Hi there,
I'd need to create a role which allows a user to make the following call
GET _security/user
in order to list all the users of a cluster.
Unfortunately, according to the API doc it seems to need the manage_security or all cluster privilege.
However, giving a specific user one of those privileges would allow him to do a bunch of other VERY IMPORTANT things, such as create/delete/edit other users/roles.
Is there any other way to accomplish what I need without giving such permissions?
I tried allowing specific privileges (like read/write) only to the .security* indices but it won't work, returning the usual security error
action [cluster:admin/xpack/security/user/get] is unauthorized for user [my_user] with roles [my_role], this action is granted by the cluster privileges [manage_security,all]
Is it possible I can't allow a user to list other users without preventing him the whole access to the security layer?
Thanks!