Elasticsearch User Management: Creating Users, Roles, Granting Privileges, Querying Privileges and LDAP Authentication in Elasticsearch 8.0

Published: 2025-03-19 ⋅ Reads: (15) ⋅ Likes: (0)

https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api.html
https://www.elastic.co/guide/en/elasticsearch/reference/current/security-privileges.html#privileges-list-indices
https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html#ref-ldap-settings
https://www.elastic.co/guide/en/elasticsearch/reference/current/ldap-realm.html#mapping-roles-ldap

Summary:
1. A user's privileges in Elasticsearch are bound to the roles assigned to that user; there is no syntax that grants or changes a user's privileges on particular indices directly. To change what a user may do, change the privileges held by the corresponding role.
2. Role mappings in Elasticsearch are mainly used to map users or groups from external authentication systems (such as LDAP or SAML) to roles dynamically. For local users (native realm), roles are normally assigned directly via _security/user/kibanauser1.
3. Elasticsearch requires a license before the LDAP feature can be configured and used.

Default accounts and roles
After Elasticsearch is installed there are 7 built-in accounts by default: elastic (role superuser), kibana (role kibana_system), kibana_system (role kibana_system), logstash_system (role logstash_system), beats_system (role beats_system), apm_system (role apm_system) and remote_monitoring_user (roles remote_monitoring_collector and remote_monitoring_agent).

After installation there are also roughly 30 built-in roles, including superuser, transform_admin, kibana_admin, kibana_user, kibana_system, watcher_admin, watcher_user and monitoring_user.

Anonymous access
After adding an anonymous user anonymous_user with the anonymous role superuser to /etc/elasticsearch/elasticsearch.yml and restarting, the user anonymous_user was created automatically; the role superuser already existed, so nothing changed there. After changing /etc/elasticsearch/elasticsearch.yml again to anonymous user testuser1 with anonymous role testrole1 and restarting, the user testuser1 was created automatically, the previous user anonymous_user was deleted automatically, and the role testrole1 was not created. Because the role testrole1 does not exist, an anonymous curl -XGET "https://woncnesdbtest1:9200/_security/user?pretty" -k fails with: action [cluster:admin/xpack/security/user/get] is unauthorized for user [testuser1] with effective roles [] (assigned roles [testrole1] were not found), this action is granted by the cluster privileges [read_security,manage_security,all]. On a 4-node cluster where neither user testuser1 nor role testrole1 exists, if the first three nodes are configured with anonymous user testuser1 and anonymous role testrole1 while the fourth node is configured with anonymous user testuser1 and anonymous role superuser, anonymous access to the first three nodes fails but anonymous access to the fourth node works.
xpack.security.authc.anonymous.username: anonymous_user
xpack.security.authc.anonymous.roles: superuser

Viewing users and roles
curl -XGET -uelastic:XXXXXX "https://woncnesdbtest1:9200/_security/role?pretty" -k
curl -XGET -uelastic:XXXXXX "https://woncnesdbtest1:9200/_security/user?pretty" -k

Viewing native users; a native user here means a non-built-in user, i.e. one created with the _security/user API
curl -XGET -uelastic:XXXXXX "https://woncnesdbtest1:9200/_security/_query/user?pretty" -k

Viewing a specific user user1, which may be a native or a built-in user; the output shows which roles the user has
curl -XGET -uelastic:XXXXXX "https://woncnesdbtest1:9200/_security/user/user1" -k

Viewing the specific native user user1 through the query API; the output shows which roles the user has
curl -XGET -uelastic:XXXXXX "https://woncnesdbtest1:9200/_security/_query/user?pretty" -k -H "Content-Type: application/json" -d'{"query": {"match": {"username":"user1"}}}'

Viewing native roles; a native role here means a non-built-in role, i.e. one created with the _security/role API
curl -XGET -uelastic:XXXXXX "https://woncnesdbtest1:9200/_security/_query/role?pretty" -k

Viewing a specific role role1, which may be a native or a built-in role; the output shows which privileges the role holds
curl -XGET -uelastic:XXXXXX "https://woncnesdbtest1:9200/_security/role/role1" -k

Viewing the specific native role role1 through the query API; the output shows which privileges the role holds
curl -XGET -uelastic:XXXXXX "https://woncnesdbtest1:9200/_security/_query/role?pretty" -k -H "Content-Type: application/json" -d'{"query": {"match": {"name":"role1"}}}'

Creating or modifying a user: _security/user/username; the password and roles parameters must both be present
Create or modify user kibanauser1 with password 888888 and the roles kibana_admin and kibana_system. If the user does not exist it is created; if it already exists it is modified

curl -XPOST -uelastic:XXXXXX "https://woncnesdbtest1:9200/_security/user/kibanauser1" -k -H "Content-Type: application/json" -d'{"password" : "888888","roles" : [ "kibana_admin","kibana_system" ]}'

If only the password parameter is present, the request fails as follows

curl -XPOST -uelastic:XXXXXX "https://woncnesdbtest1:9200/_security/user/kibanauser1" -k -H "Content-Type: application/json" -d'{"password" : "888888"}'
{"error":{"root_cause":[{"type":"action_request_validation_exception","reason":"Validation Failed: 1: roles are missing;"}],"type":"action_request_validation_exception","reason":"Validation Failed: 1: roles are missing;"},"status":400}

If only the roles parameter is present and the user does not exist yet, creation fails with the error below; if the user already exists, the request updates the user's role assignment

curl -XPOST -uelastic:XXXXXX "https://woncnesdbtest1:9200/_security/user/lukes12" -k -H "Content-Type: application/json" -d'{"roles" :"superuser"}'
{"error":{"root_cause":[{"type":"validation_exception","reason":"Validation Failed: 1: password must be specified unless you are updating an existing user;"}],"type":"validation_exception","reason":"Validation Failed: 1: password must be specified unless you are updating an existing user;"},"status":400}

Changing only the password of user kibanauser1: _security/user/username/_password

curl -XPOST -uelastic:XXXXXX "https://woncnesdbtest1:9200/_security/user/kibanauser1/_password" -k -H "Content-Type: application/json" -d'{"password" : "666666"}'

For some built-in users only the password can be changed, not the assigned roles, for example the built-in user kibana
Change the password of user kibana to 123456

curl -XPOST -uelastic:XXXXXX "https://woncnesdbtest1:9200/_security/user/kibana/_password" -k -H "Content-Type: application/json" -d'{"password" : "123456"}'

Modifying user kibana through _security/user/kibana with both a password (123456) and roles fails with: user [kibana] is reserved and only the password can be changed

curl -XPOST -uelastic:XXXXXX "https://woncnesdbtest1:9200/_security/user/kibana" -k -H "Content-Type: application/json" -d'{"password" : "123456","roles" : [ "kibana_admin","kibana_system" ]}'
{"error":{"root_cause":[{"type":"action_request_validation_exception","reason":"Validation Failed: 1: user [kibana] is reserved and only the password can be changed;"}],"type":"action_request_validation_exception","reason":"Validation Failed: 1: user [kibana] is reserved and only the password can be changed;"}

Modifying the roles of user kibana to kibana_admin fails with: user [kibana] is reserved and only the password can be changed

curl -XPOST -uelastic:XXXXXX "https://woncnesdbtest1:9200/_security/user/kibana" -k -H "Content-Type: application/json" -d'{"roles" : "kibana_admin"}'
{"error":{"root_cause":[{"type":"action_request_validation_exception","reason":"Validation Failed: 1: user [kibana] is reserved and only the password can be changed;"}],"type":"action_request_validation_exception","reason":"Validation Failed: 1: user [kibana] is reserved and only the password can be changed;"}
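The create/modify/password rules above can be front-loaded into a small client so that a request the cluster would reject is caught before it is sent. The following is an added example written for this page, not Elasticsearch's own client or anything from the original post; the class name SecurityUsers, its methods and the fake transport are invented for illustration, and RESERVED_USERS is the set of built-in accounts listed earlier on this page.

```python
"""Transport-agnostic wrapper over the Elasticsearch _security/user endpoints shown
on this page. Added example, not Elasticsearch's own client; class and method names
are invented. It pre-checks the rules the page documents (roles required, password
required unless updating an existing user, reserved users may only change their
password) so the caller gets a clear error before a request is sent."""
import base64
import json
import ssl
import urllib.error
import urllib.request

# Built-in (reserved) users listed on this page: only their password can be changed.
RESERVED_USERS = {
    "elastic", "kibana", "kibana_system", "logstash_system",
    "beats_system", "apm_system", "remote_monitoring_user",
}


class SecurityUsers:
    def __init__(self, base_url, user, password, send=None, verify_tls=True):
        self.base_url = base_url.rstrip("/")
        self._auth = base64.b64encode(f"{user}:{password}".encode()).decode()
        # send(method, path, body) -> (status, json); injectable so it can be faked offline
        self._send = send or self._urllib_send
        self._ctx = ssl.create_default_context()
        if not verify_tls:
            # Equivalent of curl -k: only for lab clusters with self-signed certificates.
            self._ctx.check_hostname = False
            self._ctx.verify_mode = ssl.CERT_NONE

    def _urllib_send(self, method, path, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            self.base_url + path, method=method, data=data,
            headers={"Authorization": "Basic " + self._auth,
                     "Content-Type": "application/json"},
        )
        try:
            with urllib.request.urlopen(req, context=self._ctx) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:
            return err.code, json.loads(err.read() or b"{}")

    def user_exists(self, name):
        status, _ = self._send("GET", f"/_security/user/{name}", None)
        return status == 200

    def put_user(self, name, roles, password=None):
        """POST /_security/user/<name>: create when a password is given, otherwise
        update the roles of a user that must already exist."""
        if not roles:
            raise ValueError("roles are missing")
        if name in RESERVED_USERS:
            raise ValueError(f"user [{name}] is reserved and only the password can be changed")
        if password is None and not self.user_exists(name):
            raise ValueError("password must be specified unless you are updating an existing user")
        body = {"roles": list(roles)}
        if password is not None:
            body["password"] = password
        return self._send("POST", f"/_security/user/{name}", body)

    def change_password(self, name, new_password):
        """POST /_security/user/<name>/_password: permitted for reserved users as well."""
        return self._send("POST", f"/_security/user/{name}/_password", {"password": new_password})


# Offline demonstration with a fake transport that records requests (constructed data).
CALLS = []


def fake_send(method, path, body):
    CALLS.append((method, path, body))
    if method == "GET":
        return (200, {}) if path.endswith("/kibanauser1") else (404, {})
    return 200, {"created": True}


def demo():
    CALLS.clear()
    api = SecurityUsers("https://woncnesdbtest1:9200", "elastic", "XXXXXX",
                        send=fake_send, verify_tls=False)
    api.put_user("kibanauser1", ["kibana_admin", "kibana_system"], password="888888")
    api.put_user("kibanauser1", ["kibana_admin"])   # roles-only update of an existing user
    api.change_password("kibana", "123456")         # reserved user: password change is fine
    return list(CALLS)


if __name__ == "__main__":
    for call in demo():
        print(call)
```

Drop the `send=` argument and `verify_tls=False` to talk to a real cluster over urllib; the pre-checks are the same either way.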

Creating or modifying a role: _security/role/rolename
Create or modify role kibanarole1, granting the index-level privileges read and write on all indices (the command below also grants create_index and delete_index); write includes the document-level privileges create, update, delete and index. If the role does not exist it is created; if it already exists it is modified

curl -XPOST -uelastic:XXXXXX "https://woncnesdbtest1:9200/_security/role/kibanarole1" -k -H "Content-Type: application/json" -d'{"indices": [{"names": [ "*" ],"privileges": [ "read","write","create_index", "delete_index"]}]}'

Create or modify role readonly, granting the index-level privilege read on all indices

curl -XPOST -uelastic:XXXXXX "https://woncnesdbtest1:9200/_security/role/readonly" -k -H "Content-Type: application/json" -d'{"indices": [{"names": [ "*" ],"privileges": [ "read" ]}]}'

Role mappings
https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-put-role-mapping.html#security-api-put-role-mapping-path-params
Role mappings define which roles are assigned to each user. Each mapping has rules that identify users and a list of roles that are granted to those users.

https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-roles.html
Role mapping is supported by all realms except native and file.

The following snippet uses the file-based approach to map admins to the monitoring role, and John Doe, users and admins to the readonly role

monitoring: 
  - "cn=admins,dc=example,dc=com" 
readonly:
  - "cn=John Doe,cn=contractors,dc=example,dc=com" 
  - "cn=users,dc=example,dc=com"
  - "cn=admins,dc=example,dc=com"

Experiment: the conclusion is that role mappings do not apply to local (native) users

Create a user lukestest1 assigned the role watcher_user
curl -XPOST -uelastic:XXXXXX "https://woncnesdbtest1:9200/_security/user/lukestest1" -k -H "Content-Type: application/json" -d'{"password" : "888888","roles" : [ "watcher_user" ]}'
Create a role mapping that maps the role superuser to the user lukestest1
curl -XPOST -uelastic:XXXXXX "https://woncnesdbtest1:9200/_security/role_mapping/mapping1" -k -H "Content-Type: application/json" -d'{"roles":"superuser", "enabled":true, "rules":{"field":{"username":"lukestest1"}}}'
View the role mapping; it does show the role superuser mapped to user lukestest1
curl -XGET -uelastic:XXXXXX "https://woncnesdbtest1:9200/_security/role_mapping/mapping1" -k 

Use the user lukestest1, which supposedly holds superuser through the mapping, to delete an index; the error says lukestest1 lacks the privilege

curl -XDELETE -ulukestest1:888888 "https://woncnesdbtest1:9200/tablenode1" -k
{"error":{"root_cause":[{"type":"security_exception","reason":"action [indices:admin/delete] is unauthorized for user [lukestest1] with effective roles [watcher_user] on indices [tablenode1], this action is granted by the index privileges [delete_index,manage,all]"}],"type":"security_exception","reason":"action [indices:admin/delete] is unauthorized for user [lukestest1] with effective roles [watcher_user] on indices [tablenode1], this action is granted by the index privileges [delete_index,manage,all]"},"status":403}
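The two error messages on this page, the anonymous user's "effective roles [] (assigned roles [testrole1] were not found)" and lukestest1's "effective roles [watcher_user]", come from the same two-step decision: first resolve which of the assigned roles actually exist, then check whether any of them holds a privilege that grants the requested action. The toy model below, an added example and not Elasticsearch code, reproduces both decisions and both messages. The action-to-privilege tables are copied from those messages; the role store is constructed (watcher_user is only approximated), and a native user's assigned roles are read straight from the user document, which is why the superuser role mapping never reached lukestest1's effective roles.

```python
"""Toy model of how Elasticsearch turns a user's assigned roles into effective
roles and then authorizes one action. Added example; not Elasticsearch code.
INDEX_ACTION_GRANTS / CLUSTER_ACTION_GRANTS are taken from the two error
messages on this page; ROLES is a constructed store mirroring the roles used
on the page (watcher_user is an approximation: it holds no delete_index)."""
from fnmatch import fnmatch

# From the 403 on this page: indices:admin/delete is granted by [delete_index,manage,all]
INDEX_ACTION_GRANTS = {
    "indices:admin/delete": ["delete_index", "manage", "all"],
}
# From the anonymous-access error: user/get is granted by [read_security,manage_security,all]
CLUSTER_ACTION_GRANTS = {
    "cluster:admin/xpack/security/user/get": ["read_security", "manage_security", "all"],
}

# Constructed role store; index grants are (name patterns, privilege set) pairs.
ROLES = {
    "superuser": {"cluster": {"all"},
                  "indices": [{"names": ["*"], "privileges": {"all"}}]},
    "kibanarole1": {"cluster": set(),
                    "indices": [{"names": ["*"],
                                 "privileges": {"read", "write", "create_index", "delete_index"}}]},
    "readonly": {"cluster": set(),
                 "indices": [{"names": ["*"], "privileges": {"read"}}]},
    # Approximation of the built-in watcher_user: monitor_watcher plus read on .watches
    "watcher_user": {"cluster": {"monitor_watcher"},
                     "indices": [{"names": [".watches"], "privileges": {"read"}}]},
}


def effective_roles(assigned, role_store=ROLES):
    """Only roles that exist count; a dangling assignment such as testrole1
    contributes nothing, which is why the anonymous user ended up with []."""
    return [r for r in assigned if r in role_store]


def authorize_index(assigned, action, index, role_store=ROLES):
    """True if any effective role grants `action` on `index` (wildcard patterns)."""
    granting = INDEX_ACTION_GRANTS[action]
    for role in effective_roles(assigned, role_store):
        for grant in role_store[role]["indices"]:
            if any(fnmatch(index, pat) for pat in grant["names"]) \
                    and grant["privileges"].intersection(granting):
                return True
    return False


def authorize_cluster(assigned, action, role_store=ROLES):
    """True if any effective role holds a cluster privilege that grants `action`."""
    granting = CLUSTER_ACTION_GRANTS[action]
    return any(role_store[r]["cluster"].intersection(granting)
               for r in effective_roles(assigned, role_store))


def explain_denial(user, assigned, action, index=None, role_store=ROLES):
    """Rebuild the shape of the security_exception reason Elasticsearch returns."""
    eff = effective_roles(assigned, role_store)
    msg = f"action [{action}] is unauthorized for user [{user}] with effective roles [{','.join(eff)}]"
    missing = [r for r in assigned if r not in role_store]
    if missing:
        msg += f" (assigned roles [{','.join(missing)}] were not found)"
    if index is not None:
        msg += (f" on indices [{index}], this action is granted by the index privileges "
                f"[{','.join(INDEX_ACTION_GRANTS[action])}]")
    else:
        msg += (f", this action is granted by the cluster privileges "
                f"[{','.join(CLUSTER_ACTION_GRANTS[action])}]")
    return msg


if __name__ == "__main__":
    print(explain_denial("lukestest1", ["watcher_user"], "indices:admin/delete", "tablenode1"))
    print(explain_denial("testuser1", ["testrole1"], "cluster:admin/xpack/security/user/get"))
```

The fix for either denial is the one the summary at the top of the page gives: change the privileges of a role the user actually has (or assign an existing role), not the user document itself.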

Authenticate a user and retrieve information about the authenticated user
curl -u elastic:XXXXXX "https://woncnesdbtest1:9200/_security/_authenticate" -k

LDAP
LDAP authentication is a common authentication method that uses an LDAP directory to store user information and passwords

Existing security configuration in elasticsearch.yml
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl:
  enabled: true
  key: /etc/elasticsearch/certs/star.panaray.com.key
  certificate: /etc/elasticsearch/certs/star.panaray.com.pem
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  key: /etc/elasticsearch/certs/star.panaray.com.key
  certificate: /etc/elasticsearch/certs/star.panaray.com.pem
xpack.security.authc.token.enabled: true
LDAP template from the official documentation
xpack.security.authc.realms:
  ldap:
    ldap1:
      order: 0
      url: "ldaps://ldap.example.com:636"
      bind_dn: "cn=ldapuser, ou=users, o=services, dc=example, dc=com"
      user_search:
        base_dn: "dc=example,dc=com"
        filter: "(cn={0})"
      group_search:
        base_dn: "dc=example,dc=com"
      files:
        role_mapping: "ES_PATH_CONF/role_mapping.yml"
      unmapped_groups_as_roles: false

1. LDAP configuration actually added to elasticsearch.yml. The company domain controllers are dai19dc1.da.net.com and dai19dc2.da.net.com, and the account LDAP Query Account sits at the AD path da.net.com/DAT/DAT/Users and Groups/Process Accounts/LDAP Query Account

xpack.security.authc.realms:
  ldap.realmldap:
    order: 0
    url: ["ldaps://dai19dc1.da.net.com:636", "ldaps://dai19dc2.da.net.com:636"]
    bind_dn: "CN=LDAP Query Account,OU=Process Accounts,OU=Users and Groups,OU=DAT,OU=DAT,DC=da,DC=net,DC=com"
    secure_bind_password: "XXXXXX"
    user_search:
      base_dn: "OU=DAT,DC=da,DC=net,DC=com"
      filter: "(cn={0})"
    group_search:
      base_dn: "OU=DAT,DC=da,DC=net,DC=com"
    files:
      role_mapping: "role_mapping.yml"
    unmapped_groups_as_roles: false

Explanation of each setting
ldap.realmldap: Specifies the type of realm (for example, native, ldap, active_directory, pki, file, kerberos, saml) and the realm name

order: The priority of the realm within the realm chain. Realms with a lower order are consulted first. The value must be unique for each realm. This setting is required.

bind_dn: The DN of the user that is used to bind to the LDAP and perform searches. Only applicable in user search mode. If not specified, an anonymous bind is attempted. Defaults to Empty.
DN: Distinguished Name
CN: Common Name
OU: Organizational Unit
DC: Domain Component
For example, the domain account object Lukes Liao has the path da.net.com/DAT/WONCH/Users and Groups/IT/Lukes Liao, so the corresponding CN, OU and DC components are CN=Lukes Liao,OU=IT,OU=Users and Groups,OU=WONCH,OU=DAT,DC=da,DC=net,DC=com

secure_bind_password: The password for the user that is used to bind to Active Directory (that is, the user configured in bind_dn).

user_search.base_dn: Specifies a container DN to search for users. Required to operate in user search mode. If user_dn_templates is specified, this setting is not valid.

user_search.filter: Specifies the filter used to search the directory in attempts to match an entry with the username provided by the user. Defaults to (uid={0}). {0} is substituted with the username provided when searching.

group_search.base_dn: The container DN to search for groups in which the user has membership. When this element is absent, Elasticsearch searches for the attribute specified by user_group_attribute set on the user in order to determine group membership.

group_search.filter: Specifies a filter to use to look up a group. When not set, the realm searches for group, groupOfNames, groupOfUniqueNames, or posixGroup with the attributes member, memberOf, or memberUid. Any instance of {0} in the filter is replaced by the user attribute defined in group_search.user_attribute.

unmapped_groups_as_roles: If set to true, the names of any unmapped LDAP groups are used as role names and assigned to the user. A group is considered to be unmapped if it is not referenced in a role-mapping file. API-based role mappings are not considered. Defaults to false.

2. Configure the user-to-role mappings in role_mapping.yml
Map the LDAP group da.net.com/DAT/WON/Users and Groups/Programming/WON DBA and the LDAP user da.net.com/DAT/WON/Users and Groups/WON-DBA/wondawebprocess to the Elasticsearch role superuser, and the LDAP group da.net.com/DAT/WON/Users and Groups/Programming/WON Programming to the Elasticsearch role readonly

superuser: 
  - "cn=WON DBA,ou=Programming,ou=Users and Groups,ou=WON,ou=DAT,dc=da,dc=net,dc=com" 
  - "cn=wondawebprocess,ou=WON-DBA,ou=Users and Groups,ou=WON,ou=DAT,dc=da,dc=net,dc=com" 
  
readonly:
  - "cn=WON Programming,ou=Programming,ou=Users and Groups,ou=WON,ou=DAT,dc=da,dc=net,dc=com" 
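Both role_mapping.yml snippets on this page (the documentation example mapping admins, John Doe and users, and the WON DBA / WON Programming file just above) are applied the same way by the LDAP realm: the authenticated user's own DN and each of the user's group DNs are compared, case-insensitively, against the DNs listed under each role, and every role with a match is granted. The resolver below is an added example, not Elasticsearch code. parse_role_mapping understands only the "role:" / "- dn" subset of YAML these files use, the Helpdesk group DN in the usage is constructed, and the unmapped_groups_as_roles branch uses the group's leftmost RDN value as the role name, which is here taken to be what Elasticsearch does for an unmapped group.

```python
"""Resolver for the file-based role mapping used by the Elasticsearch LDAP realm.
Added example, not Elasticsearch code. ROLE_MAPPING_YML is the file from this
page; parse_role_mapping handles only the 'role:' / '- "dn"' YAML subset that
such files use; the group DNs in demo() other than WON DBA / WON Programming
are constructed."""

ROLE_MAPPING_YML = """\
superuser:
  - "cn=WON DBA,ou=Programming,ou=Users and Groups,ou=WON,ou=DAT,dc=da,dc=net,dc=com"
  - "cn=wondawebprocess,ou=WON-DBA,ou=Users and Groups,ou=WON,ou=DAT,dc=da,dc=net,dc=com"
readonly:
  - "cn=WON Programming,ou=Programming,ou=Users and Groups,ou=WON,ou=DAT,dc=da,dc=net,dc=com"
"""


def normalize_dn(dn):
    """Canonical form for comparison: lowercase attribute types and values, no
    whitespace around separators. Assumes no escaped commas inside values."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def relative_name(dn):
    """Leftmost RDN value, e.g. 'Helpdesk' for 'CN=Helpdesk,OU=IT,...'. Assumed here
    to be the name an unmapped group contributes when unmapped_groups_as_roles=true."""
    return dn.split(",", 1)[0].partition("=")[2].strip()


def parse_role_mapping(text):
    """Parse 'role:' headers followed by '- "dn"' items into {role: [dn, ...]}."""
    mapping, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if not line[0].isspace() and stripped.endswith(":"):
            current = stripped[:-1].strip()
            mapping[current] = []
        elif stripped.startswith("- ") and current is not None:
            mapping[current].append(stripped[2:].strip().strip("\"'"))
        else:
            raise ValueError(f"unsupported role_mapping line: {raw!r}")
    return mapping


def resolve_roles(user_dn, group_dns, mapping, unmapped_groups_as_roles=False):
    """Roles for a user: every role whose DN list contains the user's own DN or one
    of the user's group DNs; optionally plus the names of unmapped groups."""
    subjects = {normalize_dn(user_dn)} | {normalize_dn(g) for g in group_dns}
    mapped = {normalize_dn(dn) for dns in mapping.values() for dn in dns}
    roles = {role for role, dns in mapping.items()
             if any(normalize_dn(dn) in subjects for dn in dns)}
    if unmapped_groups_as_roles:
        roles |= {relative_name(g) for g in group_dns if normalize_dn(g) not in mapped}
    return sorted(roles)


def demo():
    mapping = parse_role_mapping(ROLE_MAPPING_YML)
    # Lukes Liao's DN is the one given on this page; AD returns DNs with uppercase types.
    lukes = "CN=Lukes Liao,OU=IT,OU=Users and Groups,OU=WONCH,OU=DAT,DC=da,DC=net,DC=com"
    dba = "CN=WON DBA,OU=Programming,OU=Users and Groups,OU=WON,OU=DAT,DC=da,DC=net,DC=com"
    helpdesk = "CN=Helpdesk,OU=IT,OU=Users and Groups,OU=WONCH,OU=DAT,DC=da,DC=net,DC=com"  # constructed
    return {
        "dba_member": resolve_roles(lukes, [dba], mapping),
        "unmapped_default": resolve_roles(lukes, [helpdesk], mapping),
        "unmapped_as_roles": resolve_roles(lukes, [dba, helpdesk], mapping, unmapped_groups_as_roles=True),
    }


if __name__ == "__main__":
    print(demo())
```

Keeping unmapped_groups_as_roles at false, as both configurations on this page do, means a directory group that nobody deliberately listed in role_mapping.yml cannot turn into a role name by accident.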

3. Restarting the ES node fails with: java.lang.IllegalArgumentException: Setting [xpack.security.authc.realms.ldap.realmldap.secure_bind_password] is a secure setting and must be stored inside the Elasticsearch keystore, but was found inside elasticsearch.yml

4. Remove the plaintext secure_bind_password entry from elasticsearch.yml, store the password in the Elasticsearch keystore, then restart the ES node; the node starts normally

/usr/share/elasticsearch/bin/elasticsearch-keystore list
/usr/share/elasticsearch/bin/elasticsearch-keystore show  xpack.security.authc.realms.ldap.realmldap.secure_bind_password
/usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.authc.realms.ldap.realmldap.secure_bind_password
/usr/share/elasticsearch/bin/elasticsearch-keystore list
/usr/share/elasticsearch/bin/elasticsearch-keystore show  xpack.security.authc.realms.ldap.realmldap.secure_bind_password

5. Verify the LDAP user's access; it turns out the LDAP feature requires a license to work

curl -u elastic:XXXXXX  "https://woncnesdbtest1:9200/_security/_authenticate" -k
{"username":"elastic","roles":["superuser"],"full_name":null,"email":null,"metadata":{"_reserved":true},"enabled":true,"authentication_realm":{"name":"reserved","type":"reserved"},"lookup_realm":{"name":"reserved","type":"reserved"},"authentication_type":"realm"}
--the built-in user elastic works normally
curl -u lukes.liao:XXXXXX "https://woncnesdbtest1:9200/_security/_authenticate" -k
{"error":{"root_cause":[{"type":"security_exception","reason":"unable to authenticate user [lukes.liao] for REST request [/_security/_authenticate]","header":{"WWW-Authenticate":["Basic realm=\"security\", charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}}],"type":"security_exception","reason":"unable to authenticate user [lukes.liao] for REST request [/_security/_authenticate]","header":{"WWW-Authenticate":["Basic realm=\"security\", charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}},"status":401}
--the LDAP account lukes.liao fails

Checking the log /var/log/elasticsearch/woncnesdbtestcluster.log shows the two lines below: the LDAP feature requires a license

[woncnesdbtest1] license mode is [basic], currently licensed security realms are [reserved/reserved,file/default_file,native/default_native]
[woncnesdbtest1] The [ldap.realmldap] realm has been automatically disabled due to a change in license [active basic license]

/*
PostgreSQL's LDAP configuration and an explanation of the related terms
https://www.postgresql.org/docs/current/auth-ldap.html
The URL scheme ldaps chooses the LDAPS method for making LDAP connections over SSL, equivalent to using ldapscheme=ldaps.
ldapscheme: A setting that specifies the protocol scheme to use for LDAP connections.
ldapscheme=ldaps: This setting instructs the client to use LDAPS (LDAP over SSL/TLS) for the connection.
ldapscheme=ldap: This setting instructs the client to use standard, unencrypted LDAP for the connection.
Security: LDAPS encrypts data in transit, protecting sensitive information like passwords and other credent
Port Numbers: LDAP typically uses port 389, while LDAPS uses port 636.

LDAP configuration present in the PG configuration file
ldap ldapserver="dai19dc1.da.net.com" ldapport=636 ldapscheme=ldaps ldaptls=0 ldapbasedn="OU=DAT,DC=da,DC=net,DC=com" ldapbinddn="LDAP Query Account,OU=Process Accounts,OU=Users and Groups,OU=DAT,OU=DAT,DC=da,DC=net,DC=com" ldapbindpasswd="XXXXXX" ldapsearchattribute="sAMAccountName"
*/
