I. Cluster-level permissions
1. Originally the custom role sg_zyl_role only had ALL permissions on every index and no cluster-level permissions at all
# the zyl script may monitor the cluster and may only operate on the customer index
sg_zyl_role:
  indices:
    '*':
      '*':
        - '*'
2. Create the user zyl, assign it the sg_zyl_role role, and use zyl to query the cluster node list
a. Create the user zyl by adding the following to sg_internal_users.yml:
[root@webSvr sgconfig]# vi sg_internal_users.yml
.......
zyl:
  hash: $2a$12$RuFlJX31YeaLehfz.LGTDuBwKNSaAblM5hddGlYmZWgnK8KA/.KGG
  #password is: zyl
Note: the hash value is the hash string produced from the password by plugins/search-guard-2/tools/hash.sh.
b. Bind user zyl to the role sg_zyl_role by adding the following to sg_roles_mapping.yml
[root@webSvr sgconfig]# vi sg_roles_mapping.yml
......
sg_zyl_role:
  users:
    - zyl
c. Write the configuration back to the cluster by running sgadmin.sh
d. Query as the user zyl:
[etl @webSvr ~]# curl -u zyl '192.168.129.116:9200/_cat/nodes?v'
Enter host password for user 'zyl': zyl
{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for cluster:monitor/state"}],"type":"security_exception","reason":"no permissions for cluster:monitor/state"},"status":403}
[etl@webSvr ~]$ cd /etl_home/elasticsearch-2.4.1/plugins/search-guard-2/
3. Edit sg_roles.yml and add ALL permissions at cluster level
[etl@webSvr sgconfig]$ vi sg_roles.yml
.......
# Allows each user to access own named index
sg_own_index:
  indices:
    '${user_name}':
      '*':
        - ALL
# the zyl script may monitor the cluster and may only operate on the customer index
sg_zyl_role:
  cluster:
    - '*'
  indices:
    '*':
      '*':
        - '*'
"sg_roles.yml" 195L, 5084C 已写入
4. Query the node list
[etl@webSvr sgconfig]$ curl -u zyl '192.168.129.116:9200/_cat/nodes?v'
Enter host password for user 'zyl':
host ip heap.percent ram.percent load node.role master name
192.168.129.116 192.168.129.116 12 99 0.12 d * node-116
192.168.129.119 192.168.129.119 7 99 0.85 d m node-119
II. Index-level permissions
1. With the sg_roles.yml configuration above, user zyl can operate on all indices; the following lists the indices
[etl@webSvr sgconfig]$ curl -u zyl '192.168.129.116:9200/_cat/indices?v'
Enter host password for user 'zyl':
health status index pri rep docs.count docs.deleted store.size pri.store.size
green open dic_etl 5 1 58 0 199.3kb 99.6kb
green open customer 5 1 1 0 7.3kb 3.6kb
green open searchguard 1 0 0 0 62.2kb 62.2kb
2. Modify sg_roles.yml, changing the index pattern * to cus*, so that the role has no permissions on any other index:
indices:
  'cus*':
    '*':
      - '*'
3. Query the document with type external and id 1 in the customer index:
[etl@webSvr sgconfig]$ curl -u zyl -XGET '192.168.129.116:9200/customer/external/1?pretty'
Enter host password for user 'zyl':
{
  "_index" : "customer",
  "_type" : "external",
  "_id" : "1",
  "_version" : 1,
  "found" : true,
  "_source" : {
    "name" : "John Doe"
  }
}
[etl@webSvr sgconfig]$ curl -u zyl -XGET '192.168.129.116:9200/dic_etl/hislog/322?pretty'
Enter host password for user 'zyl':
{
  "error" : {
    "root_cause" : [ {
      "type" : "security_exception",
      "reason" : "no permissions for indices:data/read/get"
    } ],
    "type" : "security_exception",
    "reason" : "no permissions for indices:data/read/get"
  },
  "status" : 403
}
The result shows that user zyl has no permission to query dic_etl; query it as the admin user instead
[etl@webSvr sgconfig]$ curl -u admin -XGET '192.168.129.116:9200/dic_etl/hislog/322?pretty'
Enter host password for user 'admin':
{
  "_index" : "dic_etl",
  "_type" : "hislog",
  "_id" : "322",
  "_version" : 1,
  "found" : true,
  "_source" : {
    "LOG_FIELD" : " START \r\n\r\n2017/04/28 14:01:37 - [父流程(322)] - 并行启动节点 [sql#204#] \r\n2017/04/28 14:01:37 - [父流程(322)] - 并行启动节点 [流程 2#223#] \r\n2017/04/28 14:01:37 - [父流程(322)] - 并行启动节点 [流程 1#222#] \r\n2017/04/28 14:01:37 - [父流程(322)] -
III. Case requirement (type-level control)
User zyl may create and delete documents of type external in the customer index, but may only query type internal, with no delete or create.
1. Modify the configuration file as follows:
# the zyl script may monitor the cluster and may only operate on the customer index
sg_zyl_role:
  cluster:
    - CLUSTER_MONITOR
  indices:
    'customer':
      'exter*':
        - CRUD
      'inter*':
        - "indices:monitor/*"
2. Run the script to reload the permissions
./plugins/search-guard-2/tools/sgadmin.sh -cn dic_etl -h 192.168.129.116 -cd plugins/search-guard-2/sgconfig -ks plugins/search-guard-2/sgconfig/admin-keystore.jks -kspass 12345678 -ts plugins/search-guard-2/sgconfig/truststore.jks -tspass 12345678 -nhnv
3. User zyl can no longer insert data into customer/internal/22
[etl@webSvr sgconfig]$ curl -u zyl -XPUT '192.168.129.116:9200/customer/internal/22?pretty' -d '
{
  "age": "28"
}'
Enter host password for user 'zyl':
{
  "error" : {
    "root_cause" : [ {
      "type" : "security_exception",
      "reason" : "no permissions for indices:data/write/index"
    } ],
    "type" : "security_exception",
    "reason" : "no permissions for indices:data/write/index"
  },
  "status" : 403
}
4. User zyl deletes data
[etl@webSvr sgconfig]$ curl -u zyl -XDELETE '192.168.129.116:9200/customer/external/2?pretty'
Enter host password for user 'zyl':
{
  "found" : true,
  "_index" : "customer",
  "_type" : "external",
  "_id" : "2",
  "_version" : 2,
  "_shards" : {
    "total" : 2,
    "successful" : 2,
    "failed" : 0
  }
}
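To see how the four versions of sg_zyl_role tried in sections I to III lead to the allow/deny results recorded above, here is an added Python model that is not part of the original post and not Search Guard's own code. It evaluates a request against a role the way the YAML is structured: index pattern, then type pattern, then permission patterns, with action-group names expanded first. The expansions of CRUD, READ, WRITE, CLUSTER_MONITOR and ALL, the action name indices:data/write/delete for a DELETE, and the role labels v1 to v4 are assumptions made only for this model; the other three action names are the ones printed in the 403 responses above.

```python
import fnmatch

# Constructed subset of the default Search Guard action groups (sg_action_groups.yml).
# These expansions are an assumption for this model; check the file shipped with
# your Search Guard version before relying on them.
ACTION_GROUPS = {
    "ALL": ["indices:*"],
    "CRUD": ["READ", "WRITE"],
    "READ": ["indices:data/read*"],
    "WRITE": ["indices:data/write*"],
    "CLUSTER_MONITOR": ["cluster:monitor/*"],
}

# The four versions of sg_zyl_role from the post, in the order they were tried,
# plus sg_own_index from the same sg_roles.yml excerpt. The v1..v4 labels are ours.
ROLES = {
    "v1_indices_only": {
        "indices": {"*": {"*": ["*"]}},
    },
    "v2_cluster_all": {
        "cluster": ["*"],
        "indices": {"*": {"*": ["*"]}},
    },
    "v3_cus_star": {
        "cluster": ["*"],
        "indices": {"cus*": {"*": ["*"]}},
    },
    "v4_type_level": {
        "cluster": ["CLUSTER_MONITOR"],
        "indices": {"customer": {"exter*": ["CRUD"], "inter*": ["indices:monitor/*"]}},
    },
    "sg_own_index": {
        "indices": {"${user_name}": {"*": ["ALL"]}},
    },
}

# Action names the post's curl calls resolve to. cluster:monitor/state,
# indices:data/read/get and indices:data/write/index appear verbatim in the 403
# messages above; the DELETE action name is the standard Elasticsearch one and is
# an assumption here.
REQUEST_ACTIONS = {
    ("GET", "_cat/nodes"): "cluster:monitor/state",
    ("GET", "doc"): "indices:data/read/get",
    ("PUT", "doc"): "indices:data/write/index",
    ("DELETE", "doc"): "indices:data/write/delete",
}


def expand(perms):
    """Recursively replace action-group names with the concrete patterns they stand for."""
    out = []
    for p in perms:
        if p in ACTION_GROUPS:
            out.extend(expand(ACTION_GROUPS[p]))
        else:
            out.append(p)
    return out


def matches_any(value, patterns):
    """Search Guard patterns are glob-like ('*', 'cus*', 'exter*'); fnmatch covers that."""
    return any(fnmatch.fnmatchcase(value, pat) for pat in patterns)


def cluster_allowed(role, action):
    # A role without a 'cluster' key grants no cluster-level action at all (section I, step 2d).
    return matches_any(action, expand(role.get("cluster", [])))


def index_allowed(role, user, index, doc_type, action):
    """Walk index pattern -> type pattern -> permissions; any matching path grants the action."""
    for index_pat, types in role.get("indices", {}).items():
        # ${user_name} is substituted with the authenticated user, as in sg_own_index.
        if not fnmatch.fnmatchcase(index, index_pat.replace("${user_name}", user)):
            continue
        for type_pat, perms in types.items():
            if fnmatch.fnmatchcase(doc_type, type_pat) and matches_any(action, expand(perms)):
                return True
    return False


def check(role_name, user, method, index=None, doc_type=None):
    """Return (allowed, reason); the reason mirrors the plugin's 403 'no permissions for' text."""
    role = ROLES[role_name]
    if index is None:
        action = REQUEST_ACTIONS[(method, "_cat/nodes")]
        ok = cluster_allowed(role, action)
    else:
        action = REQUEST_ACTIONS[(method, "doc")]
        ok = index_allowed(role, user, index, doc_type, action)
    return ok, "ok" if ok else "no permissions for " + action


if __name__ == "__main__":
    for role_name in ROLES:
        print(role_name)
        print("  GET _cat/nodes             ->", check(role_name, "zyl", "GET"))
        print("  GET customer/external/1    ->", check(role_name, "zyl", "GET", "customer", "external"))
        print("  GET dic_etl/hislog/322     ->", check(role_name, "zyl", "GET", "dic_etl", "hislog"))
        print("  PUT customer/internal/22   ->", check(role_name, "zyl", "PUT", "customer", "internal"))
        print("  DELETE customer/external/2 ->", check(role_name, "zyl", "DELETE", "customer", "external"))
```

Running the script prints the decision matrix for every role version. One thing the model makes visible that the post does not exercise: with the v4 role, a GET on customer/internal is refused too, because "indices:monitor/*" does not match indices:data/read/get, the action the plugin names in the 403 for a document read. If read-only access to the internal type is what is intended, the setting to compare is the READ action group on 'inter*', and the change should be verified with a curl GET on an internal document after re-running sgadmin.sh.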
Query from the web page: