Reviewed-by: Kacur, Michal <michal.kacur@t-systems.com> Co-authored-by: Wuwan, Qi <wuwanqi1@noreply.gitea.eco.tsi-dev.otc-service.com> Co-committed-by: Wuwan, Qi <wuwanqi1@noreply.gitea.eco.tsi-dev.otc-service.com>
<a name="css_01_0109"></a><a name="css_01_0109"></a>
<h1 class="topictitle1">Creating a User and Granting Permissions by Using Kibana</h1>
<div id="body0000001157244508"><p id="css_01_0109__p13262512159">CSS uses the opendistro_security plug-in to provide security cluster capabilities. The opendistro_security plug-in is built based on the RBAC model. RBAC involves three core concepts: user, action, and role. RBAC simplifies the relationship between users and actions, simplifies permission management, and facilitates permission expansion and maintenance. The following figure shows the relationship between the three.</p>
<div class="fignone" id="css_01_0109__fig17424102121615"><span class="figcap"><b>Figure 1 </b>User, action, and role</span><br><span><img id="css_01_0109__image1422725243218" src="en-us_image_0000001714802213.png"></span></div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="css_01_0109__table158124283338" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters</caption><thead align="left"><tr id="css_01_0109__row6812628163318"><th align="left" class="cellrowborder" valign="top" width="25.22%" id="mcps1.3.3.2.3.1.1"><p id="css_01_0109__p18121728133318">Parameter</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="74.78%" id="mcps1.3.3.2.3.1.2"><p id="css_01_0109__p18121328193319">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="css_01_0109__row106955019346"><td class="cellrowborder" valign="top" width="25.22%" headers="mcps1.3.3.2.3.1.1 "><p id="css_01_0109__p128131228123318">User</p>
</td>
<td class="cellrowborder" valign="top" width="74.78%" headers="mcps1.3.3.2.3.1.2 "><p id="css_01_0109__p8813172815338">A user can send operation requests to Elasticsearch clusters. A user has credentials such as a username and password, zero or more backend roles, and custom attributes.</p>
</td>
</tr>
<tr id="css_01_0109__row19659124513335"><td class="cellrowborder" valign="top" width="25.22%" headers="mcps1.3.3.2.3.1.1 "><p id="css_01_0109__p10813172813320">Role</p>
</td>
<td class="cellrowborder" valign="top" width="74.78%" headers="mcps1.3.3.2.3.1.2 "><p id="css_01_0109__p17813028103311">A role is a combination of permissions and action groups, including operation permissions on clusters, indexes, documents, or fields.</p>
</td>
</tr>
<tr id="css_01_0109__row38131288339"><td class="cellrowborder" valign="top" width="25.22%" headers="mcps1.3.3.2.3.1.1 "><p id="css_01_0109__p281317285338">Permission</p>
</td>
<td class="cellrowborder" valign="top" width="74.78%" headers="mcps1.3.3.2.3.1.2 "><p id="css_01_0109__p58131728203319">A single permission, for example creating an index (<strong id="css_01_0109__b527219354220">indices:admin/create</strong>).</p>
</td>
</tr>
<tr id="css_01_0109__row1083514246343"><td class="cellrowborder" valign="top" width="25.22%" headers="mcps1.3.3.2.3.1.1 "><p id="css_01_0109__p2081342873313">Role mapping</p>
</td>
<td class="cellrowborder" valign="top" width="74.78%" headers="mcps1.3.3.2.3.1.2 "><p id="css_01_0109__p88131628143310">A user is assigned roles after successful authentication. A role mapping maps a role to a user (or to a backend role). For example, the mapping from <strong id="css_01_0109__en-us_topic_0000001223434440_b108992486533">kibana_user</strong> (role) to <strong id="css_01_0109__en-us_topic_0000001223434440_b179002488530">jdoe</strong> (user) means that John Doe obtains all permissions of <strong id="css_01_0109__en-us_topic_0000001223434440_b1090094875320">kibana_user</strong> after being authenticated. Similarly, the mapping from <strong id="css_01_0109__en-us_topic_0000001223434440_b025595125317">all_access</strong> (role) to <strong id="css_01_0109__en-us_topic_0000001223434440_b19255165165316">admin</strong> (backend role) means that any user with the backend role <strong id="css_01_0109__en-us_topic_0000001223434440_b2255851115314">admin</strong> (from the LDAP/Active Directory server) has all the permissions of the role <strong id="css_01_0109__en-us_topic_0000001223434440_b1325515111531">all_access</strong> after being authenticated. You can map a role to multiple users or backend roles.</p>
</td>
</tr>
<tr id="css_01_0109__row14813162863314"><td class="cellrowborder" valign="top" width="25.22%" headers="mcps1.3.3.2.3.1.1 "><p id="css_01_0109__p1781312280333">Action group</p>
</td>
<td class="cellrowborder" valign="top" width="74.78%" headers="mcps1.3.3.2.3.1.2 "><p id="css_01_0109__p2813528153315">A named group of permissions. For example, the predefined <strong id="css_01_0109__b1616213112248">SEARCH</strong> action group allows a role to use the <strong id="css_01_0109__b12162113118243">_search</strong> and <strong id="css_01_0109__b201625318248">_msearch</strong> APIs.</p>
</td>
</tr>
</tbody>
</table>
</div>
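<p>The table describes how a request is authorized: the user is matched to roles through role mappings (directly by name or through a backend role), each role contributes action groups and single permissions, and action groups expand to single permissions. The following Python script is an added example, not part of the CSS documentation or of the opendistro_security plug-in, that resolves a user's effective permissions in exactly that order and answers "may this user perform this action on this index?". The action groups, roles, users and mappings in it are constructed for illustration (only the contents of SEARCH follow the table; the real plug-in ships many more groups and uses wildcards), and the sample data mirrors the two mappings given in the table.</p>

```python
import fnmatch
from dataclasses import dataclass, field

# Constructed, simplified action groups. Only the groups needed for this example are
# modelled; the real plug-in ships many more and expands them with wildcards.
ACTION_GROUPS = {
    "SEARCH": {"indices:data/read/search", "indices:data/read/msearch"},
    "CLUSTER_MONITOR": {"cluster:monitor/health", "cluster:monitor/state"},
}


@dataclass
class Role:
    name: str
    cluster_permissions: set   # action groups and/or single permissions
    index_permissions: dict    # index pattern -> action groups / single permissions


@dataclass
class RoleMapping:
    role: str
    users: set = field(default_factory=set)
    backend_roles: set = field(default_factory=set)


@dataclass
class User:
    name: str
    backend_roles: set = field(default_factory=set)   # e.g. groups supplied by LDAP/AD


def expand(entries):
    """Expand action-group names into single permissions; pass single permissions through."""
    permissions = set()
    for entry in entries:
        permissions |= ACTION_GROUPS.get(entry, {entry})
    return permissions


def mapped_roles(user, mappings):
    """A mapping applies if it names the user or one of the user's backend roles (Table 1)."""
    return {m.role for m in mappings
            if user.name in m.users or user.backend_roles & m.backend_roles}


def effective_permissions(user, roles, mappings):
    """Union of cluster and per-index-pattern permissions over all roles mapped to the user."""
    cluster, per_index = set(), {}
    for role_name in mapped_roles(user, mappings):
        role = roles[role_name]
        cluster |= expand(role.cluster_permissions)
        for pattern, entries in role.index_permissions.items():
            per_index.setdefault(pattern, set()).update(expand(entries))
    return cluster, per_index


def is_allowed(user, action, roles, mappings, index=None):
    """Check one action; wildcards in permissions and index patterns are matched with fnmatch."""
    cluster, per_index = effective_permissions(user, roles, mappings)
    if index is None:
        return any(fnmatch.fnmatch(action, p) for p in cluster)
    return any(fnmatch.fnmatch(index, pattern)
               and any(fnmatch.fnmatch(action, p) for p in perms)
               for pattern, perms in per_index.items())


# Constructed sample data mirroring Table 1: jdoe is mapped directly to kibana_user (and to a
# read-only role on my_store); anyone with backend role "admin" from LDAP/AD gets all_access.
ROLES = {
    "kibana_user": Role("kibana_user", set(), {".kibana*": {"indices:data/read/get"}}),
    "my_store_reader": Role("my_store_reader", {"CLUSTER_MONITOR"}, {"my_store": {"SEARCH"}}),
    "all_access": Role("all_access", {"cluster:*"}, {"*": {"indices:*"}}),
}
MAPPINGS = [
    RoleMapping("kibana_user", users={"jdoe"}),
    RoleMapping("my_store_reader", users={"jdoe"}),
    RoleMapping("all_access", backend_roles={"admin"}),
]
JDOE = User("jdoe")
OPS = User("ops_user", backend_roles={"admin"})

if __name__ == "__main__":
    for user in (JDOE, OPS):
        cluster, per_index = effective_permissions(user, ROLES, MAPPINGS)
        print(user.name, "roles:", sorted(mapped_roles(user, MAPPINGS)))
        print("  cluster:", sorted(cluster))
        for pattern, perms in sorted(per_index.items()):
            print(f"  {pattern}:", sorted(perms))
```

<p>Running the script shows that jdoe can search my_store and read cluster health but cannot write to my_store or touch any other index, while ops_user inherits everything through the backend-role mapping alone, which is why backend-role mappings such as the one to all_access deserve the same review as direct user mappings.</p>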
<p id="css_01_0109__p386321121315">In addition to the RBAC model, Elasticsearch has an important concept called tenant. RBAC is used to manage user authorization, and tenants are used to share information. In a tenant space, IAM users can share information such as dashboard data and index patterns.</p>
<p id="css_01_0109__p129851423165110">This section describes how to use Kibana to create a user and grant permissions to the user. Kibana can be used to create users and grant permissions only when the security mode is enabled for the cluster.</p>
<div class="note" id="css_01_0109__note1738054512527"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="css_01_0109__ul163811345165215"><li id="css_01_0109__li6381194505217">The Kibana UI varies with the Kibana version, but the operations are similar. This section uses Kibana 7.6.2 as an example to describe the procedure.</li><li id="css_01_0109__li538114525217">You can customize the username, role name, and tenant name in Kibana.</li></ul>
</div></div>
<ul id="css_01_0109__ul359745416616"><li id="css_01_0109__li55976548610">Step 1: <a href="#css_01_0109__en-us_topic_0000001223434440_section12163507442">Logging in to Kibana</a></li><li id="css_01_0109__li1522618141674">Step 2: <a href="#css_01_0109__section111313114129">Creating a User</a></li><li id="css_01_0109__li152152236720">Step 3: <a href="#css_01_0109__section1028814911138">Creating a Role and Granting Permissions</a></li><li id="css_01_0109__li4108533671">Step 4: <a href="#css_01_0109__section1997772813158">Configuring a Role for a User</a></li></ul>
<div class="section" id="css_01_0109__en-us_topic_0000001223434440_section12163507442"><a name="css_01_0109__en-us_topic_0000001223434440_section12163507442"></a><a name="en-us_topic_0000001223434440_section12163507442"></a><h4 class="sectiontitle">Logging in to Kibana</h4><ol id="css_01_0109__en-us_topic_0000001223434440_ol13831428473"><li id="css_01_0109__en-us_topic_0000001223434440_li483113274712">Log in to the CSS management console.</li><li id="css_01_0109__en-us_topic_0000001223434440_li201191431164715">Choose <strong id="css_01_0109__en-us_topic_0000001223434440_b935865211267">Clusters</strong> in the navigation pane. On the <span class="uicontrol" id="css_01_0109__en-us_topic_0000001223434440_uicontrol16358135219263"><b>Clusters</b></span> page, locate the target cluster and click <span class="uicontrol" id="css_01_0109__en-us_topic_0000001223434440_uicontrol535916529262"><b>Access Kibana</b></span> in the <strong id="css_01_0109__en-us_topic_0000001223434440_b2359165232610">Operation</strong> column.<div class="p" id="css_01_0109__en-us_topic_0000001223434440_p16866200171414">Enter the administrator username and password to log in to Kibana.<ul id="css_01_0109__en-us_topic_0000001223434440_ul14197184017151"><li id="css_01_0109__en-us_topic_0000001223434440_li10197340141516">Username: admin (default administrator account name)</li><li id="css_01_0109__en-us_topic_0000001223434440_li319714011152">Password: Enter the administrator password you set when creating the cluster in security mode.</li></ul>
<div class="fignone" id="css_01_0109__en-us_topic_0000001223434440_fig921015524911"><span class="figcap"><b>Figure 2 </b>Login page</span><br><span><img id="css_01_0109__en-us_topic_0000001223434440_image32151031135017" src="en-us_image_0000001666842726.png"></span></div>
</div>
</li></ol>
</div>
<div class="section" id="css_01_0109__section111313114129"><a name="css_01_0109__section111313114129"></a><a name="section111313114129"></a><h4 class="sectiontitle">Creating a User</h4><p id="css_01_0109__p154519254187">Log in to Kibana and create a user on the <strong id="css_01_0109__b166318289320">Security</strong> page.</p>
<ol id="css_01_0109__ol1146124181315"><li id="css_01_0109__li14379949186">After a successful login, choose <span class="uicontrol" id="css_01_0109__uicontrol1440584819218"><b>Security</b></span> in the navigation tree on the left of the Kibana operation page. The <span class="wintitle" id="css_01_0109__wintitle1012919819227"><b>Security</b></span> page is displayed.<div class="fignone" id="css_01_0109__fig173791247189"><span class="figcap"><b>Figure 3 </b>Accessing the <strong id="css_01_0109__b19472172533510">Security</strong> page</span><br><span><img id="css_01_0109__image5379144181" src="en-us_image_0000001714922041.png"></span></div>
</li><li id="css_01_0109__li194620411311">Choose <span class="uicontrol" id="css_01_0109__uicontrol111651328103517"><b>Authentication Backends</b></span> > <span class="uicontrol" id="css_01_0109__uicontrol9165428113512"><b>Internal Users Database</b></span>.<div class="fignone" id="css_01_0109__fig54612419132"><span class="figcap"><b>Figure 4 </b>Adding a user (1)</span><br><span><img id="css_01_0109__image44644181316" src="en-us_image_0000001667002442.png"></span></div>
</li><li id="css_01_0109__li13461141135">On the <strong id="css_01_0109__b387133512350">Internal Users Database</strong> page, choose <span><img id="css_01_0109__image346174131320" src="en-us_image_0000001714802205.png"></span>. The page for adding user information is displayed.<div class="fignone" id="css_01_0109__fig114619417139"><span class="figcap"><b>Figure 5 </b>Adding a user (2)</span><br><span><img id="css_01_0109__image13463471313" src="en-us_image_0000001714922057.png"></span></div>
</li><li id="css_01_0109__li1846184141315">On the user creation page, specify <span class="parmname" id="css_01_0109__parmname164620401315"><b>Username</b></span>, <span class="parmname" id="css_01_0109__parmname19467451311"><b>Password</b></span>, and <span class="parmname" id="css_01_0109__parmname1625214810234"><b>Repeat password</b></span>, and click <span class="uicontrol" id="css_01_0109__uicontrol74618417139"><b>Submit</b></span>.</li></ol>
<p id="css_01_0109__p204610417133">The user will be displayed in the user list.</p>
</div>
<div class="section" id="css_01_0109__section1028814911138"><a name="css_01_0109__section1028814911138"></a><a name="section1028814911138"></a><h4 class="sectiontitle">Creating a Role and Granting Permissions</h4><p id="css_01_0109__p26323062412">Create a role and grant permissions to the role.</p>
<ol id="css_01_0109__ol29618218159"><li id="css_01_0109__li0963218154">Click <strong id="css_01_0109__b4809223173811">Roles</strong>.<div class="fignone" id="css_01_0109__fig19692111158"><span class="figcap"><b>Figure 6 </b>Adding a role</span><br><span><img id="css_01_0109__image1896182131516" src="en-us_image_0000001667002438.png"></span></div>
</li><li id="css_01_0109__li39672131520">On the <strong id="css_01_0109__b1430413793915">Open Distro Security Roles</strong> page, click <span><img id="css_01_0109__image199692114158" src="en-us_image_0000001714802229.png"></span>.<ol type="a" id="css_01_0109__ol79615213156"><li id="css_01_0109__li1796172118154">On the <strong id="css_01_0109__b010901912397">Overview</strong> tab page, set the role name.<div class="fignone" id="css_01_0109__fig096152161515"><span class="figcap"><b>Figure 7 </b>Entering a role name</span><br><span><img id="css_01_0109__image29622171512" src="en-us_image_0000001666842730.png"></span></div>
</li><li id="css_01_0109__li49611219158">On the <span class="uicontrol" id="css_01_0109__uicontrol596821101512"><b>Cluster Permissions</b></span> tab page, set the cluster permissions of the role based on service requirements. If no cluster permission is configured, the role has no cluster-level permissions.<ul id="css_01_0109__ul779302389"><li id="css_01_0109__li9763023814"><span class="parmname" id="css_01_0109__parmname20546153412384"><b>Permissions: Action Groups</b></span>: Click <span class="uicontrol" id="css_01_0109__uicontrol178561457113410"><b>Add Action Group</b></span> to grant cluster permissions as action groups. For example, if you select the <strong id="css_01_0109__b18718125934010">read</strong> action group for a cluster, the role can only view information such as the cluster status and cluster nodes.</li><li id="css_01_0109__li18703073813"><span class="parmname" id="css_01_0109__parmname1523413371388"><b>Permissions: Single Permissions</b></span>: Select <strong id="css_01_0109__b2682715164112">Show Advanced</strong> and click <span class="uicontrol" id="css_01_0109__uicontrol128471725163710"><b>Add Single Permission</b></span> to grant more fine-grained cluster permissions. For example, if <strong id="css_01_0109__b58752207433">indices:data/read</strong> is set, the role can only read the specified indexes.</li></ul>
<div class="fignone" id="css_01_0109__fig2473856182916"><span class="figcap"><b>Figure 8 </b><strong id="css_01_0109__b19589573429">Cluster Permissions</strong> tab page</span><br><span><img id="css_01_0109__image114735563296" src="en-us_image_0000001666842722.png"></span></div>
</li><li id="css_01_0109__li99615215158">Configure index permissions on the <strong id="css_01_0109__b3391414411">Index Permissions</strong> page.<ul id="css_01_0109__ul64609221398"><li id="css_01_0109__li18460182213913"><strong id="css_01_0109__b688924134511">Index patterns</strong>: Set this parameter to the name of the index whose permission needs to be configured. For example, my_store.<div class="note" id="css_01_0109__note396102116156"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="css_01_0109__p250192619920">Use different names for the index and the user.</p>
</div></div>
</li><li id="css_01_0109__li174604221598"><span class="parmname" id="css_01_0109__parmname14370753174012"><b>Permissions: Action Groups</b></span>: Click <span class="uicontrol" id="css_01_0109__uicontrol85248208415"><b>Add Action Group</b></span> and set the permission as required. For example, select the read-only permission <strong id="css_01_0109__b11362122124615">Search</strong>.</li></ul>
</li><li id="css_01_0109__li119612218152">On the <span class="uicontrol" id="css_01_0109__uicontrol7899154184613"><b>Tenant Permissions</b></span> page, set the tenant permissions of the role based on service requirements.<ul id="css_01_0109__ul11575932493"><li id="css_01_0109__li557520329918"><span class="parmname" id="css_01_0109__parmname51381918695"><b>Global permissions</b></span>: Click <span class="uicontrol" id="css_01_0109__uicontrol1186912231592"><b>Add Field</b></span> to set the Kibana read and write permissions of the role, for example, kibana_all_read or kibana_all_write.</li><li id="css_01_0109__li95752321191"><span class="parmname" id="css_01_0109__parmname2027924515104"><b>Tenant permissions</b></span>: Click <span class="uicontrol" id="css_01_0109__uicontrol11344124281014"><b>Add tenant pattern</b></span> to add a tenant pattern and set the <strong id="css_01_0109__b12451359195214">kibana_all_read</strong> or <strong id="css_01_0109__b263716212530">kibana_all_write</strong> permission for that tenant pattern.<div class="fignone" id="css_01_0109__fig169715211156"><span class="figcap"><b>Figure 9 </b><strong id="css_01_0109__b936912274469">Tenant Permissions</strong> tab</span><br><span><img id="css_01_0109__image89718215156" src="en-us_image_0000001714802217.png"></span></div>
</li></ul>
</li></ol>
</li><li id="css_01_0109__li8851769106">Click <span class="uicontrol" id="css_01_0109__uicontrol851814031419"><b>Save Role Definition</b></span>. The configured role is displayed in the role list.</li></ol>
</div>
<div class="section" id="css_01_0109__section1997772813158"><a name="css_01_0109__section1997772813158"></a><a name="section1997772813158"></a><h4 class="sectiontitle">Configuring a Role for a User</h4><p id="css_01_0109__p4546175911159">After creating a role and granting permissions to the role, you need to map the role to a user so that the user can obtain the permissions of the mapped role.</p>
<ol id="css_01_0109__ol15535122161618"><li id="css_01_0109__li195351922161611">Click <span class="uicontrol" id="css_01_0109__uicontrol185358223163"><b>Role Mappings</b></span>. On the displayed <strong id="css_01_0109__b79494212558">Role Mappings</strong> page, map the roles.<div class="fignone" id="css_01_0109__fig10535162251619"><span class="figcap"><b>Figure 10 </b>Role mapping</span><br><span><img id="css_01_0109__image1535822121616" src="en-us_image_0000001714922065.png"></span></div>
</li><li id="css_01_0109__li0535922161615">On the <strong id="css_01_0109__b10426523125015">Role Mappings</strong> page, click <span><img id="css_01_0109__image1753512222165" src="en-us_image_0000001667002454.png"></span> to select a role and add users.<ul id="css_01_0109__ul1618217361298"><li id="css_01_0109__li718263620291"><span class="parmname" id="css_01_0109__parmname3757135132810"><b>Role</b></span>: Select the name of the role to be mapped.</li><li id="css_01_0109__li918223614299"><span class="parmname" id="css_01_0109__parmname1695545310285"><b>Users</b></span>: Click <span class="uicontrol" id="css_01_0109__uicontrol1181844815281"><b>Add User</b></span> and enter the name of the user to which the role is to be mapped.</li></ul>
<div class="fignone" id="css_01_0109__fig171011838142616"><span class="figcap"><b>Figure 11 </b>Users and roles</span><br><span><img id="css_01_0109__image1082241812317" src="en-us_image_0000001666842710.png"></span></div>
</li><li id="css_01_0109__li175367220164">Click <strong id="css_01_0109__en-us_topic_0000001223434440_b3117122311316">Submit</strong>.</li><li id="css_01_0109__li95582034131619">Verify that the configuration takes effect in Kibana.</li></ol>
</div>
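<p>Steps 2 to 4 above are performed in the Kibana UI; the opendistro_security plug-in exposes the same three objects (internal user, role, role mapping) through its REST API, which is useful for scripting the procedure repeatably and for reviewing what is about to be granted. The following Python script is an added example, not part of the CSS documentation or of the plug-in, that builds the requests corresponding to the values used in this section (user jdoe from Table 1, index my_store, the read cluster action group, the search index action group and kibana_all_read) and runs two checks before anything is sent: the note's rule that the index and the user have different names, and a heuristic that a role intended to be read-only grants nothing broader. The API paths and body fields are those of the Open Distro Security REST API; the role name my_store_reader, the tenant pattern name global_tenant, the read-only heuristic and the password placeholder are assumptions made for the example.</p>

```python
import json

SECURITY_API = "/_opendistro/_security/api"   # REST API of the opendistro_security plug-in


def internal_user_request(username, password):
    """Step 2 (Internal Users Database form) as an API call."""
    return ("PUT", f"{SECURITY_API}/internalusers/{username}", {"password": password})


def role_request(role_name, cluster_actions, index_pattern, index_actions,
                 tenant_pattern, tenant_actions):
    """Step 3: the Cluster, Index and Tenant Permissions tabs as one role document."""
    body = {
        "cluster_permissions": list(cluster_actions),
        "index_permissions": [{
            "index_patterns": [index_pattern],
            "fls": [],                    # no field-level security in this example
            "masked_fields": [],
            "allowed_actions": list(index_actions),
        }],
        "tenant_permissions": [{
            "tenant_patterns": [tenant_pattern],
            "allowed_actions": list(tenant_actions),
        }],
    }
    return ("PUT", f"{SECURITY_API}/roles/{role_name}", body)


def role_mapping_request(role_name, users):
    """Step 4 (Role Mappings page): map the role to internal users only, no backend roles or hosts."""
    body = {"users": list(users), "backend_roles": [], "hosts": []}
    return ("PUT", f"{SECURITY_API}/rolesmapping/{role_name}", body)


def validate(username, role_body):
    """Pre-apply checks: the note's rule that index and user names differ, and a heuristic
    (assumed here, not part of the plug-in) that a read-only role grants nothing broader."""
    problems = []
    granted = list(role_body["cluster_permissions"])
    for entry in role_body["index_permissions"]:
        if username in entry["index_patterns"]:
            problems.append(f"index pattern equals username {username!r}")
        granted += entry["allowed_actions"]
    for action in granted:
        if "*" in action or any(w in action for w in ("write", "delete", "admin", "all")):
            problems.append(f"not read-only: {action!r}")
    return problems


def build_procedure(username, password, role_name, index_pattern):
    """The whole section as an ordered list of (method, path, body) requests."""
    user = internal_user_request(username, password)
    role = role_request(role_name, ["read"], index_pattern, ["search"],
                        "global_tenant", ["kibana_all_read"])   # tenant pattern name assumed
    problems = validate(username, role[2])
    if problems:
        raise ValueError("; ".join(problems))
    return [user, role, role_mapping_request(role_name, [username])]


def as_curl(requests, base_url):
    """Render the requests as curl commands run as the admin account (password prompted)."""
    return [f"curl -sk -u admin -X {method} '{base_url}{path}' "
            f"-H 'Content-Type: application/json' -d '{json.dumps(body)}'"
            for method, path, body in requests]


if __name__ == "__main__":
    # Constructed values; replace the password placeholder and the endpoint before use.
    reqs = build_procedure("jdoe", "CHANGE-ME-constructed-placeholder",
                           "my_store_reader", "my_store")
    print("\n".join(as_curl(reqs, "https://<cluster-endpoint>:9200")))
```

<p>The order of the requests matters in the same way as in the UI: the role mapping is applied last so that it never points at a role or a user that does not yet exist. Because the user name, the index name and the granted actions all pass through validate before anything is rendered, a mapping that would give a supposedly read-only role a write or wildcard action is rejected before it reaches the cluster.</p>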
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="css_01_0107.html">Kibana Platform</a></div>
</div>
</div>