lqb
/
elasticsearch
镜像自地址 https://gitee.com/mirrors/elasticsearch.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358
							[role="xpack"]
[[security-api-query-user]]
=== Query User API

++++
<titleabbrev>Query User</titleabbrev>
++++

Retrieves <<native-realm,native users>> with <<query-dsl,Query DSL>> in a <<paginate-search-results,paginated>> fashion.

NOTE: As opposed to the <<security-api-get-user,get user api>>, <<built-in-users,built-in users>> are excluded from the
result. This API is only for <<native-realm,native users>>.

[[security-api-query-user-request]]
==== {api-request-title}

`GET /_security/_query/user`

`POST /_security/_query/user`

[[security-api-query-user-prereqs]]
==== {api-prereq-title}

* To use this API, you must have at least the  `read_security` cluster privilege.

[[security-api-query-user-desc]]
==== {api-description-title}

Use this API to retrieve users managed by the
<<native-realm,native realm>> in a paginated manner.
You can optionally filter the results with a query.

[[security-api-query-user-request-body]]
==== {api-request-body-title}

You can specify the following parameters in the request body:

`query`::
(Optional, string) A <<query-dsl,query>> to filter which users to return.
The query supports a subset of query types, including
<<query-dsl-match-all-query,`match_all`>>, <<query-dsl-bool-query,`bool`>>,
<<query-dsl-term-query,`term`>>, <<query-dsl-terms-query,`terms`>>,
<<query-dsl-match-query,`match`>>, <<query-dsl-ids-query,`ids`>>,
<<query-dsl-prefix-query,`prefix`>>, <<query-dsl-wildcard-query,`wildcard`>>,
<<query-dsl-exists-query,`exists`>>, <<query-dsl-range-query,`range`>>,
and <<query-dsl-simple-query-string-query,`simple query string`>>.
+
You can query the following public values associated with a user.
+
.Valid values for `query`
[%collapsible%open]
====
`username`::
An identifier for the user.

`roles`::
An array of the role names of the <<defining-roles, roles>> that are assigned to the user.

`full_name`::
Full name of the user.

`email`::
The email of the user.

`enabled`::
Specifies whether the user is enabled.
====

include::{es-ref-dir}/rest-api/common-parms.asciidoc[tag=from]
+
By default, you cannot page through more than 10,000 hits using the `from` and
`size` parameters. To page through more hits, use the
<<search-after,`search_after`>> parameter.

`size`::
(Optional, integer) The number of hits to return. Must not be negative and defaults to `10`.
+
By default, you cannot page through more than 10,000 hits using the `from` and
`size` parameters. To page through more hits, use the
<<search-after,`search_after`>> parameter.

`sort`::
(Optional, object) <<sort-search-results,Sort definition>>. You can sort on `username`, `roles` or `enabled`.
In addition, sort can also be applied to the `_doc` field to sort by index order.

`search_after`::
(Optional, array) <<search-after,Search after>> definition.

[[security-api-query-user-query-params]]
==== {api-query-parms-title}

`with_profile_uid`::
(Optional, boolean) Determines whether to retrieve the <<user-profile,user profile>> `uid`,
if exists, for the users. Defaults to `false`.

[[security-api-query-user-response-body]]
==== {api-response-body-title}

This API returns the following top level fields:

`total`::
The total number of users found.

`count`::
The number of users returned in the response.

`users`::
A list of users that match the query.

[[security-api-query-user-example]]
==== {api-examples-title}

The following request lists all users, assuming you have the
`read_security` privilege:

[source,console]
----
GET /_security/_query/user
----
// TEST[setup:jacknich_user,sandrakn_user]

A successful call returns a JSON structure that contains the information
retrieved from one or more users:

[source,console-result]
----
{
    "total": 2,
    "count": 2,
    "users": [ <1>
        {
            "username": "jacknich",
            "roles": [
                "admin",
                "other_role1"
            ],
            "full_name": "Jack Nicholson",
            "email": "jacknich@example.com",
            "metadata": {
                "intelligence": 7
            },
            "enabled": true
        },
        {
            "username": "sandrakn",
            "roles": [
                "admin",
                "other_role1"
            ],
            "full_name": "Sandra Knight",
            "email": "sandrakn@example.com",
            "metadata": {
                "intelligence": 7
            },
            "enabled": true
        }
    ]
}
----
// NOTCONSOLE

