Cross-cluster replication security

Because cross-cluster replication involves multiple clusters, it’s possible that clusters might have different security configurations. The following configurations are supported:

• Security plugin enabled only for TLS on both clusters ()
• Security plugin absent or disabled on both clusters (not recommended)

Enable node-to-node encryption on both the leader and the follower cluster to ensure that replication traffic between the clusters is encrypted.

In order for non-admin users to perform replication activities, they must be mapped to the appropriate permissions.

If you don’t want to use the default roles, you can combine individual replication permissions to meet your needs. Most permissions correspond to specific REST API operations. For example, the permission lets you pause replication.

The and create replication rule operations are special cases. They involve background processes on the leader and follower clusters that must be associated with roles. When you perform one of these actions, you must explicitly pass the leader_cluster_role and follower_cluster_role in the request, which OpenSearch then uses in all backend replication tasks.

To enable non-admins to start replication and create replication rules, create an identical user on each cluster (for example, ) and map them to the cross_cluster_replication_leader_full_access role on the remote cluster and cross_cluster_replication_follower_full_access on the follower cluster. For instructions, see .

You can create your own, custom leader and follower cluster roles using individual permissions, but we recommend using the default roles, which are a good fit for most use cases.

The following sections list the available index and cluster-level permissions for cross-cluster replication.

The security plugin supports these permissions for the follower cluster:

Leader cluster