API created User cannot change profile settings #186272

Closed
Alphayeeeet opened this issue Jun 17, 2024 · 9 comments
Labels
bug Fixes for quality problems that affect the customer experience Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!

Comments

@Alphayeeeet

Kibana version:
8.14.0

Elasticsearch version:
8.14.0

Server OS version:
RHEL 8

Browser version:
current Chrome/Edge

Browser OS version:
Windows 11

Original install method (e.g. download page, yum, from source, etc.):
download page RPM

Describe the bug:
Users who were created using the Elasticsearch create/update users API cannot change their profile settings. There should be a separate Kibana API to initialize those saved object data. Then when the users are created using the UI, they can change their profile settings.

Steps to reproduce:

  1. Create a User using Users API
  2. Try to change profile settings

Expected behavior:
Users created by the Users API should be able to change their profile settings.

Screenshots (if relevant):
Standard User:
image

API created user:
image

Any additional context:
Reference: #185949

@Alphayeeeet Alphayeeeet added the bug Fixes for quality problems that affect the customer experience label Jun 17, 2024
@botelastic botelastic bot added the needs-team Issues missing a team label label Jun 17, 2024
@Alphayeeeet
Author

Alphayeeeet commented Jun 17, 2024

Unfortunately there is no API in Kibana which can be used to create the users.

@dmlemeshko
Member

Hey @Alphayeeeet

The Security API allows you not only to create a user, but also to update it:

Assuming you created a user my_test_user

PUT /_security/user/my_test_user
{
  "roles" : [ "viewer" ],
  "full_name" : "Alphayeeeet",
  "email" : "[email protected]"
}

Docs link

But since the elastic user is a reserved one, you won't be able to change the full name / email. This is expected behaviour: for reserved users, only the password can be changed.

Let me know if you still have questions

@Alphayeeeet
Author

Yeah, I know. But when I create users with the API from Elasticsearch, they cannot change profile settings like dark mode, which are saved in Kibana saved objects, not user metadata.

Please try to reproduce first.

@jughosta jughosta added the Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! label Jun 17, 2024
@elasticmachine
Contributor

Pinging @elastic/kibana-security (Team:Security)

@botelastic botelastic bot removed the needs-team Issues missing a team label label Jun 17, 2024
@SiddharthMantri
Contributor

Hi @Alphayeeeet, can you please share the full request made to the ES API for creating users? We'd also like to know how the newly created users are then logging in.

@Alphayeeeet
Author

The users are logging in via Basic Auth over a reverse proxy. They use a Basic Authorization header for each request. I will provide the request ASAP, but it should be a regular POST to the ES users API with full name, username, email and password in the body.

@SiddharthMantri
Contributor

SiddharthMantri commented Jun 19, 2024

Hey @Alphayeeeet, thank you for the clarification.

Unfortunately, authenticating users over a proxy is a limitation we currently have. For such scenarios, we are unable to create sessions and hence activate profiles for these users. This in turn causes side effects like being unable to save profile changes.

There's a lot more context here, specifically under the header: Interactive users (authenticating via HTTP proxy).

We've got an issue to track this here: #158277

@Alphayeeeet
Author

@SiddharthMantri Thank you for the update. That's very unfortunate. I hope support for proxy is provided soon, as it is a limitation for our users.

The ES-API request would be like this:

POST /_security/user/jacknich
{
  "password" : "l0ng-r4nd0m-p@ssw0rd",
  "roles" : [ "admin", "other_role1" ],
  "full_name" : "Jack Nicholson",
  "email" : "[email protected]",
  "metadata" : {
    "script_managed": true
  }
}

@Alphayeeeet
Author

@SiddharthMantri You can close this ticket with reference to the other, as there is already #158277 to track this issue.
