I am working on a search microservice in Spring Boot that relies on Amazon Elasticsearch.
My use case is the following:
GIVEN an authenticated user
AND the user has been authorized with the role Contractor by an In-House access management system;
WHEN the user searches through my service
THEN only the relevant documents are shown as per his/her privileges;
What would that request (I guess POST) look like for this to work?
As long as your request is not changing anything you should use GET instead of POST, but POST will be supported for clients not capable of sending a request body with GET.
In order to show documents the user is allowed to see, you need to set up document-level security for your roles as described here: https://opendistro.github.io/for-elasticsearch-docs/docs/security/access-control/document-level-security/
Users of Elastic's Elasticsearch should have a look at this: https://www.elastic.co/guide/en/elasticsearch/reference/current/document-level-security.html
I eventually found the answer in the Open Distro Elasticsearch documentation about User Impersonation here.
In short the trick is to add opendistro_security_impersonate_as to the header in the following way:
curl -XGET -u 'admin:admin' -k -H "opendistro_security_impersonate_as: user_1" "https://localhost:9200/_opendistro/_security/authinfo?pretty"
where you can replace:
This worked like a charm in my case.
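As an added example (not part of either answer or of the Open Distro documentation), this is how a Java service such as the Spring Boot one in the question could build the search request with the impersonation header, taking the impersonated user from the server-side role rather than from client input. The role-to-user mapping, user names, index name and credentials are assumptions, and the service account must be permitted to impersonate those users in the cluster's security configuration.

```java
import java.net.URI;
import java.net.http.HttpRequest;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;

public class ImpersonatedSearch {
    // Assumed mapping: role from the in-house access management system ->
    // Elasticsearch user whose roles carry the document-level security query.
    // Both user names are hypothetical.
    private static final Map<String, String> ROLE_TO_ES_USER = Map.of(
            "Contractor", "contractor_search",
            "Employee", "employee_search");

    // Resolve the impersonation target from the authorization result only.
    static String esUserFor(String role) {
        String user = ROLE_TO_ES_USER.get(role);
        if (user == null) {
            // Fail closed: an unmapped role must never search as the service account.
            throw new IllegalArgumentException("No Elasticsearch user mapped for role " + role);
        }
        return user;
    }

    // POST is used because the query travels in the request body.
    static HttpRequest searchAs(String role, String index, String queryJson,
                                String svcUser, String svcPassword) {
        String basic = Base64.getEncoder().encodeToString(
                (svcUser + ":" + svcPassword).getBytes(StandardCharsets.UTF_8));
        return HttpRequest.newBuilder(URI.create("https://localhost:9200/" + index + "/_search"))
                .header("Authorization", "Basic " + basic)
                .header("Content-Type", "application/json")
                .header("opendistro_security_impersonate_as", esUserFor(role))
                .POST(HttpRequest.BodyPublishers.ofString(queryJson))
                .build();
    }

    public static void main(String[] args) {
        // Constructed sample values; a real service loads credentials from its secret store.
        String query = "{\"query\":{\"match\":{\"title\":\"invoice\"}}}";
        HttpRequest req = searchAs("Contractor", "documents", query, "search_svc", "example-password");
        System.out.println(req.method() + " " + req.uri());
        System.out.println(req.headers().firstValue("opendistro_security_impersonate_as").orElseThrow());
        try {
            searchAs("Guest", "documents", query, "search_svc", "example-password");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The request is only built and printed here, not sent, so the example runs without a cluster.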