Submitting Requests on Behalf of Other Users

Shield supports a permission that enables an authenticated user to submit requests on behalf of other users. If your application already authenticates users, you can use this run_as mechanism to restrict data access according to Shield permissions without having to re-authenticate each user through Shield. The request is authorized with the privileges of the user being impersonated, not those of the user who authenticated, and only the users listed in the role's run_as entry can be impersonated.

To run as another user, Shield must be able to look up that user in the realm you use to authenticate. The esusers realm supports this out of the box. To use run_as with an LDAP realm, the realm must be configured to enable user search. For more information, see Configuring an LDAP Realm with User Search.

To submit requests on behalf of other users, you need to have the run_as permission. For example, the following run_as_role grants permission to submit requests on behalf of jacknich or rdeniro:

run_as_role:
    run_as: jacknich, rdeniro

For information about assigning roles, see Mapping Users and Groups to Roles.

To submit a request as another user, you specify that user in the es-shield-runas-user request header while authenticating as yourself. For example, the following request authenticates as es_admin (curl prompts for the password) and runs as jacknich:

curl -H "es-shield-runas-user: jacknich" -u es_admin -XGET 'http://localhost:9200/'
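The following script is an added example and is not part of the Shield documentation or the product. It wraps the request above in a small POSIX sh helper that first checks, against a local copy of roles.yml written in the one-line "run_as: a, b" form shown on this page, whether the role actually lists the target user, and only then sends the request with the es-shield-runas-user header. The ROLES_FILE and ES_URL variables, the --run flag and the use of the /_shield/authenticate endpoint to report the effective user are assumptions of this example, not settings documented on this page.

```sh
#!/bin/sh
# Added example, not code from the Shield documentation or product.
# Assumptions: ROLES_FILE is a local copy of Shield's roles.yml using the
# one-line "run_as: a, b" form shown on the page; ES_URL is a Shield node
# whose authenticate API lives at /_shield/authenticate.
ROLES_FILE="${ROLES_FILE:-roles.yml}"
ES_URL="${ES_URL:-http://localhost:9200}"

# run_as_allowed ROLE USER
# Exit 0 if USER appears in ROLE's run_as entry in ROLES_FILE, 1 otherwise.
run_as_allowed() {
  awk -v role="$1" -v user="$2" '
    # a line with no leading whitespace starts a new role block
    /^[^ \t]/ { in_role = ($0 == (role ":")) }
    in_role && $1 == "run_as:" {
      sub(/^[ \t]*run_as:[ \t]*/, "")          # keep only the user list
      n = split($0, names, /[ \t,]+/)          # "jacknich, rdeniro" -> names[]
      for (i = 1; i <= n; i++) if (names[i] == user) found = 1
    }
    END { exit (found ? 0 : 1) }
  ' "$ROLES_FILE"
}

# run_as_request TARGET_USER AUTH_USER [curl args...]
# Send the request as TARGET_USER, authenticating as AUTH_USER (curl prompts
# for the password, exactly as the page's curl line does).
run_as_request() {
  target="$1"; auth="$2"; shift 2
  curl -s -H "es-shield-runas-user: $target" -u "$auth" "$@"
}

# run_as_checked ROLE TARGET_USER AUTH_USER [curl args...]
# Refuse locally when ROLE does not list TARGET_USER; Shield would reject
# such a request anyway, but failing early keeps the attempt out of the
# server's audit trail and makes the misconfiguration obvious.
run_as_checked() {
  role="$1"; target="$2"; auth="$3"; shift 3
  if ! run_as_allowed "$role" "$target"; then
    echo "refusing: role '$role' does not list '$target' under run_as" >&2
    return 1
  fi
  run_as_request "$target" "$auth" "$@"
}

# Usage (only when invoked with --run, so the functions can also be sourced):
#   ./runas.sh --run jacknich
# asks Shield which user the request was authorized as after impersonation.
if [ "${1:-}" = "--run" ]; then
  run_as_checked run_as_role "${2:-jacknich}" es_admin "$ES_URL/_shield/authenticate"
fi
```

The local check is a convenience, not a security boundary: Shield enforces the run_as list on the server side, so a user not listed in the role is refused there even if the check is skipped. The check is only as good as the copy of roles.yml it reads, and it understands the comma-separated form used on this page, not the YAML list form.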