Shield supports a permission that enables an authenticated user to submit requests on behalf of other users. If your application already authenticates its own users, you can use this run-as mechanism to restrict data access according to Shield permissions without having to re-authenticate each user through Shield: the application authenticates to Shield once, with its own credentials, and names the end user on each request.
To run as another user, you must be able to retrieve the user from the realm you use to authenticate. The esusers realm supports this out of the box. To use an LDAP realm, it must be configured to enable user search. For more information, see Configuring an LDAP Realm with User Search.
To submit requests on behalf of other users, you need to have the run_as permission. For example, the following run_as_role grants permission to submit requests on behalf of jacknich and rdeniro:

run_as_role:
  run_as: jacknich, rdeniro
For information about assigning roles, see Mapping Users and Groups to Roles.
To submit a request as another user, authenticate as the user that holds the run_as permission and specify the target user in the request header. For example, the following request is authenticated as es_admin (which must have a role such as run_as_role above) and executed with the permissions of jacknich:
curl -H "es-shield-runas-user: jacknich" -u es_admin -XGET 'http://localhost:9200/'
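The procedure above (a role that lists the users who may be impersonated, and an es-shield-runas-user header on a request authenticated as the service user) as an added example; this is not Shield's own code. It assumes a constructed roles.yml snippet, a hypothetical es_admin password of "secret", and an assumed username pattern used to reject values that could smuggle extra headers. The check against the role mirrors what Shield enforces server-side; the point of doing it in the application as well is to fail before sending a request that Shield would reject, and to make sure the application never forwards a target user it did not authenticate itself.

```python
"""Added example (not part of Shield): build a run-as request for Shield and
check the caller's run_as role before impersonating a user."""
import base64
import re

# Constructed roles.yml content for this example. Only run_as_role's run_as
# line comes from the page; admin_role is added to show a role without run_as.
ROLES_YML = """\
run_as_role:
  run_as: jacknich, rdeniro
admin_role:
  cluster: all
"""

RUN_AS_HEADER = "es-shield-runas-user"  # header name used by Shield

# Assumption: usernames are restricted to this character set so that a value
# containing CR/LF or spaces can never inject a second header line.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]+$")


def parse_run_as(roles_yml):
    """Return {role_name: {usernames}} for every role with a run_as line.

    Minimal line-oriented parser for the two-level layout used above; a real
    deployment would load roles.yml with a YAML library instead.
    """
    permitted = {}
    role = None
    for raw in roles_yml.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):            # top-level key: a role name
            role = raw.rstrip(":").strip()
        elif role and raw.strip().startswith("run_as:"):
            users = raw.split(":", 1)[1]
            permitted.setdefault(role, set()).update(
                u.strip() for u in users.split(",") if u.strip())
    return permitted


def can_run_as(roles_yml, caller_roles, target_user):
    """True if any of the caller's roles grants run_as for target_user."""
    permitted = parse_run_as(roles_yml)
    return any(target_user in permitted.get(r, set()) for r in caller_roles)


def build_run_as_headers(service_user, service_password, target_user,
                         caller_roles, roles_yml=ROLES_YML):
    """Headers for a request submitted on behalf of target_user.

    Raises ValueError instead of sending a header Shield would reject, and
    refuses usernames that fail the (assumed) USERNAME_RE pattern.
    """
    if not USERNAME_RE.match(target_user):
        raise ValueError("invalid run-as username: %r" % target_user)
    if not can_run_as(roles_yml, caller_roles, target_user):
        raise ValueError("%s is not permitted to run as %s"
                         % (service_user, target_user))
    credentials = "%s:%s" % (service_user, service_password)
    token = base64.b64encode(credentials.encode()).decode()
    return {"Authorization": "Basic " + token, RUN_AS_HEADER: target_user}


if __name__ == "__main__":
    # Same request as the curl command above, with a hypothetical password.
    headers = build_run_as_headers("es_admin", "secret", "jacknich",
                                   ["run_as_role"])
    for name, value in headers.items():
        print("%s: %s" % (name, value))
```

The header dict can be passed straight to urllib or requests. Note that it is the application's own authentication of the end user, not anything in this function, that decides which name goes into target_user; the role check only limits the damage if that step is wrong.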