ES|QL when executed over CCS requires "read" local privilege for any (or none) local indices #108734
Labels
:Analytics/ES|QL
>bug
:Security/Security
Team:Analytics
Team:Security
Description
When executing ES|QL over CCS (new and tech preview in 8.14) the permissions require that the user have "read" access defined for the local cluster.
The following are the minimum local cluster privileges required:
to allow ES|QL to work over CCS. (empty names is not needed, empty or any names will work). This requirement is due to an internal implementation detail for how the local actions are authorized before the work travels across clusters.
Ideally, only the following permissions (example for API key based CCS) are needed:
with no local permission required.
cc: @dnhatn @quux00