
Elasticsearch operations series: collected queries and scripts for user and role permissions


This article collects the commands and scripts commonly used during Elasticsearch operations to query users, roles and their permissions, and shows how to work out which users in the system can access a given index. All of the calls below go through the Security API (`/_security/...`), so they need a user holding the `manage_security` cluster privilege (the built-in `elastic` superuser has it; `read_security` is enough for read-only listing).

Part 1 Querying users and permissions

1 Query all users

First, get the list of all users:

-- Command
curl -u elastic:esuser -X GET "http://192.168.17.39:9200/_security/user?pretty"

-- Result
{
  "flogsuperuser" : {
    "username" : "xxxsuperuser",
    "roles" : [ "superuser" ],
    "full_name" : "",
    "email" : "",
    "metadata" : { },
    "enabled" : true
  },
  "limited_user" : {
    "username" : "limited_user",
    "roles" : [ "limited_logs_reader" ],
    "full_name" : "Limited User",
    "email" : "limited.user@example.com",
    "metadata" : { },
    "enabled" : true
  },
  "elastic" : {
    "username" : "elastic",
    "roles" : [ "superuser" ],
    "full_name" : null,
    "email" : null,
    "metadata" : { "_reserved" : true },
    "enabled" : true
  },
  "kibana" : {
    "username" : "kibana",
    "roles" : [ "kibana_system" ],
    "full_name" : null,
    "email" : null,
    "metadata" : {
      "_deprecated" : true,
      "_deprecated_reason" : "Please use the [kibana_system] user instead.",
      "_reserved" : true
    },
    "enabled" : true
  },
  "kibana_system" : {
    "username" : "kibana_system",
    "roles" : [ "kibana_system" ],
    "full_name" : null,
    "email" : null,
    "metadata" : { "_reserved" : true },
    "enabled" : true
  },
  "logstash_system" : {
    "username" : "logstash_system",
    "roles" : [ "logstash_system" ],
    "full_name" : null,
    "email" : null,
    "metadata" : { "_reserved" : true },
    "enabled" : true
  },
  "beats_system" : {
    "username" : "beats_system",
    "roles" : [ "beats_system" ],
    "full_name" : null,
    "email" : null,
    "metadata" : { "_reserved" : true },
    "enabled" : true
  },
  "apm_system" : {
    "username" : "apm_system",
    "roles" : [ "apm_system" ],
    "full_name" : null,
    "email" : null,
    "metadata" : { "_reserved" : true },
    "enabled" : true
  },
  "remote_monitoring_user" : {
    "username" : "remote_monitoring_user",
    "roles" : [ "remote_monitoring_collector", "remote_monitoring_agent" ],
    "full_name" : null,
    "email" : null,
    "metadata" : { "_reserved" : true },
    "enabled" : true
  }
}

Two things worth reading off this listing during a review: entries with `"_reserved" : true` are built-in users that cannot be deleted (only disabled or given a new password), and the `kibana` user is flagged `"_deprecated" : true`; anything still authenticating as `kibana` should be moved to `kibana_system`. Note also that the `-u elastic:esuser` form puts the admin password into your shell history and into the process list while curl runs; for anything beyond a one-off on a lab box, use `-u elastic` and let curl prompt, or an API key.

2 Query a specific user's roles and permissions

Get the roles of one user. For example, query the user limited_user:

-- Command
curl -u elastic:esuser -X GET "http://192.168.17.39:9200/_security/user/limited_user?pretty"

-- Result
{
  "limited_user" : {
    "username" : "limited_user",
    "roles" : [ "limited_logs_reader" ],
    "full_name" : "Limited User",
    "email" : "limited.user@example.com",
    "metadata" : { },
    "enabled" : true
  }
}

The response lists role names only, not the effective cluster or index privileges; to see what limited_user can actually do you have to look up each role it holds (section 4). If you can authenticate as the user in question, `GET /_security/user/_privileges` returns the merged privileges of the current user directly.

3 Query all roles

Get the list of all roles together with their permission configuration:

-- Command
curl -u elastic:esuser -X GET "http://192.168.17.39:9200/_security/role?pretty"

-- Result
{
  "kibana_dashboard_only_user" : {
    "cluster" : [ ],
    "indices" : [ ],
    "applications" : [
      {
        "application" : "kibana-.kibana",
        "privileges" : [ "read" ],
        "resources" : [ "*" ]
      }
    ],
    "run_as" : [ ],
    "metadata" : {
      "_deprecated" : true,
      "_deprecated_reason" : "Please use Kibana feature privileges instead",
      "_reserved" : true
    },
    "transient_metadata" : { "enabled" : true }
  },
  "apm_system" : {
    "cluster" : [ "monitor", "cluster:admin/xpack/monitoring/bulk" ],
    "indices" : [
      {
        "names" : [ ".monitoring-beats-*" ],
        "privileges" : [ "create_index", "create_doc" ],
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [ ],
    "run_as" : [ ],
    "metadata" : { "_reserved" : true },
    "transient_metadata" : { "enabled" : true }
  },
  "watcher_admin" : {
    "cluster" : [ "manage_watcher" ],
    "indices" : [
      {
        "names" : [ ".watches", ".triggered_watches", ".watcher-history-*" ],
        "privileges" : [ "read" ],
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [ ],
    "run_as" : [ ],
    "metadata" : { "_reserved" : true },
    "transient_metadata" : { "enabled" : true }
  },
  "logstash_system" : {
    "cluster" : [ "monitor", "cluster:admin/xpack/monitoring/bulk" ],
    "indices" : [ ],
    "applications" : [ ],
    "run_as" : [ ],
    "metadata" : { "_reserved" : true },
    "transient_metadata" : { "enabled" : true }
  },
  "rollup_user" : {
    "cluster" : [ "monitor_rollup" ],
    "indices" : [ ],
    "applications" : [ ],
    "run_as" : [ ],
    "metadata" : { "_reserved" : true },
    "transient_metadata" : { "enabled" : true }
  }
(listing truncated on the original page)

The fields that matter for an access review are `indices[].names` (index name patterns, where `*` is a wildcard), `indices[].privileges`, and `run_as`, which lets a holder of the role impersonate the listed users and therefore inherits whatever they can do.

4 Query a specific role's permissions

Get the permission configuration of one role. For example, query the role limited_logs_reader:

-- Command
curl -u elastic:esuser -X GET "http://192.168.17.39:9200/_security/role/limited_logs_reader?pretty"

-- Result
{
  "limited_logs_reader" : {
    "cluster" : [ ],
    "indices" : [
      {
        "names" : [ "xxxbus_2024-06-14", "xxxbus_2024-06-15", "xxxbus_2024-06-16", "xxxbus_2024-06-17" ],
        "privileges" : [ "read" ],
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [
      {
        "application" : "kibana-.kibana",
        "privileges" : [ "read" ],
        "resources" : [ "*" ]
      }
    ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : { "enabled" : true }
  }
}

This role names four daily indices explicitly rather than a pattern such as `xxxbus_*`, so limited_user loses access to new data as soon as the next day's index is created; that is usually the intended behaviour for a time-boxed grant, but it is worth confirming with whoever requested the role.

5 Combined script (query users and roles)

The following simple script bundles the commands for querying all users and all roles together with their permissions:

#!/bin/bash
# Elasticsearch URL (use https and --cacert if the cluster has TLS enabled)
ES_URL="http://192.168.17.39:9200"
# Admin credentials: the password comes from the ES_PASS environment variable
# or an interactive prompt, and is passed to curl via a config block on stdin
# (-K -) so it is neither hard-coded here nor visible in `ps` output.
ADMIN_USER="elastic"
ADMIN_PASS="${ES_PASS:-}"
if [ -z "$ADMIN_PASS" ]; then
    read -rsp "Password for $ADMIN_USER: " ADMIN_PASS
    echo
fi

# GET one Security API path; a password containing a double quote needs escaping for curl's config syntax
es_get() {
    printf 'user = "%s:%s"\n' "$ADMIN_USER" "$ADMIN_PASS" \
        | curl -sS -K - -X GET "$ES_URL/$1?pretty"
}

# Query all users
echo "Querying all users..."
es_get "_security/user"

# Query all roles
echo "Querying all roles..."
es_get "_security/role"

Save the script above as query_users_and_roles.sh, make it executable and run it:

chmod +x query_users_and_roles.sh
./query_users_and_roles.sh

Explanation:
1) Query all users: the GET /_security/user API returns every user with its username, roles, enabled flag and metadata.
2) Query all roles: the GET /_security/role API returns every role with its cluster, index, application and run_as privilege configuration.

Keep the admin password out of the script file and out of the command line (take it from the environment or a prompt), and treat the output as sensitive: it is a complete map of who can reach what in the cluster.
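The introduction asks which users can access a given index; the two listings above hold the answer, but only after joining users to roles and role index patterns to the index name. The following is an added example (my code, not part of the original post) that does that join over the JSON shapes returned by GET /_security/user and GET /_security/role. The sample data is constructed from the responses shown above and trimmed; the `old_analyst` user is invented to show the disabled-user case. Assumptions, stated in the code as well: the reserved `superuser` role, which the role listing does not return, is modelled as `all` on `*` as Elasticsearch documents it; the privilege `all` is taken to cover every other index privilege, while the finer Elasticsearch privilege hierarchy (for example `read` implying `view_index_metadata`) is not modelled; and only `*` is treated as a wildcard in index names.

```python
"""Resolve which users hold a privilege on an index from Security API output.

Added example for the post above; not the author's code. It joins
GET /_security/user -> roles -> GET /_security/role index patterns.
"""
import re

# Constructed sample data, trimmed from the responses shown in the post.
# `old_analyst` is invented to exercise the disabled-user branch.
USERS = {
    "elastic": {"roles": ["superuser"], "enabled": True},
    "limited_user": {"roles": ["limited_logs_reader"], "enabled": True},
    "kibana_system": {"roles": ["kibana_system"], "enabled": True},
    "apm_system": {"roles": ["apm_system"], "enabled": True},
    "old_analyst": {"roles": ["limited_logs_reader"], "enabled": False},
}

ROLES = {
    "limited_logs_reader": {
        "indices": [{"names": ["xxxbus_2024-06-14", "xxxbus_2024-06-15",
                               "xxxbus_2024-06-16", "xxxbus_2024-06-17"],
                     "privileges": ["read"]}]},
    "apm_system": {
        "indices": [{"names": [".monitoring-beats-*"],
                     "privileges": ["create_index", "create_doc"]}]},
    "kibana_system": {"indices": []},  # trimmed; the real role has many entries
}

# Assumption: the reserved superuser role is not returned by GET /_security/role,
# so it is supplied here as `all` on every index, per Elasticsearch's documentation.
BUILTIN_ROLES = {"superuser": {"indices": [{"names": ["*"], "privileges": ["all"]}]}}


def pattern_matches(pattern, index):
    """Match an Elasticsearch index name pattern where only '*' is a wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, index) is not None


def role_grants(role, index, privilege):
    """True if any index entry of the role covers `index` with `privilege`.

    Assumption: `all` covers every index privilege; other implications
    (e.g. `read` -> `view_index_metadata`) are deliberately not modelled.
    """
    for entry in role.get("indices", []):
        privs = set(entry.get("privileges", []))
        if privilege not in privs and "all" not in privs:
            continue
        if any(pattern_matches(p, index) for p in entry.get("names", [])):
            return True
    return False


def users_with_access(users, roles, index, privilege="read", include_disabled=False):
    """Return {username: [roles granting `privilege` on `index`]}.

    Disabled users are skipped unless include_disabled=True; roles a user
    references that exist in neither `roles` nor BUILTIN_ROLES grant nothing.
    """
    all_roles = {**BUILTIN_ROLES, **roles}
    result = {}
    for name, user in users.items():
        if not user.get("enabled", True) and not include_disabled:
            continue
        granting = [r for r in user.get("roles", [])
                    if r in all_roles and role_grants(all_roles[r], index, privilege)]
        if granting:
            result[name] = granting
    return result


if __name__ == "__main__":
    checks = [("xxxbus_2024-06-15", "read"), ("xxxbus_2024-06-18", "read"),
              (".monitoring-beats-8", "create_doc"), ("xxxbus_2024-06-15", "write")]
    for idx, priv in checks:
        print(f"{priv:>10} on {idx}: {users_with_access(USERS, ROLES, idx, priv)}")
```

To run it against a live cluster, replace `USERS` and `ROLES` with the parsed output of the two curl calls from section 5 (`json.load` of each response has exactly the shape used here). The `xxxbus_2024-06-18` check is the point of the exercise: because limited_logs_reader names indices explicitly, only the superuser reaches the next day's index.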