How to give permissions to a user to manage users without the admin backend role?

I would like to define an internal database OpenSearch user who should be able to CRUD users without having the admin backend_role.
Mainly, I would like to have users capable to manage users, but not have access to the cluster configuration.

How should such a role be defined?
Every attempt I’ve made doesn’t allow a user to create users if the user doesn’t have the admin backend role.

@clenkiu
The way to achieve this would be to create a role, let’s say “testRole1”, and add the following lines to the elasticsearch.yml file:

opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access", "testRole1"]

opendistro_security.restapi.endpoints_disabled.testRole1.ACTIONGROUPS: ["PUT", "GET", "POST", "DELETE", "PATCH"]
opendistro_security.restapi.endpoints_disabled.testRole1.ROLES: ["PUT", "GET", "POST", "DELETE", "PATCH"]
opendistro_security.restapi.endpoints_disabled.testRole1.ROLESMAPPING: ["PUT", "GET", "POST", "DELETE", "PATCH"]
opendistro_security.restapi.endpoints_disabled.testRole1.TENANTS: ["PUT", "GET", "POST", "DELETE", "PATCH"]
opendistro_security.restapi.endpoints_disabled.testRole1.CONFIG: ["PUT", "GET", "POST", "DELETE", "PATCH"]
opendistro_security.restapi.endpoints_disabled.testRole1.CACHE: ["PUT", "GET", "POST", "DELETE", "PATCH"]
opendistro_security.restapi.endpoints_disabled.testRole1.LICENSE: ["PUT", "GET", "POST", "DELETE", "PATCH"]
opendistro_security.restapi.endpoints_disabled.testRole1.SYSTEMINFO: ["PUT", "GET", "POST", "DELETE", "PATCH"]

This will provide a limited admin role, with access only to internal users (“PUT”, “GET”, “POST”, “DELETE”, “PATCH”).

Hope this helps

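An added check, my own code rather than anything from this thread, that reads elasticsearch.yml lines of the form shown in the answer and reports which Security REST API endpoint groups a role can still reach; it assumes the endpoint set is the groups named in the answer plus INTERNALUSERS, and the sample config is constructed. Leaving any one endpoints_disabled line out keeps that endpoint fully open for the role (the sample drops ROLESMAPPING to show this), which for ROLESMAPPING would let a user manager change role assignments rather than only users, so running such a check before deploying is worthwhile.

```python
import json

# Endpoint groups from the answer above plus INTERNALUSERS, which the limited
# admin role is meant to keep. Assumption: this is the full set you care about;
# add any other endpoint groups your Security plugin version exposes.
ENDPOINTS = ("ACTIONGROUPS", "ROLES", "ROLESMAPPING", "INTERNALUSERS", "TENANTS",
             "CONFIG", "CACHE", "LICENSE", "SYSTEMINFO")
METHODS = ("GET", "PUT", "POST", "DELETE", "PATCH")
PREFIX = "opendistro_security.restapi."


def parse_settings(text):
    """Parse flat `key: ["A", "B"]` lines; the list syntax is valid JSON."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = json.loads(value)
    return settings


def residual_access(settings, role):
    """Return {endpoint: set(methods)} the role can still call on the REST API."""
    if role not in settings.get(PREFIX + "roles_enabled", []):
        return {}  # role is not allowed to use the Security REST API at all
    allowed = {}
    for ep in ENDPOINTS:
        disabled = set(settings.get(f"{PREFIX}endpoints_disabled.{role}.{ep}", []))
        left = set(METHODS) - disabled
        if left:
            allowed[ep] = left
    return allowed


def is_user_manager_only(settings, role):
    """True when the role's REST access is limited to INTERNALUSERS."""
    return set(residual_access(settings, role)) == {"INTERNALUSERS"}


# Constructed sample: the answer's configuration, all eight endpoint groups disabled.
COMPLETE = """
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access", "testRole1"]
opendistro_security.restapi.endpoints_disabled.testRole1.ACTIONGROUPS: ["PUT", "GET", "POST", "DELETE", "PATCH"]
opendistro_security.restapi.endpoints_disabled.testRole1.ROLES: ["PUT", "GET", "POST", "DELETE", "PATCH"]
opendistro_security.restapi.endpoints_disabled.testRole1.ROLESMAPPING: ["PUT", "GET", "POST", "DELETE", "PATCH"]
opendistro_security.restapi.endpoints_disabled.testRole1.TENANTS: ["PUT", "GET", "POST", "DELETE", "PATCH"]
opendistro_security.restapi.endpoints_disabled.testRole1.CONFIG: ["PUT", "GET", "POST", "DELETE", "PATCH"]
opendistro_security.restapi.endpoints_disabled.testRole1.CACHE: ["PUT", "GET", "POST", "DELETE", "PATCH"]
opendistro_security.restapi.endpoints_disabled.testRole1.LICENSE: ["PUT", "GET", "POST", "DELETE", "PATCH"]
opendistro_security.restapi.endpoints_disabled.testRole1.SYSTEMINFO: ["PUT", "GET", "POST", "DELETE", "PATCH"]
"""
# Same config with the ROLESMAPPING line accidentally left out.
INCOMPLETE = "\n".join(l for l in COMPLETE.splitlines() if ".ROLESMAPPING:" not in l)
```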