honeymoose/OpenSearch
1
0
Fork 0
mirror of https://github.com/honeymoose/OpenSearch.git synced 2025-02-13 16:35:45 +00:00
Code Issues Packages Projects Releases Wiki Activity
OpenSearch/x-pack/docs/en/security/authorization/run-as-privilege.asciidoc
Tim Vernum 273c82d7c9
Add support for "authorization_realms" (#33262) 
Authorization Realms allow an authenticating realm to delegate the task
of constructing a User object (with name, roles, etc) to one or more
other realms.

E.g. A client could authenticate using PKI, but then delegate to an LDAP
realm. The LDAP realm performs a "lookup" by principal, and then does
regular role-mapping from the discovered user.

This commit includes:
- authorization_realm support in the pki, ldap, saml & kerberos realms
- docs for authorization_realms
- checks that there are no "authorization chains"
   (whereby "realm-a" delegates to "realm-b", but "realm-b" delegates to "realm-c")

Authorization realms is a platinum feature.
2018-08-31 13:25:27 +10:00

35 lines
1.5 KiB
Plaintext
Raw Blame History

[role="xpack"]
[[run-as-privilege]]
=== Submitting requests on behalf of other users
{security} supports a permission that enables an authenticated user to submit
requests on behalf of other users. If your application already authenticates
users, you can use the _run as_ mechanism to restrict data access according to
{security} permissions without having to re-authenticate each user through.
To "run as" (impersonate) another user, you must be able to retrieve the user from
the realm you use to authenticate. Both the internal `native` and `file` realms
support this out of the box. The LDAP realm must be configured to run in
<<ldap-user-search, _user search_ mode>>. The Active Directory realm must be
<<ad-settings,configured with a `bind_dn` and `secure_bind_password`>> to support
_run as_. The PKI, Kerberos, and SAML realms do not support _run as_.
To submit requests on behalf of other users, you need to have the `run_as`
permission. For example, the following role grants permission to submit request
on behalf of `jacknich` or `redeniro`:
[source,js]
---------------------------------------------------
{
"run_as" : [ "jacknich", "rdeniro" ]
}
---------------------------------------------------
To submit a request as another user, you specify the user in the
`es-security-runas-user` request header. For example:
[source,shell]
---------------------------------------------------
curl -H "es-security-runas-user: jacknich" -u es_admin -XGET 'http://localhost:9200/'
---------------------------------------------------
Reference in New Issue View Git Blame Copy Permalink