2017-06-28 14:02:40 -04:00
|
|
|
[role="xpack"]
|
2018-08-23 21:04:02 -04:00
|
|
|
[[security-api-has-privileges]]
|
2018-12-20 13:23:28 -05:00
|
|
|
=== Has privileges API
|
|
|
|
|
++++
|
|
|
|
|
<titleabbrev>Has privileges</titleabbrev>
|
|
|
|
|
++++
|
2017-05-12 02:51:47 -04:00
|
|
|
[[security-api-has-privilege]]
|
|
|
|
|
|
|
|
|
|
The `has_privileges` API allows you to determine whether the logged in user has
|
|
|
|
|
a specified list of privileges.
|
|
|
|
|
|
2017-09-22 12:46:09 -04:00
|
|
|
==== Request
|
|
|
|
|
|
2018-12-11 04:13:10 -05:00
|
|
|
`GET /_security/user/_has_privileges`
|
2017-09-22 12:46:09 -04:00
|
|
|
|
|
|
|
|
|
|
|
|
|
==== Description
|
|
|
|
|
|
|
|
|
|
For a list of the privileges that you can specify in this API,
|
2018-08-23 21:04:02 -04:00
|
|
|
see {stack-ov}/security-privileges.html[Security privileges].
|
2017-09-22 12:46:09 -04:00
|
|
|
|
|
|
|
|
A successful call returns a JSON structure that shows whether each specified
|
|
|
|
|
privilege is assigned to the user.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
==== Request Body
|
|
|
|
|
|
|
|
|
|
`cluster`:: (list) A list of the cluster privileges that you want to check.
|
|
|
|
|
|
|
|
|
|
`index`::
|
|
|
|
|
`names`::: (list) A list of indices.
|
Permission for restricted indices (#37577)
This grants the capability to grant privileges over certain restricted
indices (.security and .security-6 at the moment).
It also removes the special status of the superuser role.
IndicesPermission.Group is extended by adding the `allow_restricted_indices`
boolean flag. By default the flag is false. When it is toggled, you acknowledge
that the indices under the scope of the permission group can cover the
restricted indices as well. Otherwise, by default, restricted indices are ignored
when granting privileges, thus rendering them hidden for authorization purposes.
This effectively adds a confirmation "check-box" for roles that might grant
privileges to restricted indices.
The "special status" of the superuser role has been removed and coded as
any other role:
```
new RoleDescriptor("superuser",
new String[] { "all" },
new RoleDescriptor.IndicesPrivileges[] {
RoleDescriptor.IndicesPrivileges.builder()
.indices("*")
.privileges("all")
.allowRestrictedIndices(true)
// this ----^
.build() },
new RoleDescriptor.ApplicationResourcePrivileges[] {
RoleDescriptor.ApplicationResourcePrivileges.builder()
.application("*")
.privileges("*")
.resources("*")
.build()
},
null, new String[] { "*" },
MetadataUtils.DEFAULT_RESERVED_METADATA,
Collections.emptyMap());
```
In the context of the Backup .security work, this allows the creation of a
"curator role" that would permit listing (get settings) for all indices
(including the restricted ones). That way the curator role would be able to
ist and snapshot all indices, but not read or restore any of them.
Supersedes #36765
Relates #34454
2019-01-20 16:19:40 -05:00
|
|
|
`allow_restricted_indices`::: (boolean) If `names` contains internal restricted
|
|
|
|
|
that also have to be covered by the has-privilege check, then this has to be
|
|
|
|
|
set to `true`. By default this is `false` because restricted indices should
|
|
|
|
|
generaly not be "visible" to APIs. For most use cases it is safe to ignore
|
|
|
|
|
this parameter.
|
2017-09-22 12:46:09 -04:00
|
|
|
`privileges`::: (list) A list of the privileges that you want to check for the
|
|
|
|
|
specified indices.
|
|
|
|
|
|
2018-08-23 21:04:02 -04:00
|
|
|
`application`::
|
|
|
|
|
`application`::: (string) The name of the application.
