Elasticsearch put role API
Problem description
I started using the create role API and it works as expected: https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-put-role.html
I got the list of default roles in elasticsearch from /_security/role, but I don't know how to create the following roles and am not able to find the proper docs for it.
I want to segregate the users based on the following needs:
- A role that has privileges to perform only READ/WRITE on all indices in Elasticsearch (this role should not have privileges to CREATE/DELETE indices)
- A role that has privileges to perform operations only on Kibana
- A role that has privileges to perform operations only on Logstash
Recommended answer
I want to segregate the users based on the following needs:
- A role that has privileges to perform operations only on Kibana
- A role that has privileges to perform operations only on Logstash
When creating / updating a role, you can find all valid privileges in the security privileges page of the elasticsearch 7.x documentation, then add / delete some of them in the role you update.
The role setup below should cover typical use cases of Kibana and Logstash:
- For Logstash user
  - add manage_index_templates to the cluster privilege list
  - add create_index and index to the index privilege list, for each index pattern
  - you may need create or create_doc in the index privilege list, in case you generate the _id field of a document externally (instead of the ID auto-generated by elasticsearch)
  - assign the new role you created to whatever users you like
# Quick example, with POST request
POST /_security/role/my_logstash_role
{
  "cluster": ["manage_index_templates"],
  "indices": [
    {
      "names": ["logstash-*", "YOUR_INDEX_PATTERN_2"],
      "privileges": ["create_index", "index"]
    }
  ],
  "applications": [
    {
      "application": "YOUR_APP_NAME",
      "privileges": ["YOUR_APP_PRIV"],
      "resources": ["*"]
    }
  ]
}
- For Kibana user
  - add read to the index privilege list, for each index pattern
  - assign the new role you created, and the built-in role kibana_system, to whatever users you like; note that kibana_system includes (1) a cluster privilege named monitor and (2) access permissions to some index patterns, e.g. .kibana*, .reporting-*, .monitoring-*, which are required by Kibana.
  - if you also use the Dev Tools console of Kibana to interact with the elasticsearch REST API, you may need to add a few more privileges like write, delete, manage ...etc to the role, which highly depends on the API endpoints you attempt to call.
# Quick example, with POST request
POST /_security/role/my_kibana_role
{
  "cluster": [],
  "indices": [
    {
      "names": ["logstash-*", "YOUR_INDEX_PATTERN_2"],
      "privileges": ["read"]
    }
  ],
  "applications": [
    {
      "application": "YOUR_APP_NAME",
      "privileges": ["YOUR_CUSTOM_APP_PRIV"],
      "resources": ["*"]
    }
  ]
}
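An added example (not code from the question or the answer above) that builds the three roles the question asks for as put role API request bodies, lints each one for privileges beyond the allow-list it is meant to have (so a "read/write only" role cannot quietly carry manage or delete_index), and flags index patterns that also cover dot-prefixed system indices, which a bare "*" does because role index patterns are plain wildcards. Role names, index patterns, the host URL and the credentials are assumptions; the Kibana application entry uses the application name and base privilege that the built-in kibana_admin role carries in 7.x. The put role API accepts PUT as well as POST, so the request is built with PUT and is not sent, which keeps the script runnable offline.

```python
"""Build, lint and prepare least-privilege roles for the Elasticsearch
put role API (/_security/role/<name>). Added example, not from the post."""
import base64
import fnmatch
import json
import urllib.request

# Constructed sample system-index names used to test role patterns against.
SYSTEM_INDEX_SAMPLES = [".security-7", ".kibana_1", ".monitoring-es-7-2021.01.01"]


def role_body(cluster=(), indices=(), applications=()):
    """Assemble a put-role request body.

    indices: iterable of (index_patterns, privileges) pairs
    applications: iterable of (application, privileges, resources) triples
    """
    body = {
        "cluster": list(cluster),
        "indices": [{"names": list(n), "privileges": list(p)} for n, p in indices],
    }
    if applications:
        body["applications"] = [
            {"application": a, "privileges": list(p), "resources": list(r)}
            for a, p, r in applications
        ]
    return body


def excess_privileges(body, allowed_cluster, allowed_index):
    """Return the set of cluster/index privileges in the role that are not
    on the allow-lists, i.e. what the role grants beyond its intent."""
    excess = set(body.get("cluster", [])) - set(allowed_cluster)
    for entry in body.get("indices", []):
        excess |= set(entry["privileges"]) - set(allowed_index)
    return excess


def patterns_covering_system_indices(body):
    """Index patterns in the role that also match dot-prefixed system
    indices. Role patterns are plain wildcards, so "*" matches ".security-7"."""
    hits = set()
    for entry in body.get("indices", []):
        for pattern in entry["names"]:
            if any(fnmatch.fnmatchcase(name, pattern) for name in SYSTEM_INDEX_SAMPLES):
                hits.add(pattern)
    return hits


def put_role_request(base_url, name, body, user, password):
    """Build (but do not send) the PUT request for the put role API."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        f"{base_url}/_security/role/{name}",
        data=json.dumps(body).encode(),
        method="PUT",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"},
    )


# The three roles the question asks for. Names and patterns are assumptions.
ROLES = {
    # read/write on documents in every index; no create_index / delete_index
    "data_rw": role_body(indices=[(["*"], ["read", "write"])]),
    # Logstash output: template management, index creation and indexing
    "logstash_writer": role_body(
        cluster=["manage_index_templates"],
        indices=[(["logstash-*"], ["create_index", "index", "create_doc"])]),
    # Kibana end user: read data plus the Kibana application privilege
    # (application name and "read" base privilege as in built-in kibana_admin)
    "kibana_reader": role_body(
        indices=[(["logstash-*"], ["read", "view_index_metadata"])],
        applications=[("kibana-.kibana", ["read"], ["*"])]),
}

# Intended allow-list per role (assumption): what each role may carry.
POLICY = {
    "data_rw": ([], ["read", "write"]),
    "logstash_writer": (["manage_index_templates"], ["create_index", "index", "create_doc"]),
    "kibana_reader": ([], ["read", "view_index_metadata"]),
}

if __name__ == "__main__":
    for name, body in ROLES.items():
        extra = excess_privileges(body, *POLICY[name])
        wide = patterns_covering_system_indices(body)
        print(f"{name}: excess={sorted(extra)} system-index patterns={sorted(wide)}")
        req = put_role_request("https://localhost:9200", name, body, "elastic", "changeme")
        print(req.get_method(), req.full_url, req.data.decode())
        # urllib.request.urlopen(req) would submit it; omitted so this runs offline.
```

Running it reports that data_rw has no excess privileges but that its "*" pattern also covers .security-7 and .kibana_1; if that is not intended, list the data index patterns explicitly instead of "*".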