Elasticsearch with LDAP for privilege and user control

Project background
We use Elasticsearch to serve wide data tables for hot, interactive data, and need access control whose granularity goes down to the column (field).
We first looked at the open-source Search Guard plugin, but found that its LDAP support is only in the paid Enterprise edition, and that in the edition we could use the privilege granularity stopped at index and type, not columns;
we then went with the X-Pack plugin that ships with Elasticsearch and found a way to deal with the licensing. Be aware that in Elasticsearch 6.8 the LDAP realm and field-level security are Platinum-tier features: a 30-day trial license (POST /_xpack/license/start_trial?acknowledge=true) enables them, the free Basic license does not, so settle that before building on them.

Elasticsearch needs X-Pack (bundled in the default 6.8 distribution, so no separate install), security enabled, and passwords set for the built-in users (bin/elasticsearch-setup-passwords interactive). The elastic user's password is changed to elastic so the later examples stay short; that is fine for a lab, never for a shared or production cluster.

Note: this article only covers combining Elasticsearch with LDAP and the built-in roles to get column-level access control; it does not cover SSL/TLS. That means the LDAP bind password and every user's Basic Auth credentials travel in cleartext over ldap:// and http://, which is acceptable only on an isolated test network.

Elasticsearch and Kibana configuration
Add the following to config/elasticsearch.yml:

xpack.security.enabled: true
xpack:
  security:
    authc:
      realms:
        ldap1:
          type: ldap
          order: 0
          url: "ldap://192.168.13.12"
          bind_dn: "cn=root,dc=intelli706,dc=com"   # DN of the LDAP account Elasticsearch binds with to search the directory
          bind_password: "123456"                    # its password; better kept in the keystore as secure_bind_password
          user_search:
            base_dn: "dc=intelli706,dc=com"          # subtree searched for user entries
            attribute: uid                           # the login name is matched against this attribute
          group_search:
            base_dn: "dc=intelli706,dc=com"          # subtree searched for group entries
          files:
            # optional: file-based mapping from LDAP user/group DNs to Elasticsearch built-in roles
            role_mapping: "D:\\elasticsearch\\es-xpack\\esnew\\elasticsearch-6.8.0\\config\\role_mapping.yml"
          unmapped_groups_as_roles: false
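
The realm block above is the part of this setup most worth checking before it leaves the lab. The following script is an added example, not code from the original post: it flattens the realm settings into the dotted keys Elasticsearch actually reads, audits them (cleartext ldap://, bind password in the file, hostname verification, unmapped_groups_as_roles) and shows a hardened variant beside the page's one. The hostname, port and CA path in the hardened variant are assumptions; the setting names (url, bind_dn, secure_bind_password, ssl.verification_mode, ssl.certificate_authorities) are the realm's real 6.x settings.

```python
"""Added example (not from the original post): audit the LDAP realm settings
shown above. Elasticsearch reads elasticsearch.yml as dotted keys, so the
nested YAML is flattened first. Host, port and CA path in the hardened
variant are assumptions."""
from urllib.parse import urlparse

REALM = "xpack.security.authc.realms.ldap1"

# The page's realm, constructed here as the nested structure from elasticsearch.yml.
PAGE_TREE = {"xpack": {"security": {"authc": {"realms": {"ldap1": {
    "type": "ldap", "order": 0,
    "url": "ldap://192.168.13.12",
    "bind_dn": "cn=root,dc=intelli706,dc=com",
    "bind_password": "123456",
    "user_search": {"base_dn": "dc=intelli706,dc=com", "attribute": "uid"},
    "group_search": {"base_dn": "dc=intelli706,dc=com"},
    "unmapped_groups_as_roles": False,
}}}}}}


def flatten(tree, prefix=""):
    """Nested dict -> {'a.b.c': value}, the form Elasticsearch settings take."""
    flat = {}
    for key, value in tree.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, path))
        else:
            flat[path] = value
    return flat


PAGE_SETTINGS = flatten(PAGE_TREE)

# Hardened variant (assumed host, port and CA path): LDAPS with hostname
# verification, and the bind password moved out of the file into the keystore:
#   bin/elasticsearch-keystore add xpack.security.authc.realms.ldap1.secure_bind_password
HARDENED_SETTINGS = {
    **{k: v for k, v in PAGE_SETTINGS.items() if k != f"{REALM}.bind_password"},
    f"{REALM}.url": "ldaps://ldap.intelli706.com:636",
    f"{REALM}.ssl.verification_mode": "full",
    f"{REALM}.ssl.certificate_authorities": ["/etc/elasticsearch/certs/ldap-ca.pem"],
}


def audit_ldap_realm(settings, realm=REALM):
    """Return (severity, message) findings for one LDAP realm; [] means clean."""
    findings = []
    scheme = urlparse(str(settings.get(f"{realm}.url", ""))).scheme
    if scheme != "ldaps":
        findings.append(("high", f"{realm}.url is {scheme or 'unset'}://: the bind password and "
                                 "every user's login password cross the network in cleartext"))
    if f"{realm}.bind_password" in settings:
        findings.append(("medium", f"{realm}.bind_password is in elasticsearch.yml; store it in the "
                                   f"keystore as {realm}.secure_bind_password instead"))
    mode = settings.get(f"{realm}.ssl.verification_mode", "full")
    if scheme == "ldaps" and mode != "full":
        findings.append(("medium", f"{realm}.ssl.verification_mode={mode}: the LDAP server's "
                                   "certificate hostname is not checked"))
    if settings.get(f"{realm}.unmapped_groups_as_roles"):
        findings.append(("medium", f"{realm}.unmapped_groups_as_roles=true: every LDAP group "
                                   "name silently becomes an Elasticsearch role name"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("page", PAGE_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(label, audit_ldap_realm(cfg) or "clean")
```

Run against the page's settings it reports the cleartext ldap:// URL and the inline bind password; the hardened dict passes. The keystore route matters beyond tidiness: elasticsearch.yml is routinely copied into tickets and repositories, and the bind account here is the directory's root DN.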

role_mapping.yml is optional and is shown here only for reference; mappings are normally created through the API. Note that this file maps both DNs to superuser: if it were in effect, zhangyan would be a superuser and the column restriction demonstrated later would not apply. The _authenticate output further down shows no superuser role for these accounts, so in this walkthrough the file was not active.

# Role mapping configuration file which has elasticsearch roles as keys
# that map to one or more user or group distinguished names

#roleA:   this is an elasticsearch role
#  - groupA-DN  this is a group distinguished name
#  - groupB-DN
#  - user1-DN   this is the full user distinguished name

#power_user:
#  - "cn=admins,dc=example,dc=com"
#user:
#  - "cn=users,dc=example,dc=com"
#  - "cn=admins,dc=example,dc=com"
#  - "cn=John Doe,cn=other users,dc=example,dc=com"
superuser:
  - "cn=admin,ou=person,dc=intelli706,dc=com"
  - "cn=zhangyan,ou=person,dc=intelli706,dc=com"

Kibana configuration (config/kibana.yml): mainly the Elasticsearch username and password are added. Outside a lab, Kibana should connect as the built-in kibana user rather than as the elastic superuser, so that a leaked kibana.yml does not hand over administration of the cluster.

elasticsearch.username: "elastic"
elasticsearch.password: "elastic"

After Elasticsearch and Kibana are restarted, a username and password are required to log in to Kibana and to read data from Elasticsearch.

LDAP
The LDAP server setup is omitted.

The entries were created with objectClass inetOrgPerson; for the admin entry the RDN is cn=admin, with sn=admin, uid=admin and userPassword=admin.

Using the LDAP Admin Windows client, connect to the LDAP server and add an organizational unit (ou) and a test user (cn=admin); the resulting DN is cn=admin,ou=person,dc=intelli706,dc=com. Briefly: LDAP stores entries in a tree, and cn=admin,ou=person,dc=intelli706,dc=com is a DN (Distinguished Name), i.e. a unique identifier. It is visibly a path through the directory tree, which is why it uniquely identifies an entry (roughly one row in a database table). Since the realm above sets user_search.attribute: uid, it is the uid value (admin), not the cn, that a user types as the login name.

To verify the admin user, call the /_xpack/security/_authenticate endpoint with the admin account and its password; it returns the user's details.

GET /_xpack/security/_authenticate    (Basic Auth admin:admin, e.g. curl -u admin:admin)
Response:
{
  "username": "admin",
  "roles": [], # note: no role has been bound yet, so the roles list is empty
  "full_name": null,
  "email": null,
  "metadata": {
    "ldap_dn": "cn=admin,ou=person,dc=intelli706,dc=com", # DN of the admin account
    "ldap_groups": []
  },
  "enabled": true,
  "authentication_realm": {
    "name": "ldap1", # the user was resolved through the LDAP realm
    "type": "ldap"
  },
  "lookup_realm": {
    "name": "ldap1",
    "type": "ldap"
  }
}

The following operations are performed as the elastic:elastic account.

Querying the roles in Elasticsearch through the API
Roles and built-in users can also be managed in Kibana under Management; the API is used here because it is what application code will call.

GET /_xpack/security/role

Note: HTTP requests now have to carry Basic Auth credentials (username elastic, password elastic in this setup). With security enabled, a request without credentials is rejected with 401.

Creating a role
Create a role with one index privilege: read access to the tyyw* indices, limited to a subset of their columns. One thing to fix before copying this: "cluster": ["all"] is far more than a column-restricted reader needs. The all cluster privilege includes manage_security, so a user holding xsjc could call the role API and remove the field restriction from their own role. Use "cluster": [] (or at most monitor) for a read-only role.

POST /_xpack/security/role/xsjc
{
  "cluster": ["all"],
  "indices": [
    {
      "names": [ "tyyw*"],
      "privileges": ["read"],
      "field_security" : {
        "grant" : [ "TYYW_2001_AJ__CBDW_MC", "TYYW_2001_AJ__CBDW_MC.keyword" ]
      }
    }
  ]
}
Response:
{
  "role": {
    "created": true
  }
}

Querying roles

GET /_xpack/security/role        # all roles
GET /_xpack/security/role/xsjc   # one role

Response

{
  "xsjc": {
    "cluster": [
      "all"
    ],
    "indices": [
      {
        "names": [
          "tyyw*"
        ],
        "privileges": [
          "read"
        ],
        "field_security": {
          "grant": [
            "TYYW_2001_AJ__CBDW_MC",
            "TYYW_2001_AJ__CBDW_MC.keyword" # note: this role grants read access to these two fields only
          ]
        },
        "allow_restricted_indices": false
      }
    ],
    "applications": [],
    "run_as": [],
    "metadata": {},
    "transient_metadata": {
      "enabled": true
    }
  }
}

Binding a role to a user
Under the hood this creates a role mapping: a named rule set (zhangyan_role here) that assigns one or more roles to every authenticated user whose attributes match. Matching on a single user's dn, as below, works for one account; for a real user population map on LDAP group membership with the groups field (filled from group_search into ldap_groups, which is still empty for these users) and add a realm.name condition, so that an identically named account in another realm cannot satisfy the rule.

POST /_xpack/security/role_mapping/zhangyan_role
{
    "enabled": true,
    "roles": ["xsjc"],
    "rules": {
        "field": {
            "dn": "cn=zhangyan,ou=person,dc=intelli706,dc=com"
        }
    }
}
Response:
{
  "role_mapping": {
    "created": true
  }
}

Querying the user-to-role mappings

GET /_xpack/security/role_mapping                # all mappings

GET /_xpack/security/role_mapping/zhangyan_role  # one mapping
Response:
{
  "zhangyan_role": {
    "enabled": true,
    "roles": [
      "xsjc"
    ],
    "rules": {
      "field": {
        "dn": "cn=zhangyan,ou=person,dc=intelli706,dc=com"
      }
    },
    "metadata": {}
  }
}
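
The role creation and the role mapping above are the two places where privilege is decided, so they are the two things worth checking in code. The script below is an added example, not code from the original post or from Elasticsearch: it builds a least-privilege version of the xsjc role, audits a role body (such as one returned by GET /_xpack/security/role) for over-privilege, builds a group-based mapping, and evaluates mapping rules locally against an _authenticate response the way Elasticsearch does. The group DN cn=xsjc_readers,ou=groups,dc=intelli706,dc=com is an assumption, and the DN matching is simplified to case-insensitive comparison with * wildcards.

```python
"""Added example (not from the original post): least-privilege role body,
role audit, group-based mapping and a local role-mapping evaluator.
The group DN is assumed; matching is simplified to case-insensitive
comparison with * wildcards."""
import fnmatch

# The role and mapping created on the page, constructed here from its output.
PAGE_ROLE = {
    "cluster": ["all"],
    "indices": [{"names": ["tyyw*"], "privileges": ["read"],
                 "field_security": {"grant": ["TYYW_2001_AJ__CBDW_MC",
                                              "TYYW_2001_AJ__CBDW_MC.keyword"]}}],
}
PAGE_MAPPING = {"enabled": True, "roles": ["xsjc"],
                "rules": {"field": {"dn": "cn=zhangyan,ou=person,dc=intelli706,dc=com"}}}
# The _authenticate response for zhangyan, as shown on the page.
ZHANGYAN_AUTH = {"username": "zhangyan", "roles": ["xsjc"],
                 "metadata": {"ldap_dn": "cn=zhangyan,ou=person,dc=intelli706,dc=com",
                              "ldap_groups": []},
                 "authentication_realm": {"name": "ldap1", "type": "ldap"}}
READERS_GROUP = "cn=xsjc_readers,ou=groups,dc=intelli706,dc=com"  # assumed LDAP group
# Constructed variants: the same user as a group member, and the same DN from another realm.
MEMBER_AUTH = {**ZHANGYAN_AUTH,
               "metadata": {**ZHANGYAN_AUTH["metadata"], "ldap_groups": [READERS_GROUP]}}
OTHER_REALM_AUTH = {**MEMBER_AUTH, "authentication_realm": {"name": "native", "type": "native"}}

SAFE_INDEX_PRIVS = {"read", "view_index_metadata"}
DANGEROUS_CLUSTER_PRIVS = {"all", "manage_security"}


def column_reader_role(index_patterns, fields):
    """Least-privilege version of xsjc: no cluster privileges, read-only on the
    patterns, and only the listed fields (plus their .keyword sub-fields,
    which terms aggregations use) visible in _source."""
    grant = [g for f in fields for g in (f, f + ".keyword")]
    return {"cluster": [],
            "indices": [{"names": list(index_patterns), "privileges": ["read"],
                         "field_security": {"grant": grant}}]}


def audit_role(name, role):
    """Findings for a role body; an empty list means it passes the checks."""
    findings = []
    bad_cluster = set(role.get("cluster", [])) & DANGEROUS_CLUSTER_PRIVS
    if bad_cluster:
        findings.append(f"{name}: cluster privilege {sorted(bad_cluster)} includes manage_security, "
                        "so the holder can rewrite roles and mappings, this one included")
    for idx in role.get("indices", []):
        names = idx.get("names", [])
        if "*" in names:
            findings.append(f"{name}: index pattern * covers every index, including future ones")
        extra = set(idx.get("privileges", [])) - SAFE_INDEX_PRIVS
        if extra:
            findings.append(f"{name}: non-read index privileges {sorted(extra)} on {names}")
        grant = idx.get("field_security", {}).get("grant")
        if not grant or "*" in grant:
            findings.append(f"{name}: no field restriction on {names}; every field is readable")
    return findings


def group_role_mapping(roles, group_dn, realm="ldap1"):
    """Mapping on LDAP group membership instead of one user's DN. The realm.name
    rule stops a same-named user or group in another realm from matching."""
    return {"enabled": True, "roles": list(roles),
            "rules": {"all": [{"field": {"realm.name": realm}},
                              {"field": {"groups": group_dn}}]}}


def mapping_view(auth):
    """Project an _authenticate response onto the fields mapping rules can test
    (username, dn, groups, realm.name, metadata.*)."""
    md = auth.get("metadata", {})
    return {"username": auth["username"], "dn": md.get("ldap_dn"),
            "groups": md.get("ldap_groups", []),
            "realm": {"name": auth["authentication_realm"]["name"]}, "metadata": md}


def _lookup(user, dotted):
    node = user
    for part in dotted.split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node


def _matches(rule, user):
    """field / any / all / except rules; list-valued user fields match if any element does."""
    if "field" in rule:
        (path, expected), = rule["field"].items()
        actual = _lookup(user, path)
        actual = actual if isinstance(actual, list) else [actual]
        expected = expected if isinstance(expected, list) else [expected]
        return any(isinstance(a, str) and fnmatch.fnmatchcase(a.lower(), str(e).lower())
                   for a in actual for e in expected)
    if "any" in rule:
        return any(_matches(r, user) for r in rule["any"])
    if "all" in rule:
        return all(_matches(r, user) for r in rule["all"])
    if "except" in rule:
        return not _matches(rule["except"], user)
    raise ValueError(f"unsupported rule: {rule}")


def roles_for_user(mappings, auth):
    """Roles the given mappings (name -> body) would assign to this user."""
    user = mapping_view(auth)
    roles = set()
    for body in mappings.values():
        if body.get("enabled", True) and _matches(body["rules"], user):
            roles.update(body["roles"])
    return sorted(roles)
```

audit_role flags exactly one problem in the page's xsjc role (the cluster privilege) and none in the column_reader_role output. The evaluator shows why the group-based mapping is the one to deploy: zhangyan as shown on the page (ldap_groups empty) gets nothing from it until the directory puts the user in the group, and the same DN authenticated by a different realm gets nothing either.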

Querying the user's information

GET /_xpack/security/_authenticate    (Basic Auth zhangyan:zhangyan)
Response:
{
  "username": "zhangyan",
  "roles": [
    "xsjc" # the role is now attached
  ],
  "full_name": null,
  "email": null,
  "metadata": {
    "ldap_dn": "cn=zhangyan,ou=person,dc=intelli706,dc=com",
    "ldap_groups": []
  },
  "enabled": true,
  "authentication_realm": {
    "name": "ldap1",
    "type": "ldap"
  },
  "lookup_realm": {
    "name": "ldap1",
    "type": "ldap"
  }
}

Querying Elasticsearch as the zhangyan user
Note that in the returned hits, _source contains only the TYYW_2001_AJ__CBDW_MC column; documents that have no value for that field come back with an empty _source, because every other field is filtered out. (The query itself is not shown.) Two further things to notice in this output: document metadata such as _index and _id is not covered by field-level security, so the case numbers used here as _id values remain visible to a user who is only supposed to see one column; and an aggregation on a field outside the grant returns no buckets rather than an authorization error, because ungranted fields behave as if they did not exist.

{
  "took": 79,
  "timed_out": false,
  "_shards": {
    "total": 10,
    "successful": 10,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": 201,
    "max_score": 1.0,
    "hits": [
      {
        "_index": "tyyw_xsjc_0731",
        "_type": "_doc",
        "_id": "东检刑捕受[2019]770000100176",
        "_score": 1.0,
        "_source": {
          "TYYW_2001_AJ__CBDW_MC": "河北省院"
        }
      },
      {
        "_index": "tyyw_xsjc_0731",
        "_type": "_doc",
        "_id": "市检刑捕受[2019]770000100063",
        "_score": 1.0,
        "_source": {}
      },
      {
        "_index": "tyyw_xsjc_0731",
        "_type": "_doc",
        "_id": "东检刑捕受[2019]770000100184",
        "_score": 1.0,
        "_source": {}
      },
      {
        "_index": "tyyw_xsjc_0731",
        "_type": "_doc",
        "_id": "东检刑捕受[2019]770000100146",
        "_score": 1.0,
        "_source": {
          "TYYW_2001_AJ__CBDW_MC": "广东省院"
        }
      },
      {
        "_index": "tyyw_xsjc_0731",
        "_type": "_doc",
        "_id": "市检刑捕受[2019]770000100092",
        "_score": 1.0,
        "_source": {}
      },
      {
        "_index": "tyyw_xsjc_0731",
        "_type": "_doc",
        "_id": "市检刑捕受[2019]770000100096",
        "_score": 1.0,
        "_source": {}
      },
      {
        "_index": "tyyw_xsjc_0731",
        "_type": "_doc",
        "_id": "央检刑捕受[2019]770000100038",
        "_score": 1.0,
        "_source": {}
      },
      {
        "_index": "tyyw_xsjc_0731",
        "_type": "_doc",
        "_id": "西检刑捕受[2019]770000100005",
        "_score": 1.0,
        "_source": {}
      },
      {
        "_index": "tyyw_xsjc_0731",
        "_type": "_doc",
        "_id": "市检刑捕受[2019]770000100080",
        "_score": 1.0,
        "_source": {}
      },
      {
        "_index": "tyyw_xsjc_0731",
        "_type": "_doc",
        "_id": "东检刑捕受[2019]770000100163",
        "_score": 1.0,
        "_source": {}
      },
      {
        "_index": "tyyw_xsjc_0731",
        "_type": "_doc",
        "_id": "央检刑捕受[2019]770000100040",
        "_score": 1.0,
        "_source": {}
      },
      {
        "_index": "tyyw_xsjc_0731",
        "_type": "_doc",
        "_id": "市检刑捕受[2019]770000100093",
        "_score": 1.0,
        "_source": {}
      },
      {
        "_index": "tyyw_xsjc_0731",
        "_type": "_doc",
        "_id": "东检刑捕受[2019]770000100151",
        "_score": 1.0,
        "_source": {
          "TYYW_2001_AJ__CBDW_MC": "汉东省院"
        }
      },
      {
        "_index": "tyyw_xsjc_0731",
        "_type": "_doc",
        "_id": "东检刑捕受[2019]770000100179",
        "_score": 1.0,
        "_source": {}
      },
      {
        "_index": "tyyw_xsjc_0731",
        "_type": "_doc",
        "_id": "区检刑捕受[2019]770000100108",
        "_score": 1.0,
        "_source": {}
      },
      {
        "_index": "tyyw_xsjc_0731",
        "_type": "_doc",
        "_id": "市检刑捕受[2019]770000100058",
        "_score": 1.0,
        "_source": {}
      },
      {
        "_index": "tyyw_xsjc_0731",
        "_type": "_doc",
        "_id": "东检刑捕受[2019]770000100183",
        "_score": 1.0,
        "_source": {}
      },
      {
        "_index": "tyyw_xsjc_0731",
        "_type": "_doc",
        "_id": "市检刑捕受[2019]770000100091",
        "_score": 1.0,
        "_source": {
          "TYYW_2001_AJ__CBDW_MC": "汉东省院"
        }
      },
      {
        "_index": "tyyw_xsjc_0731",
        "_type": "_doc",
        "_id": "东检刑捕受[2019]770000100189",
        "_score": 1.0,
        "_source": {}
      },
      {
        "_index": "tyyw_xsjc_0731",
        "_type": "_doc",
        "_id": "央检刑捕受[2019]770000100043",
        "_score": 1.0,
        "_source": {}
      }
    ]
  },
  "aggregations": {
    "test": {
      "doc_count_error_upper_bound": 0,
      "sum_other_doc_count": 0,
      "buckets": []
    }
  }
}
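
Checking a response like the one above by eye does not scale to 201 hits. The script below is an added example, not code from the original post: it takes a role's field_security grant and a search response, reports any hit whose _source contains a field outside the grant, reconstructs the view field-level security produces from an unrestricted document, and lists the metadata the grant never hides. The two hits are copied from the response above; the extra field names in the unrestricted variant (TYYW_2001_AJ__AJMC, an extra object) are invented for illustration.

```python
"""Added example (not from the original post): verify a search response
against a field_security grant and show what field-level security hides.
The unrestricted variant's extra field names are invented."""
import copy
import fnmatch

GRANTED = ["TYYW_2001_AJ__CBDW_MC", "TYYW_2001_AJ__CBDW_MC.keyword"]

# Two hits from the page's response, as returned to zhangyan (constructed excerpt).
FLS_RESPONSE = {"hits": {"total": 201, "hits": [
    {"_index": "tyyw_xsjc_0731", "_type": "_doc", "_id": "东检刑捕受[2019]770000100176",
     "_score": 1.0, "_source": {"TYYW_2001_AJ__CBDW_MC": "河北省院"}},
    {"_index": "tyyw_xsjc_0731", "_type": "_doc", "_id": "市检刑捕受[2019]770000100063",
     "_score": 1.0, "_source": {}},
]}, "aggregations": {"test": {"buckets": []}}}

# The same hits as an unrestricted user might see them (extra fields are invented).
UNRESTRICTED_RESPONSE = copy.deepcopy(FLS_RESPONSE)
UNRESTRICTED_RESPONSE["hits"]["hits"][0]["_source"].update(
    {"TYYW_2001_AJ__AJMC": "case title", "extra": {"note": "internal"}})
UNRESTRICTED_RESPONSE["hits"]["hits"][1]["_source"]["TYYW_2001_AJ__AJMC"] = "another title"


def field_allowed(path, granted):
    """Grant entries are field names or * patterns, as in field_security.grant."""
    return any(fnmatch.fnmatchcase(path, pattern) for pattern in granted)


def source_paths(source, prefix=""):
    """Dotted paths of every leaf in a _source document."""
    paths = set()
    for key, value in source.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict) and value:
            paths |= source_paths(value, path)
        else:
            paths.add(path)
    return paths


def restrict_source(source, granted, prefix=""):
    """The _source view field-level security produces: only granted leaves survive,
    and objects that lose all their leaves disappear (hence the {} sources above)."""
    out = {}
    for key, value in source.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict) and value:
            kept = restrict_source(value, granted, path)
            if kept:
                out[key] = kept
        elif field_allowed(path, granted):
            out[key] = value
    return out


def leaked_fields(response, granted):
    """{_id: [fields]} for hits whose _source contains anything outside the grant."""
    leaks = {}
    for hit in response["hits"]["hits"]:
        bad = sorted(p for p in source_paths(hit.get("_source", {}))
                     if not field_allowed(p, granted))
        if bad:
            leaks[hit["_id"]] = bad
    return leaks


def exposed_metadata(response):
    """Metadata field-level security never hides: _index and _id of every hit.
    On this page the _id values are case numbers, so they leak regardless of the grant."""
    return [(hit["_index"], hit["_id"]) for hit in response["hits"]["hits"]]


if __name__ == "__main__":
    print("leaks in restricted response:", leaked_fields(FLS_RESPONSE, GRANTED))
    print("leaks in unrestricted response:", leaked_fields(UNRESTRICTED_RESPONSE, GRANTED))
    print("always visible:", exposed_metadata(FLS_RESPONSE))
```

leaked_fields is the check to run from a test account after every role change; exposed_metadata is the reminder that the grant list is not the whole story, since anything placed in _id (or _index names) is visible to every user who can search the index at all.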
