36 lines
1.5 KiB
Plaintext
36 lines
1.5 KiB
Plaintext
[role="xpack"]
|
|
[[run-as-privilege]]
|
|
= Submitting requests on behalf of other users
|
|
|
|
The {es} {security-features} support a permission that enables an authenticated
|
|
user to submit requests on behalf of other users. If your application already
|
|
authenticates users, you can use the _run as_ mechanism to restrict data access
|
|
according to {es} permissions without having to re-authenticate each user.
|
|
|
|
To "run as" (impersonate) another user, that user must exist in a realm that
|
|
supports the _run as_ mechanism. Both the internal `native` and `file` realms
|
|
support this out of the box. The LDAP realm must be configured to run in
|
|
<<ldap-realm-configuration,_user search_ mode>>. The Active Directory realm must
|
|
be <<ref-ad-settings,configured with a `bind_dn` and `secure_bind_password`>> to
|
|
support _run as_. The Kerberos, OpenID Connect, PKI, and SAML realms do not
|
|
support _run as_.
|
|
|
|
To submit requests on behalf of other users, you need to have the `run_as`
|
|
permission. For example, the following role grants permission to submit request
|
|
on behalf of `jacknich` or `redeniro`:
|
|
|
|
[source,js]
|
|
---------------------------------------------------
|
|
{
|
|
"run_as" : [ "jacknich", "rdeniro" ]
|
|
}
|
|
---------------------------------------------------
|
|
|
|
To submit a request as another user, you specify the user in the
|
|
`es-security-runas-user` request header. For example:
|
|
|
|
[source,shell]
|
|
---------------------------------------------------
|
|
curl -H "es-security-runas-user: jacknich" -u es_admin -XGET 'http://localhost:9200/'
|
|
---------------------------------------------------
|