Submitting Requests on Behalf of Other Users

Shield supports a privilege that enables an authenticated user to submit requests on behalf of other users. If your application already authenticates users, you can use this run_as mechanism to restrict data access according to Shield permissions without having to re-authenticate each user through Shield.

To run as another user, you must be able to retrieve the user from the realm you use to authenticate. The native and file realms support this out of the box. To use run_as with an LDAP realm, it must be configured to enable user search. For more information, see Configuring an LDAP Realm with User Search.

To submit requests on behalf of other users, you need to have the run_as privilege. For example, the following run_as_role grants permission to submit requests on behalf of jacknich or rdeniro:

POST /_shield/role/run_as_role
{
  "run_as": [ "jacknich", "rdeniro" ]
}

For information about assigning roles, see Mapping Users and Groups to Roles.

To submit a request as another user, you specify the user in the request header. For example:

curl -H "es-shield-runas-user: jacknich"  -u es_admin -XGET 'http://localhost:9200/'
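The following is an added example, not code from the Shield documentation, showing how an application that has already authenticated its own end user would issue the request above programmatically: it authenticates to Shield as its service account and names the end user in the es-shield-runas-user header. The service account es_admin, its password "changeme", the role mapping that gives es_admin the run_as_role, and the exact-username matching in the local pre-check are all assumptions made for the example; Shield enforces the run_as privilege server-side regardless of this client-side check.

```python
"""Added example (not from the Shield docs): build a run_as request the way an
application would after authenticating its own end user.

Assumptions (not stated on the page): the application holds credentials for a
Shield user es_admin that has the run_as_role from the page, and run_as entries
are matched by exact username.
"""
import base64
import json
import urllib.request

# Role document from the page: holders of run_as_role may run as these users.
RUN_AS_ROLE = {"run_as": ["jacknich", "rdeniro"]}

# Constructed for the example: which roles the service account holds.
USER_ROLES = {"es_admin": ["run_as_role"]}
ROLE_DEFINITIONS = {"run_as_role": RUN_AS_ROLE}


def can_run_as(acting_user, target_user,
               user_roles=USER_ROLES, role_definitions=ROLE_DEFINITIONS):
    """Local pre-check mirroring the rule the page describes: the acting user
    may run as target_user only if one of its roles lists that exact username
    under run_as. Shield still decides server-side; failing early here lets the
    application log the refusal instead of forwarding a doomed request."""
    for role_name in user_roles.get(acting_user, []):
        run_as = role_definitions.get(role_name, {}).get("run_as", [])
        if target_user in run_as:
            return True
    return False


def runas_headers(acting_user, password, target_user):
    """Headers equivalent to the curl flags on the page: HTTP Basic auth for the
    acting (service) user, plus es-shield-runas-user naming the end user."""
    if not can_run_as(acting_user, target_user):
        raise PermissionError(f"{acting_user} may not run as {target_user}")
    token = base64.b64encode(f"{acting_user}:{password}".encode()).decode()
    return {
        "Authorization": f"Basic {token}",
        "es-shield-runas-user": target_user,
    }


def runas_request(url, acting_user, password, target_user, method="GET"):
    """Build the request object without sending it (offline-safe)."""
    headers = runas_headers(acting_user, password, target_user)
    return urllib.request.Request(url, method=method, headers=headers)


def run_as(url, acting_user, password, target_user, method="GET"):
    """Send the request; the response is evaluated under target_user's
    Shield permissions, not the service account's. Not run in the example."""
    req = runas_request(url, acting_user, password, target_user, method)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Same request as the page's curl command, expressed as headers only.
    print(json.dumps(runas_headers("es_admin", "changeme", "jacknich"), indent=2))
```

The important design point is that the run-as username must come from the application's own authentication of the end user, never from a field the client can set freely; the service account's credentials give it the run_as privilege, so whatever username it places in the header is the identity Shield will authorize against.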