API #
通过 REST API 可以管理用户、角色、角色映射、权限集合和租户。
API 的访问控制 #
您可以控制哪些角色可以访问安全相关的 API,在配置文件 easysearch.yml:
security.restapi.roles_enabled: ["<role>", ...]
如果希望阻止访问特定的 API:
security.restapi.endpoints_disabled.<role>.<endpoint>: ["<method>", ...]
参数 endpoint 可以是:
- PRIVILEGE
- ROLE
- ROLE_MAPPING
- USER
- CONFIG
- CACHE
参数 method 可以是:
- GET
- PUT
- POST
- DELETE
- PATCH
例如,以下配置授予三个角色对 REST API 的访问权限,但随后会阻止 test-role 发送 PUT, POST, DELETE, 或 PATCH 到 _security/role 或 _security/user :
security.restapi.roles_enabled:
["superuser", "security_rest_api_access", "test-role"]
security.restapi.endpoints_disabled.test-role.ROLE:
["PUT", "POST", "DELETE", "PATCH"]
security.restapi.endpoints_disabled.test-role.USER:
["PUT", "POST", "DELETE", "PATCH"]
要为
API 配置 使用 PUT 和 PATCH 方法,请将以下行添加到 easysearch.yml:
security.unsupported.restapi.allow_securityconfig_modification: true
隐藏的保留资源 #
通过修改以下参数,您可以将用户、角色、角色映射和权限集合标记为保留。随后将无法使用 REST API 修改这些资源。
kibana_user:
reserved: true
同样,可以将用户、角色、角色映射和权限集合标记为隐藏。REST API 不会返回此标志设置为 true 的资源:
kibana_user:
hidden: true
隐藏的资源默认就是保留的资源。
账号信息 #
获取账号信息 #
返回当前用户的帐户详细信息。例如,如果您是以 admin 用户身份对请求进行登录的,则响应将包含该用户的详细信息。
请求 #
GET _security/account
示例 #
curl -XGET -k -u booksuser:password 'https://localhost:9200/_security/account?pretty'
{
"username" : "booksuser",
"reserved" : false,
"hidden" : false,
"builtin" : true,
"external_roles" : [ ],
"attributes" : [ ],
"roles" : [
"booksrole"
]
}
修改密码 #
修改当前用户的密码。
请求 #
PUT _security/account
{
"current_password" : "old-password",
"password" : "new-password"
}
示例 #
✗ curl-json -XPUT -k -u booksuser:password 'https://localhost:9200/_security/account' -d'{
"current_password" : "password",
"password" : "admin1"
}'
{"status":"OK","message":"'booksuser' updated."}%
权限集合 #
获取权限集合 #
获取一个权限集合信息。
请求 #
GET _security/privilege/<name>
示例 #
{
"custom_action_group": {
"reserved": false,
"hidden": false,
"privileges": [
"kibana_all_read",
"indices:admin/aliases/get",
"indices:admin/aliases/exists"
],
"description": "My custom action group",
"static": false
}
}
获取权限集合列表 #
获取所有的权限集合列表。
请求 #
GET _security/privilege/
示例 #
{
"read": {
"reserved": true,
"hidden": false,
"privileges": [
"indices:data/read*",
"indices:admin/mappings/fields/get*"
],
"type": "index",
"description": "Allow all read operations",
"static": true
},
...
}
删除一个权限集合 #
请求 #
DELETE _security/privilege/<name>
示例 #
{
"status": "OK",
"message": "privilege SEARCH deleted."
}
创建一个权限集合 #
创建或替换指定的限集合。
请求 #
PUT _security/privilege/<name>
{
"privileges": [
"indices:data/write/index*",
"indices:data/write/update*",
"indices:admin/mapping/put",
"indices:data/write/bulk*",
"read",
"write"
]
}
示例 #
{
"status": "CREATED",
"message": "'my-action-group' created."
