[DOCS] Clarify support for run as in OIDC realms (#60246) (#60485)

This commit is contained in:
Lisa Cawley 2020-07-30 13:39:41 -07:00 committed by GitHub
parent dfd7f226f0
commit 9425de8dd1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 11 additions and 11 deletions

View File

@ -17,7 +17,7 @@ include::mapping-roles.asciidoc[]
include::field-and-document-access-control.asciidoc[]
include::run-as-privilege.asciidoc[]
include::run-as-privilege.asciidoc[leveloffset=+2]
include::configuring-authorization-delegation.asciidoc[]

View File

@ -1,19 +1,19 @@
[role="xpack"]
[[run-as-privilege]]
=== Submitting requests on behalf of other users
= Submitting requests on behalf of other users
The {es} {security-features} support a permission that enables an authenticated
user to submit
requests on behalf of other users. If your application already authenticates
users, you can use the _run as_ mechanism to restrict data access according to
{es} permissions without having to re-authenticate each user through.
user to submit requests on behalf of other users. If your application already
authenticates users, you can use the _run as_ mechanism to restrict data access
according to {es} permissions without having to re-authenticate each user.
To "run as" (impersonate) another user, you must be able to retrieve the user from
the realm you use to authenticate. Both the internal `native` and `file` realms
To "run as" (impersonate) another user, that user must exist in a realm that
supports the _run as_ mechanism. Both the internal `native` and `file` realms
support this out of the box. The LDAP realm must be configured to run in
<<ldap-realm-configuration,_user search_ mode>>. The Active Directory realm must be
<<ref-ad-settings,configured with a `bind_dn` and `secure_bind_password`>> to support
_run as_. The PKI, Kerberos, and SAML realms do not support _run as_.
<<ldap-realm-configuration,_user search_ mode>>. The Active Directory realm must
be <<ref-ad-settings,configured with a `bind_dn` and `secure_bind_password`>> to
support _run as_. The Kerberos, OpenID Connect, PKI, and SAML realms do not
support _run as_.
To submit requests on behalf of other users, you need to have the `run_as`
permission. For example, the following role grants permission to submit request