The {es} {security-features} work with standard HTTP {wikipedia}/Basic_access_authentication[basic authentication] headers to authenticate users. Since Elasticsearch is stateless, this header must be sent with every request:
Authorization: Basic <TOKEN> (1)
-
The
<TOKEN>
is computed asbase64(USERNAME:PASSWORD)
Alternatively, you can use token-based authentication services.
This example uses curl
without basic auth to create an index:
curl -XPUT 'localhost:9200/idx'
{
"error": "AuthenticationException[Missing authentication token]",
"status": 401
}
Since no user is associated with the request above, an authentication error is
returned. Now we’ll use curl
with basic auth to create an index as the
rdeniro
user:
curl --user rdeniro:taxidriver -XPUT 'localhost:9200/idx'
{
"acknowledged": true
}
Some APIs support secondary authorization headers for situations where you want tasks to run with a different set of credentials. For example, you can send the following header in addition to the basic authentication header:
es-secondary-authorization: Basic <TOKEN> (1)
-
The
<TOKEN>
is computed asbase64(USERNAME:PASSWORD)
The es-secondary-authorization
header has the same syntax as the
Authorization
header. It therefore also supports the use of
token-based authentication services. For
example:
es-secondary-authorization: ApiKey <TOKEN> (1)
-
The
<TOKEN>
is computed asbase64(API key ID:API key)
For more information about using {security-features} with the language specific clients, refer to: