My deployment and strategic configuration for SG, I hope to help you


elain ding

Aug 31, 2015, 2:09:50 AM
to Search Guard

# Add to elasticsearch.yml
#################search-guard###################
searchguard.enabled: true
searchguard.key_path: /home/work/app/elasticsearch/keys
searchguard.auditlog.enabled: true
searchguard.allow_all_from_loopback: true # can be enabled for local debugging; recommended to disable in production
searchguard.check_for_root: false
searchguard.http.enable_sessions: true

# Configure the authentication method
searchguard.authentication.authentication_backend.impl: com.floragunn.searchguard.authentication.backend.simple.SettingsBasedAuthenticationBackend
searchguard.authentication.authorizer.impl: com.floragunn.searchguard.authorization.simple.SettingsBasedAuthorizator
searchguard.authentication.http_authenticator.impl: com.floragunn.searchguard.authentication.http.basic.HTTPBasicAuthenticator

# Configure usernames and passwords
searchguard.authentication.settingsdb.user.admin: admin
searchguard.authentication.settingsdb.user.user1: 123
searchguard.authentication.settingsdb.user.user2: 123

# Configure user roles
searchguard.authentication.authorization.settingsdb.roles.admin: ["root"]
searchguard.authentication.authorization.settingsdb.roles.user1: ["user1"]
searchguard.authentication.authorization.settingsdb.roles.user2: ["user2"]

# Configure role permissions (read-only)
searchguard.actionrequestfilter.names: ["readonly","deny"]
searchguard.actionrequestfilter.readonly.allowed_actions: ["indices:data/read/*", "indices:admin/exists","indices:admin/mappings/*","indices:admin/validate/query"]
searchguard.actionrequestfilter.readonly.forbidden_actions: ["indices:data/write/*"]

# Configure role permissions (deny access)
searchguard.actionrequestfilter.deny.allowed_actions: []
searchguard.actionrequestfilter.deny.forbidden_actions: ["indices:data/write/*"]



{"acl": [
    {
      "__Comment__": "Default is to execute all filters",
      "filters_bypass": [],
      "filters_execute": ["actionrequestfilter.deny"]
    }, // deny access by default
    {
      "__Comment__": "This means that every requestor (regardless of the requestors hostname and username) which has the root role can do anything",
      "roles": [
        "root"
      ],
      "filters_bypass": ["*"],
      "filters_execute": []
    }, // the root role has full permissions
    {
      "__Comment__": "This means that for the user spock on index popstuff only the actionrequestfilter.readonly will be executed, no other",
      "users": ["user1"],
      "indices": ["index1-*","index2-*",".kibana"],
      "filters_bypass": ["actionrequestfilter.deny"],
      "filters_execute": ["actionrequestfilter.readonly"]
    }, // user1 can only access the index1-* and index2-* indices, and only with read-only permission
    {
      "__Comment__": "This means that for the user spock on index popstuff only the actionrequestfilter.readonly will be executed, no other",
      "users": ["user2"],
      "indices": ["index3-*",".kibana"],
      "filters_bypass": ["actionrequestfilter.deny"],
      "filters_execute": ["actionrequestfilter.readonly"]
    } // user2 can only access the index3-* indices, and only with read-only permission

  ]}

Please check in detail:

SG

Aug 31, 2015, 6:49:40 PM
to search...@googlegroups.com
thx, that's great

adam...@gmail.com

Sep 8, 2015, 10:40:57 AM
to Search Guard
Hi!

May I ask about this part of configuration:

   {
      "__Comment__": "This means that for the user spock on index popstuff only the actionrequestfilter.readonly will be executed, no other",
      "users": ["user1"],
      "indices": ["index1-*","index2-*",".kibana"],
      "filters_bypass": ["actionrequestfilter.deny"],
      "filters_execute": ["actionrequestfilter.readonly"]
    }


'If you access more than one index (e.g. search in multiple indices) only rules will match when they list all the indices (or "*").'

Does it mean that if I use e.g. 'someindex-*' in kibana then I can define 'someindex-*' inside ACL - as above? Will it work?

In such situation - if I would try to search only one index - e.g. someindex-20150908 - would this ACL be appropriate for that search too?

AdamLis;


On Monday, August 31, 2015 at 8:09:50 UTC+2, elain ding wrote:

elain ding

Sep 15, 2015, 10:06:51 AM
to Search Guard
You try to know.
Someindex-20150908 includes someindex-*, so it's possible.

On Tuesday, September 8, 2015 at 10:40:57 PM UTC+8, adam...@gmail.com wrote:
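Added example, not part of the thread and not Search Guard's own code: a simplified Python model of the matching rule quoted above (a rule applies only when it covers every requested index), run against the ACL from the first post. Shell-style wildcard matching via `fnmatch` and the way `filters_execute` and `filters_bypass` are merged across matching rules are assumptions of this model.

```python
import fnmatch

# ACL entries from the first post, reduced to the fields this model uses.
ACL = [
    {"filters_bypass": [], "filters_execute": ["actionrequestfilter.deny"]},
    {"roles": ["root"], "filters_bypass": ["*"], "filters_execute": []},
    {"users": ["user1"], "indices": ["index1-*", "index2-*", ".kibana"],
     "filters_bypass": ["actionrequestfilter.deny"],
     "filters_execute": ["actionrequestfilter.readonly"]},
    {"users": ["user2"], "indices": ["index3-*", ".kibana"],
     "filters_bypass": ["actionrequestfilter.deny"],
     "filters_execute": ["actionrequestfilter.readonly"]},
]


def rule_matches(rule, user, roles, indices):
    """A rule applies only if the user, a role and EVERY requested index match."""
    if "users" in rule and user not in rule["users"]:
        return False
    if "roles" in rule and not set(roles) & set(rule["roles"]):
        return False
    if "indices" in rule:
        # Assumption: index patterns are shell-style wildcards.
        return all(
            any(fnmatch.fnmatchcase(idx, pat) for pat in rule["indices"])
            for idx in indices
        )
    return True  # a rule without users/roles/indices is the default rule


def effective_filters(user, roles, indices, acl=ACL):
    """Assumed merge: union of filters_execute minus union of filters_bypass."""
    execute, bypass = set(), set()
    for rule in acl:
        if rule_matches(rule, user, roles, indices):
            execute.update(rule["filters_execute"])
            bypass.update(rule["filters_bypass"])
    if "*" in bypass:
        return []
    return sorted(execute - bypass)


if __name__ == "__main__":
    # Constructed sample requests: (user, roles, requested indices)
    for req in [("user1", ["user1"], ["index1-2015.09.08"]),
                ("user1", ["user1"], ["index1-a", "index3-b"]),
                ("admin", ["root"], ["index3-2015.09.08"])]:
        print(req, "->", effective_filters(*req))
```

In this model a request by user1 that mixes `index1-*` with `index3-*` is not covered by the user1 rule, so only the default rule with `actionrequestfilter.deny` applies.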