Disallow change own password

I am going to share a (read-only) user with the world so people can check out my X-Pack demo.
Therefore I need to disallow/disable the 'change password' option under the user's own account options.
Is this possible?

There isn't an explicit option for that today, though there are a few workarounds that may be sufficient for your needs.

  1. We don't allow changing the password for AD/LDAP users, so if you have an AD/LDAP domain, you could create/use a shared user there.
  2. You could configure a separate Kibana instance and configure anonymous access. There are a few ways to do this, which I actually just outlined in a recent post: "I want authentication only for ES, not Kibana dashboards".

It would also be possible to use the file realm for this (it doesn't support API-based password changes either).
If you go down this path, please make sure you read the "IMPORTANT" notices in the file realm documentation as there are key steps that you need to follow when setting up file-based authentication.


Thanks for the answers.
I also found a workaround myself:
Using NGINX as reverse proxy to deny/drop the following requests:

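    # Password-change endpoint for the shared user:
    # allow GET (and, implicitly, HEAD); deny every other method
    location /api/security/v1/users/<user>/password {
        limit_except GET {
            deny all;
        }
    }

    # Console API path: same restriction
    location /api/console/ {
        limit_except GET {
            deny all;
        }
    }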
