devbox
天景科技苑
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

elasticsearch运维系列_用户及角色权限相关SQL及脚本整理_es查看已经配置的用户及角色

作者:天景科技苑 | 2024-08-09 13:58:25

es查看已经配置的用户及角色

这篇文章介绍ES运维过程中一些常用查询权限和角色的命令和脚本,以及如何查询某个索引可被系统中哪些用户访问。

Part1 查询用户及权限

1 查询所有用户

首先,获取所有用户的列表:

  1. -- 命令如下
  2. curl -u elastic:esuser -X GET "http://192.168.1.19:9200/_security/user?pretty"
  3. -- 执行结果如下
  4. {
  5.   "flogsuperuser" : {
  6.     "username" : "xxxsuperuser",
  7.     "roles" : [
  8.       "superuser"
  9.     ],
  10.     "full_name" : "",
  11.     "email" : "",
  12.     "metadata" : { },
  13.     "enabled" : true
  14.   },
  15.   "limited_user" : {
  16.     "username" : "limited_user",
  17.     "roles" : [
  18.       "limited_logs_reader"
  19.     ],
  20.     "full_name" : "Limited User",
  21.     "email" : "limited.user@example.com",
  22.     "metadata" : { },
  23.     "enabled" : true
  24.   },
  25.   "elastic" : {
  26.     "username" : "elastic",
  27.     "roles" : [
  28.       "superuser"
  29.     ],
  30.     "full_name" : null,
  31.     "email" : null,
  32.     "metadata" : {
  33.       "_reserved" : true
  34.     },
  35.     "enabled" : true
  36.   },
  37.   "kibana" : {
  38.     "username" : "kibana",
  39.     "roles" : [
  40.       "kibana_system"
  41.     ],
  42.     "full_name" : null,
  43.     "email" : null,
  44.     "metadata" : {
  45.       "_deprecated" : true,
  46.       "_deprecated_reason" : "Please use the [kibana_system] user instead.",
  47.       "_reserved" : true
  48.     },
  49.     "enabled" : true
  50.   },
  51.   "kibana_system" : {
  52.     "username" : "kibana_system",
  53.     "roles" : [
  54.       "kibana_system"
  55.     ],
  56.     "full_name" : null,
  57.     "email" : null,
  58.     "metadata" : {
  59.       "_reserved" : true
  60.     },
  61.     "enabled" : true
  62.   },
  63.   "logstash_system" : {
  64.     "username" : "logstash_system",
  65.     "roles" : [
  66.       "logstash_system"
  67.     ],
  68.     "full_name" : null,
  69.     "email" : null,
  70.     "metadata" : {
  71.       "_reserved" : true
  72.     },
  73.     "enabled" : true
  74.   },
  75.   "beats_system" : {
  76.     "username" : "beats_system",
  77.     "roles" : [
  78.       "beats_system"
  79.     ],
  80.     "full_name" : null,
  81.     "email" : null,
  82.     "metadata" : {
  83.       "_reserved" : true
  84.     },
  85.     "enabled" : true
  86.   },
  87.   "apm_system" : {
  88.     "username" : "apm_system",
  89.     "roles" : [
  90.       "apm_system"
  91.     ],
  92.     "full_name" : null,
  93.     "email" : null,
  94.     "metadata" : {
  95.       "_reserved" : true
  96.     },
  97.     "enabled" : true
  98.   },
  99.   "remote_monitoring_user" : {
  100.     "username" : "remote_monitoring_user",
  101.     "roles" : [
  102.       "remote_monitoring_collector",
  103.       "remote_monitoring_agent"
  104.     ],
  105.     "full_name" : null,
  106.     "email" : null,
  107.     "metadata" : {
  108.       "_reserved" : true
  109.     },
  110.     "enabled" : true
  111.   }
  112. }

2 查询特定用户的角色和权限

获取特定用户的角色和权限。例如,查询用户 limited_user

  1. -- 执行命令
  2. curl -u elastic:esuser -X GET "http://192.168.1.19:9200/_security/user/limited_user?pretty"
  3. -- 执行结果如下
  4. {
  5.   "limited_user" : {
  6.     "username" : "limited_user",
  7.     "roles" : [
  8.       "limited_logs_reader"
  9.     ],
  10.     "full_name" : "Limited User",
  11.     "email" : "limited.user@example.com",
  12.     "metadata" : { },
  13.     "enabled" : true
  14.   }
  15. }

3 查询所有角色

获取所有角色的列表及其权限配置:

