6.4.6.5 LDAP user authentication

LDAP can be used for both authentication and authorization, so it can appear in both the authc and authz sections of the configuration. The authc section configures authentication, i.e. checking whether a user has entered the correct credentials. The authz section configures authorization, defining how the roles of an authenticated user are retrieved and mapped.

Edit the elasticsearch.yml file and add the following:

# X-Pack ldap auth
xpack:
  security:
    authc:
      realms:
        native:
          type: native
          order: 0
        ldap1:
          type: ldap
          order: 1
          url: "ldaps://ldap.example.net:636"
          ssl:
            certificate_authorities: [ "/etc/elasticsearch/certs/wildcard.example.net.crt" ]
          user_search:
            base_dn: "ou=stuff,dc=example,dc=net"
            attribute: uid
          group_search:
            base_dn: "ou=Group,dc=example,dc=net"
            filter: "(&(objectClass=posixGroup)(memberUid={0}))"
            user_attribute: "uid"
          files:
            role_mapping: "role_mapping.yml"
          unmapped_groups_as_roles: false

Edit role_mapping.yml, the file that binds users to roles, and add the following. This file is optional; the mappings are usually configured through the API instead.

root@es-welog02cn-p005:/etc/elasticsearch# cat role_mapping.yml
# Role mapping configuration file which has elasticsearch roles as keys
# that map to one or more user or group distinguished names

#roleA:   this is an elasticsearch role
#  - groupA-DN  this is a group distinguished name
#  - groupB-DN
#  - user1-DN   this is the full user distinguished name

#power_user:
#  - "cn=admins,dc=example,dc=com"
#user:
#  - "cn=users,dc=example,dc=com"
#  - "cn=admins,dc=example,dc=com"
#  - "cn=John Doe,cn=other users,dc=example,dc=com"
# power_user_roles BEGIN ANSIBLE MANAGED BLOCK
superuser:
  - "cn=yunwei,ou=Group,dc=example,dc=net"
# power_user_roles END ANSIBLE MANAGED BLOCK

Querying roles in ES through the API

Roles and built-in users can be managed from the Management page of the Kibana UI, but when LDAP is used for sign-in the web UI cannot be used for this; the only option is the role_mapping.yml file, and keeping that file in sync becomes quite troublesome once the cluster has many nodes.

PS: when calling the API over HTTP you must specify a Basic Auth username and password; a request without them returns a 403 error.
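Since the file-based mappings are hard to keep in sync across nodes, the following added example (not code from the original page) parses the flat role_mapping.yml layout shown above and turns each entry into the request body for POST /_xpack/security/role_mapping/<name>, so the same bindings can be pushed through the API once. The sample file content and the `file_` name prefix are constructed for the example.

```python
import re

# Constructed sample in the format of the page's role_mapping.yml: an
# Elasticsearch role as key, one or more user/group DNs as list items.
ROLE_MAPPING_YML = """\
# power_user_roles BEGIN ANSIBLE MANAGED BLOCK
superuser:
  - "cn=yunwei,ou=Group,dc=example,dc=net"
# power_user_roles END ANSIBLE MANAGED BLOCK
kibana_autofinance_reader:
  - "cn=auto_finance_tech,ou=Group,dc=example,dc=net"
  - uid=zhangyan,ou=stuff,dc=example,dc=net
"""

def parse_role_mapping_yml(text):
    """Parse the flat role -> [DN] layout of role_mapping.yml. Only that YAML
    subset is handled: top-level keys, quoted or bare '- item' lines, '#' comments."""
    mappings, role = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        key = re.match(r"^([^\s:]+):\s*$", line)
        if key:
            role = key.group(1)
            mappings.setdefault(role, [])
            continue
        item = re.match(r'^\s+-\s*"?([^"]+?)"?\s*$', line)
        if item and role:
            mappings[role].append(item.group(1))
        else:
            raise ValueError(f"unexpected line in role_mapping.yml: {raw!r}")
    return mappings

def to_api_role_mappings(mappings, prefix="file_"):
    """Build one POST /_xpack/security/role_mapping/<name> body per file entry.
    A DN in the file matches the user's own DN or a group DN, so the API rule
    tests both fields; a list value in a field rule matches any listed DN."""
    return {
        prefix + role: {
            "enabled": True,
            "roles": [role],
            "rules": {"any": [{"field": {"dn": dns}}, {"field": {"groups": dns}}]},
            "metadata": {"source": "role_mapping.yml"},
        }
        for role, dns in mappings.items()
    }
```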

Creating a role

Create a role and grant it index privileges that allow reading part of the fields of an index:

POST /_xpack/security/role/<rolename>

POST /_xpack/security/role/kibana_autofinance_reader
{
        "cluster": [],
        "indices": [
            {
                "names": [
                    "kibana_sample_data_logs"
                ],
                "privileges": [
                    "read",
                    "view_index_metadata"
                ],
                "field_security": {
                    "grant": [
                        "*"
                    ]
                }
            }
        ]
}

Response

{
  "role": {
    "created": true
  }
}

Querying roles

GET /_xpack/security/role #query all roles
GET /_xpack/security/role/kibana_autofinance_reader #query a specific role

Response

{
    "kibana_autofinance_reader": {
        "cluster": [],
        "indices": [
            {
                "names": [
                    "logstash-autofinance-*",
                    "logstash-o2o.v2-nginx-*"
                ],
                "privileges": [
                    "read",
                    "view_index_metadata"
                ],
                "field_security": {
                    "grant": [
                        "*"
                    ]
                }
            }
        ],
        "applications": [
            {
                "application": "kibana-.kibana",
                "privileges": [
                    "space_read"
                ],
                "resources": [
                    "space:autofinance-space"
                ]
            },
            {
                "application": "kibana-.kibana",
                "privileges": [
                    "space_read"
                ],
                "resources": [
                    "space:o2o-space"
                ]
            }
        ],
        "run_as": [],
        "metadata": {},
        "transient_metadata": {
            "enabled": true
        }
    }
}

Binding a role to users

Essentially this creates a mapping between users and a role; <user_role_map_name> is the name of that mapping.

POST /_xpack/security/role_mapping/<user_role_map_name>

POST /_xpack/security/role_mapping/group_autofinance_role
{
        "enabled": true,
        "roles": [
            "kibana_autofinance_reader"
        ],
        "rules": {
            "field": {
                "groups": "cn=auto_finance_tech,ou=Group,dc=example,dc=net"
            }
        },
        "metadata": {}
}

Response

{
  "role_mapping": {
    "created": true
  }
}

Querying user-role mappings

GET /_xpack/security/role_mapping #query all user-role mappings

GET /_xpack/security/role_mapping/group_autofinance_role #query a specific user-role mapping

Response

{
    "group_autofinance_role": {
        "enabled": true,
        "roles": [
            "kibana_autofinance_reader"
        ],
        "rules": {
            "field": {
                "groups": "cn=auto_finance_tech,ou=Group,dc=example,dc=net"
            }
        },
        "metadata": {}
    }
}

Querying user information

GET /_xpack/security/_authenticate -u zhangyan:zhangyan
Response:

{
    "username": "gongxiude",
    "roles": [
        "superuser"
    ],
    "full_name": null,
    "email": null,
    "metadata": {
        "ldap_dn": "uid=gongxiude,ou=stuff,dc=example,dc=net",
        "ldap_groups": [
            "cn=yunwei,ou=Group,dc=example,dc=net",
            "cn=k8s-histore-cluster-admin,ou=Group,dc=example,dc=net",
            "cn=apollo-beijing,ou=Group,dc=example,dc=net",
            "cn=apollo-histore,ou=Group,dc=example,dc=net"
        ]
    },
    "enabled": true
}
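To check what the API mapping and the role_mapping.yml entry above actually grant the user shown in this _authenticate output, the following added example (not code from the original page) evaluates Elasticsearch role-mapping rules locally: it supports the field / any / all / except rule types and computes the union of roles from every enabled mapping. The mapping and user dicts are built from the page's own values; the `file_superuser` name and the second group are constructed for the example.

```python
import fnmatch

# Constructed from the page's examples: the API mapping shown above plus the
# superuser entry of role_mapping.yml rewritten as an equivalent API rule.
ROLE_MAPPINGS = {
    "group_autofinance_role": {"enabled": True, "roles": ["kibana_autofinance_reader"],
        "rules": {"field": {"groups": "cn=auto_finance_tech,ou=Group,dc=example,dc=net"}}},
    "file_superuser": {"enabled": True, "roles": ["superuser"],
        "rules": {"any": [{"field": {"dn": "cn=yunwei,ou=Group,dc=example,dc=net"}},
                          {"field": {"groups": "cn=yunwei,ou=Group,dc=example,dc=net"}}]}},
}

# The user as GET /_xpack/security/_authenticate reported it on the page;
# ldap_dn and ldap_groups are the dn and groups fields that rules examine.
USER = {"username": "gongxiude", "dn": "uid=gongxiude,ou=stuff,dc=example,dc=net",
        "groups": ["cn=yunwei,ou=Group,dc=example,dc=net",
                   "cn=apollo-beijing,ou=Group,dc=example,dc=net"]}

def rule_matches(rule, user):
    """Evaluate a role-mapping rule (field / any / all / except) against a user.
    Values match case-insensitively with '*' wildcards; real ES also normalises
    DNs, which this simplified evaluator does not attempt."""
    if "field" in rule:
        name, expected = next(iter(rule["field"].items()))
        patterns = expected if isinstance(expected, list) else [expected]
        actual = user.get(name, [])
        actual = actual if isinstance(actual, list) else [actual]
        return any(fnmatch.fnmatchcase(str(a).lower(), str(p).lower())
                   for a in actual for p in patterns)
    if "any" in rule:
        return any(rule_matches(r, user) for r in rule["any"])
    if "all" in rule:
        return all(rule_matches(r, user) for r in rule["all"])
    if "except" in rule:
        return not rule_matches(rule["except"], user)
    raise ValueError(f"unsupported rule: {rule}")

def resolve_roles(user, mappings):
    """Union of roles from every enabled mapping whose rules match the user."""
    roles = set()
    for m in mappings.values():
        if m.get("enabled", True) and rule_matches(m["rules"], user):
            roles.update(m["roles"])
    return sorted(roles)
```

Running `resolve_roles(USER, ROLE_MAPPINGS)` yields only `superuser`, matching the roles list in the response above, because the user is not in cn=auto_finance_tech.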
