Local configuration #
The security module's local YAML configuration files are a convenient way to manage the default built-in users and the hidden reserved resources, such as the admin
user. Creating other users, roles, mappings, action groups and tenants is usually easier through INFINI Console or the REST API.
The local configuration files live under config/security in the Easysearch deployment directory. The default contents of each file are shown below.
user.yml #
This is the internal user configuration file. It defines the system's initial user accounts and their settings (password hash, role assignment and so on).
The admin user is the default superuser of Easysearch.
Passwords in this file must never be stored in plaintext; only a password hash is accepted. Generate one with ./bin/hash_password.sh -p <new-password>
and put the resulting bcrypt string into the user's hash field.
```yaml
---
# This is the internal user database created at initialization
# The hash value is a bcrypt hash and can be generated with hash_password.sh
_meta:
  type: "user"
  config_version: 2

# Define your internal users here
## Default users
admin:
  hash: "$2y$12$P2zO4rEJvtTqTYgQ/Ifk0eTALefRcxuiQgNUOBse/IP.d/XrNngG2"
  reserved: true
  external_roles:
    - "admin"
  description: "Default admin user"
```
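A preflight lint that enforces the rule above before the file is loaded: every hash field must hold a bcrypt string, and no entry may carry a plaintext password key. This is an added example, not a tool shipped with Easysearch; it assumes POSIX sh, awk, grep and mktemp, the two-space indentation of the stock user.yml, and accepts the $2a$, $2b$ and $2y$ bcrypt prefixes. The two sample files it checks are constructed here (the good one reuses the stock admin hash from the page).

```shell
#!/bin/sh
# Added example (not part of the Easysearch project): lint config/security/user.yml
# so that a plaintext password cannot slip into a hash: field or a password: key.
# Assumes POSIX sh/awk/grep/mktemp and the stock file's two-space indentation.

# bcrypt: $2a$/$2b$/$2y$, two-digit cost, then 53 base64-ish characters (22 salt + 31 hash)
BCRYPT_RE='[$]2[aby][$][0-9]{2}[$][./A-Za-z0-9]{53}'

# Emit "<hash> <user>" for every top-level user entry that has a hash: line.
extract_hashes() {
  awk -v q="'" '
    /^[A-Za-z0-9_.-]+:[ \t]*$/ { user = $1; sub(/:$/, "", user); next }
    /^[ \t]+hash:/ {
      v = $0
      sub(/^[ \t]+hash:[ \t]*/, "", v)
      gsub(/"/, "", v); gsub(q, "", v)      # strip either quoting style
      if (user != "_meta") print v " " user
    }
  ' "$1"
}

# Fail when any hash: value is not a bcrypt string (e.g. a password pasted in verbatim).
check_user_hashes() {
  bad=$(extract_hashes "$1" | grep -vE "^$BCRYPT_RE " | awk '{ print $2 }' || true)
  if [ -n "$bad" ]; then
    printf '%s: non-bcrypt hash for user(s): %s\n' "$1" "$bad" >&2
    return 1
  fi
  return 0
}

# Fail when an entry carries a password: key; the file only takes hash:.
check_no_plaintext() {
  if grep -nE '^[[:blank:]]+password:' "$1" >&2; then
    printf '%s: plaintext password: key found, use hash: from hash_password.sh\n' "$1" >&2
    return 1
  fi
  return 0
}

# Run both checks; exit status 0 only when the file passes.
lint_user_yml() {
  rc=0
  check_no_plaintext "$1" || rc=1
  check_user_hashes "$1" || rc=1
  return "$rc"
}

# --- constructed sample files (not real deployments) ------------------------
WORK=$(mktemp -d)
GOOD_HASH='$2y$12$P2zO4rEJvtTqTYgQ/Ifk0eTALefRcxuiQgNUOBse/IP.d/XrNngG2'  # stock admin hash

cat >"$WORK/good.yml" <<EOF
_meta:
  type: "user"
  config_version: 2
admin:
  hash: "$GOOD_HASH"
  reserved: true
  external_roles:
    - "admin"
EOF

# Two operator mistakes: a plaintext value in hash:, and a password: key.
cat >"$WORK/bad.yml" <<'EOF'
_meta:
  type: "user"
  config_version: 2
admin:
  hash: "admin"
  reserved: true
ops:
  password: "Secret123"
EOF

for f in good bad; do
  if lint_user_yml "$WORK/$f.yml" 2>/dev/null; then echo "$f.yml: OK"; else echo "$f.yml: REJECTED"; fi
done
```

Run it against the real file with lint_user_yml config/security/user.yml before deleting the .security index and restarting; a non-zero exit means the file would ship a credential the module cannot protect.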
role.yml #
role.yml is Easysearch's security role configuration file; it defines the permissions each role carries.
replication_leader and replication_follower are used for cross-cluster replication.
security grants the right to manage security settings through the REST API.
⚠️ Warning!
The following roles are deprecated and will be removed in a future version. Do not use them:
security_rest_api_access
cross_cluster_replication_leader_full_access
cross_cluster_replication_follower_full_access
```yaml
_meta:
  type: "role"
  config_version: 2

# Allows users to use all cross cluster replication functionality at leader cluster
replication_leader:
  reserved: true
  description: "Grants read access to leader indices for cross-cluster replication."
  indices:
    - names:
        - '*'
      privileges:
        - "indices:admin/plugins/replication/index/setup/validate"
        - "indices:data/read/plugins/replication/changes"
        - "indices:data/read/plugins/replication/file_chunk"

# Allows users to use all cross cluster replication functionality at follower cluster
replication_follower:
  reserved: true
  description: "Grants manage replication permissions on follower indices."
  cluster:
    - "cluster:admin/plugins/replication/autofollow/update"
  indices:
    - names:
        - '*'
      privileges:
        - "indices:admin/plugins/replication/index/setup/validate"
        - "indices:data/write/plugins/replication/changes"
        - "indices:admin/plugins/replication/index/start"
        - "indices:admin/plugins/replication/index/pause"
        - "indices:admin/plugins/replication/index/resume"
        - "indices:admin/plugins/replication/index/stop"
        - "indices:admin/plugins/replication/index/update"
        - "indices:admin/plugins/replication/index/status_check"

# The security REST API access role is used to assign specific users access to change the security settings through the REST API.
security:
  reserved: true
  description: "Grants access to the security REST API."

# Deprecated — will be removed in a future version. Do not use!
security_rest_api_access:
  reserved: true
  hidden: true

# Deprecated — will be removed in a future version. Do not use!
cross_cluster_replication_leader_full_access:
  reserved: true
  hidden: true
  indices:
    - names:
        - '*'
      privileges:
        - "indices:admin/plugins/replication/index/setup/validate"
        - "indices:data/read/plugins/replication/changes"
        - "indices:data/read/plugins/replication/file_chunk"

# Deprecated — will be removed in a future version. Do not use!
cross_cluster_replication_follower_full_access:
  reserved: true
  hidden: true
  cluster:
    - "cluster:admin/plugins/replication/autofollow/update"
  indices:
    - names:
        - '*'
      privileges:
        - "indices:admin/plugins/replication/index/setup/validate"
        - "indices:data/write/plugins/replication/changes"
        - "indices:admin/plugins/replication/index/start"
        - "indices:admin/plugins/replication/index/pause"
        - "indices:admin/plugins/replication/index/resume"
        - "indices:admin/plugins/replication/index/stop"
        - "indices:admin/plugins/replication/index/update"
        - "indices:admin/plugins/replication/index/status_check"
```
role_mapping.yml #
role_mapping.yml maps users (users), external groups or roles (external_roles) and hosts (hosts) onto INFINI Easysearch security roles.
The permissions of each role are defined in role.yml; this file only decides who holds which roles.
Under each role entry, a subject receives the role as soon as it matches any single item in users, external_roles or hosts; the three lists are combined with OR, not AND.
Tip
The sample file contains a deprecated mapping (all_access). Do not use this entry; it will be removed in a future version.
Marking it hidden does not remove it: as shipped, the file still maps the admin backend role to both superuser and all_access, so delete the entry if that is not what you want.
```yaml
---
# In this file users, backend roles and hosts can be mapped to INFINI Easysearch Security roles.
# Permissions for roles are configured in role.yml
_meta:
  type: "role_mapping"
  config_version: 2

# Define your roles mapping here
superuser:
  reserved: false
  external_roles:
    - "admin"
  description: "Maps admin to superuser"

# Deprecated — will be removed in a future version. Do not use!
all_access:
  reserved: false
  hidden: true
  external_roles:
    - "admin"
  description: "Maps admin to all_access"
```
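To see the OR rule and the deprecated mapping in action, the following added example (not code from the Easysearch project) resolves which role_mapping.yml entries a given subject would receive: a match in users, external_roles or hosts is enough. It assumes POSIX sh and awk, the two-space indentation of the stock file, and exact (non-wildcard) comparison of user, backend role and host values. The mapping file is constructed inline: the two stock entries plus a made-up log_reader entry that can be reached either by user name or by client host. It shows that a subject carrying the admin backend role is granted superuser and the deprecated all_access together.

```shell
#!/bin/sh
# Added example (not part of the Easysearch project): evaluate role_mapping.yml
# for one subject. Assumes POSIX sh/awk, two-space indentation, exact matching.

# resolve_roles FILE USER BACKEND_ROLES(comma-separated) HOST
# Prints the names of the mapping entries the subject matches, one per line.
resolve_roles() {
  awk -v user="$2" -v roles="$3" -v host="$4" -v q="'" '
    function flush() {
      if (name == "" || name == "_meta") return
      hit = (user in users) || (host in hosts)          # OR across the three lists
      for (r in wanted) if (r in ext) hit = 1
      if (hit) print name
    }
    BEGIN { n = split(roles, a, ","); for (i = 1; i <= n; i++) if (a[i] != "") wanted[a[i]] = 1 }
    # a new top-level entry: report the previous one, then reset its lists
    /^[A-Za-z0-9_.-]+:[ \t]*$/ {
      flush(); name = $1; sub(/:$/, "", name)
      split("", users); split("", ext); split("", hosts); list = ""; next
    }
    /^[ \t]+(users|external_roles|hosts):/ { list = $1; sub(/:$/, "", list); next }
    /^[ \t]+- / {
      v = $0; sub(/^[ \t]+- /, "", v); gsub(/"/, "", v); gsub(q, "", v)
      if (list == "users") users[v] = 1
      else if (list == "external_roles") ext[v] = 1
      else if (list == "hosts") hosts[v] = 1
      next
    }
    /^[ \t]+[A-Za-z_]+:/ { list = "" }                  # any other key ends the current list
    END { flush() }
  ' "$1"
}

# hidden_mappings FILE -> names of entries marked hidden: true (the deprecated ones here)
hidden_mappings() {
  awk '/^[A-Za-z0-9_.-]+:[ \t]*$/ { name = $1; sub(/:$/, "", name); next }
       /^[ \t]+hidden:[ \t]*true/ { print name }' "$1"
}

# --- constructed mapping file: the two stock entries plus one made-up entry ---
MAP=$(mktemp)
cat >"$MAP" <<'EOF'
_meta:
  type: "role_mapping"
  config_version: 2
superuser:
  reserved: false
  external_roles:
    - "admin"
  description: "Maps admin to superuser"
# Deprecated entry from the stock file, left in place on purpose
all_access:
  reserved: false
  hidden: true
  external_roles:
    - "admin"
  description: "Maps admin to all_access"
# constructed entry: a user name OR a client host is enough
log_reader:
  reserved: false
  users:
    - "alice"
  hosts:
    - "10.0.0.5"
EOF

echo "admin with backend role admin:"; resolve_roles "$MAP" admin admin 192.0.2.10
echo "alice, no backend roles:";       resolve_roles "$MAP" alice "" 192.0.2.11
echo "bob connecting from 10.0.0.5:";  resolve_roles "$MAP" bob "" 10.0.0.5
echo "hidden (deprecated) mappings:";  hidden_mappings "$MAP"
```

Because hosts alone can satisfy an entry, a mapping with a hosts list hands the role to any client on that address regardless of who authenticated; keep such entries narrow and review hidden_mappings output before each restart.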
privilege.yml #
This file holds the default privilege (permission) sets you want to add to the security module.
Apart from the metadata it is empty by default, because the security module already ships a large number of built-in permission sets that cover the common scenarios; extend it here as needed.
```yaml
_meta:
  type: "privilege"
  config_version: 2
```
nodes_dn.yml #
nodes_dn.yml serves the same purpose as security.nodes_dn in easysearch.yml: both list the certificate DNs of nodes that may authenticate at the Transport layer and join the cluster. Keep the list as narrow as possible; a wildcard such as CN=*.example.com admits every certificate with a matching CN that chains to a trusted CA, not just your own nodes.
```yaml
_meta:
  type: "nodesdn"
  config_version: 2

# Define nodesdn mapping name and corresponding values
# cluster1:
#   nodes_dn:
#     - CN=*.example.com
```
Note #
Any change to the permission configuration files (user.yml, role.yml, role_mapping.yml and the others above) takes effect only after the .security index has been deleted as an administrator and the service has been restarted, because the index is rebuilt from these files at startup. Delete command:
curl -XDELETE -k --cert admin.crt --key admin.key 'https://localhost:9200/.security'
admin.crt and admin.key are the admin client certificate and key; the deletion has to be made with that identity. -k disables verification of the server certificate, which is tolerable against localhost but should be replaced by --cacert pointing at the cluster CA certificate whenever the request crosses a network. Deleting the index also discards users, roles and mappings that exist only in the index (created through INFINI Console or the REST API and never written to the YAML files), so back them up beforehand.