I want to create a user who can create and manage new user onboarding.
What I did is, created a user and assign a role with manage_security permission for the cluster.
Problem: the user who is assigned with manage_security privileges can make himself a superuser. I want to give a user limited access only to create and delete users.
Can anyone help me how can I achieve this?
This is not possible today. Being able to create user essentially implies superuser access because there is no restriction on what roles you can assign to a new user. This means you can easily make a new superuser.
Depending on your needs, the closest alternative could be creating API keys for new users. The privileges of an API key is bounded by the creator's privileges.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.