1、Official documentation: https://www.elastic.co/guide/en/x-pack/current/index.html (the plugin install and the /_xpack/... API paths used throughout this page are the 5.x layout; from 6.3 X-Pack ships inside the default distribution, and 7.x moved the security API to /_security/).
2、Install X-Pack into Elasticsearch: bin/elasticsearch-plugin install x-pack
3、Start Elasticsearch: bin/elasticsearch
4、Install X-Pack into Kibana: bin/kibana-plugin install x-pack
5、Start Kibana: bin/kibana
6、Initial username and password. Navigate to Kibana at http://localhost:5601/ (Kibana's default port) and log in as the built-in elastic user with the password changeme. (In short: the initial username is elastic and the password is changeme. Every fresh install ships with these same credentials, so change them before the cluster is reachable by anyone else.)
7、Changing passwords. Change the password of the elastic user in Elasticsearch (the example sets it to "elastic" only to show the call; use a long, unique password in practice):
curl -XPUT -u elastic -H 'Content-Type: application/json' 'localhost:9200/_xpack/security/user/elastic/_password' -d '{
"password" : "elastic"
}'
Change the kibana user's password: before doing so, configure the Elasticsearch username and password in kibana.yml, otherwise the change fails with an error. Note that the Kibana server is meant to talk to Elasticsearch as the built-in kibana user rather than as the superuser elastic, and whatever password you assign to kibana below has to be the one written in kibana.yml, or Kibana can no longer reach its .kibana index after the next restart.
# If your Elasticsearch is protected with basic authentication, these settings provide
# the username and password that the Kibana server uses to perform maintenance on the Kibana
# index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
# is proxied through the Kibana server.
elasticsearch.username: "elastic"
elasticsearch.password: "your password"
curl -XPUT -u elastic -H 'Content-Type: application/json' 'localhost:9200/_xpack/security/user/kibana/_password' -d '{
"password" : "kibana"
}'
8、Role control. X-Pack ships built-in roles such as kibana_user and monitoring_user; custom roles are created through the role API. The following creates an events_admin role with full privileges on indices matching events* plus the .kibana* access Kibana needs, then creates a user jack that holds only that role (the six-character password is just the documented minimum from item 11, not a recommendation):
curl -XPOST -u elastic -H 'Content-Type: application/json' 'localhost:9200/_xpack/security/role/events_admin' -d '{
"indices" : [
{
"names" : [ "events*" ],
"privileges" : [ "all" ]
},
{
"names" : [ ".kibana*" ],
"privileges" : [ "manage", "read", "index" ]
}
]
}'
curl -XPOST -u elastic -H 'Content-Type: application/json' 'localhost:9200/_xpack/security/user/jack' -d '{
"password" : "123456",
"full_name" : "jack",
"email" : "jack@163.com",
"roles" : [ "events_admin" ]
}'
10、Enabling anonymous access. A request is treated as anonymous when no authentication token can be extracted from it. By default, anonymous requests are rejected with an authentication error (HTTP 401). To enable anonymous access, assign one or more roles to the anonymous user in the elasticsearch.yml configuration file. For example, the following configuration assigns the anonymous user the roles role1 and role2:
xpack.security.authc:
anonymous:
username: anonymous_user
roles: role1, role2
authz_exception: true
username: the username/principal of the anonymous user. Defaults to _es_anonymous_user if not specified.
roles: the roles associated with the anonymous user. If no roles are specified, anonymous access is disabled: anonymous requests are rejected with an authentication error.
authz_exception: when true (the default), an anonymous request that lacks the required privilege receives an HTTP 403 and is not prompted for credentials; when false it receives an HTTP 401 with a WWW-Authenticate header, so browsers and other clients can prompt for credentials instead. Whatever role1 and role2 grant is reachable by anyone who can connect to the port, so keep the anonymous roles to the bare minimum and verify the effective exposure by issuing a request with no credentials at all.
11、Adding users. To add a user, submit a PUT or POST request to the /_xpack/security/user/<username> endpoint. Usernames must be 1 to 30 characters long. The first character must be a letter (a-z or A-Z) or an underscore (_); subsequent characters may be letters, underscores (_), digits (0-9), or any of the symbols @, -, . or $.
POST /_xpack/security/user/jacknich
{
"password": "j@rV1s",
"roles": [
"admin",
"other_role1"
],
"full_name": "Jack Nicholson",
"email": "jacknich@example.com",
"metadata": {
"intelligence": 7
},
"enabled": true
}
- password: required when adding a user. Must be at least 6 characters long (treat this as a floor, not a target).
- roles: at least one role must be assigned; the roles determine what the user is allowed to access.
- full_name: the user's full name. Optional.
- email: the user's email address. Optional.
- metadata: arbitrary metadata to associate with the user. Optional. It is set through this API by whoever manages users, not by the user, which is why templated role queries (item 14) can rely on it.
- enabled: whether the user is enabled. Optional, defaults to true.
12、User management (command line). (1) List all users: curl -XGET -u elastic 'localhost:9200/_xpack/security/user'
(2) Add a user: curl -XPOST -u elastic -H 'Content-Type: application/json' 'localhost:9200/_xpack/security/user/demo' -d '{ "password" : "123456", "full_name" : "demo", "email" : "demo@163.com", "roles" : [ "clicks_admin" ] }'
(3) Get one user: curl -XGET -u elastic 'localhost:9200/_xpack/security/user/demo'
(4) Delete one user: curl -XDELETE -u elastic 'localhost:9200/_xpack/security/user/demo'
13、Role management (command line). (1) List all roles: curl -XGET -u elastic 'localhost:9200/_xpack/security/role'
(2) Add a role: curl -XPOST -u elastic -H 'Content-Type: application/json' 'localhost:9200/_xpack/security/role/clicks_admin' -d '{ "indices" : [ { "names" : [ "events*" ], "privileges" : [ "all" ] }, { "names" : [ ".kibana*" ], "privileges" : [ "manage", "read", "index" ] } ] }'
(3) Get one role: curl -XGET -u elastic 'localhost:9200/_xpack/security/role/clicks_admin'
(4) Delete one role: curl -XDELETE -u elastic 'localhost:9200/_xpack/security/role/clicks_admin'
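The curl commands in items 7, 8, 11, 12 and 13 all hit the same small API. The following Python helper is an added example for this page, not code from Elasticsearch or from the X-Pack documentation: it builds those same requests (change password, create role, create user) with the explicit Content-Type header and applies the username and password rules from item 11 before anything leaves the client. It assumes Elasticsearch on http://localhost:9200 with the 5.x /_xpack/security paths and HTTP basic auth; send() only does anything against a live cluster, and the helper function names are this example's own.

```python
"""Added example (not part of the original page or of Elasticsearch): build the
X-Pack security API calls shown above and validate inputs before sending.
Assumptions: 5.x paths under /_xpack/security, HTTP basic auth, localhost:9200."""
import base64
import json
import re
import urllib.request

# Documented username rules (item 11): 1-30 chars, first char a letter or '_',
# then letters, digits and the symbols _ @ - . $
USERNAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_@.$-]{0,29}")
MIN_PASSWORD_LEN = 6  # the documented floor; real passwords should be far longer


def validate_username(name):
    return USERNAME_RE.fullmatch(name) is not None


def validate_password(password):
    return len(password) >= MIN_PASSWORD_LEN


def build_request(method, path, body, auth, base_url="http://localhost:9200"):
    """Assemble method, URL, headers and encoded body for one API call.
    Content-Type is sent explicitly: ES 6+ rejects JSON bodies without it."""
    user, password = auth
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {
        "method": method,
        "url": base_url + path,
        "headers": {"Authorization": f"Basic {token}",
                    "Content-Type": "application/json"},
        "body": None if body is None else json.dumps(body).encode(),
    }


def change_password_request(target_user, new_password, auth):
    """PUT /_xpack/security/user/<name>/_password, as in item 7."""
    if not validate_username(target_user):
        raise ValueError(f"invalid username: {target_user!r}")
    if not validate_password(new_password):
        raise ValueError("password shorter than the documented minimum")
    return build_request("PUT", f"/_xpack/security/user/{target_user}/_password",
                         {"password": new_password}, auth)


def create_role_request(role_name, indices, auth):
    """POST /_xpack/security/role/<name> with the given index privileges (item 13)."""
    if not indices:
        raise ValueError("a role needs at least one index privilege entry")
    return build_request("POST", f"/_xpack/security/role/{role_name}",
                         {"indices": indices}, auth)


def create_user_request(name, password, roles, auth, **optional):
    """POST /_xpack/security/user/<name>; optional keys are full_name, email,
    metadata and enabled (item 11)."""
    if not validate_username(name):
        raise ValueError(f"invalid username: {name!r}")
    if not validate_password(password):
        raise ValueError("password shorter than the documented minimum")
    if not roles:
        raise ValueError("a user needs at least one role")
    body = {"password": password, "roles": list(roles)}
    body.update(optional)
    return build_request("POST", f"/_xpack/security/user/{name}", body, auth)


def send(request):
    """Perform a built request against a live cluster (not exercised offline)."""
    req = urllib.request.Request(request["url"], data=request["body"],
                                 headers=request["headers"], method=request["method"])
    with urllib.request.urlopen(req) as resp:
        return resp.status, json.loads(resp.read() or b"{}")


if __name__ == "__main__":
    admin = ("elastic", "changeme")  # built-in defaults from item 6; rotate them first
    role = [{"names": ["events*"], "privileges": ["all"]},
            {"names": [".kibana*"], "privileges": ["manage", "read", "index"]}]
    for r in (change_password_request("kibana", "kibana-new-password", admin),
              create_role_request("events_admin", role, admin),
              create_user_request("jack", "j@rV1s-long", ["events_admin"], admin,
                                  full_name="jack", email="jack@163.com")):
        print(r["method"], r["url"], r["body"].decode())
```

Run as a script it only builds and prints the three requests; pass each one to send() to apply it to a real cluster. Validation happens client-side so a bad username or short password fails before any credentials are transmitted.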
14、Field- and document-level security. (1) Field-level security. To enable field-level security, specify in the role definition which fields each role may access, as part of the index privileges. This ties field-level security to a well-defined set of indices (and possibly a set of documents).
The following role definition grants read access only to the category, @timestamp and message fields in all events-* indices:
{
"indices": [
{
"names": [ "events-*" ],
"privileges": [ "read" ],
"field_security" : {
"grant" : [ "category", "@timestamp", "message" ]
}
}
]
}
You can also specify field patterns. For example, the following grants read access to all fields that start with the event_ prefix:
{
"indices" : [
{
"names" : [ "*" ],
"privileges" : [ "read" ],
"field_security" : {
"grant" : [ "event_*" ]
}
}
]
}
Use dot notation to refer to nested fields in more complex documents. For example, given the following document:
{
"customer": {
"handle": "Jim",
"email": "jim@mycompany.com",
"phone": "555-555-5555"
}
}
the following role definition allows access only to the customer handle field:
{
"indices" : [
{
"names" : [ "*" ],
"privileges" : [ "read" ],
"field_security" : {
"grant" : [ "customer.handle" ]
}
}
]
}
This is where wildcard support shines. For example, customer.* grants read access to the customer data only:
{
"indices" : [
{
"names" : [ "*" ],
"privileges" : [ "read" ],
"field_security" : {
"grant" : [ "customer.*" ]
}
}
]
}
Similarly to granting field permissions, access to fields can be denied with the following syntax:
{
"indices" : [
{
"names" : [ "*" ],
"privileges" : [ "read" ],
"field_security" : {
"grant" : [ "*"],
"except": [ "customer.handle" ]
}
}
]
}
Omitting "field_security" from a role is equivalent to granting * (all fields). Denied fields can only be specified when access to other fields has been explicitly granted, and the except patterns must be a subset of the granted fields. A definition with both grant and except means access to all granted fields other than those matching an except pattern. Example:
{
"indices" : [
{
"names" : [ "*" ],
"privileges" : [ "read" ],
"field_security" : {
"except": [ "customer.handle" ],
"grant" : [ "customer.*" ]
}
}
]
}
(2) Field-level security and roles. When a user has several roles that specify field-level permissions, the resulting field-level permissions for each index are the union of the individual roles' permissions. For example, if these two roles are combined:
{
// role 1
...
"indices" : [
{
"names" : [ "*" ],
"privileges" : [ "read" ],
"field_security" : {
"grant": [ "a.*" ],
"except" : [ "a.b*" ]
}
}
]
}
{
// role 2
...
"indices" : [
{
"names" : [ "*" ],
"privileges" : [ "read" ],
"field_security" : {
"grant": [ "a.b*" ],
"except" : [ "a.b.c*" ]
}
}
]
}
the resulting permissions are equivalent to:
{
// role 1 + role 2
...
"indices" : [
{
"names" : [ "*" ],
"privileges" : [ "read" ],
"field_security" : {
"grant": [ "a.*" ],
"except" : [ "a.b.c*" ]
}
}
]
}
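To check how the grant/except patterns above actually combine, the following Python simulator is an added example (not Elasticsearch code, and not from the original page) that reproduces the semantics described in (1) and (2): '*' matches any run of characters including dots, a field is visible when it matches a grant pattern and no except pattern, a missing field_security means all fields, and a user with several roles gets the union of the per-role decisions. The sample document, index names and the role() helper are constructed for the example; it does not implement Elasticsearch's validation that except patterns are a subset of the grant patterns.

```python
"""Added example (not part of the original page or of Elasticsearch): simulate
field-level security decisions for one or more roles and apply them to a
constructed sample document."""
import re


def pattern_matches(pattern, name):
    """Wildcard match where '*' stands for any characters (dots included)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name) is not None


def field_allowed(field_security, field):
    """Decision for one index-privilege entry."""
    if field_security is None:  # omitted field_security is the same as grant ["*"]
        return True
    granted = any(pattern_matches(p, field) for p in field_security.get("grant", []))
    denied = any(pattern_matches(p, field) for p in field_security.get("except", []))
    return granted and not denied


def field_allowed_for_user(roles, index, field):
    """Union across roles: visible if any matching index entry of any role allows it."""
    for role in roles:
        for entry in role.get("indices", []):
            if any(pattern_matches(n, index) for n in entry.get("names", [])):
                if field_allowed(entry.get("field_security"), field):
                    return True
    return False


def flatten(doc, prefix=""):
    """{'customer': {'handle': 'Jim'}} -> {'customer.handle': 'Jim'}"""
    flat = {}
    for key, value in doc.items():
        path = prefix + key
        if isinstance(value, dict):
            flat.update(flatten(value, path + "."))
        else:
            flat[path] = value
    return flat


def unflatten(flat):
    doc = {}
    for path, value in flat.items():
        parts = path.split(".")
        node = doc
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = value
    return doc


def filter_document(roles, index, doc):
    """The view of `doc` (stored in `index`) that a user holding `roles` gets back."""
    visible = {f: v for f, v in flatten(doc).items()
               if field_allowed_for_user(roles, index, f)}
    return unflatten(visible)


# Constructed sample document, shaped like the customer example above.
SAMPLE_DOC = {
    "customer": {"handle": "Jim", "email": "jim@mycompany.com", "phone": "555-555-5555"},
    "order_id": 17,
}


def role(names, grant=None, except_=None):
    """Build a role with one read entry; grant=None leaves field_security out."""
    entry = {"names": names, "privileges": ["read"]}
    if grant is not None:
        entry["field_security"] = {"grant": grant}
        if except_:
            entry["field_security"]["except"] = except_
    return {"indices": [entry]}


if __name__ == "__main__":
    print(filter_document([role(["*"], ["customer.handle"])], "orders", SAMPLE_DOC))
    print(filter_document([role(["*"], ["*"], ["customer.handle"])], "orders", SAMPLE_DOC))
    # role 1 + role 2 from the text: the union behaves like grant a.* except a.b.c*
    roles = [role(["*"], ["a.*"], ["a.b*"]), role(["*"], ["a.b*"], ["a.b.c*"])]
    for f in ("a.x", "a.b", "a.b.d", "a.b.c", "a.b.cz"):
        print(f, field_allowed_for_user(roles, "idx", f))
```

The union check is the part worth running before granting a second role to an existing user: a field that one role hides with except is still returned when any other role grants it, exactly as the role 1 + role 2 example shows.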
(3) Document-level security. The following role definition grants read access only to documents in the events-* indices whose category is click (the query may be given as a JSON string, as here, or as an object, as in the next example):
{
"indices": [
{
"names": [ "events-*" ],
"privileges": [ "read" ],
"query": "{\"match\": {\"category\": \"click\"}}"
}
]
}
For example, the following role grants read access to all indices but restricts it to documents whose department_id equals 12:
{
"indices" : [
{
"names" : [ "*" ],
"privileges" : [ "read" ],
"query" : {
"term" : { "department_id" : 12 }
}
}
]
}
(4) Templated role queries. The role query can be a template that is rendered with details of the authenticated user when the request is executed. For example, the following role query uses a template to insert the username of the currently authenticated user (the key is spelled inline in 5.x; from 5.6 onward the same key is source):
{
"indices" : [
{
"names" : [ "my_index" ],
"privileges" : [ "read" ],
"query" : {
"template" : {
"inline" : {
"term" : { "acl.username" : "{{_user.username}}" }
}
}
}
}
]
}
You can also access custom user metadata. For example, if you maintain a group_id in the user metadata, you can apply document-level security on the group.id field of the documents:
{
"indices" : [
{
"names" : [ "my_index" ],
"privileges" : [ "read" ],
"query" : {
"template" : {
"inline" : {
"term" : { "group.id" : "{{_user.metadata.group_id}}" }
}
}
}
}
]
}
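The following Python simulator is an added example for the document-level security and templated role queries in (3) and (4); it is not Elasticsearch code and not from the original page. It takes a role query in any of the forms shown above (JSON string, plain object, or template with inline), substitutes the {{_user.<path>}} placeholders from the authenticated user's record, and evaluates the resulting term or match query against sample documents constructed here. The sample documents, the user record and the function names are this example's own. A placeholder the user record cannot satisfy raises an error rather than rendering as an empty string, so a user without the expected metadata key gets no documents instead of a widened query.

```python
"""Added example (not part of the original page or of Elasticsearch): render a
templated role query for a user and apply it to constructed sample documents."""
import json
import re

PLACEHOLDER = re.compile(r"\{\{\s*_user\.([A-Za-z0-9_.]+)\s*\}\}")


def lookup(obj, dotted_path):
    """Resolve 'a.b.c' against nested dicts; KeyError if any step is missing."""
    for part in dotted_path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            raise KeyError(dotted_path)
        obj = obj[part]
    return obj


def render(node, user):
    """Replace {{_user.<path>}} placeholders anywhere in the query structure."""
    if isinstance(node, dict):
        return {k: render(v, user) for k, v in node.items()}
    if isinstance(node, list):
        return [render(v, user) for v in node]
    if isinstance(node, str):
        whole = PLACEHOLDER.fullmatch(node)
        if whole:  # the value is exactly one placeholder: keep the native type
            return lookup(user, whole.group(1))
        return PLACEHOLDER.sub(lambda m: str(lookup(user, m.group(1))), node)
    return node


def resolve_role_query(role_query, user):
    """Accept the string form, the plain object form and the template form
    ("inline" in the examples above; 5.6+ spells the same key "source")."""
    if isinstance(role_query, str):
        role_query = json.loads(role_query)
    if "template" in role_query:
        tpl = role_query["template"]
        body = tpl["inline"] if "inline" in tpl else tpl["source"]
        return render(body, user)
    return render(role_query, user)


def doc_matches(query, doc):
    """Evaluate the two query types used in the examples above."""
    (kind, clause), = query.items()
    (field, value), = clause.items()
    try:
        actual = lookup(doc, field)
    except KeyError:
        return False
    if kind == "term":  # exact value; numbers and their string form are treated alike
        return actual == value or str(actual) == str(value)
    if kind == "match":  # simplified analysis: lowercased whitespace tokens
        return bool(set(str(value).lower().split()) & set(str(actual).lower().split()))
    raise ValueError(f"unsupported query type: {kind}")


def visible_documents(role_query, user, docs):
    """Documents from `docs` that `user` may read under `role_query`."""
    query = resolve_role_query(role_query, user)
    return [d for d in docs if doc_matches(query, d)]


# Constructed sample index contents and user record for the example.
SAMPLE_DOCS = [
    {"id": 1, "acl": {"username": "jack"}, "group": {"id": 7}, "category": "click"},
    {"id": 2, "acl": {"username": "jill"}, "group": {"id": 7}, "category": "view"},
    {"id": 3, "acl": {"username": "jack"}, "group": {"id": 9}, "category": "click"},
]
JACK = {"username": "jack", "metadata": {"group_id": 7}}

BY_USERNAME = {"template": {"inline": {"term": {"acl.username": "{{_user.username}}"}}}}
BY_GROUP = {"template": {"inline": {"term": {"group.id": "{{_user.metadata.group_id}}"}}}}
CLICKS_ONLY = '{"match": {"category": "click"}}'

if __name__ == "__main__":
    for name, q in (("by username", BY_USERNAME), ("by group", BY_GROUP), ("clicks", CLICKS_ONLY)):
        print(name, [d["id"] for d in visible_documents(q, JACK, SAMPLE_DOCS)])
```

Because the metadata used in BY_GROUP is written by the administrator through the user API (item 11) and cannot be changed by the user, the rendered filter is trustworthy; the fail-closed behaviour on a missing key is what you want to verify when rolling such a role out to users created before the metadata field existed.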