Restrict users' behaviour in elasticsearch


Question

How can I prohibit general users from using any requests except GET?

This should be applicable to both the terminal and the web browser.

For example, general users should not be able to use the following command in the terminal:

curl -XDELETE 'http://www.example.com:9200/customer/external/1?pretty' 

Is this sufficient to achieve the goal: https://www.elastic.co/guide/en/elasticsearch/reference/current/url-access-control.html ? Or do I have to set up other parameters to reach the above goal?

Also, how can I restrict general users from using a GET request to obtain too much data? For example:

curl 'https://www.example.com:9200/dummyindex1/_search?q=*:*&pretty'

Thanks

Answer

Shield is definitely an enterprise-grade security product from Elastic. Shield comes with a lot of security features along with authentication. It comes with authorization, SSL and LDAP integrations.

You can download Shield and start playing with it. You can directly jump to the Field and Document level security section, where you can set access for the users to only read the index, based on the authentication rules set by you.

These rules you can modify dynamically using the Elastic REST API, or you can configure them during deployment in the config files.

For dynamically changing the authentication rules, use the following REST API call:

POST /_shield/role/my_fls_role
{
  "indices": [
    {
      "names": [ "index1", "index2" ],
      "privileges": ["read"], 
      "fields": [ "title", "body" ]
    }
  ]
}

This also supports complex authentication rules, where you can set the rules for the fields for a particular role as well:

POST /_shield/role/customer_care
{
  "indices": [
    {
      "names": [ "*" ],
      "privileges": ["read"],
      "fields": [
            "issue_id",
            "description",
            "customer_handle",
            "customer_email",
            "customer_address",
            "customer_phone"
      ]
    }
  ]
}

You can configure multiple roles for multiple client apps for different access layers, and if you are looking at more enterprise-level security solutions you can configure these roles from LDAP as well, which is handled very beautifully by Elastic, as they cache the user credentials received from LDAP over the network to enhance performance.

Also, if you are not looking for such grade security solutions, you can look at an nginx/apache reverse proxy to authenticate the search requests before throwing them to the cluster.
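The reverse-proxy route mentioned in the answer, worked out for the two requirements in the question (GET only, and no oversized result pages), as an added example that is not part of the original post. It assumes Elasticsearch is bound to 127.0.0.1:9201 behind nginx on port 9200 and that general users' credentials live in /etc/nginx/es.htpasswd; both are assumptions, not values from the page.

```nginx
# Added example (not from the original answer): nginx as a GET-only gate in front of
# Elasticsearch. Assumed layout: nginx listens on 9200, the cluster is bound to
# 127.0.0.1:9201 so clients cannot bypass the proxy, htpasswd file is assumed too.
upstream elasticsearch {
    server 127.0.0.1:9201;
}

server {
    listen 9200;
    server_name www.example.com;

    # Every request authenticates first; this covers curl and browsers alike.
    auth_basic           "Elasticsearch";
    auth_basic_user_file /etc/nginx/es.htpasswd;

    # Cluster/node administration endpoints are never exposed to general users,
    # regardless of method (this regex location wins over the prefix location below).
    location ~ ^/(_cluster|_nodes|_bulk) {
        return 403;
    }

    location / {
        # Only GET (nginx implicitly allows HEAD with it) reaches the cluster.
        # The DELETE from the question is answered with 403 and never deletes anything.
        limit_except GET {
            deny all;
        }

        # Refuse searches that request a four-digit-or-larger page (size=1000+) up front.
        # The cluster-side cap for from+size remains index.max_result_window (default 10000).
        if ($arg_size ~ "^[0-9]{4,}$") {
            return 400;
        }

        proxy_pass http://elasticsearch;
        proxy_set_header Host $host;
    }
}
```

Note that the method restriction also blocks POST-based _search bodies, so clients of this proxy must send queries as GET query strings, exactly as in the question's second curl example.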
