Local configuration

Local configuration #

The security module's local YAML configuration files are a convenient way to manage the default built-in users and the hidden reserved resources, such as the admin user. For creating other users, roles, role mappings, action groups and tenants, the INFINI Console or the REST API is usually easier.

The local configuration lives under config/security in the Easysearch deployment directory. The default contents of these files are shown below.

user.yml #

This file is the internal user configuration. It defines the system's initial user accounts and their settings (password hash, role assignment, and so on).

admin is the default super-administrator user of Easysearch.

Passwords in this file must not be stored in plaintext; only a password hash is accepted. Generate one with ./bin/hash_password.sh -p <new-password>. The output is a bcrypt hash: in the default admin entry the $2y$12$ prefix encodes the bcrypt variant and a cost factor of 12.

---
# This is the internal user database created at initialization
# The hash value is a bcrypt hash and can be generated with hash_password.sh

_meta:
  type: "user"
  config_version: 2

# Define your internal users here

## Default users
admin:
  hash: "$2y$12$P2zO4rEJvtTqTYgQ/Ifk0eTALefRcxuiQgNUOBse/IP.d/XrNngG2"
  reserved: true
  external_roles:
    - "admin"
  description: "Default admin user"
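As an added example (not part of the original page or the Easysearch project), the following Python script checks a user.yml excerpt for the mistake the paragraph above warns about: a hash field that is not a bcrypt string (a plaintext password) or that uses a low cost factor. The input is a constructed excerpt, the line-based reader handles only the flat layout shown on this page, and the minimum cost of 10 is a local policy choice, not an Easysearch requirement.

```python
import re

# Constructed user.yml excerpt (not the shipped file): the default admin entry,
# one entry with a plaintext password, and one with a weak bcrypt cost.
SAMPLE_USER_YML = """\
_meta:
  type: "user"
  config_version: 2

admin:
  hash: "$2y$12$P2zO4rEJvtTqTYgQ/Ifk0eTALefRcxuiQgNUOBse/IP.d/XrNngG2"
  reserved: true
  external_roles:
    - "admin"

ops_bot:
  hash: "Summer2024!"
  reserved: false

legacy:
  hash: "$2a$04$P2zO4rEJvtTqTYgQ/Ifk0eTALefRcxuiQgNUOBse/IP.d/XrNngG2"
  reserved: false
"""

# bcrypt modular-crypt format: $2a$/$2b$/$2y$, two-digit cost, then 22-char salt
# and 31-char digest in bcrypt's base64 alphabet (53 characters in total).
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
MIN_COST = 10  # policy choice for this check; hash_password.sh emits cost 12


def parse_users(text):
    """Minimal reader for the flat user.yml layout: returns {user: {key: value}}.
    Only top-level user names and their scalar children are read; list items
    (external_roles entries) and the _meta block are skipped."""
    users, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw.startswith(" "):  # unindented line: a user name (or _meta)
            current = raw.rstrip(":").strip()
            if current == "_meta":
                current = None
            else:
                users[current] = {}
        elif current and ":" in raw and not raw.lstrip().startswith("-"):
            key, _, value = raw.strip().partition(":")
            users[current][key.strip()] = value.strip().strip('"')
    return users


def check_user_hashes(text, min_cost=MIN_COST):
    """Return a list of (user, problem) pairs; an empty list means every entry
    carries a bcrypt hash with an acceptable cost factor."""
    problems = []
    for user, attrs in parse_users(text).items():
        h = attrs.get("hash")
        if h is None:
            problems.append((user, "no hash field"))
            continue
        m = BCRYPT_RE.match(h)
        if not m:
            problems.append((user, "hash is not a bcrypt string (plaintext password?)"))
        elif int(m.group(1)) < min_cost:
            problems.append((user, f"bcrypt cost {m.group(1)} is below {min_cost}"))
    return problems


if __name__ == "__main__":
    for user, why in check_user_hashes(SAMPLE_USER_YML):
        print(f"{user}: {why}")
```

Run it against the real config/security/user.yml before restarting the node; the check is deliberately dependency-free so it can run on the same host where hash_password.sh is invoked.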

role.yml #

role.yml is Easysearch's security role configuration file; it defines the permissions held by each role.

replication_leader and replication_follower are used for cross-cluster replication.

security allows its holders to manage security settings through the REST API.

⚠️ Warning!
The following roles are deprecated and will be removed in a future version. Do not use them:

  • security_rest_api_access
  • cross_cluster_replication_leader_full_access
  • cross_cluster_replication_follower_full_access

_meta:
  type: "role"
  config_version: 2

# Allows users to use all cross cluster replication functionality at leader cluster
replication_leader:
  reserved: true
  description: "Grants read access to leader indices for cross-cluster replication."
  indices:
    - names:
        - '*'
      privileges:
        - "indices:admin/plugins/replication/index/setup/validate"
        - "indices:data/read/plugins/replication/changes"
        - "indices:data/read/plugins/replication/file_chunk"

# Allows users to use all cross cluster replication functionality at follower cluster
replication_follower:
  reserved: true
  description: "Grants manage replication permissions on follower indices."
  cluster:
    - "cluster:admin/plugins/replication/autofollow/update"
  indices:
    - names:
        - '*'
      privileges:
        - "indices:admin/plugins/replication/index/setup/validate"
        - "indices:data/write/plugins/replication/changes"
        - "indices:admin/plugins/replication/index/start"
        - "indices:admin/plugins/replication/index/pause"
        - "indices:admin/plugins/replication/index/resume"
        - "indices:admin/plugins/replication/index/stop"
        - "indices:admin/plugins/replication/index/update"
        - "indices:admin/plugins/replication/index/status_check"

# The security REST API access role is used to assign specific users access to change the security settings through the REST API.
security:
  reserved: true
  description: "Grants access to the security REST API."


# Deprecated — will be removed in a future version. Do not use!
security_rest_api_access:
  reserved: true
  hidden: true

# Deprecated — will be removed in a future version. Do not use!
cross_cluster_replication_leader_full_access:
  reserved: true
  hidden: true
  indices:
    - names:
        - '*'
      privileges:
        - "indices:admin/plugins/replication/index/setup/validate"
        - "indices:data/read/plugins/replication/changes"
        - "indices:data/read/plugins/replication/file_chunk"

# Deprecated — will be removed in a future version. Do not use!
cross_cluster_replication_follower_full_access:
  reserved: true
  hidden: true
  cluster:
    - "cluster:admin/plugins/replication/autofollow/update"
  indices:
    - names:
        - '*'
      privileges:
        - "indices:admin/plugins/replication/index/setup/validate"
        - "indices:data/write/plugins/replication/changes"
        - "indices:admin/plugins/replication/index/start"
        - "indices:admin/plugins/replication/index/pause"
        - "indices:admin/plugins/replication/index/resume"
        - "indices:admin/plugins/replication/index/stop"
        - "indices:admin/plugins/replication/index/update"
        - "indices:admin/plugins/replication/index/status_check"

role_mapping.yml #

role_mapping.yml maps users (users), external backend roles (external_roles) and hosts (hosts) to INFINI Easysearch security roles.

The permissions of each role are defined in role.yml; this file only decides who holds which roles.

Under each role entry, a subject that matches any one of users, external_roles or hosts is granted that role.

Tip
The sample file contains a deprecated mapping (all_access). Do not use this entry; a future version will remove it.

---
# In this file users, backend roles and hosts can be mapped to INFINI Easysearch Security roles.
# Permissions for each role are configured in role.yml

_meta:
  type: "role_mapping"
  config_version: 2

# Define your roles mapping here

superuser:
  reserved: false
  external_roles:
    - "admin"
  description: "Maps admin to superuser"


# Deprecated — will be removed in a future version. Do not use!
all_access:
  reserved: false
  hidden: true
  external_roles:
    - "admin"
  description: "Maps admin to all_access"
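The any-of-three matching rule described above, as an added Python example that is not the project's code: a small resolver over constructed role_mapping.yml and role.yml data. The replication_leader/replication_follower mappings, the ccr-svc user and the 10.20.* host pattern are hypothetical, host matching uses shell-style wildcards as an assumption about the real matcher, and the role definitions are trimmed copies of the replication roles shown earlier. It also reports when a subject is still being matched by a hidden (deprecated) entry such as all_access.

```python
from fnmatch import fnmatchcase

# Constructed role definitions in the shape of role.yml, trimmed to what the
# resolver needs. Illustrative data, not the shipped file.
ROLES = {
    "replication_leader": {
        "cluster": [],
        "indices": [{"names": ["*"], "privileges": [
            "indices:admin/plugins/replication/index/setup/validate",
            "indices:data/read/plugins/replication/changes",
            "indices:data/read/plugins/replication/file_chunk",
        ]}],
    },
    "replication_follower": {
        "cluster": ["cluster:admin/plugins/replication/autofollow/update"],
        "indices": [{"names": ["*"], "privileges": [
            "indices:admin/plugins/replication/index/setup/validate",
            "indices:data/write/plugins/replication/changes",
            "indices:admin/plugins/replication/index/start",
        ]}],
    },
}

# Constructed role_mapping.yml content: the shipped superuser and all_access
# entries plus two hypothetical mappings for a replication service account.
ROLE_MAPPING = {
    "superuser": {"external_roles": ["admin"]},
    "replication_leader": {"users": ["ccr-svc"]},
    "replication_follower": {"users": ["ccr-svc"], "hosts": ["10.20.*"]},
    "all_access": {"hidden": True, "external_roles": ["admin"]},  # deprecated entry
}


def resolve_roles(mapping, user, external_roles=(), host=None):
    """Return the set of mapped role names for a subject. An entry grants its
    role when the user name, any backend role, or the client host matches any
    listed value. Hosts are compared with shell-style wildcards here, which is
    an assumption about the real matcher (the page shows no host examples)."""
    granted = set()
    for role, entry in mapping.items():
        if user in entry.get("users", []):
            granted.add(role)
        elif set(external_roles) & set(entry.get("external_roles", [])):
            granted.add(role)
        elif host and any(fnmatchcase(host, pat) for pat in entry.get("hosts", [])):
            granted.add(role)
    return granted


def deprecated_hits(mapping, roles):
    """Names of hidden (deprecated) mapping entries among the resolved roles;
    any result means the mapping file still relies on an entry slated for removal."""
    return sorted(r for r in roles if mapping[r].get("hidden"))


def index_privileges(roles, role_defs, index):
    """Union of index privileges the resolved roles grant on one index. Roles
    with no definition in role_defs (built-ins such as superuser) add nothing,
    so this only measures what the local role.yml entries contribute."""
    privs = set()
    for role in roles:
        for block in role_defs.get(role, {}).get("indices", []):
            if any(fnmatchcase(index, pat) for pat in block["names"]):
                privs.update(block["privileges"])
    return privs


if __name__ == "__main__":
    svc_roles = resolve_roles(ROLE_MAPPING, "ccr-svc")
    print(sorted(svc_roles), sorted(index_privileges(svc_roles, ROLES, "logs-2024")))
    admin_roles = resolve_roles(ROLE_MAPPING, "alice", ["admin"])
    print(sorted(admin_roles), "deprecated:", deprecated_hits(ROLE_MAPPING, admin_roles))
```

Because matching is a disjunction, a host-based entry grants the role to every unauthenticated-by-name client from that range; keep hosts lists narrow and prefer users or external_roles for anything above read-only replication access.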

privilege.yml #

This file holds the default privilege sets you want to add to the security module.

Apart from its metadata, the file is empty by default, because the security module already ships a number of built-in privilege sets that cover the common cases. Extend the configuration here as needed.

_meta:
  type: "privilege"
  config_version: 2

nodes_dn.yml #

nodes_dn.yml serves the same purpose as security.nodes_dn in easysearch.yml: both specify which node certificate DNs are allowed to authenticate at the Transport layer and join the cluster.

_meta:
  type: "nodesdn"
  config_version: 2
# Define nodesdn mapping name and corresponding values
# cluster1:
#   nodes_dn:
#       - CN=*.example.com

Note #

Any change to the permission configuration files (user.yml, role.yml, role_mapping.yml) takes effect only after you delete the .security index with the admin certificate and then restart the service. Delete command: curl -XDELETE -k --cert admin.crt --key admin.key 'https://localhost:9200/.security'. Note that -k disables verification of the server certificate; outside a throwaway test cluster, replace it with --cacert pointing at your CA certificate.