I'm trying to set up role-based access control. I define a security_engineer role and a security_engineer space for the security engineers that need read-only access.
I'm on Elasticsearch version 7.5.0 with security enabled (basic license).
I define the role as
curl -v -k -u <username>:<password> -XPUT \
  -H "kbn-xsrf: true" -H "Content-Type: application/json" \
  "http://127.0.0.1:5601/api/security/role/security_engineer" \
  -d '{
    "elasticsearch": {
      "cluster": ["all"],
      "indices": [
        { "names": ["wazuh*", "phoenix*"], "privileges": ["read"] }
      ]
    },
    "kibana": [
      {
        "base": [],
        "feature": {
          "discover": ["read"],
          "dashboard": ["read"],
          "siem": ["read"],
          "wazuh": ["read"]
        },
        "spaces": ["security_engineer"]
      }
    ]
  }'
And I assign this role to a specific security engineer.
They indeed only see the features for discover, dashboard, siem and wazuh,
but they can also get to the settings,
so once they log in they can just assign themselves the superuser role.
That is obviously not the idea. So I must be doing something really stupid.
The questions are:
- Where do I enforce that a user cannot change their own security roles?
- How can I disable the settings feature?
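Added example (not part of the original post, and not code from Elastic or the Wazuh plugin): the posted role next to a corrected one, plus a guard that refuses to push any role body whose cluster privilege list contains "all" or "manage_security". The `all` cluster privilege includes `manage_security`, and Kibana's Users and Roles pages under Stack Management are gated on that privilege, which is why the holder can edit roles (their own included). The environment variables KIBANA_URL, KIBANA_USER and KIBANA_PASSWORD and the `--push` flag are assumptions of this script.

```shell
#!/bin/sh
# Added example: corrected security_engineer role with a pre-push guard.
# Assumed environment: KIBANA_URL (defaults to http://127.0.0.1:5601),
# KIBANA_USER, KIBANA_PASSWORD. Nothing is sent unless run with --push.

# The role exactly as posted in the question. "cluster": ["all"] includes
# manage_security, the privilege behind the Users/Roles pages in Kibana.
original_role_body() {
  cat <<'EOF'
{
  "elasticsearch": {
    "cluster": ["all"],
    "indices": [{ "names": ["wazuh*", "phoenix*"], "privileges": ["read"] }]
  },
  "kibana": [
    {
      "base": [],
      "feature": {
        "discover": ["read"],
        "dashboard": ["read"],
        "siem": ["read"],
        "wazuh": ["read"]
      },
      "spaces": ["security_engineer"]
    }
  ]
}
EOF
}

# Corrected role: no cluster privileges at all. Read on the data indices plus
# read on the four Kibana features is all a read-only analyst needs; the
# role cannot see or edit roles and users any more.
security_engineer_role_body() {
  cat <<'EOF'
{
  "elasticsearch": {
    "cluster": [],
    "indices": [{ "names": ["wazuh*", "phoenix*"], "privileges": ["read"] }]
  },
  "kibana": [
    {
      "base": [],
      "feature": {
        "discover": ["read"],
        "dashboard": ["read"],
        "siem": ["read"],
        "wazuh": ["read"]
      },
      "spaces": ["security_engineer"]
    }
  ]
}
EOF
}

# Reads a role body on stdin and exits 0 when its "cluster" array contains
# "all" or "manage_security". Assumes the array sits on a single line, as in
# the bodies above; it is a guard for this script, not a general JSON parser.
role_grants_security_management() {
  grep -Eq '"cluster"[[:space:]]*:[[:space:]]*\[[^]]*"(all|manage_security)"'
}

# PUT the corrected role through Kibana's role API, refusing if the guard trips.
push_role() {
  body=$(security_engineer_role_body)
  if printf '%s\n' "$body" | role_grants_security_management; then
    echo "refusing to push: role grants security management" >&2
    return 1
  fi
  curl -sS -f -u "${KIBANA_USER}:${KIBANA_PASSWORD}" \
    -X PUT -H "kbn-xsrf: true" -H "Content-Type: application/json" \
    "${KIBANA_URL:-http://127.0.0.1:5601}/api/security/role/security_engineer" \
    -d "$body"
}

# Only touches Kibana when invoked as: sh fix_role.sh --push
if [ "${1:-}" = "--push" ]; then
  push_role
fi
```

Run it with `--push` and the role is replaced in place; users who already hold it get the narrower privileges on their next request, but anyone who has already granted themselves superuser has to have that role removed by an administrator. The guard greps rather than parses because the bodies it protects are generated by the script itself; for role bodies that come from elsewhere, check the cluster list with a real JSON tool instead.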