Derek Ho 6af66500eb
Remove admin:admin default and update instructions for demo setup (#5887)
* Update some admin:admin references

Signed-off-by: Derek Ho <dxho@amazon.com>

* Update all references except for helm

Signed-off-by: Derek Ho <dxho@amazon.com>

* Update helm

Signed-off-by: Derek Ho <dxho@amazon.com>

* Reverts changes made to _install-and-configure folder

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>

* Apply suggestions from code review

Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
Signed-off-by: Derek Ho <derek01778@gmail.com>

* Update _about/quickstart.md

Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Nathan Bower <nbower@amazon.com>
Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>

* Update quickstart.md

Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>

---------

Signed-off-by: Derek Ho <dxho@amazon.com>
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Signed-off-by: Derek Ho <derek01778@gmail.com>
Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
Co-authored-by: Darshit Chanpura <dchanp@amazon.com>
Co-authored-by: Darshit Chanpura <35282393+DarshitChanpura@users.noreply.github.com>
Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
Co-authored-by: Nathan Bower <nbower@amazon.com>
2024-02-01 11:01:58 -08:00


layout: default
title: User impersonation
parent: Access control
nav_order: 100
redirect_from:
  - /security/access-control/impersonation/
  - /security-plugin/access-control/impersonation/

User impersonation

User impersonation allows specially privileged users to act as another user without knowledge of or access to the impersonated user's credentials.

Impersonation can be useful for testing and troubleshooting, or for allowing system services to safely act as a user.

Impersonation can occur on either the REST interface or at the transport layer.

REST interface

To allow one user to impersonate another, add the following to opensearch.yml:

plugins.security.authcz.rest_impersonation_user:
  <AUTHENTICATED_USER>:
    - <IMPERSONATED_USER_1>
    - <IMPERSONATED_USER_2>

The impersonated user field supports wildcards. Setting it to * allows AUTHENTICATED_USER to impersonate any user.
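
Because a single wildcard entry widens who can be impersonated, it helps to review this block before deploying it. The following is an added example, not part of the original page or the project's code: it reads the rest_impersonation_user block and lists which known users each authenticated user could impersonate. The user names, the USERS inventory, the sensitive list, and the use of fnmatch to approximate the plugin's wildcard matching are assumptions.

```python
import fnmatch

KEY = "plugins.security.authcz.rest_impersonation_user"
# Constructed sample config and user inventory; all names are hypothetical.
SAMPLE = """\
plugins.security.authcz.rest_impersonation_user:
  svc_reports:
    - user_1
  helpdesk:
    - "*"
  ci_bot:
    - "test_*"
"""
USERS = ["admin", "user_1", "user_2", "test_a"]

def parse_rest_impersonation(text):
    """Return {authenticated_user: [patterns]} for the REST impersonation block."""
    rules, current, inside = {}, None, False
    for raw in text.splitlines():
        item = raw.strip()
        if not item or item.startswith("#"):
            continue
        if not raw.startswith((" ", "\t")):      # top-level setting
            inside, current = item.rstrip(":") == KEY, None
        elif inside and item.startswith("- ") and current is not None:
            rules[current].append(item[2:].strip().strip("'\""))
        elif inside and item.endswith(":"):
            current = item[:-1].strip().strip("'\"")
            rules[current] = []
    return rules

def audit(rules, known_users, sensitive=("admin",)):
    """Expand each pattern list against known users and flag broad grants."""
    report = {}
    for principal, patterns in rules.items():
        # Assumption: fnmatch globbing approximates the plugin's wildcard matching.
        reachable = sorted(u for u in known_users
                           if any(fnmatch.fnmatchcase(u, p) for p in patterns))
        flags = []
        if "*" in patterns:
            flags.append("any-user")
        elif any("*" in p for p in patterns):
            flags.append("wildcard")
        flags += [f"sensitive:{u}" for u in reachable if u in sensitive]
        report[principal] = {"reachable": reachable, "flags": flags}
    return report

if __name__ == "__main__":
    for who, result in audit(parse_rest_impersonation(SAMPLE), USERS).items():
        print(who, result)
```

Entries flagged any-user or sensitive:admin are the ones to narrow to an explicit list of impersonated users.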

Transport interface

In a similar fashion, add the following to enable transport layer impersonation:

plugins.security.authcz.impersonation_dn:
  "CN=spock,OU=client,O=client,L=Test,C=DE":
    - worf

Impersonating users

To impersonate another user, submit a request to the system with the HTTP header opendistro_security_impersonate_as set to the name of the user to be impersonated. A good test is to make a GET request to the _plugins/_security/authinfo URI:

curl -XGET -u 'admin:<custom-admin-password>' -k -H "opendistro_security_impersonate_as: user_1" "https://localhost:9200/_plugins/_security/authinfo?pretty"