we hit multiple times, we are getting below error as well.
curl -XPUT -k -H ‘Content-Type: application/json’ -u ‘admin:*******’ ‘https://locahost:9200/_plugins/_replication/follower-01/_start?pretty’ -d ’
Anthony
September 9, 2025, 1:27pm
16
@mohammadjafarraza This indicated that the admin is not mapped to the two roles you have specified. Firstly ensure the role is present in both clusters (Using OSD UI is the simplest way).
If it is present, map admin user to these roles on both clusters. This should now enable you to start the replication.
Repeat the same steps for non admin user if the above works.
1 Like
Dear Anthony
Admin is part of both role in both cluster.
Thanks,
Mohammad Jafar Raza
1 Like
system
November 9, 2025, 6:44am
18
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.
