The has_privileges API allows you to determine whether the logged in user has
a specified list of privileges.
For a list of the privileges that you can specify in this API, see Security privileges.
A successful call returns a JSON structure that shows whether each specified privilege is assigned to the user.
cluster
index
names
allow_restricted_indices
true (default
is false) if using wildcards or regexps for patterns that cover restricted
indices. Implicitly, restricted indices do not match index patterns because
restricted indices usually have limited privileges and including them in
pattern tests would render most such tests false. If restricted indices are
explicitly included in the names list, privileges will be checked against
them regardless of the value of allow_restricted_indices.
privileges
application
application
privileges
resources
All users can use this API, but only to determine their own privileges. To check the privileges of other users, you must use the run as feature. For more information, see Submitting Requests on Behalf of Other Users.
The following example checks whether the current user has a specific set of cluster, index, and application privileges:
GET /_security/user/_has_privileges
{
"cluster": [ "monitor", "manage" ],
"index" : [
{
"names": [ "suppliers", "products" ],
"privileges": [ "read" ]
},
{
"names": [ "inventory" ],
"privileges" : [ "read", "write" ]
}
],
"application": [
{
"application": "inventory_manager",
"privileges" : [ "read", "data:write/inventory" ],
"resources" : [ "product/1852563" ]
}
]
}The following example output indicates which privileges the "rdeniro" user has:
{
"username": "rdeniro",
"has_all_requested" : false,
"cluster" : {
"monitor" : true,
"manage" : false
},
"index" : {
"suppliers" : {
"read" : true
},
"products" : {
"read" : true
},
"inventory" : {
"read" : true,
"write" : false
}
},
"application" : {
"inventory_manager" : {
"product/1852563" : {
"read": false,
"data:write/inventory": false
}
}
}
}