[7.15.1] Allow GET _security/user avoiding permission bloat

Fabio-sama · November 12, 2021, 12:05pm

Hi there,

I'd need to create a role which allows a user to make the following call

GET _security/user

in order to list all the users of a cluster.
Unfortunately, according to the API doc it seems to need the manage_security or all cluster privilege.
However, giving a specific user one of those privileges would allow him to do a bunch of other VERY IMPORTANT things, such as create/delete/edit other users/roles.

Is there any other way to accomplish what I need without giving such permissions?

I tried allowing specific privileges (like read/write) only to the .security* indices but it won't work, returning the usual security error

action [cluster:admin/xpack/security/user/get] is unauthorized for user [my_user] wit
h roles [my_role], this action is granted by the cluster privileges [manage_security,all]

Is it possible I can't allow a user to list other users without preventing him the whole access to the security layer?

Thanks!

fdartayre · November 18, 2021, 10:02am

Hi Fabio,

You should be able to define the role like this and give it to your user:

POST /_security/role/get_user_role
{
  "cluster": ["cluster:admin/xpack/security/user/get"]
}

A cluster privilege can be either one of the predefined cluster privilege names (manage_security, etc) or a pattern over one of the available cluster actions.

Fabio-sama · December 7, 2021, 1:57pm

Hi Fred,

sorry for the late reply to your answer.
It worked flawlessly!

Thank you so much!

system · January 4, 2022, 1:57pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.