Elasticsearch put role API


Problem description

I started using the create role API and it works as expected: https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-put-role.html

I got the list of default roles in elasticsearch, /_security/role, but I don't know how to create the following roles and am not able to find the proper docs for it.

I want to segregate the user based on the following needs,

  1. A role with permission to do only READ/WRITE on all indices in Elasticsearch (this role should not have CREATE/DELETE index permissions)
  2. A role with permission to operate only on Kibana
  3. A role with permission to operate only on Logstash

Recommended answer

I want to segregate the user based on the following needs,

  • A role with permission to operate only on Kibana
  • A role with permission to operate only on Logstash

When creating / updating a role, you can find all valid privileges in the security privileges page of the Elasticsearch 7.x documentation, then add / delete some of them in the role you update.

The role setup below should cover typical use cases of Kibana and Logstash:

  • For Logstash user
    • add manage_index_templates to the cluster privilege list
    • add create_index and index to the indices privilege list, for each index pattern
    • you may need create or create_doc in the indices privilege list, in case you generate the _id field of a document externally (instead of an auto-generated ID by elasticsearch)
    • assign the new role you created to whatever users you like

    Quick example, with POST request /_security/role/my_logstash_role (trailing commas removed so the body is valid JSON):

    {
      "cluster": ["manage_index_templates"],
      "indices": [
        {
          "names": [ "logstash-*", "YOUR_INDEX_PATTERN_2" ],
          "privileges": ["create_index", "index"]
        }
      ],
      "applications": [
        {
          "application": "YOUR_APP_NAME",
          "privileges": [ "YOUR_APP_PRIV" ]
        }
      ]
    }
      

  • For Kibana user
    • add read to the indices privilege list, for each index pattern
    • assign the new role you created, and the built-in role kibana_system, to whatever users you like; note kibana_system includes (1) a cluster privilege named monitor and (2) access permissions to some index patterns, e.g. .kibana*, .reporting-*, .monitoring-*, which are required by Kibana.
    • if you also use the DevTool console of Kibana to interact with the elasticsearch REST API, you may need to add a few more privileges like write, delete, manage ...etc to the role, which highly depends on the API endpoints you attempt to call.

    Quick example, with POST request /_security/role/my_kibana_role (trailing commas removed so the body is valid JSON):

    {
      "cluster": [],
      "indices": [
        {
          "names": [ "logstash-*", "YOUR_INDEX_PATTERN_2" ],
          "privileges": ["read"]
        }
      ],
      "applications": [
        {
          "application": "YOUR_APP_NAME",
          "privileges": [ "YOUR_CUSTOM_APP_PRIV" ]
        }
      ]
    }
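As an added example (not part of the answer above or of Elasticsearch itself), the Python below builds the three role bodies from the question with the privilege names the answer lists, serialises each as valid JSON for the put role API, and checks that a role carries no index-management privilege. The set INDEX_MANAGEMENT_PRIVS and the reading of READ/WRITE as the read and write index privileges are assumptions of this example; nothing is sent over the network.

```python
import json

# Assumed set (my choice, not from the page): index privileges that let a role
# create or drop indices, which the question's first role must not carry.
INDEX_MANAGEMENT_PRIVS = {"all", "manage", "create_index", "delete_index"}


def build_role(cluster=(), index_patterns=(), index_privs=(), applications=()):
    """Build a role body for PUT /_security/role/<name>, as valid JSON data."""
    role = {"cluster": list(cluster), "indices": [], "applications": list(applications)}
    if index_patterns:
        role["indices"].append({"names": list(index_patterns),
                                "privileges": list(index_privs)})
    return role


def index_management_violations(role):
    """Return the index privileges in `role` that allow creating/deleting indices."""
    found = set()
    for entry in role.get("indices", []):
        found |= set(entry.get("privileges", [])) & INDEX_MANAGEMENT_PRIVS
    return sorted(found)


def put_role_request(name, role):
    """Return (method, path, body) for the put role API call; nothing is sent."""
    return "PUT", f"/_security/role/{name}", json.dumps(role, indent=2)


# The three roles from the question, with the privilege names the answer uses.
# "read" + "write" for the first role is an assumption about what READ/WRITE means.
READ_WRITE_ONLY = build_role(index_patterns=["*"], index_privs=["read", "write"])
LOGSTASH_WRITER = build_role(cluster=["manage_index_templates"],
                             index_patterns=["logstash-*"],
                             index_privs=["create_index", "index"])
KIBANA_READER = build_role(index_patterns=["logstash-*"], index_privs=["read"])

if __name__ == "__main__":
    roles = [("rw_only_role", READ_WRITE_ONLY),
             ("my_logstash_role", LOGSTASH_WRITER),
             ("my_kibana_role", KIBANA_READER)]
    for name, role in roles:
        method, path, body = put_role_request(name, role)
        print(f"{method} {path}  index-management privileges: "
              f"{index_management_violations(role) or 'none'}")
        print(body)
```

The Logstash role is reported as carrying create_index, which is exactly the privilege the question's first role must not have; that is the check to run before a role body is pushed to the API.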