|
|
|
|
|
`privileges`::: (list) A list of the privileges that you want to check for the
|
|
|
|
|
specified resources. May be either application privilege names, or the names of
|
|
|
|
|
actions that are granted by those privileges
|
|
|
|
|
`resources`::: (list) A list of resource names against which the privileges
|
|
|
|
|
should be checked
|
|
|
|
|
|
2017-09-22 12:46:09 -04:00
|
|
|
==== Authorization
|
|
|
|
|
|
2017-06-28 14:02:40 -04:00
|
|
|
All users can use this API, but only to determine their own privileges.
|
|
|
|
|
To check the privileges of other users, you must use the run as feature. For
|
2017-09-22 12:46:09 -04:00
|
|
|
more information, see
|
2017-06-28 14:02:40 -04:00
|
|
|
{xpack-ref}/run-as-privilege.html[Submitting Requests on Behalf of Other Users].
|
2017-05-12 02:51:47 -04:00
|
|
|
|
2017-09-22 12:46:09 -04:00
|
|
|
|
|
|
|
|
==== Examples
|
|
|
|
|
|
|
|
|
|
The following example checks whether the current user has a specific set of
|
2018-08-23 21:04:02 -04:00
|
|
|
cluster, index, and application privileges:
|
2017-05-12 02:51:47 -04:00
|
|
|
|
|
|
|
|
[source,js]
|
|
|
|
|
--------------------------------------------------
|
2018-12-11 04:13:10 -05:00
|
|
|
GET /_security/user/_has_privileges
|
2017-05-12 02:51:47 -04:00
|
|
|
{
|
|
|
|
|
"cluster": [ "monitor", "manage" ],
|
|
|
|
|
"index" : [
|
|
|
|
|
{
|
|
|
|
|
"names": [ "suppliers", "products" ],
|
|
|
|
|
"privileges": [ "read" ]
|
2017-06-28 14:02:40 -04:00
|
|
|
},
|
2017-05-12 02:51:47 -04:00
|
|
|
{
|
|
|
|
|
"names": [ "inventory" ],
|
|
|
|
|
"privileges" : [ "read", "write" ]
|
|
|
|
|
}
|
2018-08-23 21:04:02 -04:00
|
|
|
],
|
|
|
|
|
"application": [
|
|
|
|
|
{
|
|
|
|
|
"application": "inventory_manager",
|
|
|
|
|
"privileges" : [ "read", "data:write/inventory" ],
|
|
|
|
|
"resources" : [ "product/1852563" ]
|
|
|
|
|
}
|
2017-05-12 02:51:47 -04:00
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
--------------------------------------------------
|
|
|
|
|
// CONSOLE
|
|
|
|
|
|
2017-09-22 12:46:09 -04:00
|
|
|
The following example output indicates which privileges the "rdeniro" user has:
|
2017-05-12 02:51:47 -04:00
|
|
|
|
|
|
|
|
[source,js]
|
|
|
|
|
--------------------------------------------------
|
|
|
|
|
{
|
|
|
|
|
"username": "rdeniro",
|
|
|
|
|
"has_all_requested" : false,
|
|
|
|
|
"cluster" : {
|
|
|
|
|
"monitor" : true,
|
|
|
|
|
"manage" : false
|
|
|
|
|
},
|
|
|
|
|
"index" : {
|
|
|
|
|
"suppliers" : {
|
|
|
|
|
"read" : true
|
|
|
|
|
},
|
|
|
|
|
"products" : {
|
|
|
|
|
"read" : true
|
|
|
|
|
},
|
|
|
|
|
"inventory" : {
|
|
|
|
|
"read" : true,
|
|
|
|
|
"write" : false
|
|
|
|
|
}
|
2018-07-24 12:34:46 -04:00
|
|
|
},
|
2018-08-23 21:04:02 -04:00
|
|
|
"application" : {
|
|
|
|
|
"inventory_manager" : {
|
|
|
|
|
"product/1852563" : {
|
|
|
|
|
"read": false,
|
|
|
|
|
"data:write/inventory": false
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2017-05-12 02:51:47 -04:00
|
|
|
}
|
|
|
|
|
--------------------------------------------------
|
|
|
|
|
// TESTRESPONSE[s/"rdeniro"/"$body.username"/]
|
|
|
|
|
// TESTRESPONSE[s/: false/: true/]
|
