Bug in account change_password API resulting in Roles and Attributes being lost

Hello,

In trying to create a project that allows internal users to change their passwords, this has identified a bug in the following Security REST API:

This behaviour has been observed and identified in opendistro 1.4.0-1

Here’s a summary of the identified bug and recreation steps:

  1. create a user using the Security REST API as an admin user:
PUT _opendistro/_security/api/internalusers/qwertyuiop
{
  "password": "qwertyuiop",
  "backend_roles": ["test_roles"],
  "attributes": {
    "email": "test@test.test",
    "name": "test"
  }
}

Source: https://opendistro.github.io/for-elasticsearch-docs/docs/security-access-control/api/#create-user

  1. check user account via details Security REST API as an admin user:
GET _opendistro/_security/api/internalusers/qwertyuiop

{
  "qwertyuiop": {
    "hash": "",
    "reserved": false,
    "hidden": false,
    "backend_roles": [
      "test"
    ],
    "attributes": {
    "email": "test@test.test",
    "name": "test"
    },
    "opendistro_security_roles": [],
    "static": false
  }
}

Source: https://opendistro.github.io/for-elasticsearch-docs/docs/security-access-control/api/#get-user

  1. check user account details as the end user:
GET _opendistro/_security/api/account
{
  "user_name": "qwertyuiop",
  "is_reserved": false,
  "is_hidden": false,
  "is_internal_user": true,
  "user_requested_tenant": null,
  "backend_roles": [
    "test"
  ],
  "custom_attribute_names": [
    "attr.internal.email",
    "attr.internal.name",
  ],
  "tenants": {
    "aaaaaa-bbbb-cccc-dddd-12354647abc": true
  },
  "roles": [
    "test",
    "own_index"
  ]
}

Source: https://opendistro.github.io/for-elasticsearch-docs/docs/security-access-control/api/#get-account-details

  1. change user password details as the end user:
PUT _opendistro/_security/api/account
{
    "current_password" : "qwertyuiop",
    "password" : "asdfghjkl"
}

Source: https://opendistro.github.io/for-elasticsearch-docs/docs/security-access-control/api/#change-password

  1. check user account details as the end user:
GET _opendistro/_security/api/account
{
  "user_name": "qwertyuiop",
  "is_reserved": false,
  "is_hidden": false,
  "is_internal_user": true,
  "user_requested_tenant": null,
  "backend_roles": [],
  "custom_attribute_names": [],
  "tenants": {
    "aaaaaa-bbbb-cccc-dddd-12354647abc": true
  },
  "roles": []
}

Source: https://opendistro.github.io/for-elasticsearch-docs/docs/security-access-control/api/#get-account-details

  1. check user account via details Security REST API as an admin user:
GET _opendistro/_security/api/internalusers/qwertyuiop

{
  "qwertyuiop": {
    "hash": "",
    "reserved": false,
    "hidden": false,
    "backend_roles": [],
    "attributes": {},
    "opendistro_security_roles": [],
    "static": false
  }
}

Source: https://opendistro.github.io/for-elasticsearch-docs/docs/security-access-control/api/#get-user

As is confirmed from steps 5&6, in changing the end user’s password (step 4), the user has lost all of its Roles and Custom Attributes.

Is there a method for end users to change their passwords without losing their attributes and roles?

Many thanks,
Major