说明:
ldap信息配置到es配置文件上,然后kibana读取es的配置信息
用户与角色的关系通过role_mapping.yml文件配置获取
角色与权限的关系通过elastic stack提供的DevTools或API进行维护
一、前置条件:
1.1 es已开启xpack(已开启的可忽略)
es01:
environment:
- xpack.security.enabled=true1.2 新建ldap 映射文件:role_mapping.yml
superuser:
- "cn=Manager,dc=houpu,dc=com"
kibana_user:
- "uid=langpf,ou=people,dc=houpu,dc=com"
test:
- "uid=chasy,ou=people,dc=houpu,dc=com"1.3 将映射文件挂载到es容器
es01:
volumes:
- ./role_mapping.yml:/usr/share/elasticsearch/config/role_mapping.yml二、在es配置中开启ldap
es01:
environment:
- xpack.security.authc.realms.ldap.ldap1.type=ldap #此项已弃用
- xpack.security.authc.realms.ldap.ldap1.order=0
- xpack.security.authc.realms.ldap.ldap1.url=ldap://192.168.31.240:389
- xpack.security.authc.realms.ldap.ldap1.bind_dn=cn=Manager,dc=houpu,dc=com
- xpack.security.authc.realms.ldap.ldap1.bind_password=changeme
- xpack.security.authc.realms.ldap.ldap1.user_search.base_dn=dc=houpu,dc=com
- xpack.security.authc.realms.ldap.ldap1.user_search.filter=(cn={0})
- xpack.security.authc.realms.ldap.ldap1.group_search.base_dn=dc=houpu,dc=com
- xpack.security.authc.realms.ldap.ldap1.files.role_mapping=/usr/share/elasticsearch/config/role_mapping.yml
- xpack.security.authc.realms.ldap.ldap1.unmapped_groups_as_roles=false三、重启elk
docker-compose down
docker-compose up -d四、查看效果
管理员用户:拥有所有权限
kibana_user用户:无discover权限,无stack monitor权限,也无dev-tools api权限
test用户:不在角色列表中,无任何权限
附:角色管理API常用请求:
# Click the Variables button, above, to create your own variables.
GET ${exampleVariable1} // _search
{
"query": {
"${exampleVariable2}": {} // match_all
}
}
GET /_security/role
GET /_security/role_mapping
GET /_security/role/kibana_user
GET /_security/role/test
PUT /_security/role/test
{
"indices": [
{
"names": ["index1", "index2", "log-test-*"],
"privileges": ["read"]
}
],
"applications": [
{
"application": "kibana-.kibana",
"privileges": [
"all"
],
"resources": [
"*"
]
}
]
}
POST /_security/realm_cache/_clear
