parent
dfd7f226f0
commit
9425de8dd1
|
@ -17,7 +17,7 @@ include::mapping-roles.asciidoc[]
|
|||
|
||||
include::field-and-document-access-control.asciidoc[]
|
||||
|
||||
include::run-as-privilege.asciidoc[]
|
||||
include::run-as-privilege.asciidoc[leveloffset=+2]
|
||||
|
||||
include::configuring-authorization-delegation.asciidoc[]
|
||||
|
||||
|
|
|
@ -1,19 +1,19 @@
|
|||
[role="xpack"]
|
||||
[[run-as-privilege]]
|
||||
=== Submitting requests on behalf of other users
|
||||
= Submitting requests on behalf of other users
|
||||
|
||||
The {es} {security-features} support a permission that enables an authenticated
|
||||
user to submit
|
||||
requests on behalf of other users. If your application already authenticates
|
||||
users, you can use the _run as_ mechanism to restrict data access according to
|
||||
{es} permissions without having to re-authenticate each user through.
|
||||
user to submit requests on behalf of other users. If your application already
|
||||
authenticates users, you can use the _run as_ mechanism to restrict data access
|
||||
according to {es} permissions without having to re-authenticate each user.
|
||||
|
||||
To "run as" (impersonate) another user, you must be able to retrieve the user from
|
||||
the realm you use to authenticate. Both the internal `native` and `file` realms
|
||||
To "run as" (impersonate) another user, that user must exist in a realm that
|
||||
supports the _run as_ mechanism. Both the internal `native` and `file` realms
|
||||
support this out of the box. The LDAP realm must be configured to run in
|
||||
<<ldap-realm-configuration,_user search_ mode>>. The Active Directory realm must be
|
||||
<<ref-ad-settings,configured with a `bind_dn` and `secure_bind_password`>> to support
|
||||
_run as_. The PKI, Kerberos, and SAML realms do not support _run as_.
|
||||
<<ldap-realm-configuration,_user search_ mode>>. The Active Directory realm must
|
||||
be <<ref-ad-settings,configured with a `bind_dn` and `secure_bind_password`>> to
|
||||
support _run as_. The Kerberos, OpenID Connect, PKI, and SAML realms do not
|
||||
support _run as_.
|
||||
|
||||
To submit requests on behalf of other users, you need to have the `run_as`
|
||||
permission. For example, the following role grants permission to submit request
|
||||
|
|
Loading…
Reference in New Issue