}
修改权限集合 #
修改权限集合的属性。
请求 #
PATCH _security/privilege/<name>
[
{
"op": "replace", "path": "/privileges", "value": ["indices:admin/create", "indices:admin/mapping/put"]
}
]
示例 #
{
"status": "OK",
"message": "privilege SEARCH deleted."
}
修改一批权限集合 #
一次修改多个权限集合。
请求 #
PATCH _security/privilege
[
{
"op": "add", "path": "/CREATE_INDEX", "value": { "privileges": ["indices:admin/create", "indices:admin/mapping/put"] }
},
{
"op": "remove", "path": "/CRUD"
}
]
示例 #
{
"status": "OK",
"message": "privilege SEARCH deleted."
}
用户 #
这些 API 允许您创建、更新和删除内部用户。
获取用户 #
请求 #
GET _security/user/<username>
实例 #
{
"admin": {
"hash": "",
"roles": ["captains", "starfleet"],
"attributes": {
"attribute1": "value1",
"attribute2": "value2"
}
}
}
获取用户列表 #
请求 #
GET _security/user/
示例 #
{
"admin": {
"hash": "",
"roles": ["captains", "starfleet"],
"attributes": {
"attribute1": "value1",
"attribute2": "value2"
}
}
}
删除用户 #
请求 #
DELETE _security/user/<username>
示例 #
{
"status": "OK",
"message": "user admin deleted."
}
创建用户 #
创建或替换指定的用户。您必须指定 password (明文)或 hash (哈希后的密码)。如果您指定 password,安全模块会在存储密码之前自动对密码进行哈希处理。
请注意,您在 roles 数组中提供的任何角色都必须已经存在,安全模块才能将用户映射到该角色。要查看预定义的角色,请参阅
这里。有关如何创建角色的说明,请参阅
创建角色。
请求 #
PUT _security/user/<username>
{
"password": "adminpass",
"roles": ["maintenance_staff", "weapons"],
"external_roles": ["captains", "starfleet"],
"attributes": {
"attribute1": "value1",
"attribute2": "value2"
}
}
示例 #
{
"status": "CREATED",
"message": "User admin created"
}
修改用户 #
修改用户信息。
Request #
PATCH _security/user/<username>
[
{
"op": "replace", "path": "/external_roles", "value": ["klingons"]
},
{
"op": "replace", "path": "/roles", "value": ["ship_manager"]
},
{
"op": "replace", "path": "/attributes", "value": { "newattribute": "newvalue" }
}
]
示例 #
{
"status": "OK",
"message": "'admin' updated."
}
修改一批用户 #
一次修改一批用户的操作。
请求 #
PATCH _security/user
[
{
"op": "add", "path": "/spock", "value": { "password": "testpassword1", "external_roles": ["testrole1"] }
},
{
"op": "add", "path": "/worf", "value": { "password": "testpassword2", "external_roles": ["testrole2"] }
},
{
"op": "remove", "path": "/riker"
}
]
示例 #
{
"status": "OK",
"message": "Resource updated."
}
角色 #
获取角色 #
获取一个角色信息。
请求 #
GET _security/role/<role>
示例 #
{
"test-role": {
"reserved": false,
"hidden": false,
"cluster": ["cluster_composite_ops", "indices_monitor"],
"indices": [
{
"names": ["movies*"],
"query": "",
"field_security": [],
"field_mask": [],
"privileges": ["read"]
}
],
"static": false
}
}
获取角色列表 #
请求 #
GET _security/role/
示例 #
{
"manage_snapshots": {
"reserved": true,
"hidden": false,
"description": "Provide the minimum permissions for managing snapshots",
"cluster": [
"manage_snapshots"
],
"indices": [{
"names": [
"*"
],
"field_security": [],
"field_mask": [],
"privileges": [
"indices:data/write/index",
"indices:admin/create"
]
}],
"static": true
},
...
}
删除一个角色 #
请求 #
DELETE _security/role/<role>
示例 #
{
"status": "OK",
"message": "role test-role deleted."
