Version: SG FLX
Community

User Impersonation

The Search Guard user impersonation feature lets you submit requests on behalf of another user. A user logs in with his or her own credentials and then impersonates another user, without having to know that user's username or password.

For example, this can be useful when an admin needs to debug permission problems for a particular user.

In order for user impersonation to work, you must be able to retrieve the user from one of the configured authentication backends. The Active Directory/LDAP and the Internal Users authentication backend support impersonation out of the box.

Permission settings

To give a user permission to impersonate another user, add a mapping of the following form:

searchguard.authcz.rest_impersonation_user.<allowed_user>:
  - <impersonated_user_1>
  - <impersonated_user_2>
  - ...

For example:

searchguard.authcz.rest_impersonation_user.admin:
  - user_1
  - user_2

In this example, the user admin has permission to impersonate the users user_1 and user_2. Wildcards are supported, so the following snippet grants the user admin permission to impersonate any user whose name starts with user_.

searchguard.authcz.rest_impersonation_user.admin:
  - user_*

Using impersonation on the REST layer

To impersonate another user, specify that user's username in the sg_impersonate_as HTTP header of the REST call, for example:

curl -u admin:password  \
  -H "sg_impersonate_as: user_1"  \
  -XGET https://example.com:9200/_searchguard/authinfo?pretty

Effects on audit and compliance logging

When impersonation is used, audit and compliance events record both the initiating user and the impersonated user:

Name                          | Description
------------------------------|-------------------------------------
audit_request_initiating_user | The user that initiated the request
audit_request_effective_user  | The impersonated user
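Because every impersonated request carries both fields, the audit log can be reconciled offline against the rest_impersonation_user mapping: any event whose effective user differs from the initiating user must be covered by that mapping, otherwise the live settings differ from the reviewed ones. The following added example is not Search Guard's own code; it assumes the searchguard.authcz.rest_impersonation_user.<allowed_user> settings have already been parsed into a dict, uses constructed JSON-lines audit events, and treats the user_* wildcard with fnmatch-style globbing, which is an assumption about the wildcard semantics.

```python
import fnmatch
import json

# Assumed: the searchguard.authcz.rest_impersonation_user.<allowed_user>
# settings already parsed into {allowed_user: [patterns]} (the page's own
# example mapping, not read from a live cluster).
IMPERSONATION_CONFIG = {"admin": ["user_*"]}

# Constructed audit events as JSON lines, using the two field names from
# the table above (no real cluster output).
AUDIT_LOG = """\
{"audit_request_initiating_user": "admin", "audit_request_effective_user": "user_1"}
{"audit_request_initiating_user": "admin", "audit_request_effective_user": "admin"}
{"audit_request_initiating_user": "admin", "audit_request_effective_user": "kibanaserver"}
{"audit_request_initiating_user": "user_1", "audit_request_effective_user": "user_2"}
"""


def is_impersonation_allowed(initiating, effective, config):
    """True if `initiating` may act as `effective` under `config`."""
    # Acting as oneself is always allowed; otherwise `effective` must match one
    # of the initiator's patterns. `*` expands via fnmatch-style globbing, which
    # is an assumption about Search Guard's wildcard semantics.
    if initiating == effective:
        return True
    patterns = config.get(initiating, [])
    return any(fnmatch.fnmatchcase(effective, p) for p in patterns)


def parse_audit_events(text):
    """Parse JSON-lines audit output into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def impersonated_requests(events):
    """(initiating, effective) pairs for events where impersonation was used."""
    return [(e["audit_request_initiating_user"], e["audit_request_effective_user"])
            for e in events
            if e["audit_request_initiating_user"] != e["audit_request_effective_user"]]


def unexpected_impersonations(events, config):
    """Impersonations the reviewed mapping does not permit."""
    # Empty on a correctly configured cluster; anything listed here means the
    # live settings differ from the reviewed mapping and should be checked.
    return [(src, dst) for src, dst in impersonated_requests(events)
            if not is_impersonation_allowed(src, dst, config)]
```

Run the same functions over real audit output exported as JSON lines and the real mapping to check that only the intended impersonations occur.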
