Submitting Requests on Behalf of Other Users

Shield supports a privilege that enables an authenticated user to submit requests on behalf of other users. If your application already authenticates its own users, you can use this run_as mechanism to restrict data access according to Shield permissions without re-authenticating each user through Shield: the application authenticates to Shield once with its own credentials, and each request it submits is authorized with the permissions of the user it runs as.
To run as another user, the user you run as must be retrievable from the realm you use to authenticate. The native and file realms support this out of the box. To use run_as with an LDAP realm, the realm must be configured to enable user search. For more information, see Configuring an LDAP Realm with User Search.
To submit requests on behalf of other users, you need to have the run_as privilege. For example, the following run_as_role grants permission to submit requests on behalf of jacknich or rdeniro (the user names in the run_as array must match the user names in the realm exactly):

POST /_shield/role/run_as_role
{
  "run_as": [ "jacknich", "rdeniro" ]
}
For information about assigning roles, see Mapping Users and Groups to Roles.

To submit a request as another user, you authenticate as yourself and specify the user to run as in the es-shield-runas-user request header. For example, the following request authenticates as es_admin (who must hold a role whose run_as list includes jacknich) and is authorized with jacknich's permissions:

curl -H "es-shield-runas-user: jacknich" -u es_admin -XGET 'http://localhost:9200/'
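The following is an added example, not code from the Shield documentation or from Elastic, that puts the two steps above together with only the Python standard library: it builds the run_as_role body, checks the target user against that body before sending (a client-side mirror of the check Shield performs, useful for catching a mistyped user name such as "redeniro" before the cluster rejects the request), and constructs the same request as the curl command, with basic authentication for es_admin and the es-shield-runas-user header. The host, the es_admin password and the user names are placeholders taken from the page's examples.

```python
"""Added example (not from the Shield docs): build a Shield run_as request
and validate the target user against the role definition first.
Host name, password and user names are placeholders."""
import base64
import json
import urllib.request

# Header name Shield reads the run-as user from (as shown on the page).
RUNAS_HEADER = "es-shield-runas-user"


def role_definition(run_as_users):
    """JSON body for POST /_shield/role/<name> granting run_as for the users."""
    return json.dumps({"run_as": sorted(set(run_as_users))})


def can_run_as(role_body, target_user):
    """Client-side mirror of Shield's server-side check: is target_user listed
    in the role's run_as array? Names must match the realm's user names exactly."""
    return target_user in json.loads(role_body).get("run_as", [])


def build_runas_request(url, auth_user, auth_password, runas_user):
    """Equivalent of: curl -H "es-shield-runas-user: <runas_user>" -u <auth_user> <url>

    The request is authenticated as auth_user (HTTP basic) and, once Shield
    sees the header, authorized with runas_user's permissions."""
    token = base64.b64encode(f"{auth_user}:{auth_password}".encode()).decode()
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", f"Basic {token}")
    # urllib stores header names capitalised ("Es-shield-runas-user");
    # HTTP header names are case-insensitive, so Shield reads it the same way.
    req.add_header(RUNAS_HEADER, runas_user)
    return req


def run_as(url, auth_user, auth_password, runas_user, role_body):
    """Fail fast if the role does not permit runas_user, else build the request."""
    if not can_run_as(role_body, runas_user):
        raise PermissionError(f"{runas_user!r} is not in the role's run_as list")
    return build_runas_request(url, auth_user, auth_password, runas_user)


if __name__ == "__main__":
    body = role_definition(["jacknich", "rdeniro"])
    req = run_as("http://localhost:9200/", "es_admin", "changeme", "jacknich", body)
    print(req.full_url, req.get_header("Es-shield-runas-user"))
    # Sending it requires a running Shield-enabled node; authorization then
    # reflects jacknich's permissions, not es_admin's.
    with urllib.request.urlopen(req) as resp:
        print(resp.read().decode())
```

Note that the pre-send check only guards against typos on the client; Shield still evaluates the authenticated user's roles on the node, and the user named in the header must exist in a realm that supports lookup (native, file, or LDAP with user search enabled).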