Startsida Utforska Hjälp
Registrera dig Logga in
lqb
/
elasticsearch
spegling av https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Filer Ärenden 0 Wiki
Träd: 442fc1f3b6
Grenar Taggar
elasticsearch
/
docs
/
reference
/
rest-api
/
security
/
activate-user-profile.asciidoc

activate-user-profile.asciidoc 4.4 KB
Historik

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141 
  1. [role="xpack"]
    2. 

  2. [[security-api-activate-user-profile]]
    3. 

  3. === Activate user profile API
    4. 

  4. ++++
    5. 

  5. <titleabbrev>Activate user profile</titleabbrev>
    6. 

  6. ++++
    7. 

  7. 

  8. .New API reference
    9. 

  9. [sidebar]
    10. 

  10. --
    11. 

  11. For the most up-to-date API details, refer to {api-es}/group/endpoint-security[Security APIs].
    12. 

  12. --
    13. 

  13. 

  14. NOTE: The user profile feature is designed only for use by {kib} and
    15. 

  15. Elastic’s {observability}, {ents}, and {elastic-sec} solutions. Individual
    16. 

  16. users and external applications should not call this API directly. Elastic reserves
    17. 

  17. the right to change or remove this feature in future releases without prior notice.
    18. 

  18. 

  19. Creates or updates a user profile on behalf of another user.
    20. 

  20. 

  21. [[security-api-activate-user-profile-request]]
    22. 

  22. ==== {api-request-title}
    23. 

  23. 

  24. `POST /_security/profile/_activate`
    25. 

  25. 

  26. [[security-api-activate-user-profile-prereqs]]
    27. 

  27. ==== {api-prereq-title}
    28. 

  28. 

  29. * To use this API, you must have the `manage_user_profile` cluster privilege.
    30. 

  30. 

  31. [[security-api-activate-user-profile-desc]]
    32. 

  32. ==== {api-description-title}
    33. 

  33. 

  34. The activate user profile API creates or updates a profile document for end
    35. 

  35. users with information that is extracted from the user's authentication object,
    36. 

  36. including `username`, `full_name`, `roles`, and the authentication realm.
    37. 

  37. For example, in the JWT `access_token` case, the profile user's `username` is
    38. 

  38. extracted from the JWT token claim pointed to by the `claims.principal`
    39. 

  39. setting of the JWT realm that authenticated the token.
    40. 

  40. 

  41. When updating a profile document, the API enables the document if it was
    42. 

  42. disabled. Any updates do not change existing content for either the `labels` or
    43. 

  43. `data` fields.
    44. 

  44. 

  45. This API is intended only for use by applications (such as {kib}) that need to
    46. 

  46. create or update profiles for end users.
    47. 

  47. 

  48. IMPORTANT: The calling application must have either an `access_token`, or a
    49. 

  49. combination of `username` and `password` for the user that the profile document
    50. 

  50. is intended for.
    51. 

  51. 

  52. [role="child_attributes"]
    53. 

  53. [[security-api-activate-user-profile-request-body]]
    54. 

  54. ==== {api-request-body-title}
    55. 

  55. 

  56. `access_token`::
    57. 

  57. (Required*, string)
    58. 

  58. The user's <<security-api-get-token, {es} access token>>, or JWT. Both <<jwt-realm-oauth2, access>> and
    59. 

  59. <<jwt-realm-oidc, id>> JWT token types are supported, and they depend on the underlying JWT realm configuration.
    60. 

  60. If you specify the `access_token` grant type, this parameter is required. It is not valid with other grant types.
    61. 

  61. 

  62. include::client-authentication.asciidoc[]
    63. 

  63. 

  64. `grant_type`::
    65. 

  65. (Required, string)
    66. 

  66. The type of grant.
    67. 

  67. +
    68. 

  68. .Valid values for `grant_type`
    69. 

  69. [%collapsible%open]
    70. 

  70. ====
    71. 

  71. `access_token`::
    72. 

  72. In this type of grant, you must supply either an access token, that was created by the
    73. 

  73. {es} token service (see <<security-api-get-token>> and <<encrypt-http-communication>>),
    74. 

  74. or a <<jwt-auth-realm, JWT>> (either a JWT `access_token` or a JWT `id_token`).
    75. 

  75. 

  76. `password`::
    77. 

  77. In this type of grant, you must supply the `username` and `password` for the
    78. 

  78. user that you want to create the API key for.
    79. 

  79. ====
    80. 

  80. 

  81. `password`::
    82. 

  82. (Required*, string)
    83. 

  83. The user's password. If you specify the `password` grant type, this parameter is
    84. 

  84. required. It is not valid with other grant types.
    85. 

  85. 

  86. `username`::
    87. 

  87. (Required*, string)
    88. 

  88. The username that identifies the user. If you specify the `password` grant type,
    89. 

  89. this parameter is required. It is not valid with other grant types.
    90. 

  90. 

  91. *Indicates that the setting is required in some, but not all situations.
    92. 

  92. 

  93. [[security-api-activate-user-profile-response-body]]
    94. 

  94. ==== {api-response-body-title}
    95. 

  95. 

  96. A successful activate user profile API call returns a JSON structure that contains
    97. 

  97. the profile unique ID, user information, timestamp for the operation and version
    98. 

  98. control numbers.
    99. 

  99. 

  100. [[security-api-activate-user-profile-example]]
    101. 

  101. ==== {api-examples-title}
    102. 

  102. 

  103. [source,console]
    104. 

  104. ----
    105. 

  105. POST /_security/profile/_activate
    106. 

  106. {
    107. 

  107.   "grant_type": "password",
    108. 

  108.   "username" : "jacknich",
    109. 

  109.   "password" : "l0ng-r4nd0m-p@ssw0rd"
    110. 

  110. }
    111. 

  111. ----
    112. 

  112. // TEST[setup:jacknich_user]
    113. 

  113. 

  114. The API returns the following response:
    115. 

  115. 

  116. [source,console-result]
    117. 

  117. ----
    118. 

  118. {
    119. 

  119.   "uid": "u_79HkWkwmnBH5gqFKwoxggWPjEBOur1zLPXQPEl1VBW0_0",
    120. 

  120.   "enabled": true,
    121. 

  121.   "last_synchronized": 1642650651037,
    122. 

  122.   "user": {
    123. 

  123.     "username": "jacknich",
    124. 

  124.     "roles": [
    125. 

  125.       "admin", "other_role1"
    126. 

  126.     ],
    127. 

  127.     "realm_name": "native",
    128. 

  128.     "full_name": "Jack Nicholson",
    129. 

  129.     "email": "jacknich@example.com"
    130. 

  130.   },
    131. 

  131.   "labels": {},
    132. 

  132.   "data": {},
    133. 

  133.   "_doc": {
    134. 

  134.     "_primary_term": 88,
    135. 

  135.     "_seq_no": 66
    136. 

  136.   }
    137. 

  137. }
    138. 

  138. ----
    139. 

  139. // TESTRESPONSE[s/1642650651037/$body.last_synchronized/]
    140. 

  140. // TESTRESPONSE[s/88/$body._doc._primary_term/]
    141. 

  141. // TESTRESPONSE[s/66/$body._doc._seq_no/]
    142.