I started using the create role API and it works as expected: https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-put-role.html
I got the li
I want to segregate the user based on the following needs,
- Role which has the privilege to perform only operations on Kibana
- Role which has the privilege to perform only operations on Logstash
When creating / updating a role, you can find all valid privileges in the security privileges of the Elasticsearch 7.x documentation, then add / delete some of them in the role you update.
The role setup below should cover typical use cases of Kibana and Logstash:
- manage_index_templates to cluster privilege list
- create_index and index to indices privilege list, for each index pattern
- create or create_doc in the indices privilege list, in case you generate the _id field of a document externally (instead of the ID auto-generated by Elasticsearch)

```
# Quick example, with POST request /_security/role/my_logstash_role
{
  "cluster": ["manage_index_templates"],
  "indices": [
    {
      "names": [ "logstash-*", "YOUR_INDEX_PATTERN_2" ],
      "privileges": ["create_index", "index"]
    }
  ],
  "applications": [
    {
      "application": "YOUR_APP_NAME",
      "privileges": [ "YOUR_APP_PRIV" ]
    }
  ]
}
```
- read to indices privilege list, for each index pattern
- kibana_system to whatever users you like; note kibana_system includes (1) a cluster privilege named monitor and (2) access permissions to some index patterns, e.g. .kibana*, .reporting-*, .monitoring-*, which are required by Kibana.
- write, delete, manage ... etc. to the role, which highly depends on the API endpoints you attempt to call.

```
# Quick example, with POST request /_security/role/my_kibana_role
{
  "cluster": [],
  "indices": [
    {
      "names": [ "logstash-*", "YOUR_INDEX_PATTERN_2" ],
      "privileges": ["read"]
    }
  ],
  "applications": [
    {
      "application": "YOUR_APP_NAME",
      "privileges": [ "YOUR_CUSTOM_APP_PRIV" ]
    }
  ]
}
```
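A pre-flight check for role bodies like the two above, as an added example that is not part of the original answer: it parses the body strictly (a trailing comma is rejected), compares the granted privileges with the ones the answer lists for each purpose, and flags index patterns that would also match the Kibana-owned patterns the answer mentions. The `ALLOWED` table, the sample index names and the function names are assumptions of this example.

```python
import json
import re

# Privileges the answer lists for each purpose (allowlist is this example's assumption).
ALLOWED = {
    "logstash": {"cluster": {"manage_index_templates"},
                 "indices": {"create_index", "index", "create", "create_doc"}},
    "kibana": {"cluster": set(), "indices": {"read"}},
}
# Constructed index names standing in for the Kibana-owned patterns the answer mentions.
SYSTEM_SAMPLES = [".kibana_1", ".reporting-2020.01", ".monitoring-es-7"]


def parse_role(text):
    """Parse a role body strictly; a trailing comma raises ValueError."""
    return json.loads(text)


def wildcard_match(pattern, name):
    """Match an index pattern in which '*' is the only wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name) is not None


def lint_role(purpose, role):
    """Return findings for privileges or patterns broader than the allowlist."""
    allowed, findings = ALLOWED[purpose], []
    for priv in role.get("cluster", []):
        if priv not in allowed["cluster"]:
            findings.append(f"cluster privilege not expected: {priv}")
    for entry in role.get("indices", []):
        for priv in entry.get("privileges", []):
            if priv not in allowed["indices"]:
                findings.append(f"index privilege not expected: {priv}")
        for pattern in entry.get("names", []):
            hit = [s for s in SYSTEM_SAMPLES if wildcard_match(pattern, s)]
            if hit:
                findings.append(f"pattern {pattern!r} also matches {hit[0]}")
    return findings


# Constructed role bodies modelled on the two examples above.
LOGSTASH_ROLE = parse_role('{"cluster": ["manage_index_templates"], "indices": '
                           '[{"names": ["logstash-*"], "privileges": ["create_index", "index"]}]}')
KIBANA_ROLE = parse_role('{"cluster": [], "indices": '
                         '[{"names": ["logstash-*"], "privileges": ["read"]}]}')
TOO_BROAD = {"cluster": ["all"], "indices": [{"names": ["*"], "privileges": ["read", "delete"]}]}

if __name__ == "__main__":
    for name, purpose, role in [("my_logstash_role", "logstash", LOGSTASH_ROLE),
                                ("my_kibana_role", "kibana", KIBANA_ROLE),
                                ("too_broad", "kibana", TOO_BROAD)]:
        print(name, lint_role(purpose, role) or "ok")
```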