Put User doesn't always overwrite custom metadata #70295
Labels: >bug; :Security/Authentication (Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc)); Team:Security (Meta label for security team)
https://discuss.elastic.co/t/how-to-remove-custom-metadata-fields-from-users-and-roles/266646/2
By design, a PUT on a user does not overwrite their password unless the password (or hash) is in the request body.
That means that within the NativeUsersStore, the Put will actually perform an update on the underlying document.
Because `metadata` is stored as a nested object, the semantics of that update mean that metadata fields are not always removed from the document, even though they are supposed to be (and are for other object types like roles).

To be extra confusing, putting a user with `metadata: {}` will preserve all existing metadata, but not specifying `metadata` at all will remove all metadata (and `metadata: null` is not allowed by the REST parser).

We will need to think carefully about how to fix this without breaking existing workflows that rely on the bug.
Examples below:
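
Added illustration, not from the original issue and not Elasticsearch code: a small Python model of the partial-update behaviour described above, in which nested objects merge and any other value replaces what was stored. `merge_partial`, `put_user` and `stale_keys` are hypothetical names, the sample document is constructed, and the model assumes an omitted `metadata` field reaches the update as an explicit null.

```python
# Model of the update semantics described in the issue; not Elasticsearch code.
import copy


def merge_partial(stored, partial):
    """Partial-document update: nested objects merge recursively,
    any other value (including None) replaces what was stored."""
    out = copy.deepcopy(stored)
    for key, value in partial.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = merge_partial(out[key], value)
        else:
            out[key] = copy.deepcopy(value)
    return out


_OMITTED = object()  # sentinel: the request body had no metadata field


def put_user(stored, roles, metadata=_OMITTED):
    """Hypothetical stand-in for a PUT user request that carries no password.
    Assumption: an omitted metadata field is sent to the update as null."""
    partial = {"roles": roles,
               "metadata": None if metadata is _OMITTED else metadata}
    return merge_partial(stored, partial)


def stale_keys(requested, stored_after):
    """Metadata keys still stored although the request did not contain them."""
    return sorted(set(stored_after or {}) - set(requested or {}))


# Constructed sample user document.
EXISTING = {"password": "<hash>", "roles": ["reader"],
            "metadata": {"team": "blue", "clearance": 3}}


def demo():
    replaced = put_user(EXISTING, ["reader"], {"team": "red"})
    emptied = put_user(EXISTING, ["reader"], {})
    omitted = put_user(EXISTING, ["reader"])
    return replaced, emptied, omitted


if __name__ == "__main__":
    for doc in demo():
        print(doc["metadata"])
```

Comparing the requested metadata with what is read back after the PUT, as `stale_keys` does, is a simple way to audit for fields that were meant to be removed but are still stored.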