OpenSearch/x-pack/docs/en/security/authorization/run-as-privilege.asciidoc

[role="xpack"]
[[run-as-privilege]]
=== Submitting requests on behalf of other users

The {es} {security-features} support a permission that enables an authenticated
user to submit
requests on behalf of other users. If your application already authenticates
users, you can use the _run as_ mechanism to restrict data access according to
{es} permissions without having to re-authenticate each user through.

To "run as" (impersonate) another user, you must be able to retrieve the user from
the realm you use to authenticate. Both the internal `native` and `file` realms
support this out of the box. The LDAP realm must be configured to run in
<<ldap-realm-configuration,_user search_ mode>>. The Active Directory realm must be
<<ref-ad-settings,configured with a `bind_dn` and `secure_bind_password`>> to support
_run as_. The PKI, Kerberos, and SAML realms do not support _run as_.

To submit requests on behalf of other users, you need to have the `run_as`
permission. For example, the following role grants permission to submit request
on behalf of `jacknich` or `redeniro`:

[source,js]
---------------------------------------------------
{
  "run_as" : [ "jacknich", "rdeniro" ]
}
---------------------------------------------------

To submit a request as another user, you specify the user in the
`es-security-runas-user` request header. For example:

[source,shell]
---------------------------------------------------
curl -H "es-security-runas-user: jacknich"  -u es_admin -XGET 'http://localhost:9200/'
---------------------------------------------------
[DOCS] Fixes title capitalization in security content 2018-05-14 18:35:02 -04:00			`[role="xpack"]`
[DOCS] Migrated security topics from x-pack repo to x-pack-elasticsearch. Original commit: elastic/x-pack-elasticsearch@e54aa1fd0a2f0e60013d7e427329e4408fa578fe 2017-04-06 21:29:29 -04:00			`[[run-as-privilege]]`
[DOCS] Fixes title capitalization in security content 2018-05-14 18:35:02 -04:00			`=== Submitting requests on behalf of other users`
[DOCS] Migrated security topics from x-pack repo to x-pack-elasticsearch. Original commit: elastic/x-pack-elasticsearch@e54aa1fd0a2f0e60013d7e427329e4408fa578fe 2017-04-06 21:29:29 -04:00
[DOCS] Update X-Pack terminology in security docs (#36564) 2018-12-19 17:53:37 -05:00			`The {es} {security-features} support a permission that enables an authenticated`
			`user to submit`
[DOCS] Migrated security topics from x-pack repo to x-pack-elasticsearch. Original commit: elastic/x-pack-elasticsearch@e54aa1fd0a2f0e60013d7e427329e4408fa578fe 2017-04-06 21:29:29 -04:00			`requests on behalf of other users. If your application already authenticates`
			`users, you can use the _run as_ mechanism to restrict data access according to`
[DOCS] Update X-Pack terminology in security docs (#36564) 2018-12-19 17:53:37 -05:00			`{es} permissions without having to re-authenticate each user through.`
[DOCS] Migrated security topics from x-pack repo to x-pack-elasticsearch. Original commit: elastic/x-pack-elasticsearch@e54aa1fd0a2f0e60013d7e427329e4408fa578fe 2017-04-06 21:29:29 -04:00
			`To "run as" (impersonate) another user, you must be able to retrieve the user from`
			the realm you use to authenticate. Both the internal `native` and `file` realms
Add active directory bind user and user lookup support (elastic/x-pack-elasticsearch#1956) This commit adds support for a bind user when using the active directory realm. The addition of a bind user also enables support for the user lookup mechanism, which is necessary to support the run as functionality that we provide. relates elastic/x-pack-elasticsearch#179 Original commit: elastic/x-pack-elasticsearch@40b07b3422b935d85c3e7bd35630ba9be2ca532a 2017-07-12 16:01:39 -04:00			`support this out of the box. The LDAP realm must be configured to run in`
[DOCS] Merges duplicate pages for LDAP realms (#49203) 2019-11-18 16:29:51 -05:00			`<<ldap-realm-configuration,_user search_ mode>>. The Active Directory realm must be`
[DOCS] Merges duplicate pages for Active Directory realms (#49205) 2019-11-19 16:05:11 -05:00			<<ref-ad-settings,configured with a `bind_dn` and `secure_bind_password`>> to support
Add support for "authorization_realms" (#33262) Authorization Realms allow an authenticating realm to delegate the task of constructing a User object (with name, roles, etc) to one or more other realms. E.g. A client could authenticate using PKI, but then delegate to an LDAP realm. The LDAP realm performs a "lookup" by principal, and then does regular role-mapping from the discovered user. This commit includes: - authorization_realm support in the pki, ldap, saml & kerberos realms - docs for authorization_realms - checks that there are no "authorization chains" (whereby "realm-a" delegates to "realm-b", but "realm-b" delegates to "realm-c") Authorization realms is a platinum feature. 2018-08-30 23:25:27 -04:00			`_run as_. The PKI, Kerberos, and SAML realms do not support _run as_.`
[DOCS] Migrated security topics from x-pack repo to x-pack-elasticsearch. Original commit: elastic/x-pack-elasticsearch@e54aa1fd0a2f0e60013d7e427329e4408fa578fe 2017-04-06 21:29:29 -04:00
			To submit requests on behalf of other users, you need to have the `run_as`
			`permission. For example, the following role grants permission to submit request`
			on behalf of `jacknich` or `redeniro`:

			`[source,js]`
			`---------------------------------------------------`
			`{`
			`"run_as" : [ "jacknich", "rdeniro" ]`
			`}`
			`---------------------------------------------------`

			`To submit a request as another user, you specify the user in the`
			`es-security-runas-user` request header. For example:

			`[source,shell]`
			`---------------------------------------------------`
			`curl -H "es-security-runas-user: jacknich" -u es_admin -XGET 'http://localhost:9200/'`
			`---------------------------------------------------`