OpenSearch/x-pack/docs/en/security/ccs-clients-integrations/http.asciidoc

[[http-clients]]
=== HTTP/REST clients and security

The {es} {security-features} work with standard HTTP
https://en.wikipedia.org/wiki/Basic_access_authentication[basic authentication]
headers to authenticate users. Since Elasticsearch is stateless, this header must
be sent with every request:

[source,shell]
--------------------------------------------------
Authorization: Basic <TOKEN> <1>
--------------------------------------------------
<1> The `<TOKEN>` is computed as `base64(USERNAME:PASSWORD)`

Alternatively, you can use
<<token-authentication-services,token-based authentication services>>.

[discrete]
[[http-clients-examples]]
==== Client examples

This example uses `curl` without basic auth to create an index:

[source,shell]
-------------------------------------------------------------------------------
curl -XPUT 'localhost:9200/idx'
-------------------------------------------------------------------------------

[source,js]
-------------------------------------------------------------------------------
{
  "error":  "AuthenticationException[Missing authentication token]",
  "status": 401
}
-------------------------------------------------------------------------------

Since no user is associated with the request above, an authentication error is
returned. Now we'll use `curl` with basic auth to create an index as the
`rdeniro` user:

[source,shell]
---------------------------------------------------------
curl --user rdeniro:taxidriver -XPUT 'localhost:9200/idx'
---------------------------------------------------------

[source,js]
---------------------------------------------------------
{
  "acknowledged": true
}
---------------------------------------------------------

[discrete]
[[http-clients-secondary-authorization]]
==== Secondary authorization

Some APIs support secondary authorization headers for situations where you want
tasks to run with a different set of credentials. For example, you can send the
following header in addition to the basic authentication header:

[source,shell]
--------------------------------------------------
es-secondary-authorization: Basic <TOKEN> <1>
--------------------------------------------------
<1> The `<TOKEN>` is computed as `base64(USERNAME:PASSWORD)`

The `es-secondary-authorization` header has the same syntax as the
`Authorization` header. It therefore also supports the use of
<<token-authentication-services,token-based authentication services>>. For
example:

[source,shell]
--------------------------------------------------
es-secondary-authorization: ApiKey <TOKEN> <1>
--------------------------------------------------
<1> The `<TOKEN>` is computed as `base64(API key ID:API key)`


[discrete]
[[http-clients-libraries]]
==== Client libraries over HTTP

For more information about using {security-features} with the language
specific clients, refer to:

* {java-rest}/_basic_authentication.html[Java]
* {jsclient-current}/auth-reference.html[JavaScript]
* https://www.elastic.co/guide/en/elasticsearch/client/net-api/master/configuration-options.html[.NET]
* https://metacpan.org/pod/Search::Elasticsearch::Cxn::HTTPTiny#CONFIGURATION[Perl]
* https://www.elastic.co/guide/en/elasticsearch/client/php-api/master/security.html[PHP]
* https://elasticsearch-py.readthedocs.io/en/master/#ssl-and-authentication[Python]
* https://github.com/elasticsearch/elasticsearch-ruby/tree/master/elasticsearch-transport#authentication[Ruby]
[DOCS] Migrated security topics from x-pack repo to x-pack-elasticsearch. Original commit: elastic/x-pack-elasticsearch@e54aa1fd0a2f0e60013d7e427329e4408fa578fe 2017-04-06 21:29:29 -04:00			`[[http-clients]]`
[DOCS] Update X-Pack terminology in security docs (#36564) 2018-12-19 17:53:37 -05:00			`=== HTTP/REST clients and security`
[DOCS] Migrated security topics from x-pack repo to x-pack-elasticsearch. Original commit: elastic/x-pack-elasticsearch@e54aa1fd0a2f0e60013d7e427329e4408fa578fe 2017-04-06 21:29:29 -04:00
[DOCS] Change http://elastic.co -> https (#48479) (#51812) Co-authored-by: Jonathan Budzenski <jon@budzenski.me> 2020-02-03 09:50:11 -05:00			`The {es} {security-features} work with standard HTTP`
[DOCS] Add Java to list of HTTP client libraries for basic authentication (#48647) 2019-11-05 17:07:39 -05:00			`https://en.wikipedia.org/wiki/Basic_access_authentication[basic authentication]`
[DOCS] Migrated security topics from x-pack repo to x-pack-elasticsearch. Original commit: elastic/x-pack-elasticsearch@e54aa1fd0a2f0e60013d7e427329e4408fa578fe 2017-04-06 21:29:29 -04:00			`headers to authenticate users. Since Elasticsearch is stateless, this header must`
			`be sent with every request:`

			`[source,shell]`
			`--------------------------------------------------`
			`Authorization: Basic <TOKEN> <1>`
			`--------------------------------------------------`
			<1> The `<TOKEN>` is computed as `base64(USERNAME:PASSWORD)`

