6.4.6.5 LDAP user authentication

LDAP 可用于身份验证和授权，因此可以在配置的 authc 和 authz 部分中使用。authc 部分用于配置身份验证，这意味着可用于检查用户是否输入了正确的凭证。authz 用于授权，定义如何检索和映射经过身份验证的用户的角色。

编辑elasticsearch.yml文件，添加如下内容

# X-Pack ldap auth
xpack:
  security:
    authc:
      realms:
        native:
          type: native
          order: 0
        ldap1:
          type: ldap
          order: 1
          url: "ldaps://ldap.example.net:636"
          ssl:
            certificate_authorities: [ "/etc/elasticsearch/certs/wildcard.example.net.crt" ]
          user_search:
            base_dn: "ou=stuff,dc=example,dc=net"
            attribute: uid
          group_search:
            base_dn: "ou=Group,dc=example,dc=net"
            filter: "(&(objectClass=posixGroup)(memberUid={0}))"
            user_attribute: "uid"
          files:
            role_mapping: "role_mapping.yml"
          unmapped_groups_as_roles: false

编辑role_mapping.yml是用户与角色的绑定文件，编辑此文件添加如下内容，可以配置也可以不配置一般通过 API 配置映射关系

root@es-welog02cn-p005:/etc/elasticsearch# cat role_mapping.yml
# Role mapping configuration file which has elasticsearch roles as keys
# that map to one or more user or group distinguished names

#roleA:   this is an elasticsearch role
#  - groupA-DN  this is a group distinguished name
#  - groupB-DN
#  - user1-DN   this is the full user distinguished name

#power_user:
#  - "cn=admins,dc=example,dc=com"
#user:
#  - "cn=users,dc=example,dc=com"
#  - "cn=admins,dc=example,dc=com"
#  - "cn=John Doe,cn=other users,dc=example,dc=com"
# power_user_roles BEGIN ANSIBLE MANAGED BLOCK
superuser:
  - "cn=yunwei,ou=Group,dc=example,dc=net"
# power_user_roles END ANSIBLE MANAGED BLOCK

Api方式查询ES中的角色

Kibana界面中其实可以在Management界面中管控角色和内置用户，但是在使用ldap做接入时没有办法使用web进行配置, 只能使用role_mapping.yml 文件进行配置，当集群节点过多时文件同步也是一个相当麻烦的事情

PS: 使用使用http方式请求时，需要制定Basic Auth的用户名和密码分, 请求如果不带用户名和密码将报403错误。

创建角色

创建一个角色，并给这个角色一个索引权限，能读取索引中的一部分列

POST /_xpack/security/role/<rolename>

POST /_xpack/security/role/kibana_autofinance_reader
{
        "cluster": [],
        "indices": [
            {
                "names": [
                    "kibana_sample_data_logs",
                ],
                "privileges": [
                    "read",
                    "view_index_metadata"
                ],
                "field_security": {
                    "grant": [
                        "*"
                    ]
                }
            }
        ]
}

{
  "role": {
    "created": true
  }
}

查询角色

GET /_xpack/security/role #查询所有角色
GET /_xpack/security/role/group_autofinance_role #查询指定角色

{
    "kibana_autofinance_reader": {
        "cluster": [],
        "indices": [
            {
                "names": [
                    "logstash-autofinance-*",
                    "logstash-o2o.v2-nginx-*"
                ],
                "privileges": [
                    "read",
                    "view_index_metadata"
                ],
                "field_security": {
                    "grant": [
                        "*"
                    ]
                }
            }
        ],
        "applications": [
            {
                "application": "kibana-.kibana",
                "privileges": [
                    "space_read"
                ],
                "resources": [
                    "space:autofinance-space"
                ]
            },
            {
                "application": "kibana-.kibana",
                "privileges": [
                    "space_read"
                ],
                "resources": [
                    "space:o2o-space"
                ]
            }
        ],
        "run_as": [],
        "metadata": {},
        "transient_metadata": {
            "enabled": true
        }
    }
}

给用户绑定角色

本质上是创建一个用户和角色的映射关系，就是这个角色和映射关系的名称

POST /_xpack/security/role_mapping/<user_role_map_name>

POST /_xpack/security/role_mapping/group_autofinance_role
{
        "enabled": true,
        "roles": [
            "kibana_autofinance_reader"
        ],
        "rules": {
            "field": {
                "groups": "cn=auto_finance_tech,ou=Group,dc=example,dc=net"
            }
        },
        "metadata": {}
}

{
  "role_mapping": {
    "created": true
  }
}

查询用户_角色绑定映射关系

GET /_xpack/security/role_mapping #查询所有的用户_角色映射关系

GET /_xpack/security/role_mapping/group_autofinance_role #查询指定的用户_角色映射关系

{
    "group_autofinance_role": {
        "enabled": true,
        "roles": [
            "kibana_autofinance_reader"
        ],
        "rules": {
            "field": {
                "groups": "cn=auto_finance_tech,ou=Group,dc=example,dc=net"
            }
        },
        "metadata": {}
    }
}

查询用户信息

GET /_xpack/security/_authenticate -u zhangyan:zhangyan
返回:
{
    "username": "gongxiude",
    "roles": [
        "superuser"
    ],
    "full_name": null,
    "email": null,
    "metadata": {
        "ldap_dn": "uid=gongxiude,ou=stuff,dc=example,dc=net",
        "ldap_groups": [
            "cn=yunwei,ou=Group,dc=example,dc=net",
            "cn=k8s-histore-cluster-admin,ou=Group,dc=example,dc=net",
            "cn=apollo-beijing,ou=Group,dc=example,dc=net",
            "cn=apollo-histore,ou=Group,dc=example,dc=net"
        ]
    },
    "enabled": true
}

上一页6.4.6.4 xpack破解下一页6.4.7 Cerebro configuration

最后更新于5年前

hashtagApi方式查询ES中的角色

hashtag创建角色

hashtag查询角色

hashtag给用户绑定角色

hashtag查询用户_角色绑定映射关系

hashtag查询用户信息