
POST request to Amazon Elasticsearch from application impersonating user role (e.g. manager, contractor, etc.)


I am working on a search microservice in Spring Boot that relies on Amazon Elasticsearch.

  • I have an Angular front end and a Spring Boot service in front of Amazon Elasticsearch;
  • I created Application Privileges in Elasticsearch so that my service/application can impersonate three types of users: manager, employee, contractor;
  • Each role is related to fine-grained permissions (e.g. only a manager can find personal data of the employees; a contractor can find employees, but some fields would be scrubbed or not returned at all);

My use case is the following:

GIVEN an authenticated user
   AND the user has been authorized with the role Contractor by an In-House access management system;
WHEN the user searches through my service
THEN only the relevant documents are shown as per his/her privileges;

What would that request (I guess POST) look like for this to work?


Solution

  • I eventually found the answer in the Open Distro for Elasticsearch documentation about User Impersonation here.

    In short, the trick is to add opendistro_security_impersonate_as to the header in the following way:

    curl -XGET -u 'admin:admin' -k -H "opendistro_security_impersonate_as: user_1" 'https://localhost:9200/_opendistro/_security/authinfo?pretty'
    

    where you can replace:

    • admin:admin with your service user
    • user_1 with the user that you want to impersonate and
    • https://localhost:9200/_opendistro/_security/authinfo?pretty with the URL of your GET request.

    This worked like a charm in my case.
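
As an added example (not code from the original post or from the Open Distro project), the POST the question asks about can be built with the header from the answer, taking the impersonation target from a fixed allowlist instead of from request input. The role-to-user mapping, the `employees` index and the `svc_search` service user are assumptions made for illustration.

```python
import base64
import json
import urllib.request

IMPERSONATE_HEADER = "opendistro_security_impersonate_as"

# Constructed allowlist: role asserted by the access management system ->
# Elasticsearch user the service impersonates. All names are hypothetical.
# The cluster must separately permit the service user to impersonate them
# (opendistro_security.authcz.rest_impersonation_user in elasticsearch.yml).
ROLE_TO_ES_USER = {
    "manager": "search_manager",
    "employee": "search_employee",
    "contractor": "search_contractor",
}


def impersonation_target(role: str) -> str:
    """Map an authorized role to its fixed target; unknown roles are refused."""
    try:
        return ROLE_TO_ES_USER[role.lower()]
    except KeyError:
        raise PermissionError(f"role {role!r} has no impersonation target") from None


def build_search_request(base_url, index, query, role, svc_user, svc_password):
    """Build (not send) the POST _search request made on behalf of `role`."""
    basic = base64.b64encode(f"{svc_user}:{svc_password}".encode()).decode()
    return urllib.request.Request(
        url=f"{base_url.rstrip('/')}/{index}/_search",
        data=json.dumps(query).encode(),
        method="POST",
        headers={
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/json",
            # Value comes from the allowlist, never from client-supplied text.
            IMPERSONATE_HEADER: impersonation_target(role),
        },
    )


if __name__ == "__main__":
    req = build_search_request(
        "https://localhost:9200", "employees", {"query": {"match_all": {}}},
        "Contractor", "svc_search", "constructed-password",
    )
    print(req.get_method(), req.full_url)
    for name, value in req.header_items():
        print(f"{name}: {'<redacted>' if name == 'Authorization' else value}")
```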