93 lines
3.4 KiB
Plaintext
93 lines
3.4 KiB
Plaintext
[[http-clients]]
|
|
=== HTTP/REST clients and security
|
|
|
|
The {es} {security-features} work with standard HTTP
|
|
https://en.wikipedia.org/wiki/Basic_access_authentication[basic authentication]
|
|
headers to authenticate users. Since Elasticsearch is stateless, this header must
|
|
be sent with every request:
|
|
|
|
[source,shell]
|
|
--------------------------------------------------
|
|
Authorization: Basic <TOKEN> <1>
|
|
--------------------------------------------------
|
|
<1> The `<TOKEN>` is computed as `base64(USERNAME:PASSWORD)`
|
|
|
|
Alternatively, you can use
|
|
<<token-authentication-services,token-based authentication services>>.
|
|
|
|
[discrete]
|
|
[[http-clients-examples]]
|
|
==== Client examples
|
|
|
|
This example uses `curl` without basic auth to create an index:
|
|
|
|
[source,shell]
|
|
-------------------------------------------------------------------------------
|
|
curl -XPUT 'localhost:9200/idx'
|
|
-------------------------------------------------------------------------------
|
|
|
|
[source,js]
|
|
-------------------------------------------------------------------------------
|
|
{
|
|
"error": "AuthenticationException[Missing authentication token]",
|
|
"status": 401
|
|
}
|
|
-------------------------------------------------------------------------------
|
|
|
|
Since no user is associated with the request above, an authentication error is
|
|
returned. Now we'll use `curl` with basic auth to create an index as the
|
|
`rdeniro` user:
|
|
|
|
[source,shell]
|
|
---------------------------------------------------------
|
|
curl --user rdeniro:taxidriver -XPUT 'localhost:9200/idx'
|
|
---------------------------------------------------------
|
|
|
|
[source,js]
|
|
---------------------------------------------------------
|
|
{
|
|
"acknowledged": true
|
|
}
|
|
---------------------------------------------------------
|
|
|
|
[discrete]
|
|
[[http-clients-secondary-authorization]]
|
|
==== Secondary authorization
|
|
|
|
Some APIs support secondary authorization headers for situations where you want
|
|
tasks to run with a different set of credentials. For example, you can send the
|
|
following header in addition to the basic authentication header:
|
|
|
|
[source,shell]
|
|
--------------------------------------------------
|
|
es-secondary-authorization: Basic <TOKEN> <1>
|
|
--------------------------------------------------
|
|
<1> The `<TOKEN>` is computed as `base64(USERNAME:PASSWORD)`
|
|
|
|
The `es-secondary-authorization` header has the same syntax as the
|
|
`Authorization` header. It therefore also supports the use of
|
|
<<token-authentication-services,token-based authentication services>>. For
|
|
example:
|
|
|
|
[source,shell]
|
|
--------------------------------------------------
|
|
es-secondary-authorization: ApiKey <TOKEN> <1>
|
|
--------------------------------------------------
|
|
<1> The `<TOKEN>` is computed as `base64(API key ID:API key)`
|
|
|
|
|
|
[discrete]
|
|
[[http-clients-libraries]]
|
|
==== Client libraries over HTTP
|
|
|
|
For more information about using {security-features} with the language
|
|
specific clients, refer to:
|
|
|
|
* {java-rest}/_basic_authentication.html[Java]
|
|
* {jsclient-current}/auth-reference.html[JavaScript]
|
|
* https://www.elastic.co/guide/en/elasticsearch/client/net-api/master/configuration-options.html[.NET]
|
|
* https://metacpan.org/pod/Search::Elasticsearch::Cxn::HTTPTiny#CONFIGURATION[Perl]
|
|
* https://www.elastic.co/guide/en/elasticsearch/client/php-api/master/security.html[PHP]
|
|
* https://elasticsearch-py.readthedocs.io/en/master/#ssl-and-authentication[Python]
|
|
* https://github.com/elasticsearch/elasticsearch-ruby/tree/master/elasticsearch-transport#authentication[Ruby]
|