You're viewing version 2.13 of the OpenSearch documentation. This version is no longer maintained. For the latest version, see the current documentation. For information about OpenSearch version maintenance, see Release Schedule and Maintenance Policy.

User impersonation

User impersonation allows specially privileged users to act as another user without knowledge of nor access to the impersonated user’s credentials.

Impersonation can be useful for testing and troubleshooting, or for allowing system services to safely act as a user.

Impersonation can occur on either the REST interface or at the transport layer.

REST interface

To allow one user to impersonate another, add the following to opensearch.yml:

plugins.security.authcz.rest_impersonation_user:
  <AUTHENTICATED_USER>:
    - <IMPERSONATED_USER_1>
    - <IMPERSONATED_USER_2>

The impersonated user field supports wildcards. Setting it to * allows AUTHENTICATED_USER to impersonate any user.

Transport interface

In a similar fashion, add the following to enable transport layer impersonation:

plugins.security.authcz.impersonation_dn:
  "CN=spock,OU=client,O=client,L=Test,C=DE":
    - worf

Impersonating users

To impersonate another user, submit a request to the system with the HTTP header opendistro_security_impersonate_as set to the name of the user to be impersonated. A good test is to make a GET request to the _plugins/_security/authinfo URI:

curl -XGET -u 'admin:<custom-admin-password>' -k -H "opendistro_security_impersonate_as: user_1" https://localhost:9200/_plugins/_security/authinfo?pretty

REST interface
Transport interface
Impersonating users

WAS THIS PAGE HELPFUL?

✔ Yes ✖ No

Tell us why

350 characters left

Have a question? Ask us on the OpenSearch forum.

Want to contribute? Edit this page or create an issue.

User impersonation

REST interface

Transport interface

Impersonating users

OpenSearch Links

Get Involved

Resources

Contact Us