Users with only manage_token privilege cannot invalidate tokens by username or realmname #47151
Steps:
- manage_token cluster privilege.
- POST _security/oauth2/token and grant_type as password
- DELETE _security/oauth2/token with the username/realm_name parameter.

The request to invalidate tokens fails since the search action is not executed in the context of XPackSecurityUser. We need to execute the search action with SECURITY_ORIGIN.
https://discuss.elastic.co/t/what-privileges-are-required-to-invalidate-tokens-by-username/201043