This documentation contains work-in-progress information for future Elastic Stack and Cloud releases. Use the version selector to view supported release docs. It also contains some Elastic Cloud serverless information. Check out our serverless docs for more details.
Has privileges API
editHas privileges API
editDetermines whether the logged in user has a specified list of privileges.
Prerequisites
edit- All users can use this API, but only to determine their own privileges. To check the privileges of other users, you must use the run as feature. For more information, see Submitting requests on behalf of other users.
Description
editFor a list of the privileges that you can specify in this API, see Security privileges.
A successful call returns a JSON structure that shows whether each specified privilege is assigned to the user.
Request body
edit-
cluster - (list) A list of the cluster privileges that you want to check.
-
index -
-
names - (list) A list of indices.
-
allow_restricted_indices -
(Boolean) This needs to be set to
true(default isfalse) if using wildcards or regexps for patterns that cover restricted indices. Implicitly, restricted indices do not match index patterns because restricted indices usually have limited privileges and including them in pattern tests would render most such testsfalse. If restricted indices are explicitly included in thenameslist, privileges will be checked against them regardless of the value ofallow_restricted_indices. -
privileges - (list) A list of the privileges that you want to check for the specified indices.
-
-
application -
-
application - (string) The name of the application.
-
privileges - (list) A list of the privileges that you want to check for the specified resources. May be either application privilege names, or the names of actions that are granted by those privileges
-
resources - (list) A list of resource names against which the privileges should be checked
-
Examples
editThe following example checks whether the current user has a specific set of cluster, index, and application privileges:
resp = client.security.has_privileges(
cluster=[
"monitor",
"manage"
],
index=[
{
"names": [
"suppliers",
"products"
],
"privileges": [
"read"
]
},
{
"names": [
"inventory"
],
"privileges": [
"read",
"write"
]
}
],
application=[
{
"application": "inventory_manager",
"privileges": [
"read",
"data:write/inventory"
],
"resources": [
"product/1852563"
]
}
],
)
print(resp)
const response = await client.security.hasPrivileges({
cluster: ["monitor", "manage"],
index: [
{
names: ["suppliers", "products"],
privileges: ["read"],
},
{
names: ["inventory"],
privileges: ["read", "write"],
},
],
application: [
{
application: "inventory_manager",
privileges: ["read", "data:write/inventory"],
resources: ["product/1852563"],
},
],
});
console.log(response);
GET /_security/user/_has_privileges
{
"cluster": [ "monitor", "manage" ],
"index" : [
{
"names": [ "suppliers", "products" ],
"privileges": [ "read" ]
},
{
"names": [ "inventory" ],
"privileges" : [ "read", "write" ]
}
],
"application": [
{
"application": "inventory_manager",
"privileges" : [ "read", "data:write/inventory" ],
"resources" : [ "product/1852563" ]
}
]
}
The following example output indicates which privileges the "rdeniro" user has:
{
"username": "rdeniro",
"has_all_requested" : false,
"cluster" : {
"monitor" : true,
"manage" : false
},
"index" : {
"suppliers" : {
"read" : true
},
"products" : {
"read" : true
},
"inventory" : {
"read" : true,
"write" : false
}
},
"application" : {
"inventory_manager" : {
"product/1852563" : {
"read": false,
"data:write/inventory": false
}
}
}
}