User Impersonation
The Search Guard user impersonation feature lets you submit requests on behalf of another user: a user logs in with his or her own credentials and then impersonates another user, without having to know that user's username or password. The request is authenticated as the logged-in user but executed with the identity and permissions of the impersonated user.
This is useful, for example, when an admin needs to debug permission problems for a particular user without asking for that user's credentials.
For impersonation to work, the impersonated user must be retrievable from one of the configured authentication backends. The Active Directory/LDAP and Internal Users authentication backends support impersonation out of the box.
Permission settings
To give a user permission to impersonate other users, add a searchguard.authcz.rest_impersonation_user.<allowed_user> setting to elasticsearch.yml (next to the other searchguard.authcz.* settings) that lists the users it may impersonate:

searchguard.authcz.rest_impersonation_user.<allowed_user>:
  - <impersonated_user_1>
  - <impersonated_user_2>
  - ...

For example:

searchguard.authcz.rest_impersonation_user.admin:
  - user_1
  - user_2

In this example, the user admin has permission to impersonate the users user_1 and user_2. Wildcards are supported, so the following snippet grants the user admin permission to impersonate any user whose name starts with user_:

searchguard.authcz.rest_impersonation_user.admin:
  - user_*

Keep these lists as narrow as possible. An allowed user effectively gains the permissions of every user he or she can impersonate, so a pattern that also matches privileged accounts, or a bare *, hands out those permissions wholesale.
Using impersonation on the REST layer
To impersonate another user, specify that user's name in the sg_impersonate_as HTTP header of the REST call, for example:

curl -u admin:password \
  -H "sg_impersonate_as: user_1" \
  -XGET https://example.com:9200/_searchguard/authinfo?pretty

The credentials are still those of the allowed user (admin here); Search Guard authenticates admin, checks that admin may impersonate user_1, and then executes the request as user_1, so the authinfo response reflects user_1. If admin is not permitted to impersonate the named user, the request is rejected rather than silently executed as admin.
Effects on audit and compliance logging
When impersonation is used, audit and compliance events record both the user who authenticated and the user on whose behalf the request was executed, so impersonated activity can always be traced back to the person who initiated it:

Name | Description
---|---
audit_request_initiating_user | The user that authenticated and initiated the request (admin in the example above)
audit_request_effective_user | The user the request was executed as, i.e. the impersonated user (user_1 in the example above)

Events in which the two fields differ are exactly the impersonated requests; reviewing them is the practical way to audit how the impersonation grants are being used.
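The following script is an added example, not code from Search Guard or its documentation. It turns the permission settings and the audit fields described on this page into an offline check: it parses the rest_impersonation_user grants out of an elasticsearch.yml fragment, answers whether an initiating user may impersonate a given target, flags grants that are broader than they look, and then scans audit events for requests whose initiating and effective users differ. Two assumptions are built in: a * in a grant is treated as a glob wildcard matching any run of characters (the page only shows a trailing *, so this is the example's reading of the matching rule, not a statement of Search Guard's implementation), and the audit_rest_request_path field is used as an illustrative request-path field without checking it against the audit log schema. The configuration fragment, the audit lines and the helpdesk and ops accounts are constructed for the example.

```python
"""Offline checker for Search Guard impersonation grants and audit events.

Added example, not Search Guard code. Assumptions (see lead-in):
  * grants live under searchguard.authcz.rest_impersonation_user.<user>
    in elasticsearch.yml, in the flat "key:" + "- value" shape shown on
    the page;
  * '*' in a grant matches any run of characters (glob style);
  * audit events are JSON objects carrying audit_request_initiating_user
    and audit_request_effective_user (audit_rest_request_path is only an
    illustrative extra field).
The YAML fragment, audit lines and user names below are constructed.
"""
import fnmatch
import json
import re

PREFIX = "searchguard.authcz.rest_impersonation_user."

# Constructed elasticsearch.yml fragment (not a real deployment).
CONFIG_YAML = """
searchguard.authcz.rest_impersonation_user.admin:
  - user_1
  - user_2
searchguard.authcz.rest_impersonation_user.helpdesk:
  - user_*
searchguard.authcz.rest_impersonation_user.ops:
  - "*"
"""

# Constructed audit events, one JSON object per line.
AUDIT_LINES = """
{"audit_request_initiating_user":"admin","audit_request_effective_user":"user_1","audit_rest_request_path":"/_searchguard/authinfo"}
{"audit_request_initiating_user":"helpdesk","audit_request_effective_user":"user_7","audit_rest_request_path":"/logs-2024/_search"}
{"audit_request_initiating_user":"user_2","audit_request_effective_user":"user_2","audit_rest_request_path":"/_cat/indices"}
{"audit_request_initiating_user":"helpdesk","audit_request_effective_user":"admin","audit_rest_request_path":"/_cluster/settings"}
"""


def parse_grants(text):
    """Parse the flat 'key:' + '- value' shape into {allowed_user: [patterns]}.
    Only the impersonation keys are kept; other settings are ignored."""
    grants, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+):\s*$", line)
        if m:
            key = m.group(1)
            current = key[len(PREFIX):] if key.startswith(PREFIX) else None
            if current is not None:
                grants.setdefault(current, [])
            continue
        if current is not None and line.startswith("- "):
            grants[current].append(line[2:].strip().strip("\"'"))
    return grants


def may_impersonate(grants, actor, target):
    """True if actor holds a grant whose glob pattern covers target."""
    return any(fnmatch.fnmatchcase(target, p) for p in grants.get(actor, []))


def risky_grants(grants, privileged=("admin",)):
    """Grants that cover every user, or that cover a privileged account:
    whoever holds them effectively gains that account's permissions."""
    findings = []
    for actor, patterns in grants.items():
        for p in patterns:
            if p == "*":
                findings.append((actor, p, "matches every user"))
                continue
            for priv in privileged:
                if fnmatch.fnmatchcase(priv, p):
                    findings.append((actor, p, f"covers privileged user {priv}"))
    return findings


def impersonated_requests(lines, grants):
    """Audit events whose effective user differs from the initiating user,
    each tagged with whether the current grants still permit that pairing
    (a False here means the config changed since the event was logged)."""
    hits = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        actor = ev["audit_request_initiating_user"]
        target = ev["audit_request_effective_user"]
        if actor != target:
            hits.append({
                "actor": actor,
                "target": target,
                "path": ev.get("audit_rest_request_path"),
                "permitted_by_config": may_impersonate(grants, actor, target),
            })
    return hits


if __name__ == "__main__":
    g = parse_grants(CONFIG_YAML)
    for actor, pattern, why in risky_grants(g):
        print(f"RISK  {actor}: '{pattern}' {why}")
    for h in impersonated_requests(AUDIT_LINES, g):
        print(f"IMPERSONATION {h['actor']} -> {h['target']} on {h['path']}"
              f" (permitted_by_config={h['permitted_by_config']})")
```

Run against a real elasticsearch.yml and an export of audit events, the two reports answer the questions an auditor asks of this feature: which accounts can become which other accounts, and which of those grants were actually exercised. The helpdesk-to-admin event in the constructed data illustrates the second report's drift check: it is an impersonation the current grants would not permit, which is worth investigating whether it stems from an earlier, broader configuration or from an error in the log.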
Additional resources