Users with only manage_token privilege cannot invalidate tokens by username or realmname #47151

@bizybot

Description

Steps:

  • Create a user with the manage_token cluster privilege.
  • Use the user to generate tokens using the API POST _security/oauth2/token with grant_type as password.
  • Use the user to invalidate the tokens for a user using DELETE _security/oauth2/token with the username/realm_name parameter.

The request to invalidate tokens fails since the search action is not executed in the context of XPackSecurityUser. We need to execute the search action with SECURITY_ORIGIN.

https://discuss.elastic.co/t/what-privileges-are-required-to-invalidate-tokens-by-username/201043
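A script that walks through the three reproduction steps above, added here as an example and not part of the issue or the Elasticsearch project. ES_URL, the admin credential in ES_ADMIN, the test user/password and the realm name default_native are assumptions (override them in the environment); the script only contacts a cluster when REPRO_RUN=1 is set.

```shell
#!/bin/sh
# Added reproduction script for this issue (not from the issue or Elasticsearch).
# ES_URL, ES_ADMIN, the test user and REALM_NAME are assumptions; override as needed.
set -eu
ES_URL="${ES_URL:-http://localhost:9200}"
ES_ADMIN="${ES_ADMIN:-elastic:changeme}"        # placeholder admin user:password
TOKEN_USER="${TOKEN_USER:-token_only_user}"     # constructed test user
TOKEN_PASS="${TOKEN_PASS:-token_only_pw}"       # constructed test password
REALM_NAME="${REALM_NAME:-default_native}"      # assumed name of the native realm

# Role definition carrying only the manage_token cluster privilege (step 1).
role_body() {
  printf '{"cluster":["manage_token"],"indices":[]}'
}
# Body for POST _security/oauth2/token with grant_type=password (step 2).
token_request_body() {
  printf '{"grant_type":"password","username":"%s","password":"%s"}' "$1" "$2"
}
# Body for DELETE _security/oauth2/token selecting tokens by user and realm (step 3).
invalidate_by_user_body() {
  printf '{"username":"%s","realm_name":"%s"}' "$1" "$2"
}
# es CREDS METHOD PATH [BODY]: one JSON request; prints the response, then the HTTP code.
es() {
  if [ "$#" -ge 4 ]; then
    curl -s -u "$1" -H 'Content-Type: application/json' -X "$2" "$ES_URL/$3" -d "$4" -w '\n%{http_code}\n'
  else
    curl -s -u "$1" -H 'Content-Type: application/json' -X "$2" "$ES_URL/$3" -w '\n%{http_code}\n'
  fi
}
reproduce() {
  # Step 1: the admin creates the role and a user holding nothing but that role.
  es "$ES_ADMIN" PUT _security/role/manage_token_only "$(role_body)"
  es "$ES_ADMIN" POST "_security/user/$TOKEN_USER" \
    "{\"password\":\"$TOKEN_PASS\",\"roles\":[\"manage_token_only\"]}"
  # Step 2: the restricted user obtains a token for itself.
  es "$TOKEN_USER:$TOKEN_PASS" POST _security/oauth2/token \
    "$(token_request_body "$TOKEN_USER" "$TOKEN_PASS")"
  # Step 3: the same user invalidates by username/realm. With the bug this request
  # fails; once the internal search runs with the security origin it should return 200.
  es "$TOKEN_USER:$TOKEN_PASS" DELETE _security/oauth2/token \
    "$(invalidate_by_user_body "$TOKEN_USER" "$REALM_NAME")"
}
# Only talk to a cluster when explicitly asked; the body helpers above are pure.
if [ "${REPRO_RUN:-0}" = 1 ]; then reproduce; fi
```

Run it as REPRO_RUN=1 ES_URL=... ES_ADMIN=... sh repro.sh and inspect the HTTP code printed after the final DELETE.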
