CCR not working

Hello,

I am testing Opensearch 1.1.0 and followed the docs in order to get CCR working but i get an error when trying to start it.

Start command:

curl --cert tls.crt --key tls.key --cacert ca.crt -XPUT -k -H 'Content-Type: application/json' 'https://opensearch-replica-master.cadence-test:9200/_plugins/_replication/cadence-visibility/_start?pretty' -d '
{
   "leader_alias": "master",
   "leader_index": "cadence-visibility",
   "use_roles":{
      "leader_cluster_role": "all_access",
      "follower_cluster_role": "all_access"
   }
}'

Log errors:

[2021-10-07T08:02:03,682][ERROR][o.o.r.s.RemoteClusterRetentionLeaseHelper] [opensearch-cluster-master-2] retention lease with ID [replication:opensearch-replica:[cadence-visibility][0]] already exists
[2021-10-07T08:02:03,683][INFO ][o.o.r.s.RemoteClusterRetentionLeaseHelper] [opensearch-cluster-master-2] Renew retention lease as it already exists replication:opensearch-replica:[cadence-visibility][0] with -1
[2021-10-07T08:02:03,688][ERROR][o.o.s.f.SecurityFilter   ] [opensearch-cluster-master-2] No user found for indices:data/read/plugins/replication/file_chunk from 10.196.75.55:43050 LOCAL via transport {_opendistro_security_initial_action_class_header=GetFileChunkRequest, _opendistro_security_origin_header=LOCAL, _opendistro_security_remotecn=opensearch-replica}

Status:

curl --cert tls.crt --key tls.key --cacert ca.crt -XGET 'https://opensearch-replica-master.cadence-test:9200/_plugins/_replication/cadence-visibility/_status?pretty'
{
  "status" : "FAILED",
  "reason" : "",
  "leader_alias" : "master",
  "leader_index" : "cadence-visibility",
  "follower_index" : "cadence-visibility"
}

Any help is much appreciated.

Best regards

Just tried to start the replication using -u’admin:admin’ and it worked.

It’s weird since the certificate i am using with curl has CN=admin and i have set the same in plugins.security.authcz.admin_dn

Just so I understand, @stdmje, it’s not working as expected with your preferred authz but it is working with basic auth?

Yes, you are right. If i start the replication with basic auth works fine.

Thanks @stdmje for reporting the issue.
CCR relies on security plugin to populate relevant info in the thread context to trigger replication jobs. if the certs for admin are used, this user context information is missing. I have opened an issue on CCR to track this: link

1 Like