[DOCS] Adds documentation for secondary authorization headers (#55365) (#55986) 2020-04-29 19:29:38 -04:00			`Alternatively, you can use`
			`<<token-authentication-services,token-based authentication services>>.`

			`[discrete]`
			`[[http-clients-examples]]`
[DOCS] Migrated security topics from x-pack repo to x-pack-elasticsearch. Original commit: elastic/x-pack-elasticsearch@e54aa1fd0a2f0e60013d7e427329e4408fa578fe 2017-04-06 21:29:29 -04:00			`==== Client examples`

			This example uses `curl` without basic auth to create an index:

			`[source,shell]`
			`-------------------------------------------------------------------------------`
			`curl -XPUT 'localhost:9200/idx'`
			`-------------------------------------------------------------------------------`

			`[source,js]`
			`-------------------------------------------------------------------------------`
			`{`
			`"error": "AuthenticationException[Missing authentication token]",`
			`"status": 401`
			`}`
			`-------------------------------------------------------------------------------`

			`Since no user is associated with the request above, an authentication error is`
			returned. Now we'll use `curl` with basic auth to create an index as the
			`rdeniro` user:

			`[source,shell]`
			`---------------------------------------------------------`
			`curl --user rdeniro:taxidriver -XPUT 'localhost:9200/idx'`
			`---------------------------------------------------------`

			`[source,js]`
			`---------------------------------------------------------`
			`{`
			`"acknowledged": true`
			`}`
			`---------------------------------------------------------`

[DOCS] Adds documentation for secondary authorization headers (#55365) (#55986) 2020-04-29 19:29:38 -04:00			`[discrete]`
			`[[http-clients-secondary-authorization]]`
			`==== Secondary authorization`

			`Some APIs support secondary authorization headers for situations where you want`
			`tasks to run with a different set of credentials. For example, you can send the`
			`following header in addition to the basic authentication header:`

			`[source,shell]`
			`--------------------------------------------------`
			`es-secondary-authorization: Basic <TOKEN> <1>`
			`--------------------------------------------------`
			<1> The `<TOKEN>` is computed as `base64(USERNAME:PASSWORD)`

			The `es-secondary-authorization` header has the same syntax as the
			`Authorization` header. It therefore also supports the use of
			`<<token-authentication-services,token-based authentication services>>. For`
			`example:`

			`[source,shell]`
			`--------------------------------------------------`
			`es-secondary-authorization: ApiKey <TOKEN> <1>`
			`--------------------------------------------------`
			<1> The `<TOKEN>` is computed as `base64(API key ID:API key)`


			`[discrete]`
			`[[http-clients-libraries]]`
[DOCS] Add Java to list of HTTP client libraries for basic authentication (#48647) 2019-11-05 17:07:39 -05:00			`==== Client libraries over HTTP`
[DOCS] Migrated security topics from x-pack repo to x-pack-elasticsearch. Original commit: elastic/x-pack-elasticsearch@e54aa1fd0a2f0e60013d7e427329e4408fa578fe 2017-04-06 21:29:29 -04:00
[DOCS] Change http://elastic.co -> https (#48479) (#51812) Co-authored-by: Jonathan Budzenski <jon@budzenski.me> 2020-02-03 09:50:11 -05:00			`For more information about using {security-features} with the language`
[DOCS] Add Java to list of HTTP client libraries for basic authentication (#48647) 2019-11-05 17:07:39 -05:00			`specific clients, refer to:`

			`* {java-rest}/_basic_authentication.html[Java]`
			`* {jsclient-current}/auth-reference.html[JavaScript]`
			`* https://www.elastic.co/guide/en/elasticsearch/client/net-api/master/configuration-options.html[.NET]`
			`* https://metacpan.org/pod/Search::Elasticsearch::Cxn::HTTPTiny#CONFIGURATION[Perl]`
[DOCS] Change http://elastic.co -> https (#48479) (#51812) Co-authored-by: Jonathan Budzenski <jon@budzenski.me> 2020-02-03 09:50:11 -05:00			`* https://www.elastic.co/guide/en/elasticsearch/client/php-api/master/security.html[PHP]`
[DOCS] Add Java to list of HTTP client libraries for basic authentication (#48647) 2019-11-05 17:07:39 -05:00			`* https://elasticsearch-py.readthedocs.io/en/master/#ssl-and-authentication[Python]`
[DOCS] Change http://elastic.co -> https (#48479) (#51812) Co-authored-by: Jonathan Budzenski <jon@budzenski.me> 2020-02-03 09:50:11 -05:00			`* https://github.com/elasticsearch/elasticsearch-ruby/tree/master/elasticsearch-transport#authentication[Ruby]`