[Translated] How can I prevent the user from going to the Account Settings page in the figure when logging in with an account named A that has [kibana_dashboard_only_user]? Finally, I want to prevent the password from being changed. Also, NGINX is used as a reverse proxy. version is 6.8.13 and the license is Basic.
The short answer is no. I tried a few hacks to see if I could do what you are asking for but in the end, I found no solution. This functionality is by design and admins are not meant to forbid access to a user changing their own password.
User password hashes are stored in the
.security* indices which are used by the security module to provide security features for ES (see discussion). Non-super users are not granted access to restricted indices unless the
allow_restricted_indices flag is set to true on the Indices Privileges which is inadvisable.
Restricted indices are a special category of indices that are used internally to store configuration data. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is most discouraged because it could effectively grant superuser privileges. If however, for administrative purposes, you need to create a role with privileges covering restricted indices, you must set this field to
false), and then the
namesfield will cover the restricted indices as well.
There may be a way to achieve this through some custom application privilege or indices privilege assigned to a custom elasticsearch role but those rules require
privileges that are all meant to allow access not deny. In this case, the user already does not have access to the restricted indices except for their own credentials.
Hope that helps.