I want to create a user who can create and manage new user onboarding.
What I did was create a user and assign a role with the manage_security permission for the cluster.
Problem: the user who is assigned manage_security privileges can make himself a superuser. I want to give a user limited access only to create and delete users.
This is not possible today. Being able to create users essentially implies superuser access because there is no restriction on what roles you can assign to a new user. This means you can easily make a new superuser.
Depending on your needs, the closest alternative could be creating API keys for new users. The privileges of an API key are bounded by the creator's privileges.
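An added example of the API key alternative from the answer above (not part of the original thread and not Elastic's own code): the onboarding account issues each new user a key limited to index access through `role_descriptors`, with no cluster privileges. The function names, the `onboard-` naming scheme and the deny-lists are assumptions made for illustration, and the onboarding account is assumed to hold a role that lets it create API keys.

```python
import base64
import json
import urllib.request

# Constructed policy for this example: index privileges the onboarding
# account refuses to put in a key, and patterns considered too broad.
DENIED_INDEX_PRIVS = {"all", "manage"}
DENIED_PATTERNS = {"*", "_all"}


def build_api_key_request(owner, index_patterns, index_privileges, expiration="30d"):
    """Build the body for POST /_security/api_key, limited to index access."""
    patterns, privs = set(index_patterns), set(index_privileges)
    # With no role descriptors the key gets a snapshot of the creator's own
    # permissions, so an empty scope is rejected instead of sent.
    if not patterns or not privs:
        raise ValueError("index patterns and privileges are both required")
    if patterns & DENIED_PATTERNS or privs & DENIED_INDEX_PRIVS:
        raise ValueError("scope is broader than the onboarding policy allows")
    return {
        "name": f"onboard-{owner}",
        "expiration": expiration,
        "role_descriptors": {
            f"{owner}-access": {
                "cluster": [],  # no cluster privileges, so no manage_security
                "indices": [{"names": sorted(patterns), "privileges": sorted(privs)}],
            }
        },
    }


def create_api_key(base_url, username, password, body):
    """Send the request as the onboarding account and return the parsed reply."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    request = urllib.request.Request(
        f"{base_url}/_security/api_key",
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"Basic {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(request) as response:
        return json.load(response)  # contains "id" and "api_key" for the new user
```

Elasticsearch applies the intersection of these role descriptors and the creator's own privileges, so a descriptor that asks for more than the onboarding account holds does not grant more.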