2018-05-14 18:35:02 -04:00
|
|
|
[role="xpack"]
|
2017-04-06 21:29:29 -04:00
|
|
|
[[run-as-privilege]]
|
2018-05-14 18:35:02 -04:00
|
|
|
=== Submitting requests on behalf of other users
|
2017-04-06 21:29:29 -04:00
|
|
|
|
|
|
|
{security} supports a permission that enables an authenticated user to submit
|
|
|
|
requests on behalf of other users. If your application already authenticates
|
|
|
|
users, you can use the _run as_ mechanism to restrict data access according to
|
|
|
|
{security} permissions without having to re-authenticate each user through.
|
|
|
|
|
|
|
|
To "run as" (impersonate) another user, you must be able to retrieve the user from
|
|
|
|
the realm you use to authenticate. Both the internal `native` and `file` realms
|
2017-07-12 16:01:39 -04:00
|
|
|
support this out of the box. The LDAP realm must be configured to run in
|
|
|
|
<<ldap-user-search, _user search_ mode>>. The Active Directory realm must be
|
2018-03-29 02:31:45 -04:00
|
|
|
<<ad-settings,configured with a `bind_dn` and `secure_bind_password`>> to support
|
|
|
|
_run as_. The PKI realm does not support _run as_.
|
2017-04-06 21:29:29 -04:00
|
|
|
|
|
|
|
To submit requests on behalf of other users, you need to have the `run_as`
|
|
|
|
permission. For example, the following role grants permission to submit request
|
|
|
|
on behalf of `jacknich` or `redeniro`:
|
|
|
|
|
|
|
|
[source,js]
|
|
|
|
---------------------------------------------------
|
|
|
|
{
|
|
|
|
"run_as" : [ "jacknich", "rdeniro" ]
|
|
|
|
}
|
|
|
|
---------------------------------------------------
|
|
|
|
|
|
|
|
To submit a request as another user, you specify the user in the
|
|
|
|
`es-security-runas-user` request header. For example:
|
|
|
|
|
|
|
|
[source,shell]
|
|
|
|
---------------------------------------------------
|
|
|
|
curl -H "es-security-runas-user: jacknich" -u es_admin -XGET 'http://localhost:9200/'
|
|
|
|
---------------------------------------------------
|