Has Privileges API

edit

The has_privileges API allows you to determine whether the logged in user has a specified list of privileges.

Request

edit

GET _xpack/security/user/_has_privileges

Description

edit

For a list of the privileges that you can specify in this API, see Security privileges.

A successful call returns a JSON structure that shows whether each specified privilege is assigned to the user.

Request Body

edit
cluster
(list) A list of the cluster privileges that you want to check.
index
names
(list) A list of indices.
privileges
(list) A list of the privileges that you want to check for the specified indices.
application
application
(string) The name of the application.
privileges
(list) A list of the privileges that you want to check for the specified resources. May be either application privilege names, or the names of actions that are granted by those privileges
resources
(list) A list of resource names against which the privileges should be checked

Authorization

edit

All users can use this API, but only to determine their own privileges. To check the privileges of other users, you must use the run as feature. For more information, see Submitting requests on behalf of other users.

Examples

edit

The following example checks whether the current user has a specific set of cluster, index, and application privileges:

GET _xpack/security/user/_has_privileges
{
  "cluster": [ "monitor", "manage" ],
  "index" : [
    {
      "names": [ "suppliers", "products" ],
      "privileges": [ "read" ]
    },
    {
      "names": [ "inventory" ],
      "privileges" : [ "read", "write" ]
    }
  ],
  "application": [
    {
      "application": "inventory_manager",
      "privileges" : [ "read", "data:write/inventory" ],
      "resources" : [ "product/1852563" ]
    }
  ]
}

The following example output indicates which privileges the "rdeniro" user has:

{
  "username": "rdeniro",
  "has_all_requested" : false,
  "cluster" : {
    "monitor" : true,
    "manage" : false
  },
  "index" : {
    "suppliers" : {
      "read" : true
    },
    "products" : {
      "read" : true
    },
    "inventory" : {
      "read" : true,
      "write" : false
    }
  },
  "application" : {
    "inventory_manager" : {
      "product/1852563" : {
        "read": false,
        "data:write/inventory": false
      }
    }
  }
}