002.Security Setting:Roles And U
题目开始:
** EXAM OBJECTIVE: INSTALLATION AND CONFIGURATION **
GOAL: Secure a cluster and an index using Elasticsearch Security
REQUIRED SETUP:
(i) a running Elasticsearch cluster with at least one node and
a Kibana instance,
(ii) no index with namehamletis indexed on the cluster
Enable xPack security on the cluster
Set the password of theelasticandkibanabuilt-in users. Use
the pattern "{{username}}-password" (e.g., "elastic-password")
Login to Kibana using theelasticuser credentialsWe are now going to use the _bulk API to index some documents into the cluster. The documents are lines from Hamlet by William Shakespeare, and have the following structure:
{
"line_number": "String",
"speaker": "String",
"text_entry": "String",
}
Let’s continue with the exercise.
Create the indexhamletand add some documents by running the
following _bulk command:
PUT hamlet/_bulk
{"index":{"_index":"hamlet","_id":0}}
{"line_number":"1","speaker":"BERNARDO","text_entry":"Whos there?"}
{"index":{"_index":"hamlet","_id":1}}
{"line_number":"2","speaker":"FRANCISCO","text_entry":"Nay, answer me: stand, and unfold yourself."}
{"index":{"_index":"hamlet","_id":2}}
{"line_number":"3","speaker":"BERNARDO","text_entry":"Long live the king!"}
{"index":{"_index":"hamlet","_id":3}}
{"line_number":"4","speaker":"FRANCISCO","text_entry":"Bernardo?"}
{"index":{"_index":"hamlet","_id":4}}
{"line_number":"5","speaker":"BERNARDO","text_entry":"He."}
{"index":{"_index":"hamlet","_id":5}}
{"line_number":"6","speaker":"FRANCISCO","text_entry":"You come most carefully upon your hour."}
{"index":{"_index":"hamlet","_id":6}}
{"line_number":"7","speaker":"BERNARDO","text_entry":"Tis now struck twelve; get thee to bed, Francisco."}
{"index":{"_index":"hamlet","_id":7}}
{"line_number":"8","speaker":"FRANCISCO","text_entry":"For this relief much thanks: tis bitter cold,"}
{"index":{"_index":"hamlet","_id":8}}
{"line_number":"9","speaker":"FRANCISCO","text_entry":"And I am sick at heart."}
{"index":{"_index":"hamlet","_id":9}}
{"line_number":"10","speaker":"BERNARDO","text_entry":"Have you had quiet guard?"}
You can specify authentication (“who are you”) and authorisation (“what you can do”) policies on the Elasticsearch resources by means of users, roles, and mappings between users and roles. Do you know how to do that?
Create the security role
francisco_rolein the native realm, so
that:
(i) the role has "monitor" privileges on the cluster,
(ii) the role has all privileges on thehamletindex
Create the userfranciscowith password "francisco-password"
Assign the rolefrancisco_roleto thefranciscouser
Login using thefranciscouser credentials, and run queries on
hamletto verify that the role privileges were correctly set
需要注意的一点是,需要为francisco这个用户添加kibana_user的role,否则无法登陆kibana。
创建角色API:https://www.elastic.co/guide/en/elasticsearch/reference/7.2/security-api-put-role.html
创建用户API:https://www.elastic.co/guide/en/elasticsearch/reference/7.2/security-api-put-user.html
修改密码API:https://www.elastic.co/guide/en/elasticsearch/reference/7.2/security-api-change-password.html
位置都是在[X-Pack APIs]->[Security APIs]下面。
POST _security/role/francisco_role
{
"cluster": ["monitor"],
"indices": [
{
"names": ["hamlet"],
"privileges": ["all"]
}
]
}
PUT _security/user/francisco
{
"password": "francisco-password",
"roles": ["francisco_role", "kibana_user"]
}
GET hamlet/_search
{
"query": {
"match_all": {}
}
}
Not bad, right? Now, let’s create a more sophisticated security role, which assigns read-only permissions on indices, documents and fields.
Create the security rolebernardo_rolein the native realm, so
that:
(i) the role has "monitor" privileges on the cluster,
(ii) the role has read-only privileges on thehamletindex,
(iii) the role can see only those documents having "BERNARDO"
as aspeaker,
(iv) the role can see only thetext_entryfield
Create the userbernardowith password "bernardo-password"
Assign the rolebernardo_roleto thebernardouser
Login using thebernardouser credentials, and run queries on
hamletto verify that the role privileges were correctly set
Whoops, I asked you to assign the wrong password to the “bernardo” user. My bad. Would you be so kind as to change it?
Change the password of thebernardouser to "poor-bernardo"
(Never forget to check if it worked!)
自己练习的时候需要安装trial license,不然无法使用field level/doc level 的角色设置。
POST /_license/start_trial?acknowledge=true
这题本身没有什么难度,问题在于第三条和第四条是矛盾的,如果不赋予"speaker"字段权限,那么搜索结果是搜不到任何文档的。但是,如果给speaker字段赋予了权限,那么搜索结果中就必然包含这个字段,那就违背了第四条。我猜测其实考试时检查不会那么细致,如果配上了就直接算正确了。
下面是我的答案。
POST _security/role/bernardo_role
{
"cluster": ["monitor"],
"indices": [
{
"names": ["hamlet"],
"privileges": ["read"],
"field_security": {
"grant": ["text_entry"]
},
"query": {
"match": {
"speaker": "BERNARDO"
}
}
}
]
}
PUT _security/user/bernardo
{
"password": "bernardo-password",
"roles": ["bernardo_role", "kibana_user"]
}
GET hamlet/_search
{
"query": {
"match": {
"speaker": "BERNARDO"
}
}
}
POST /_security/user/bernardo/_password
{
"password": "poor-bernardo"
}
其实这里面最耗时间的是几个账号切来切去的加载时间。其他其实都还好。
