Hello,
In trying to create a project that allows internal users to change their passwords, I have identified a bug in the following Security REST API:
https://opendistro.github.io/for-elasticsearch-docs/docs/security-access-control/api/#change-password
This behaviour has been observed and identified in opendistro 1.4.0-1.
Here's a summary of the identified bug and the steps to recreate it:
1. Create a user using the Security REST API as an admin user:
PUT _opendistro/_security/api/internalusers/qwertyuiop
{
  "password": "qwertyuiop",
  "backend_roles": ["test_roles"],
  "attributes": {
    "email": "test@test.test",
    "name": "test"
  }
}
Source: https://opendistro.github.io/for-elasticsearch-docs/docs/security-access-control/api/#create-user
2. Check the user account details via the Security REST API as an admin user:
GET _opendistro/_security/api/internalusers/qwertyuiop
{
  "qwertyuiop": {
    "hash": "",
    "reserved": false,
    "hidden": false,
    "backend_roles": [
      "test"
    ],
    "attributes": {
      "email": "test@test.test",
      "name": "test"
    },
    "opendistro_security_roles": [],
    "static": false
  }
}
Source: https://opendistro.github.io/for-elasticsearch-docs/docs/security-access-control/api/#get-user
3. Check the user account details as the end user:
GET _opendistro/_security/api/account
{
  "user_name": "qwertyuiop",
  "is_reserved": false,
  "is_hidden": false,
  "is_internal_user": true,
  "user_requested_tenant": null,
  "backend_roles": [
    "test"
  ],
  "custom_attribute_names": [
    "attr.internal.email",
    "attr.internal.name"
  ],
  "tenants": {
    "aaaaaa-bbbb-cccc-dddd-12354647abc": true
  },
  "roles": [
    "test",
    "own_index"
  ]
}
4. Change the user's password as the end user:
PUT _opendistro/_security/api/account
{
  "current_password": "qwertyuiop",
  "password": "asdfghjkl"
}
5. Check the user account details as the end user:
GET _opendistro/_security/api/account
{
  "user_name": "qwertyuiop",
  "is_reserved": false,
  "is_hidden": false,
  "is_internal_user": true,
  "user_requested_tenant": null,
  "backend_roles": [],
  "custom_attribute_names": [],
  "tenants": {
    "aaaaaa-bbbb-cccc-dddd-12354647abc": true
  },
  "roles": []
}
6. Check the user account details via the Security REST API as an admin user:
GET _opendistro/_security/api/internalusers/qwertyuiop
{
  "qwertyuiop": {
    "hash": "",
    "reserved": false,
    "hidden": false,
    "backend_roles": [],
    "attributes": {},
    "opendistro_security_roles": [],
    "static": false
  }
}
Source: https://opendistro.github.io/for-elasticsearch-docs/docs/security-access-control/api/#get-user
As is confirmed by steps 5 and 6, in changing the end user's password (step 4), the user has lost all of its roles and custom attributes.
Is there a method for end users to change their passwords without losing their attributes and roles?
Many thanks,
Major
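An added regression check (not from the original post or the Open Distro project) that turns the comparison in steps 2 and 6 into a test: it diffs the admin view of an internal user taken before and after the end user's PUT to `_opendistro/_security/api/account` and reports any roles or attributes that went missing. The two embedded records are the GET responses quoted above; the live helper's base URL, admin credentials and SSL context are assumptions.

```python
import base64
import json
import urllib.request

# Admin-side view of the user before (step 2) and after (step 6) the
# end user's PUT _opendistro/_security/api/account, copied from the post.
BEFORE = {
    "qwertyuiop": {
        "hash": "", "reserved": False, "hidden": False,
        "backend_roles": ["test"],
        "attributes": {"email": "test@test.test", "name": "test"},
        "opendistro_security_roles": [], "static": False,
    }
}
AFTER = {
    "qwertyuiop": {
        "hash": "", "reserved": False, "hidden": False,
        "backend_roles": [], "attributes": {},
        "opendistro_security_roles": [], "static": False,
    }
}

# Fields a self-service password change must leave untouched.
PRESERVED_FIELDS = ("backend_roles", "attributes", "opendistro_security_roles")


def lost_after_password_change(before: dict, after: dict) -> dict:
    """Return {field: entries present before but gone afterwards}; {} means no regression."""
    lost = {}
    for field in PRESERVED_FIELDS:
        old, new = before.get(field), after.get(field)
        if isinstance(old, dict):
            gone = {k: v for k, v in old.items() if (new or {}).get(k) != v}
        else:
            gone = [r for r in (old or []) if r not in (new or [])]
        if gone:
            lost[field] = gone
    return lost


def fetch_internal_user(base_url, username, admin_user, admin_password, context=None) -> dict:
    """Live helper (assumed cluster URL/credentials): GET the admin view of one internal user."""
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    req = urllib.request.Request(f"{base_url}/_opendistro/_security/api/internalusers/{username}",
                                 headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, context=context) as resp:
        return json.load(resp)[username]


if __name__ == "__main__":
    print(json.dumps(lost_after_password_change(BEFORE["qwertyuiop"], AFTER["qwertyuiop"]), indent=2))
```

Snapshot the user with fetch_internal_user before and after the password change and feed both records to lost_after_password_change; a non-empty result is the bug described above.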