Give A User Permissions To On-board New Users

I want to create a user who can create and manage new user onboarding.

What I did was create a user and assign a role with the manage_security permission for the cluster.

Problem: the user who is assigned manage_security privileges can make himself a superuser. I want to give a user limited access only to create and delete users.

Can anyone help me with how I can achieve this?

This is not possible today. Being able to create users essentially implies superuser access because there is no restriction on what roles you can assign to a new user. This means you can easily make a new superuser.

Depending on your needs, the closest alternative could be creating API keys for new users. The privileges of an API key are bounded by the creator's privileges.

2 Likes
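The bounding rule described in the reply above, as an added example that is not part of the original thread: it builds a request body for Elasticsearch's `POST /_security/api_key` endpoint and models which requested privileges survive when the creator does not hold them. The creator's privileges, the key name, the index patterns and the helper names are constructed assumptions, and the model compares privilege names literally rather than resolving wildcards or implied privileges as Elasticsearch does.

```python
import json

# Constructed sample: privileges held by the operator who creates the keys.
CREATOR = {
    "cluster": {"manage_own_api_key", "monitor"},
    "indices": {"logs-app-*": {"read", "view_index_metadata"}},
}

def build_api_key_request(name, role_descriptors, expiration="30d"):
    """JSON body for POST /_security/api_key (name and expiration are sample values)."""
    return {"name": name, "expiration": expiration,
            "role_descriptors": role_descriptors}

def split_privileges(creator, role_descriptors):
    """Return (effective, dropped) under a simplified model of the bounding rule.

    Assumption: privilege names and index patterns are compared literally;
    Elasticsearch itself also resolves wildcards and implied privileges.
    """
    effective = {"cluster": set(), "indices": {}}
    dropped = []
    if not role_descriptors:
        # No descriptors: the key takes a copy of the creator's privileges.
        return {"cluster": set(creator["cluster"]),
                "indices": {p: set(v) for p, v in creator["indices"].items()}}, dropped
    for desc in role_descriptors.values():
        for priv in desc.get("cluster", []):
            if priv in creator["cluster"]:
                effective["cluster"].add(priv)
            else:
                dropped.append(("cluster", priv))
        for entry in desc.get("indices", []):
            for pattern in entry["names"]:
                held = creator["indices"].get(pattern, set())
                for priv in entry["privileges"]:
                    if priv in held:
                        effective["indices"].setdefault(pattern, set()).add(priv)
                    else:
                        dropped.append((pattern, priv))
    return effective, sorted(dropped)

# Constructed request that asks for more than the creator holds.
REQUESTED = {
    "onboarded-user": {
        "cluster": ["monitor", "manage_security"],
        "indices": [{"names": ["logs-app-*"], "privileges": ["read", "write"]},
                    {"names": ["secrets-*"], "privileges": ["read"]}],
    }
}

if __name__ == "__main__":
    print(json.dumps(build_api_key_request("onboard-alice", REQUESTED), indent=2))
    print(split_privileges(CREATOR, REQUESTED))
```

The `dropped` list is useful as a pre-flight review: anything in it is a privilege the key would not receive because the creating account lacks it.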
