Goal
Assign user roles and permissions in Elasticsearch.
Steps
Elasticsearch setup
Enable security
bin/elasticsearch -E node.name=node0 -E cluster.name=mycluster -E path.data=node0_data -E http.port=9200 -E xpack.security.enabled=true
Try viewing the cluster
Open the link:
http://localhost:9200/_cat/nodes?pretty
The result is as follows:
Set the passwords of the built-in ES users
bin/elasticsearch-setup-passwords interactive
After the passwords are set, the passwords of the following 6 users have been changed.
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]
Test whether the setting took effect
curl -u elastic 'localhost:9200/_cat/nodes?pretty'
Enter host password for user 'elastic':
127.0.0.1 33 97 8 1.70 dilm * node0
Kibana setup
Set the account Kibana uses to access the ES cluster
# Edit the Kibana configuration file
vim ~/Downloads/kibana-7.6.1-darwin-x86_64/config/kibana.yml
Find the following lines in the file and edit them:
# If your Elasticsearch is protected with basic authentication, these settings provide
# the username and password that the Kibana server uses to perform maintenance on the Kibana
# index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
# is proxied through the Kibana server.
# elasticsearch.username: "kibana"
# elasticsearch.password: "pass"
Uncomment elasticsearch.username and elasticsearch.password and set the password Kibana uses to access the ES cluster; that is all that is needed.
Start Kibana
~/Downloads/kibana-7.6.1-darwin-x86_64/bin/kibana
Log in to Kibana with an ES account
Open the link:
http://localhost:5601
The result is shown in the figure below:
The account used here is elastic, which is the ES superuser.
RBAC setup
Write seed data
# Write a document, which also creates the my_index index
PUT my_index/_doc/1
{
"full_text": "Quick Brown Foxes!"
}
# Write result
{
"_index" : "my_index",
"_type" : "_doc",
"_id" : "1",
"_version" : 1,
"result" : "created",
"_shards" : {
"total" : 2,
"successful" : 1,
"failed" : 0
},
"_seq_no" : 0,
"_primary_term" : 1
}
# An exact match can be done as follows
GET my_index/_search?pretty
{
"query": {
"term": {
"full_text.keyword": "Quick Brown Foxes!"
}
}
}
# Search result:
{
"took" : 0,
"timed_out" : false,
"_shards" : {
"total" : 1,
"successful" : 1,
"skipped" : 0,
"failed" : 0
},
"hits" : {
"total" : {
"value" : 1,
"relation" : "eq"
},
"max_score" : 0.2876821,
"hits" : [
{
"_index" : "my_index",
"_type" : "_doc",
"_id" : "1",
"_score" : 0.2876821,
"_source" : {
"full_text" : "Quick Brown Foxes!"
}
}
]
}
}
Set up the role
After preparing the seed data, set up the read permission and role for the index my_index, as shown in the figure below:
Set the Kibana privileges for this role, read_my_index:
Set up the user
Test the RBAC effect
Log in to Kibana as the user my_user, then run a query and a delete against my_index:
# An exact match can be done as follows
GET my_index/_search?pretty
{
"query": {
"term": {
"full_text.keyword": "Quick Brown Foxes!"
}
}
}
# Query result:
{
"took" : 0,
"timed_out" : false,
"_shards" : {
"total" : 1,
"successful" : 1,
"skipped" : 0,
"failed" : 0
},
"hits" : {
"total" : {
"value" : 1,
"relation" : "eq"
},
"max_score" : 0.2876821,
"hits" : [
{
"_index" : "my_index",
"_type" : "_doc",
"_id" : "1",
"_score" : 0.2876821,
"_source" : {
"full_text" : "Quick Brown Foxes!"
}
}
]
}
}
# Try to delete the index
DELETE my_index
# Delete result:
{
"error" : {
"root_cause" : [
{
"type" : "security_exception",
"reason" : "action [indices:admin/delete] is unauthorized for user [my_user]"
}
],
"type" : "security_exception",
"reason" : "action [indices:admin/delete] is unauthorized for user [my_user]"
},
"status" : 403
}
This shows that ES RBAC is in effect: this user has only query permission on the index and no delete permission.
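The role and user above were created in the Kibana UI. As an added example (not from the original post), the same read_my_index role and my_user can be created through the Elasticsearch security API and the RBAC outcome checked directly against ES, without going through Kibana. It assumes ES 7.x at http://localhost:9200 with security enabled, as set up earlier on the page; the passwords are read at runtime.

```python
"""Create read_my_index and my_user via the ES security API, then verify
that my_user can search my_index but gets a 403 when deleting it."""
import base64
import json
import urllib.error
import urllib.request

ES_URL = "http://localhost:9200"  # assumed: the node started earlier on the page


def role_body(index: str) -> dict:
    # Only the "read" index privilege: no write, delete or index-admin actions.
    return {"indices": [{"names": [index], "privileges": ["read"]}]}


def user_body(password: str, role: str) -> dict:
    return {"password": password, "roles": [role], "full_name": "RBAC test user"}


def is_unauthorized(status: int, body: dict) -> bool:
    """True when ES refused the action with the security_exception / 403 shape."""
    return status == 403 and body.get("error", {}).get("type") == "security_exception"


def request(method, path, user, password, body=None):
    """Minimal basic-auth JSON client returning (status, parsed body)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(ES_URL + path, data=data, method=method)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")


def setup_and_check(admin_pw: str, user_pw: str) -> bool:
    """Create role and user as elastic, then probe my_index as my_user."""
    request("PUT", "/_security/role/read_my_index", "elastic", admin_pw, role_body("my_index"))
    request("PUT", "/_security/user/my_user", "elastic", admin_pw, user_body(user_pw, "read_my_index"))
    query = {"query": {"term": {"full_text.keyword": "Quick Brown Foxes!"}}}
    s_status, _ = request("POST", "/my_index/_search", "my_user", user_pw, query)
    d_status, d_body = request("DELETE", "/my_index", "my_user", user_pw)
    return s_status == 200 and is_unauthorized(d_status, d_body)


if __name__ == "__main__":
    import getpass
    ok = setup_and_check(getpass.getpass("elastic password: "), getpass.getpass("my_user password: "))
    print("RBAC behaves as expected:", ok)
```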