[[submitting-requests-for-other-users]]
=== Submitting Requests on Behalf of Other Users

Shield supports a permission that enables an authenticated user to submit requests on behalf
of other users. If your application already authenticates users, you can use this
_run as_ mechanism to restrict data access according to Shield permissions without having
to re-authenticate each user through Shield.

To run as another user, you must be able to retrieve the user from the realm you use
to authenticate. The `esusers` realm supports this out of the box. To use `run_as` with
an LDAP realm, it must be configured to enable user search. For more information,
see <<ldap-user-search, Configuring an LDAP Realm with User Search>>.

To submit requests on behalf of other users, you need to have the `run_as`
permission. For example, the following `run_as_role` grants permission to submit requests on
behalf of `jacknich` or `rdeniro`:

[source,yaml]
---------------------------------------------------
run_as_role:
  run_as: jacknich, rdeniro
---------------------------------------------------

For information about assigning roles, see <<mapping-roles, Mapping Users and Groups to Roles>>.

To submit a request as another user, you specify the user in the `es-shield-runas-user` request header. For example:

[source,console]
---------------------------------------------------
curl -H "es-shield-runas-user: jacknich" -u es_admin -XGET 'http://localhost:9200/'
---------------------------------------------------
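
The following Python example is added here and is not part of the Shield documentation or code. It shows how an application that has already authenticated a user can build the same run-as request as the `curl` call above while refusing unsafe usernames; the function name, the local allow-list, the username pattern and the `changeme` password are assumptions made for the example.

```python
import base64
import re
import urllib.request

RUN_AS_HEADER = "es-shield-runas-user"  # header name from the curl example above
# Local copy of the run_as list granted by run_as_role (keeping a copy is an assumption).
ALLOWED_RUN_AS = frozenset({"jacknich", "rdeniro"})
# Conservative username pattern chosen for this example, not a Shield rule.
_USERNAME = re.compile(r"[A-Za-z0-9_.@-]{1,64}")


def build_run_as_request(url, service_user, service_password, end_user):
    """Return a urllib Request that service_user submits on behalf of end_user.

    end_user must be the identity the application itself authenticated,
    never a value copied from a client-supplied parameter or header.
    """
    if not _USERNAME.fullmatch(end_user):
        # Rejects CR/LF and other characters that could add extra headers.
        raise ValueError("invalid run-as username")
    if end_user not in ALLOWED_RUN_AS:
        # Fail closed before the request leaves the application.
        raise PermissionError("service account may not run as %r" % end_user)
    token = base64.b64encode(
        ("%s:%s" % (service_user, service_password)).encode("utf-8")
    ).decode("ascii")
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", "Basic " + token)
    req.add_header(RUN_AS_HEADER, end_user)
    return req


if __name__ == "__main__":
    # Constructed sample values; the request is built but not sent.
    r = build_run_as_request("http://localhost:9200/", "es_admin", "changeme", "jacknich")
    print(r.get_method(), r.full_url, dict(r.header_items()))
```

The local allow-list only mirrors the role definition; the `run_as` entry in the role remains the permission that Shield itself grants.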