  1. -- 命令如下
  2. curl -u elastic:esuser -X GET "http://192.168.1.19:9200/_security/role?pretty"
  3.  
  4. -- 执行结果如下
  5. {
  6.   "kibana_dashboard_only_user" : {
  7.     "cluster" : [ ],
  8.     "indices" : [ ],
  9.     "applications" : [
  10.       {
  11.         "application" : "kibana-.kibana",
  12.         "privileges" : [
  13.           "read"
  14.         ],
  15.         "resources" : [
  16.           "*"
  17.         ]
  18.       }
  19.     ],
  20.     "run_as" : [ ],
  21.     "metadata" : {
  22.       "_deprecated" : true,
  23.       "_deprecated_reason" : "Please use Kibana feature privileges instead",
  24.       "_reserved" : true
  25.     },
  26.     "transient_metadata" : {
  27.       "enabled" : true
  28.     }
  29.   },
  30.   "apm_system" : {
  31.     "cluster" : [
  32.       "monitor",
  33.       "cluster:admin/xpack/monitoring/bulk"
  34.     ],
  35.     "indices" : [
  36.       {
  37.         "names" : [
  38.           ".monitoring-beats-*"
  39.         ],
  40.         "privileges" : [
  41.           "create_index",
  42.           "create_doc"
  43.         ],
  44.         "allow_restricted_indices" : false
  45.       }
  46.     ],
  47.     "applications" : [ ],
  48.     "run_as" : [ ],
  49.     "metadata" : {
  50.       "_reserved" : true
  51.     },
  52.     "transient_metadata" : {
  53.       "enabled" : true
  54.     }
  55.   },
  56.   "watcher_admin" : {
  57.     "cluster" : [
  58.       "manage_watcher"
  59.     ],
  60.     "indices" : [
  61.       {
  62.         "names" : [
  63.           ".watches",
  64.           ".triggered_watches",
  65.           ".watcher-history-*"
  66.         ],
  67.         "privileges" : [
  68.           "read"
  69.         ],
  70.         "allow_restricted_indices" : false
  71.       }
  72.     ],
  73.     "applications" : [ ],
  74.     "run_as" : [ ],
  75.     "metadata" : {
  76.       "_reserved" : true
  77.     },
  78.     "transient_metadata" : {
  79.       "enabled" : true
  80.     }
  81.   },
  82.   "logstash_system" : {
  83.     "cluster" : [
  84.       "monitor",
  85.       "cluster:admin/xpack/monitoring/bulk"
  86.     ],
  87.     "indices" : [ ],
  88.     "applications" : [ ],
  89.     "run_as" : [ ],
  90.     "metadata" : {
  91.       "_reserved" : true
  92.     },
  93.     "transient_metadata" : {
  94.       "enabled" : true
  95.     }
  96.   },
  97.   "rollup_user" : {
  98.     "cluster" : [
  99.       "monitor_rollup"
  100.     ],
  101.     "indices" : [ ],
  102.     "applications" : [ ],
  103.     "run_as" : [ ],
  104.     "metadata" : {
  105.       "_reserved" : true
  106.     },
  107.     "transient_metadata" : {
  108.       "enabled" : true
  109.     }
  110.   }

4 查询特定角色的权限

获取特定角色的权限配置。例如,查询角色 limited_logs_reader

  1. -- 命令如下
  2. curl -u elastic:esuser -X GET "http://192.168.1.19:9200/_security/role/limited_logs_reader?pretty"
  3. -- 执行结果如下
  4. {
  5.   "limited_logs_reader" : {
  6.     "cluster" : [ ],
  7.     "indices" : [
  8.       {
  9.         "names" : [
  10.           "xxxxxx_2024-06-14",
  11.           "xxxxxx_2024-06-15",
  12.           "xxxxxx_2024-06-16",
  13.           "xxxxxx_2024-06-17"
  14.         ],
  15.         "privileges" : [
  16.           "read"
  17.         ],
  18.         "allow_restricted_indices" : false
  19.       }
  20.     ],
  21.     "applications" : [
  22.       {
  23.         "application" : "kibana-.kibana",
  24.         "privileges" : [
  25.           "read"
  26.         ],
  27.         "resources" : [
  28.           "*"
  29.         ]
  30.       }
  31.     ],
  32.     "run_as" : [ ],
  33.     "metadata" : { },
  34.     "transient_metadata" : {
  35.       "enabled" : true
  36.     }
  37.   }
  38. }
  39.

5 汇总(查询用户及角色)命令脚本

以下是一个简单的脚本,汇总查询所有用户及其角色和权限的命令:

  1. #!/bin/bash
  2.  
  3. # Elasticsearch URL
  4. ES_URL="http://192.168.1.19:9200"
  5.  
  6. # Admin credentials
  7. ADMIN_USER="elastic"
  8. ADMIN_PASS="esuser"
  9.  
  10. # Query all users
  11. echo "Querying all users..."
  12. curl -u $ADMIN_USER:$ADMIN_PASS -X GET "$ES_URL/_security/user?pretty"
  13.  
  14. # Query all roles
  15. echo "Querying all roles..."
  16. curl -u $ADMIN_USER:$ADMIN_PASS -X GET "$ES_URL/_security/role?pretty"
  17.

将上述脚本保存为 query_users_and_roles.sh,添加执行权限并运行:

  1. chmod +x query_users_and_roles.sh
  2. ./query_users_and_roles.sh
  3.  
  4. 解释
  5.   1) 查询所有用户:通过 GET /_security/user API 获取所有用户信息,包括用户名、角色等。
  6.   2) 查询所有角色:通过 GET /_security/role API 获取所有角色信息,包括角色名、权限配置等。
声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/天景科技苑/article/detail/953634
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号