OpenSearch/docs/java-rest/high-level/security/has-privileges.asciidoc


--
:api: has-privileges
:request: HasPrivilegesRequest
:response: HasPrivilegesResponse
--
[role="xpack"]
[id="{upid}-{api}"]
=== Has Privileges API
[id="{upid}-{api}-request"]
==== Has Privileges Request
The +{request}+ supports checking for any or all of the following privilege types:
* Cluster Privileges
* Index Privileges
* Application Privileges
Privilege types that you do not wish to check may be passed in as +null+, but at least
one privilege must be specified.
["source","java",subs="attributes,callouts,macros"]
--------------------------------------------------
include-tagged::{doc-tests-file}[{api}-request]
--------------------------------------------------
include::../execution.asciidoc[]
[id="{upid}-{api}-response"]
==== Has Privileges Response
The returned +{response}+ contains the following properties:
`username`::
The username (userid) of the current user (for whom the "has privileges"
check was executed).
`hasAllRequested`::
`true` if the user has all of the privileges that were specified in the
+{request}+. Otherwise `false`.
`clusterPrivileges`::
A `Map<String,Boolean>` where each key is the name of one of the cluster
privileges specified in the request, and the value is `true` if the user
has that privilege, and `false` otherwise.
+
The method `hasClusterPrivilege` can be used to retrieve this information
in a more fluent manner. This method throws an `IllegalArgumentException`
if the privilege was not included in the response (which will be the case
if the privilege was not part of the request).
`indexPrivileges`::
A `Map<String, Map<String, Boolean>>` where each key is the name of an
index (as specified in the +{request}+) and the value is a `Map` from
privilege name to a `Boolean`. The `Boolean` value is `true` if the user
has that privilege on that index, and `false` otherwise.
+
The method `hasIndexPrivilege` can be used to retrieve this information
in a more fluent manner. This method throws an `IllegalArgumentException`
if the privilege was not included in the response (which will be the case
if the privilege was not part of the request).
`applicationPrivileges`::
A `Map<String, Map<String, Map<String, Boolean>>>` where each key is the
name of an application (as specified in the +{request}+).
For each application, the value is a `Map` keyed by resource name, with
each value being another `Map` from privilege name to a `Boolean`.
The `Boolean` value is `true` if the user has that privilege on that
resource for that application, and `false` otherwise.
+
The method `hasApplicationPrivilege` can be used to retrieve this
information in a more fluent manner. This method throws an
`IllegalArgumentException` if the privilege was not included in the
response (which will be the case if the privilege was not part of the
request).
["source","java",subs="attributes,callouts,macros"]
--------------------------------------------------
include-tagged::{doc-tests-file}[{api}-response]
--------------------------------------------------
<1> `hasMonitor` will be `true` if the user has the `"monitor"`
cluster privilege.
<2> `hasWrite` will be `true` if the user has the `"write"`
privilege on the `"logstash-2018-10-05"` index.
<3> `hasRead` will be `true` if the user has the `"read"`
privilege on all possible indices that would match
the `"logstash-2018-*"` pattern.
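
The following added example (not part of the original documentation or of the client library) shows a deny-by-default check over a map shaped like `indexPrivileges`: a privilege that was not part of the request is absent from the map and is reported as missing, even though `hasAllRequested` only covers what was requested. The class `PrivilegeGate`, its method, and the sample data are hypothetical and constructed for illustration.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Hypothetical helper (assumption): not a class from the client library.
public class PrivilegeGate {

    /** Returns every required "index:privilege" pair that is denied or was never checked. */
    static List<String> missingIndexPrivileges(
            Map<String, Map<String, Boolean>> indexPrivileges,
            Map<String, List<String>> required) {
        List<String> missing = new ArrayList<>();
        for (Map.Entry<String, List<String>> entry : required.entrySet()) {
            Map<String, Boolean> checked =
                    indexPrivileges.getOrDefault(entry.getKey(), Collections.emptyMap());
            for (String privilege : entry.getValue()) {
                // An absent key means the privilege was not in the request.
                // Fail closed: only an explicit TRUE counts as granted.
                if (!Boolean.TRUE.equals(checked.get(privilege))) {
                    missing.add(entry.getKey() + ":" + privilege);
                }
            }
        }
        return missing;
    }

    public static void main(String[] args) {
        // Constructed sample shaped like the indexPrivileges property of the response.
        Map<String, Map<String, Boolean>> indexPrivileges = new HashMap<>();
        indexPrivileges.put("logstash-2018-10-05", Map.of("write", true));
        indexPrivileges.put("logstash-2018-*", Map.of("read", false));

        // What the calling code needs before it proceeds (sample values).
        Map<String, List<String>> required = new LinkedHashMap<>();
        required.put("logstash-2018-10-05", List.of("write", "delete")); // "delete" was never requested
        required.put("logstash-2018-*", List.of("read"));

        List<String> missing = missingIndexPrivileges(indexPrivileges, required);
        if (!missing.isEmpty()) {
            System.out.println("Access denied, missing or unchecked: " + missing);
        }
    }
}
```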