Elasticsearch put role API
Question
I started using the create role API and it works as expected: https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-put-role.html
I got the list of default roles in Elasticsearch, /_security/role, but I don't know how to create the following roles and am not able to find the proper docs for it.
I want to segregate the user based on the following needs,
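- A role that has the privilege to perform only READ/WRITE on all indices in Elasticsearch (this role should not have privileges to create/delete an index)
- A role that has the privilege to perform operations only on Kibana
- A role that has the privilege to perform operations only on Logstash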
Recommended answer
I want to segregate the user based on the following needs,
- A role that has the privilege to perform operations only on Kibana
- A role that has the privilege to perform operations only on Logstash
When creating / updating a role, you can find all valid privileges in the security privileges of the Elasticsearch 7.x documentation, then add / delete some of them in the role you update.
The role setup below should cover typical use cases of Kibana and Logstash:
- For Logstash user
  - add `manage_index_templates` to cluster privilege list
  - add `create_index` and `index` to indices privilege list, for each index pattern
  - you may need `create` or `create_doc` in the indices privilege list, in case you generate the `_id` field of a document externally (instead of auto-generated ID by Elasticsearch)
  - assign the new role you created to whatever users you like
```
# Quick example, with POST request
POST /_security/role/my_logstash_role
{
  "cluster": ["manage_index_templates"],
  "indices": [
    {
      "names": [ "logstash-*", "YOUR_INDEX_PATTERN_2" ],
      "privileges": ["create_index", "index"]
    }
  ],
  "applications": [
    {
      "application": "YOUR_APP_NAME",
      "privileges": [ "YOUR_APP_PRIV" ]
    }
  ]
}
```
- For Kibana user
  - add `read` to indices privilege list, for each index pattern
  - assign the new role you created, and built-in role `kibana_system`, to whatever users you like; note `kibana_system` includes (1) a cluster privilege named `monitor` and (2) access permissions to some index patterns, e.g. `.kibana*`, `.reporting-*`, `.monitoring-*`, which are required by Kibana.
  - if you also use the DevTool console of Kibana to interact with the Elasticsearch REST API, you may need to add a few more privileges like `write`, `delete`, `manage`, etc. to the role, which highly depends on the API endpoints you attempt to call.
```
# Quick example, with POST request
POST /_security/role/my_kibana_role
{
  "cluster": [],
  "indices": [
    {
      "names": [ "logstash-*", "YOUR_INDEX_PATTERN_2" ],
      "privileges": ["read"]
    }
  ],
  "applications": [
    {
      "application": "YOUR_APP_NAME",
      "privileges": [ "YOUR_CUSTOM_APP_PRIV" ]
    }
  ]
}
```
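An added example, not part of the original answer and not Elastic's own tooling: a Python check for the question's first need (read/write on all indices without the ability to create or delete an index), which the answer does not cover. It assumes `read` plus `write` on `*` is the intended data-only grant and treats `all`, `manage`, `create_index` and `delete_index` as the index privileges that permit index creation or deletion; the role name `my_readwrite_role` is hypothetical.

```python
import json

# Index privileges that let a role create or delete whole indices (assumption of
# this example): "all" and "manage" include index administration, the other two
# grant it explicitly.
INDEX_LIFECYCLE_PRIVS = {"all", "manage", "create_index", "delete_index"}

# Constructed role bodies. my_readwrite_role is hypothetical (the question's first
# need); the other two mirror the answer's examples without the placeholder parts.
ROLES = {
    "my_readwrite_role": {
        "cluster": [],
        "indices": [{"names": ["*"], "privileges": ["read", "write"]}],
    },
    "my_logstash_role": {
        "cluster": ["manage_index_templates"],
        "indices": [{"names": ["logstash-*"], "privileges": ["create_index", "index"]}],
    },
    "my_kibana_role": {
        "cluster": [],
        "indices": [{"names": ["logstash-*"], "privileges": ["read"]}],
    },
}


def lifecycle_findings(role):
    """Return (index_pattern, privilege) pairs that allow creating or deleting indices."""
    findings = []
    for entry in role.get("indices", []):
        risky = sorted(INDEX_LIFECYCLE_PRIVS.intersection(entry.get("privileges", [])))
        for pattern in entry.get("names", []):
            findings.extend((pattern, priv) for priv in risky)
    return findings


def request_for(name, role):
    """Render a console-style request; json.dumps never emits trailing commas."""
    return f"POST /_security/role/{name}\n{json.dumps(role, indent=2)}"


def audit(roles):
    """Map each role name to its findings (an empty list means data access only)."""
    return {name: lifecycle_findings(body) for name, body in roles.items()}


if __name__ == "__main__":
    for name, findings in audit(ROLES).items():
        print(request_for(name, ROLES[name]))
        print("create/delete-index privileges:", findings or "none", "\n")
```

The Logstash role is reported because it needs `create_index` by design; a finding on a role meant only for reading and writing documents is the case to fix before sending the request.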