}
创建一个角色 #
请求 #
PUT _security/role/<role>
{
"cluster": [
"cluster_composite_ops",
"indices_monitor"
],
"indices": [{
"names": [
"movies*"
],
"query": "",
"field_security": [],
"field_mask": [],
"privileges": [
"read"
]
}]
}
示例 #
{
"status": "OK",
"message": "'test-role' updated."
}
修改角色 #
修改角色的属性。
请求 #
PATCH _security/role/<role>
[
{
"op": "replace", "path": "/indices/0/field_security", "value": ["myfield1", "myfield2"]
},
{
"op": "remove", "path": "/indices/0/query"
}
]
示例 #
{
"status": "OK",
"message": "'<role>' updated."
}
批量修改角色 #
一次操作批量修改角色信息。
请求 #
PATCH _security/role
[
{
"op": "replace", "path": "/role1/indices/0/field_security", "value": ["test1", "test2"]
},
{
"op": "remove", "path": "/role1/indices/0/query"
},
{
"op": "add", "path": "/role2/cluster", "value": ["manage_snapshots"]
}
]
示例 #
{
"status": "OK",
"message": "Resource updated."
}
角色映射 #
获取一个角色映射 #
获取一个角色映射信息。
请求 #
GET _security/role_mapping/<role>
示例 #
{
"role_starfleet": {
"external_roles": [
"starfleet",
"captains",
"defectors",
"cn=ldaprole,ou=groups,dc=example,dc=com"
],
"hosts": ["*.starfleetintranet.com"],
"users": ["worf"]
}
}
获取角色映射列表。 #
获取所有的角色映射列表。
请求 #
GET _security/role_mapping
示例 #
{
"role_starfleet": {
"external_roles": [
"starfleet",
"captains",
"defectors",
"cn=ldaprole,ou=groups,dc=example,dc=com"
],
"hosts": ["*.starfleetintranet.com"],
"users": ["worf"]
}
}
删除角色映射 #
请求 #
DELETE _security/role_mapping/<role>
示例 #
{
"status": "OK",
"message": "'my-role' deleted."
}
创建角色映射 #
请求 #
PUT _security/role_mapping/<role>
{
"external_roles" : [ "starfleet", "captains", "defectors", "cn=ldaprole,ou=groups,dc=example,dc=com" ],
"hosts" : [ "*.starfleetintranet.com" ],
"users" : [ "worf" ]
}
示例 #
{
"status": "CREATED",
"message": "'my-role' created."
}
修改角色映射 #
请求 #
PATCH _security/role_mapping/<role>
[
{
"op": "replace", "path": "/users", "value": ["myuser"]
},
{
"op": "replace", "path": "/external_roles", "value": ["mybackendrole"]
}
]
示例 #
{
"status": "OK",
"message": "'my-role' updated."
}
批量修改角色映射 #
请求 #
PATCH _security/role_mapping
[
{
"op": "add", "path": "/human_resources", "value": { "users": ["user1"], "external_roles": ["backendrole2"] }
},
{
"op": "add", "path": "/finance", "value": { "users": ["user2"], "external_roles": ["backendrole2"] }
}
]
示例 #
{
"status": "OK",
"message": "Resource updated."
}
缓存 #
刷新缓存 #
请求 #
DELETE _security/cache
示例 #
{
"status": "OK",
"message": "Cache flushed successfully."
}
admin #
修改admin密码 #
进入Easysearch的config路径下,通过证书的方式进行密码修改,具体可查看 这里。
示例 #
cd easysearch/config
#执行 admin 密码修改
curl -k -XPUT --cert admin.crt --key admin.key -H 'Content-Type: application/json' 'https://localhost:9200/_security/user/admin' -d '
{
"password": "C0mp1exP@ezs",
"external_roles": ["admin"]
}'
#用新密码验证是否修改成功
curl -ku 'admin:C0mp1exP@ezs' https://localhost:9200