I'm wondering if it is somehow possible to protect the internal (native) ES roles from being compromised by a "bad" AD admin, who could create an external (AD, LDAP) group "superuser" and add its own account to that group. As the result - full access to the ES cluster.
Again: supposed that an active_directory realm is configured with:
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.