パスワード変更の禁止

[kibana_dashboard_only_user]を持っているAというアカウントでログインしたとき,図のAccountSettingsページに移動させないためにはどうしたらいいですか?最終的にパスワード変更ができないようにしたいです.また,リバースプロキシでNGINXを使用しています.versinは6.8.13であり,ライセンスはBasicです.

[Translated] How can I prevent the user from going to the Account Settings page in the figure when logging in with an account named A that has [kibana_dashboard_only_user]? Finally, I want to prevent the password from being changed. Also, NGINX is used as a reverse proxy. version is 6.8.13 and the license is Basic.

The short answer is no. I tried a few hacks to see if I could do what you are asking for but in the end, I found no solution. This functionality is by design and admins are not meant to forbid access to a user changing their own password.

User password hashes are stored in the .security* indices which are used by the security module to provide security features for ES (see discussion). Non-super users are not granted access to restricted indices unless the allow_restricted_indices flag is set to true on the Indices Privileges which is inadvisable.

Restricted indices are a special category of indices that are used internally to store configuration data. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is most discouraged because it could effectively grant superuser privileges. If however, for administrative purposes, you need to create a role with privileges covering restricted indices, you must set this field to true (default is false ), and then the names field will cover the restricted indices as well.

There may be a way to achieve this through some custom application privilege or indices privilege assigned to a custom elasticsearch role but those rules require privileges that are all meant to allow access not deny. In this case, the user already does not have access to the restricted indices except for their own credentials.

Hope that helps.

返信していただきありがとうございます.素直に諦めます,ありがとうございました.

This page is only shown for users who login via the native realm.

If you create a file in another realm - such as the file realm, then they cannot change their password in Kibana.

2 Likes

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.