Elasticsearch put role API


Problem description

I started using the create role API and it works as expected: https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-put-role.html

I got the list of default roles in Elasticsearch, /_security/role, but I don't know how to create the following roles and am not able to find the proper docs for it.

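I want to segregate the user based on the following needs:

  1. A role that has the privilege to perform only READ/WRITE on all the indices in Elasticsearch (this role should not have the privilege to create/delete an index)
  2. A role that has the privilege to perform operations only on Kibana
  3. A role that has the privilege to perform operations only on Logstash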

Recommended answer

I want to segregate the user based on the following needs,

  • A role that has the privilege to perform operations only on Kibana
  • A role that has the privilege to perform operations only on Logstash

When creating / updating a role, you can find all valid privileges in the security privileges page of the Elasticsearch 7.x documentation, then add / delete some of them in the role you update.

The role setup below should cover typical use cases of Kibana and Logstash:

  • For Logstash user
    • add manage_index_templates to the cluster privilege list
    • add create_index and index to the indices privilege list, for each index pattern
    • you may need create or create_doc in the indices privilege list, in case you generate the _id field of a document externally (instead of an auto-generated ID by Elasticsearch)
    • assign the new role you created to whatever users you like
      # Quick example, with POST request /_security/role/my_logstash_role

      {
        "cluster": ["manage_index_templates"],
        "indices": [
          {
            "names": [ "logstash-*", "YOUR_INDEX_PATTERN_2" ],
            "privileges": ["create_index", "index"]
          }
        ],
        "applications": [
          {
            "application": "YOUR_APP_NAME",
            "privileges": [ "YOUR_APP_PRIV" ]
          }
        ]
      }
      

  • For Kibana user
    • add read to the indices privilege list, for each index pattern
    • assign the new role you created, and the built-in role kibana_system, to whatever users you like; note kibana_system includes (1) a cluster privilege named monitor and (2) access permissions to some index patterns, e.g. .kibana*, .reporting-*, .monitoring-*, which are required by Kibana.
    • if you also use the DevTool console of Kibana to interact with the Elasticsearch REST API, you may need to add a few more privileges like write, delete, manage, etc. to the role, which highly depends on the API endpoints you attempt to call.
      # Quick example, with POST request /_security/role/my_kibana_role

      {
        "cluster": [],
        "indices": [
          {
            "names": [ "logstash-*", "YOUR_INDEX_PATTERN_2" ],
            "privileges": ["read"]
          }
        ],
        "applications": [
          {
            "application": "YOUR_APP_NAME",
            "privileges": [ "YOUR_CUSTOM_APP_PRIV" ]
          }
        ]
      }
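
Added example, not part of the original answer: a small Python check that parses role bodies as strict JSON and reports index privileges that permit creating or deleting indices, which is what the question's first role (read/write only) must avoid. The helper name audit_role, the role my_readwrite_role and its choice of read and write are assumptions made for this illustration; the role bodies are constructed from the answer's examples.

```python
import json

# Index privileges that allow creating or deleting indices, taken from the
# Elasticsearch security privileges documentation (assumed to apply to 7.x).
INDEX_LIFECYCLE_PRIVS = {
    "all": "create and delete",
    "manage": "create and delete",
    "create_index": "create",
    "delete_index": "delete",
}


def audit_role(name, body):
    """Return one finding per index privilege that permits index create/delete."""
    role = json.loads(body)  # strict JSON: a trailing comma raises ValueError
    findings = []
    for entry in role.get("indices", []):
        for priv in entry.get("privileges", []):
            effect = INDEX_LIFECYCLE_PRIVS.get(priv)
            if effect:
                findings.append((name, tuple(entry["names"]), priv, effect))
    return findings


# Constructed role bodies. The first two mirror the answer's examples; the
# third is a hypothetical read/write-only role for the question's first need.
ROLES = {
    "my_logstash_role": '{"cluster": ["manage_index_templates"], "indices": '
        '[{"names": ["logstash-*"], "privileges": ["create_index", "index"]}]}',
    "my_kibana_role": '{"cluster": [], "indices": '
        '[{"names": ["logstash-*"], "privileges": ["read"]}]}',
    "my_readwrite_role": '{"indices": '
        '[{"names": ["*"], "privileges": ["read", "write"]}]}',
}

if __name__ == "__main__":
    for role_name, role_body in ROLES.items():
        hits = audit_role(role_name, role_body)
        for _, names, priv, effect in hits:
            print(f"{role_name}: '{priv}' on {list(names)} can {effect} indices")
        if not hits:
            print(f"{role_name}: no index create/delete privileges")
```

Run it over role bodies before sending them to /_security/role/<name>; a finding on a role meant to be read/write only means the privilege list is broader than intended.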
              
