OpenDistro - Security - Roles or permissions for a user to create other users only

Hello,

I am trying to create a user, say usr-creator, who will have permissions to create other ‘Internal users’. I am able to create Roles, Action groups with permissions using root user.

I am working with AWS Elasticsearch service, so I can set up a Lambda to use Security API - Open Distro Documentation to get this done programmatically. But that’d be additional effort.

I do not want to give them root or admin access. So, is it possible for me to assign only user create permissions to the user - usr-creator to get this done from the UI?

Thanks for reading through.

Best,
Prashanth Sripathi

@psripathi
You can use the settings below in opensearch.yml to control the REST API access:

plugins.security.restapi.roles_enabled: ["usr-creator"]
plugins.security.restapi.endpoints_disabled.usr-creator.INTERNALUSERS: ["PATCH","POST", "DELETE"]

plugins.security.restapi.endpoints_disabled.usr-creator.ACTIONGROUPS: ["PUT", "GET", "POST", "DELETE", "PATCH"]
plugins.security.restapi.endpoints_disabled.usr-creator.ROLES: ["PUT", "GET","POST", "DELETE", "PATCH"]
plugins.security.restapi.endpoints_disabled.usr-creator.ROLESMAPPING: ["PUT","GET", "POST", "DELETE", "PATCH"]
plugins.security.restapi.endpoints_disabled.usr-creator.TENANTS: ["PUT","GET", "POST", "DELETE", "PATCH"]
plugins.security.restapi.endpoints_disabled.usr-creator.CONFIG: ["PUT","GET","POST", "DELETE", "PATCH"]
plugins.security.restapi.endpoints_disabled.usr-creator.CACHE: ["PUT", "GET","POST", "DELETE", "PATCH"]

Opendistro syntax is:

opendistro_security.restapi.endpoints_disabled...

I haven’t used this much, but from quick testing, it seems that the update and create APIs both use PUT. Meaning the user will be able to not only create users, but also update existing ones (change passwords, backend roles and attributes).

Not sure if this will suffice for your use-case.

You can also remove the GET, preventing the user from seeing created users and therefore preventing updating existing users through the UI, but this will not prevent them using curl with the PUT request to update those users.
Hopefully in the future these update APIs will use PATCH and therefore can be filtered using this method.
Hope this helps.
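An added example, not part of this thread or of the Security plugin itself, that audits the endpoints_disabled settings shown above: it parses the opensearch.yml lines, computes which methods each enabled role can still call on each endpoint, and flags the two caveats from the answer (PUT both creates and overwrites users; disabling GET only hides users in the UI). The sample config and the extra usr-auditor role are constructed for the example.

```python
import re
from typing import Dict, List, Set

# Constructed sample config for this example: the usr-creator lines from the
# answer above plus a hypothetical usr-auditor role that may only read users.
SAMPLE_YML = """
plugins.security.restapi.roles_enabled: ["usr-creator", "usr-auditor"]
plugins.security.restapi.endpoints_disabled.usr-creator.INTERNALUSERS: ["PATCH","POST", "DELETE"]
plugins.security.restapi.endpoints_disabled.usr-creator.ROLES: ["PUT", "GET","POST", "DELETE", "PATCH"]
plugins.security.restapi.endpoints_disabled.usr-auditor.INTERNALUSERS: ["PUT","POST", "DELETE", "PATCH"]
"""

ALL_METHODS = {"GET", "PUT", "POST", "DELETE", "PATCH"}
# Accept both the OpenSearch (plugins.security) and Open Distro (opendistro_security) prefixes.
PREFIX = r"^(?:plugins\.security|opendistro_security)\.restapi\."
ROLES_RE = re.compile(PREFIX + r"roles_enabled:\s*\[(.*)\]\s*$")
DISABLED_RE = re.compile(PREFIX + r"endpoints_disabled\.([^.\s]+)\.([A-Z]+):\s*\[(.*)\]\s*$")

def _items(csv: str) -> Set[str]:
    """Split a flow-style YAML list body like '"PUT", "GET"' into a set of names."""
    return {item.strip().strip('"\'') for item in csv.split(",") if item.strip()}

def parse_rest_api_config(text: str):
    """Return (roles_enabled, disabled[role][ENDPOINT] -> set of disabled methods)."""
    roles_enabled: Set[str] = set()
    disabled: Dict[str, Dict[str, Set[str]]] = {}
    for line in text.splitlines():
        if m := ROLES_RE.match(line.strip()):
            roles_enabled |= _items(m.group(1))
        elif m := DISABLED_RE.match(line.strip()):
            role, endpoint, methods = m.groups()
            disabled.setdefault(role, {})[endpoint] = _items(methods)
    return roles_enabled, disabled

def effective_methods(disabled, role: str, endpoint: str) -> Set[str]:
    """Methods a role can still call on an endpoint (everything not disabled)."""
    return ALL_METHODS - disabled.get(role, {}).get(endpoint, set())

def audit(text: str) -> List[str]:
    """Flag the caveats from the thread: PUT creates *and* updates users, and
    removing GET only hides users in the UI; it does not block PUT via curl."""
    roles_enabled, disabled = parse_rest_api_config(text)
    findings = []
    for role in sorted(roles_enabled):
        if role not in disabled:
            findings.append(f"{role}: no endpoints_disabled entries, full REST API access")
        users = effective_methods(disabled, role, "INTERNALUSERS")
        if "PUT" in users:
            findings.append(f"{role}: PUT on INTERNALUSERS can create and overwrite users")
            if "GET" not in users:
                findings.append(f"{role}: GET disabled hides users in UI only; PUT still works")
    return findings
```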