Reviewed-by: Pruthi, Vineet <vineet.pruthi@t-systems.com> Co-authored-by: zhengxiu <zhengxiu@huawei.com> Co-committed-by: zhengxiu <zhengxiu@huawei.com>
<a name="EN-US_TOPIC_0000002115782578"></a><a name="EN-US_TOPIC_0000002115782578"></a>
<h1 class="topictitle1">Creating Users for an Elasticsearch Cluster and Granting Cluster Access</h1>
<div id="body0000002115782578"><p id="EN-US_TOPIC_0000002115782578__p17682103664518">CSS limits access to security-mode clusters to authorized users only. When creating a security-mode cluster, an administrator account must be created. This administrator account can later use Kibana to add new users for the cluster and grant them the required permissions. This topic uses Kibana 7.10.2 as an example to describe how to use Kibana to grant users access to a security-mode cluster.</p>
<div class="section" id="EN-US_TOPIC_0000002115782578__section14743123515531"><h4 class="sectiontitle">Background</h4><p id="EN-US_TOPIC_0000002115782578__p13262512159">CSS uses the opendistro_security plug-in to provide security cluster capabilities. The opendistro_security plug-in is built based on the RBAC model. RBAC involves three core concepts: user, action, and role. RBAC simplifies the relationship between users and actions, simplifies permission management, and facilitates permission expansion and maintenance. <a href="#EN-US_TOPIC_0000002115782578__fig17424102121615">Figure 1</a> shows the relationship between the three.</p>
<div class="fignone" id="EN-US_TOPIC_0000002115782578__fig17424102121615"><a name="EN-US_TOPIC_0000002115782578__fig17424102121615"></a><a name="fig17424102121615"></a><span class="figcap"><b>Figure 1 </b>User, action, and role</span><br><span><img id="EN-US_TOPIC_0000002115782578__image1422725243218" src="figure/en-us_image_0000002151221641.png"></span></div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="EN-US_TOPIC_0000002115782578__table158124283338" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Concepts</caption><thead align="left"><tr id="EN-US_TOPIC_0000002115782578__row6812628163318"><th align="left" class="cellrowborder" valign="top" width="25.22%" id="mcps1.3.2.4.2.3.1.1"><p id="EN-US_TOPIC_0000002115782578__p18121728133318">Concept</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="74.78%" id="mcps1.3.2.4.2.3.1.2"><p id="EN-US_TOPIC_0000002115782578__p18121328193319">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="EN-US_TOPIC_0000002115782578__row106955019346"><td class="cellrowborder" valign="top" width="25.22%" headers="mcps1.3.2.4.2.3.1.1 "><p id="EN-US_TOPIC_0000002115782578__p128131228123318">User</p>
</td>
<td class="cellrowborder" valign="top" width="74.78%" headers="mcps1.3.2.4.2.3.1.2 "><p id="EN-US_TOPIC_0000002115782578__p8813172815338">A user can send operation requests to an Elasticsearch cluster. A user has credentials such as a username and password, and zero or more backend roles and custom attributes.</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000002115782578__row19659124513335"><td class="cellrowborder" valign="top" width="25.22%" headers="mcps1.3.2.4.2.3.1.1 "><p id="EN-US_TOPIC_0000002115782578__p10813172813320">Role</p>
</td>
<td class="cellrowborder" valign="top" width="74.78%" headers="mcps1.3.2.4.2.3.1.2 "><p id="EN-US_TOPIC_0000002115782578__p17813028103311">A role is a combination of permissions or action groups, including operation permissions on clusters, indexes, documents, or fields.</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000002115782578__row38131288339"><td class="cellrowborder" valign="top" width="25.22%" headers="mcps1.3.2.4.2.3.1.1 "><p id="EN-US_TOPIC_0000002115782578__p281317285338">Permission</p>
</td>
<td class="cellrowborder" valign="top" width="74.78%" headers="mcps1.3.2.4.2.3.1.2 "><p id="EN-US_TOPIC_0000002115782578__p58131728203319">A single permission, for example, creating an index (<strong id="EN-US_TOPIC_0000002115782578__b87908168731054">indices:admin/create</strong>).</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000002115782578__row1083514246343"><td class="cellrowborder" valign="top" width="25.22%" headers="mcps1.3.2.4.2.3.1.1 "><p id="EN-US_TOPIC_0000002115782578__p2081342873313">Role mapping</p>
</td>
<td class="cellrowborder" valign="top" width="74.78%" headers="mcps1.3.2.4.2.3.1.2 "><p id="EN-US_TOPIC_0000002115782578__p88131628143310">A user is assigned one or more roles after successful authentication. Role mapping maps a role to a user (or a backend role). For example, the mapping from <strong id="EN-US_TOPIC_0000002115782578__b207020673731054">kibana_user</strong> (role) to <strong id="EN-US_TOPIC_0000002115782578__b70082757031054">Bob</strong> (user) means that Bob obtains all permissions of <strong id="EN-US_TOPIC_0000002115782578__b13545208631054">kibana_user</strong> after authentication. Similarly, the mapping from <strong id="EN-US_TOPIC_0000002115782578__b138110677231054">all_access</strong> (role) to <strong id="EN-US_TOPIC_0000002115782578__b192472549331054">admin</strong> (backend role) means that any user with the backend role <strong id="EN-US_TOPIC_0000002115782578__b16092716131054">admin</strong> (from the LDAP/Active Directory server) has all the permissions of role <strong id="EN-US_TOPIC_0000002115782578__b152853520531054">all_access</strong> after being authenticated. You can map each role to multiple users or backend roles.</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000002115782578__row14813162863314"><td class="cellrowborder" valign="top" width="25.22%" headers="mcps1.3.2.4.2.3.1.1 "><p id="EN-US_TOPIC_0000002115782578__p1781312280333">Action group</p>
</td>
<td class="cellrowborder" valign="top" width="74.78%" headers="mcps1.3.2.4.2.3.1.2 "><p id="EN-US_TOPIC_0000002115782578__p2813528153315">An action group is a group of permissions. For example, the predefined <strong id="EN-US_TOPIC_0000002115782578__b137555795731054">SEARCH</strong> action group grants roles permissions to use <strong id="EN-US_TOPIC_0000002115782578__b85153712831054">_search</strong> and <strong id="EN-US_TOPIC_0000002115782578__b163136067631054">_msearch</strong> APIs.</p>
</td>
</tr>
</tbody>
</table>
</div>
<p id="EN-US_TOPIC_0000002115782578__p5896111911313">In addition to the RBAC model, Elasticsearch also uses a concept called tenant. The RBAC model addresses the problem of user-level authorization, while the tenant model addresses the problem of data and resource sharing between different tenants. Within a tenant space, tenants can share information such as dashboards and index patterns.</p>
<p id="EN-US_TOPIC_0000002115782578__p5745166135911">By default, users can only see the index patterns and dashboards in their own private tenant space. When a new user <strong id="EN-US_TOPIC_0000002115782578__b66785056531054">test</strong> is added, the system automatically generates an index named <span class="parmvalue" id="EN-US_TOPIC_0000002115782578__parmvalue9171949131054"><b>.kibana_xxx_test</b></span>. The data in this user's private space will be stored in this index. Similarly, the data of the administrator's private tenant space is stored in the <span class="parmvalue" id="EN-US_TOPIC_0000002115782578__parmvalue16685301306"><b>.kibana_xxx_admin</b></span> index. To share an index pattern or dashboard with other tenants, you can create them in the global tenant space. Other users can access the shared resource only by switching to the global tenant space.</p>
<p id="EN-US_TOPIC_0000002115782578__p1770883133318">On the Kibana console, you can configure user permissions on an Elasticsearch cluster under <strong id="EN-US_TOPIC_0000002115782578__b61007843131054">Security</strong> to implement fine-grained access control at four levels: cluster, index, document, and field.</p>
<p id="EN-US_TOPIC_0000002115782578__p1884939342">Users can be added to or deleted from a cluster and mapped to roles. Mapping a role to a user is how you assign the role's permissions to that user.</p>
<p id="EN-US_TOPIC_0000002115782578__p456112285323">With role mapping, you can configure the members of each role and assign roles to users based on usernames, backend roles, and host names. For each role, you can configure cluster, index, and document permissions, as well as the permission to use Kibana.</p>
<p id="EN-US_TOPIC_0000002115782578__p185614287325">For more information about the security configuration of a security-mode cluster, see the detailed guide in the official Elasticsearch documentation <a href="https://opendistro.github.io/for-elasticsearch-docs/docs/security/" target="_blank" rel="noopener noreferrer">here</a>.</p>
</div>
<div class="section" id="EN-US_TOPIC_0000002115782578__section1992610471567"><h4 class="sectiontitle">Constraints</h4><ul id="EN-US_TOPIC_0000002115782578__ul11823695718"><li id="EN-US_TOPIC_0000002115782578__li133417116719">You can customize the username, role name, and tenant name in Kibana.</li><li id="EN-US_TOPIC_0000002115782578__li5733145714911">The Kibana GUI varies depending on the Kibana version. Kibana 7.10.2 is used as an example here.</li></ul>
</div>
<div class="section" id="EN-US_TOPIC_0000002115782578__section111313114129"><h4 class="sectiontitle">Creating a User and Granting Permissions</h4><ol id="EN-US_TOPIC_0000002115782578__ol1146124181315"><li id="EN-US_TOPIC_0000002115782578__li6131431182019"><span id="EN-US_TOPIC_0000002115782578__ph152259618315">Log in to the CSS management console.</span></li><li id="EN-US_TOPIC_0000002115782578__li9385183319204">In the navigation pane on the left, choose <span class="uicontrol" id="EN-US_TOPIC_0000002115782578__uicontrol5576445585135"><b>Clusters > Elasticsearch</b></span>.</li><li id="EN-US_TOPIC_0000002115782578__li11194728121310">In the cluster list, find the target cluster, and click <strong id="EN-US_TOPIC_0000002115782578__b394511558445">Kibana</strong> in the <strong id="EN-US_TOPIC_0000002115782578__b6945175524415">Operation</strong> column to log in to Kibana using the administrator account.<ul id="EN-US_TOPIC_0000002115782578__ul11224131791311"><li id="EN-US_TOPIC_0000002115782578__li18223171731318">Username: <strong id="EN-US_TOPIC_0000002115782578__b56563789931054">admin</strong> (default administrator account name)</li><li id="EN-US_TOPIC_0000002115782578__li1722491721319">Password: Enter the administrator password you set when creating the cluster in security mode.</li></ul>
</li><li id="EN-US_TOPIC_0000002115782578__li14379949186">After a successful login, choose <span class="uicontrol" id="EN-US_TOPIC_0000002115782578__uicontrol1440584819218"><b>Security</b></span> in the navigation tree on the left of the Kibana operation page. The <span class="wintitle" id="EN-US_TOPIC_0000002115782578__wintitle1012919819227"><b>Security</b></span> page is displayed.</li><li id="EN-US_TOPIC_0000002115782578__li6987194241414">Add a new user <strong id="EN-US_TOPIC_0000002115782578__b22310991331054">test</strong> for the security-mode cluster.<ol type="a" id="EN-US_TOPIC_0000002115782578__ol1332615710149"><li id="EN-US_TOPIC_0000002115782578__li194620411311">Click <span class="uicontrol" id="EN-US_TOPIC_0000002115782578__uicontrol3468418134"><b>Internal users</b></span> in the navigation area.</li><li id="EN-US_TOPIC_0000002115782578__li13461141135">On the <strong id="EN-US_TOPIC_0000002115782578__b1715151691714">Internal users</strong> page, click <strong id="EN-US_TOPIC_0000002115782578__b1401152212177">Create internal user</strong>. The page for creating a new user is displayed.<div class="fignone" id="EN-US_TOPIC_0000002115782578__fig114619417139"><span class="figcap"><b>Figure 2 </b>Create internal user</span><br><span><img id="EN-US_TOPIC_0000002115782578__image1125216578365" src="figure/en-us_image_0000002117887706.png"></span></div>
</li><li id="EN-US_TOPIC_0000002115782578__li1899122632920">On the displayed page, set <span class="parmname" id="EN-US_TOPIC_0000002115782578__parmname164620401315"><b>Username</b></span>, <span class="parmname" id="EN-US_TOPIC_0000002115782578__parmname19467451311"><b>Password</b></span>, and <span class="parmname" id="EN-US_TOPIC_0000002115782578__parmname1625214810234"><b>Re-enter password</b></span>. The username <strong id="EN-US_TOPIC_0000002115782578__b72858002631054">test</strong> is used as an example here.<p id="EN-US_TOPIC_0000002115782578__p197021622173417">The following two parameters are optional. You can click <strong id="EN-US_TOPIC_0000002115782578__b20731207121910">Learn more</strong> on the page to learn more about them.</p>
<ul id="EN-US_TOPIC_0000002115782578__ul172521935132917"><li id="EN-US_TOPIC_0000002115782578__li1125283511296"><strong id="EN-US_TOPIC_0000002115782578__b125281491344">Backend roles</strong>: used to map external users (such as those from LDAP or SAML) to Open Distro security roles.</li><li id="EN-US_TOPIC_0000002115782578__li11917759182910"><strong id="EN-US_TOPIC_0000002115782578__b1682762016340">Attributes</strong>: used to further describe users. More importantly, they can be used to enable document-level access control on top of the index permissions of a role. This makes it possible to conduct dynamic document-level security (DLS) queries based on user attributes.</li></ul>
</li><li id="EN-US_TOPIC_0000002115782578__li1846184141315">Click <span class="uicontrol" id="EN-US_TOPIC_0000002115782578__uicontrol1158516165363"><b>Create</b></span>. Upon successful creation, the new user is displayed in the user list.</li></ol>
</li><li id="EN-US_TOPIC_0000002115782578__li7556131418157">Create a role named <strong id="EN-US_TOPIC_0000002115782578__b213765822331054">role_test</strong> and assign permissions to it.<ol type="a" id="EN-US_TOPIC_0000002115782578__ol0598831131614"><li id="EN-US_TOPIC_0000002115782578__li5480216181611">Click <strong id="EN-US_TOPIC_0000002115782578__b1039418417369">Roles</strong> under <span class="uicontrol" id="EN-US_TOPIC_0000002115782578__uicontrol839474103616"><b>Security</b></span>. The system provides preset roles. To view the permissions of each preset role, click <span class="uicontrol" id="EN-US_TOPIC_0000002115782578__uicontrol4103115533610"><b>Learn more</b></span> on the page. If the preset roles meet your needs, use them instead of creating a new role.</li><li id="EN-US_TOPIC_0000002115782578__li144801616151615">On the <strong id="EN-US_TOPIC_0000002115782578__b14247174213475">Roles</strong> page, click <span class="uicontrol" id="EN-US_TOPIC_0000002115782578__uicontrol1481171613167"><b>Create Role</b></span>.</li><li id="EN-US_TOPIC_0000002115782578__li205602505161">Set the role name, for example, <strong id="EN-US_TOPIC_0000002115782578__b13771665487">role_test</strong>.<div class="fignone" id="EN-US_TOPIC_0000002115782578__fig9481141619163"><span class="figcap"><b>Figure 3 </b>Setting the role name</span><br><span><img id="EN-US_TOPIC_0000002115782578__image1973154144010" src="figure/en-us_image_0000002117891886.png"></span></div>
</li><li id="EN-US_TOPIC_0000002115782578__li18860413121719">On the <span class="uicontrol" id="EN-US_TOPIC_0000002115782578__uicontrol1756512532480"><b>Cluster Permissions</b></span> page, set cluster permissions based on service requirements. If they are not configured for a role, the role will not have any cluster-level permissions. The following uses the cluster_monitor permission as an example.<div class="note" id="EN-US_TOPIC_0000002115782578__note22031937409"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="EN-US_TOPIC_0000002115782578__p12756114164011">In Elasticsearch, the cluster_monitor permission allows users to monitor and observe cluster status, but not to perform any operations that may alter the cluster status. Specifically, the cluster_monitor permission enables users to perform the following operations:</p>
<ul id="EN-US_TOPIC_0000002115782578__ul28437474918"><li id="EN-US_TOPIC_0000002115782578__li13843144164917">Check a cluster's status and health.</li><li id="EN-US_TOPIC_0000002115782578__li209663634915">Check the nodes of a cluster.</li><li id="EN-US_TOPIC_0000002115782578__li511917914917">View cluster statistics.</li><li id="EN-US_TOPIC_0000002115782578__li127431911114914">Check the pending tasks of a cluster.</li><li id="EN-US_TOPIC_0000002115782578__li814416149491">Check information about cluster recovery, segments, and indexes.</li></ul>
</div></div>
<div class="fignone" id="EN-US_TOPIC_0000002115782578__fig17588155016166"><span class="figcap"><b>Figure 4 </b>Cluster Permissions</span><br><span><img id="EN-US_TOPIC_0000002115782578__image10536174714443" src="figure/en-us_image_0000002153294397.png"></span></div>
</li><li id="EN-US_TOPIC_0000002115782578__li6235122213183">Configure index permissions on the <strong id="EN-US_TOPIC_0000002115782578__b7603141445819">Index Permissions</strong> page. This configuration is optional. It allows you to define the permissions of users assigned this role on specific indexes.<ul id="EN-US_TOPIC_0000002115782578__ul13880171351717"><li id="EN-US_TOPIC_0000002115782578__li10880113181716"><span class="parmname" id="EN-US_TOPIC_0000002115782578__parmname1688012138173"><b>Index</b></span>: Set the index name. For example, <span class="parmvalue" id="EN-US_TOPIC_0000002115782578__parmvalue1388010132172"><b>my_store</b></span>.<div class="note" id="EN-US_TOPIC_0000002115782578__note288015135174"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="EN-US_TOPIC_0000002115782578__p19880131314179">Use different names for the index and the user.</p>
</div></div>
</li><li id="EN-US_TOPIC_0000002115782578__li7880161301710"><span class="parmname" id="EN-US_TOPIC_0000002115782578__parmname148808133172"><b>Index permissions</b></span>: Set the index permissions to grant.</li></ul>
</li><li id="EN-US_TOPIC_0000002115782578__li224313465189"><span class="uicontrol" id="EN-US_TOPIC_0000002115782578__uicontrol124918229181"><b>Tenant Permissions</b></span>: Set tenant permissions. This configuration is optional. Tenants in Kibana are spaces for saving index patterns, visualizations, dashboards, and other Kibana objects. By default, all Kibana users have access to two tenants: Private and Global. The global tenant is shared between every Kibana user. The private tenant is exclusive to each user and cannot be shared. For more on tenant permissions, click <span class="uicontrol" id="EN-US_TOPIC_0000002115782578__uicontrol062620234407"><b>Learn more</b></span> on the page.</li><li id="EN-US_TOPIC_0000002115782578__li34839161161">Click <span class="uicontrol" id="EN-US_TOPIC_0000002115782578__uicontrol1548313164162"><b>Create</b></span> to save the role settings. The new role is displayed in the <span class="uicontrol" id="EN-US_TOPIC_0000002115782578__uicontrol112754411417"><b>Roles</b></span> list.</li></ol>
</li><li id="EN-US_TOPIC_0000002115782578__li6725381196">Map a role to a user to assign permissions to that user.<ol type="a" id="EN-US_TOPIC_0000002115782578__ol1647145662019"><li id="EN-US_TOPIC_0000002115782578__li11473851192011">Choose <span class="uicontrol" id="EN-US_TOPIC_0000002115782578__uicontrol5473551172012"><b>Security</b></span> > <span class="uicontrol" id="EN-US_TOPIC_0000002115782578__uicontrol14473175111201"><b>Roles</b></span>, and click <strong id="EN-US_TOPIC_0000002115782578__b1097116615106">role_test</strong>. The role details page is displayed.</li><li id="EN-US_TOPIC_0000002115782578__li1314143714162">Click the <strong id="EN-US_TOPIC_0000002115782578__b65521152201010">Mapped users</strong> tab, then click <span class="uicontrol" id="EN-US_TOPIC_0000002115782578__uicontrol15473125162017"><b>Map user</b></span>.</li><li id="EN-US_TOPIC_0000002115782578__li1447315162016">On the <strong id="EN-US_TOPIC_0000002115782578__b8744458191018">Map user</strong> page, select user <strong id="EN-US_TOPIC_0000002115782578__b1938951051111">test</strong> created earlier from the <strong id="EN-US_TOPIC_0000002115782578__b19213164701116">Users</strong> list.</li><li id="EN-US_TOPIC_0000002115782578__li1347410513208">Click <strong id="EN-US_TOPIC_0000002115782578__b172499230631054">Map</strong>.<p id="EN-US_TOPIC_0000002115782578__p12856195111911"><span><img id="EN-US_TOPIC_0000002115782578__image5994115413154" src="figure/en-us_image_0000002117941118.png"></span></p>
</li></ol>
</li><li id="EN-US_TOPIC_0000002115782578__li16474165119208">Verify that the user permissions have taken effect.<ol type="a" id="EN-US_TOPIC_0000002115782578__ol01841819132816"><li id="EN-US_TOPIC_0000002115782578__li768216719297">Log in to Kibana as user <strong id="EN-US_TOPIC_0000002115782578__b1764982613124">test</strong>.</li><li id="EN-US_TOPIC_0000002115782578__li204052554312">Click <strong id="EN-US_TOPIC_0000002115782578__b1416224418123">Dev Tools</strong> in the navigation tree on the left.</li><li id="EN-US_TOPIC_0000002115782578__li1415661717437">Run the <b><span class="cmdname" id="EN-US_TOPIC_0000002115782578__cmdname57163782815">GET /_cluster/health?pretty</span></b> command to check the cluster health. The code 200 is returned. Basic information about the cluster can be queried, indicating that the user has the permission to check cluster status.</li><li id="EN-US_TOPIC_0000002115782578__li16591754123011">Run the <b><span class="cmdname" id="EN-US_TOPIC_0000002115782578__cmdname32002022143016">PUT /my_test</span></b> command to create an index. The code 403 is returned, indicating that the user is not authorized to create indexes.</li></ol>
<p id="EN-US_TOPIC_0000002115782578__p1519425143112">User <strong id="EN-US_TOPIC_0000002115782578__b154311725171512">test</strong> can therefore check the cluster status but cannot create indexes, which confirms that the configuration is successful.</p>
<p id="EN-US_TOPIC_0000002115782578__p19996165364315">If necessary, you can add the index creation permission for the role later. The returned error message provides tips on adding role permissions.</p>
</li></ol>
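<p>The following Python script is an added worked example; it is not part of this documentation and not the opendistro_security plug-in's own code. It models the evaluation described in Table 1 (users with backend roles, roles built from permissions and action groups, role mapping by username or backend role) and reproduces the outcome of the verification step above: user <strong>test</strong>, mapped to <strong>role_test</strong> with the <strong>cluster_monitor</strong> cluster permission and index permissions only on <strong>my_store</strong>, gets 200 for the cluster health check and 403 when creating <strong>my_test</strong>. The action name <strong>cluster:monitor/health</strong>, the contents of the action groups, the user <strong>bob</strong> and the <strong>all_access</strong> role definition are simplified assumptions constructed for the example.</p>

```python
"""Toy model of the role-based access evaluation described in Background.

Added example, not the opendistro_security plug-in's own code. All data is
constructed; action names and action-group contents are simplified
assumptions rather than copies of the plug-in's configuration.
"""
from fnmatch import fnmatchcase

# Action groups expand to permissions or to other action groups.
# Patterns containing '*' are matched like shell globs.
ACTION_GROUPS = {
    "cluster_monitor": ["cluster:monitor/*"],  # assumption: read-only cluster state
    "SEARCH": ["indices:data/read/search*", "indices:data/read/msearch*"],
}

# Roles: cluster permissions plus per-index-pattern permissions (Table 1, Role).
ROLES = {
    "role_test": {
        "cluster_permissions": ["cluster_monitor"],
        "index_permissions": [
            {"index_patterns": ["my_store"], "allowed_actions": ["SEARCH"]},
        ],
    },
    "all_access": {  # constructed stand-in for the preset full-access role
        "cluster_permissions": ["*"],
        "index_permissions": [{"index_patterns": ["*"], "allowed_actions": ["*"]}],
    },
}

# Role mappings by username or by backend role (Table 1, Role mapping).
ROLE_MAPPINGS = {
    "role_test": {"users": ["test"], "backend_roles": []},
    "all_access": {"users": [], "backend_roles": ["admin"]},
}

# Users and their backend roles (Table 1, User). 'bob' is constructed and
# stands for an LDAP/AD user that carries the backend role 'admin'.
USERS = {
    "test": {"backend_roles": []},
    "bob": {"backend_roles": ["admin"]},
}


def expand(actions, seen=None):
    """Recursively expand action groups into concrete permission patterns."""
    if seen is None:
        seen = set()
    out = []
    for action in actions:
        if action in ACTION_GROUPS and action not in seen:
            seen.add(action)
            out.extend(expand(ACTION_GROUPS[action], seen))
        else:
            out.append(action)
    return out


def roles_for(username):
    """Roles a user obtains after authentication: mapped directly by
    username or indirectly through one of the user's backend roles."""
    backend = set(USERS[username]["backend_roles"])
    return sorted(
        role for role, mapping in ROLE_MAPPINGS.items()
        if username in mapping["users"] or backend & set(mapping["backend_roles"])
    )


def is_allowed(username, action, index=None):
    """True if any mapped role grants `action`; for index-level actions the
    index must also match one of the role's index patterns."""
    for role in roles_for(username):
        definition = ROLES[role]
        if index is None:
            if any(fnmatchcase(action, p) for p in expand(definition["cluster_permissions"])):
                return True
            continue
        for perm in definition["index_permissions"]:
            if not any(fnmatchcase(index, pat) for pat in perm["index_patterns"]):
                continue
            if any(fnmatchcase(action, p) for p in expand(perm["allowed_actions"])):
                return True
    return False


def http_status(username, action, index=None):
    """Map the decision to the status codes seen in Dev Tools: 200 or 403."""
    return 200 if is_allowed(username, action, index) else 403


if __name__ == "__main__":
    # GET /_cluster/health -> cluster:monitor/health (assumed action name) -> 200
    print("test GET /_cluster/health:", http_status("test", "cluster:monitor/health"))
    # PUT /my_test -> indices:admin/create on my_test -> 403 (no matching index pattern)
    print("test PUT /my_test       :", http_status("test", "indices:admin/create", "my_test"))
    # bob obtains all_access through backend role 'admin' -> 200
    print("bob  PUT /my_test       :", http_status("bob", "indices:admin/create", "my_test"))
```

<p>The script makes visible why the verification step behaves as it does: <strong>role_test</strong> has no index permission whose pattern matches <strong>my_test</strong>, so <strong>indices:admin/create</strong> is denied even though the same user may search <strong>my_store</strong>. Granting index creation later, as the page suggests, means adding a matching index pattern and action to the role, not changing the user.</p>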
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="css_01_0009.html">Managing Elasticsearch Clusters</a></div>
</div>
</div>