124 lines
3.3 KiB
Plaintext
124 lines
3.3 KiB
Plaintext
[role="xpack"]
|
|
[[security-api-has-privileges]]
|
|
=== Has privileges API
|
|
++++
|
|
<titleabbrev>Has privileges</titleabbrev>
|
|
++++
|
|
[[security-api-has-privilege]]
|
|
|
|
The `has_privileges` API allows you to determine whether the logged in user has
|
|
a specified list of privileges.
|
|
|
|
==== Request
|
|
|
|
`GET /_security/user/_has_privileges`
|
|
|
|
|
|
==== Description
|
|
|
|
For a list of the privileges that you can specify in this API,
|
|
see {stack-ov}/security-privileges.html[Security privileges].
|
|
|
|
A successful call returns a JSON structure that shows whether each specified
|
|
privilege is assigned to the user.
|
|
|
|
|
|
==== Request Body
|
|
|
|
`cluster`:: (list) A list of the cluster privileges that you want to check.
|
|
|
|
`index`::
|
|
`names`::: (list) A list of indices.
|
|
`allow_restricted_indices`::: (boolean) This needs to be set to `true` (default
|
|
is `false`) if using wildcards or regexps for patterns that cover restricted
|
|
indices. Implicitly, restricted indices do not match index patterns because
|
|
restricted indices usually have limited privileges and including them in
|
|
pattern tests would render most such tests `false`. If restricted indices are
|
|
explicitly included in the `names` list, privileges will be checked against
|
|
them regardless of the value of `allow_restricted_indices`.
|
|
`privileges`::: (list) A list of the privileges that you want to check for the
|
|
specified indices.
|
|
|
|
`application`::
|
|
`application`::: (string) The name of the application.
|
|
`privileges`::: (list) A list of the privileges that you want to check for the
|
|
specified resources. May be either application privilege names, or the names of
|
|
actions that are granted by those privileges
|
|
`resources`::: (list) A list of resource names against which the privileges
|
|
should be checked
|
|
|
|
==== Authorization
|
|
|
|
All users can use this API, but only to determine their own privileges.
|
|
To check the privileges of other users, you must use the run as feature. For
|
|
more information, see
|
|
{xpack-ref}/run-as-privilege.html[Submitting Requests on Behalf of Other Users].
|
|
|
|
|
|
==== Examples
|
|
|
|
The following example checks whether the current user has a specific set of
|
|
cluster, index, and application privileges:
|
|
|
|
[source,js]
|
|
--------------------------------------------------
|
|
GET /_security/user/_has_privileges
|
|
{
|
|
"cluster": [ "monitor", "manage" ],
|
|
"index" : [
|
|
{
|
|
"names": [ "suppliers", "products" ],
|
|
"privileges": [ "read" ]
|
|
},
|
|
{
|
|
"names": [ "inventory" ],
|
|
"privileges" : [ "read", "write" ]
|
|
}
|
|
],
|
|
"application": [
|
|
{
|
|
"application": "inventory_manager",
|
|
"privileges" : [ "read", "data:write/inventory" ],
|
|
"resources" : [ "product/1852563" ]
|
|
}
|
|
]
|
|
}
|
|
--------------------------------------------------
|
|
// CONSOLE
|
|
|
|
The following example output indicates which privileges the "rdeniro" user has:
|
|
|
|
[source,js]
|
|
--------------------------------------------------
|
|
{
|
|
"username": "rdeniro",
|
|
"has_all_requested" : false,
|
|
"cluster" : {
|
|
"monitor" : true,
|
|
"manage" : false
|
|
},
|
|
"index" : {
|
|
"suppliers" : {
|
|
"read" : true
|
|
},
|
|
"products" : {
|
|
"read" : true
|
|
},
|
|
"inventory" : {
|
|
"read" : true,
|
|
"write" : false
|
|
}
|
|
},
|
|
"application" : {
|
|
"inventory_manager" : {
|
|
"product/1852563" : {
|
|
"read": false,
|
|
"data:write/inventory": false
|
|
}
|
|
}
|
|
}
|
|
}
|
|
--------------------------------------------------
|
|
// TESTRESPONSE[s/"rdeniro"/"$body.username"/]
|
|
// TESTRESPONSE[s/: false/: true/]
|