<1> The list of users that were retrieved for this request

If you create a user with the following details:

[source,console]
----
POST /_security/user/jacknich
{
  "password" : "l0ng-r4nd0m-p@ssw0rd",
  "roles" : [ "admin", "other_role1" ],
  "full_name" : "Jack Nicholson",
  "email" : "jacknich@example.com",
  "metadata" : {
    "intelligence" : 7
  }
}
----

A successful call returns a JSON structure:

[source,console-result]
----
{
  "created": true
}
----

Use the user information retrieve the user with a query:

[source,console]
----
POST /_security/_query/user
{
    "query": {
        "prefix": {
            "roles": "other"
        }
    }
}
----
// TEST[setup:jacknich_user]
A successful call returns a JSON structure for a user:

[source,console-result]
--------------------------------------------------
{
    "total": 1,
    "count": 1,
    "users": [
        {
            "username": "jacknich",
            "roles": [
                "admin",
                "other_role1"
            ],
            "full_name": "Jack Nicholson",
            "email": "jacknich@example.com",
            "metadata": {
                "intelligence": 7
            },
            "enabled": true
        }
    ]
}
--------------------------------------------------
// NOTCONSOLE

To retrieve the user `profile_uid` as part of the response:

[source,console]
--------------------------------------------------
POST /_security/_query/user?with_profile_uid=true
{
    "query": {
        "prefix": {
            "roles": "other"
        }
    }
}
--------------------------------------------------
// TEST[setup:jacknich_user]

[source,console-result]
--------------------------------------------------
{
    "total": 1,
    "count": 1,
    "users": [
        {
            "username": "jacknich",
            "roles": [
                "admin",
                "other_role1"
            ],
            "full_name": "Jack Nicholson",
            "email": "jacknich@example.com",
            "metadata": {
                "intelligence": 7
            },
            "enabled": true,
            "profile_uid": "u_79HkWkwmnBH5gqFKwoxggWPjEBOur1zLPXQPEl1VBW0_0"
        }
    ]
}
--------------------------------------------------
// NOTCONSOLE

Use a `bool` query to issue complex logical conditions and use
`from`, `size`, `sort` to help paginate the result:

[source,js]
----
POST /_security/_query/user
{
  "query": {
    "bool": {
      "must": [
        {
          "wildcard": {
            "email": "*example.com" <1>
          }
        },
        {
          "term": {
            "enabled": true <2>
          }
        }
      ],
      "filter": [
        {
          "wildcard": {
            "roles": "*other*" <3>
          }
        }
      ]
    }
  },
  "from": 1, <4>
  "size": 2, <5>
  "sort": [
    { "username": { "order": "desc"} } <6>
  ]
}
----
// NOTCONSOLE

<1> The email must end with `example.com`
<2> The user must be enabled
<3> The result will be filtered to only contain users with at least one role that contains the substring `other`
<4> The offset to begin the search result is the 2nd (zero-based index) user
<5> The page size of the response is 2 users
<6> The result is sorted by `username` in descending order

The response contains a list of matched users along with their sort values:

[source,js]
----
{
    "total": 5,
    "count": 2,
    "users": [
        {
            "username": "ray",
            "roles": [
                "other_role3"
            ],
            "full_name": "Ray Nicholson",
            "email": "rayn@example.com",
            "metadata": {
                "intelligence": 7
            },
            "enabled": true,
            "_sort": [
                "ray" <1>
            ]
        },
        {
            "username": "lorraine",
            "roles": [
                "other_role3"
            ],
            "full_name": "Lorraine Nicholson",
            "email": "lorraine@example.com",
            "metadata": {
                "intelligence": 7
            },
            "enabled": true,
            "_sort": [
                "lorraine"
            ]
        }
    ]
}
----
// NOTCONSOLE

<1> The sort value is `username`