callWithRequest security.hasPrivileges not available

diniden · January 9, 2020, 9:58pm

I am attempting to use callWithRequest to fetch elastic privilieges so I can customize my user's plugin experience based on whether or not they have access to read/write to an index within elastic.

However, I can't find a single example that explains how to use a sub-object portion of the API in conjunction with callWithRequest.

For instance, I've tried:

callWithRequest(req, 'security.hasPrivileges', {
          user: req.auth.credentials.username,
          body: {
            cluster: 'data',
            index: {
              names: [payload.index],
              privileges: ['write']
            }
          }
        }).then(function (response) {
          return response;
        }).catch(err => {
          return { error: err, message: 'Invalid Check for Security Privileges' };
        })

tsullivan · January 9, 2020, 10:28pm

Try the transport.request method:

callWithRequest(req, 'transport.request', {
  method: 'POST',
  path: '/_security/user/_has_privileges', // see https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-has-privileges.html
  body: { ... }
});

I'm pretty sure the user doesn't need to be specified in options, as it's taken from req.headers

diniden · January 9, 2020, 10:36pm

This looks like it works! Thanks! Never encountered this anywhere in the docs as a suggestion (and hours of googling).

Now I'm stuck with the 'current license is non-compliant for [security]' since I'm using the elastic / kibana docker images for development.

Know of any paths I can take to work on developing under these conditions without a license? Or is a temp license a possibility?

tsullivan · January 10, 2020, 4:52pm

I don't know why, but it looks like the reference for this method only shows up under "Examples" https://www.elastic.co/guide/en/elasticsearch/client/javascript-api/master/transport_request_examples.html

I thought it used to also be under API Reference. I'll check if I'm mistaken.

tsullivan · January 10, 2020, 6:15pm

I'm not sure if there is a decent solution, since that's not the recommended set up for development.

There are a lot of features of security available with a Basic license, if that helps. See Security for Elasticsearch is now free | Elastic Blog

system · February 7, 2020, 6:15pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.