I am looking at the User Roles and wondered if someone has created a couple of admin roles like a global admin and admin role?
I would like to have a user role that can view and change the built-in users' passwords and perform and another role that allows new users to be created and passwords to be changed but has no visibility of built-in users. The idea behind this is to limit the number of people that can change passwords for the users Elasticsearch, Kibana and Logstash use to communicate with each other.
Right now there is only the manage_security privilege, which allows users to manage security operations, including changing passwords.
I think what you are after is more granular user editing privileges that can be restricted to a set of users or realms to achieve separation of duties between different admins. Sorry, as of the latest release this is a missing feature, and there is an existing issue that tracks this requirement: https://github.com/elastic/elasticsearch/issues/29932. It is unassigned, meaning no one is actively working on it, and we do not have any timelines as to when it will get resolved for now.