elasticsearch运维系列_用户及角色权限相关SQL及脚本整理

这篇文章介绍ES运维过程中一些常用查询权限和角色的命令和脚本,以及如何查询某个索引可被系统中哪些用户访问。

Part1 查询用户及权限

1 查询所有用户

首先,获取所有用户的列表:

复制代码
-- 命令如下
curl -u elastic:esuser -X GET "http://192.168.1.19:9200/_security/user?pretty"
-- 执行结果如下
{
  "flogsuperuser" : {
    "username" : "xxxsuperuser",
    "roles" : [
      "superuser"
    ],
    "full_name" : "",
    "email" : "",
    "metadata" : { },
    "enabled" : true
  },
  "limited_user" : {
    "username" : "limited_user",
    "roles" : [
      "limited_logs_reader"
    ],
    "full_name" : "Limited User",
    "email" : "limited.user@example.com",
    "metadata" : { },
    "enabled" : true
  },
  "elastic" : {
    "username" : "elastic",
    "roles" : [
      "superuser"
    ],
    "full_name" : null,
    "email" : null,
    "metadata" : {
      "_reserved" : true
    },
    "enabled" : true
  },
  "kibana" : {
    "username" : "kibana",
    "roles" : [
      "kibana_system"
    ],
    "full_name" : null,
    "email" : null,
    "metadata" : {
      "_deprecated" : true,
      "_deprecated_reason" : "Please use the [kibana_system] user instead.",
      "_reserved" : true
    },
    "enabled" : true
  },
  "kibana_system" : {
    "username" : "kibana_system",
    "roles" : [
      "kibana_system"
    ],
    "full_name" : null,
    "email" : null,
    "metadata" : {
      "_reserved" : true
    },
    "enabled" : true
  },
  "logstash_system" : {
    "username" : "logstash_system",
    "roles" : [
      "logstash_system"
    ],
    "full_name" : null,
    "email" : null,
    "metadata" : {
      "_reserved" : true
    },
    "enabled" : true
  },
  "beats_system" : {
    "username" : "beats_system",
    "roles" : [
      "beats_system"
    ],
    "full_name" : null,
    "email" : null,
    "metadata" : {
      "_reserved" : true
    },
    "enabled" : true
  },
  "apm_system" : {
    "username" : "apm_system",
    "roles" : [
      "apm_system"
    ],
    "full_name" : null,
    "email" : null,
    "metadata" : {
      "_reserved" : true
    },
    "enabled" : true
  },
  "remote_monitoring_user" : {
    "username" : "remote_monitoring_user",
    "roles" : [
      "remote_monitoring_collector",
      "remote_monitoring_agent"
    ],
    "full_name" : null,
    "email" : null,
    "metadata" : {
      "_reserved" : true
    },
    "enabled" : true
  }
}

2 查询特定用户的角色和权限

获取特定用户的角色和权限。例如,查询用户 limited_user

复制代码
-- 执行命令
curl -u elastic:esuser -X GET "http://192.168.1.19:9200/_security/user/limited_user?pretty"
-- 执行结果如下
{
  "limited_user" : {
    "username" : "limited_user",
    "roles" : [
      "limited_logs_reader"
    ],
    "full_name" : "Limited User",
    "email" : "limited.user@example.com",
    "metadata" : { },
    "enabled" : true
  }
}

3 查询所有角色

获取所有角色的列表及其权限配置:

复制代码
-- 命令如下
curl -u elastic:esuser -X GET "http://192.168.1.19:9200/_security/role?pretty"

-- 执行结果如下
{
  "kibana_dashboard_only_user" : {
    "cluster" : [ ],
    "indices" : [ ],
    "applications" : [
      {
        "application" : "kibana-.kibana",
        "privileges" : [
          "read"
        ],
        "resources" : [
          "*"
        ]
      }
    ],
    "run_as" : [ ],
    "metadata" : {
      "_deprecated" : true,
      "_deprecated_reason" : "Please use Kibana feature privileges instead",
      "_reserved" : true
    },
    "transient_metadata" : {
      "enabled" : true
    }
  },
  "apm_system" : {
    "cluster" : [
      "monitor",
      "cluster:admin/xpack/monitoring/bulk"
    ],
    "indices" : [
      {
        "names" : [
          ".monitoring-beats-*"
        ],
        "privileges" : [
          "create_index",
          "create_doc"
        ],
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [ ],
    "run_as" : [ ],
    "metadata" : {
      "_reserved" : true
    },
    "transient_metadata" : {
      "enabled" : true
    }
  },
  "watcher_admin" : {
    "cluster" : [
      "manage_watcher"
    ],
    "indices" : [
      {
        "names" : [
          ".watches",
          ".triggered_watches",
          ".watcher-history-*"
        ],
        "privileges" : [
          "read"
        ],
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [ ],
    "run_as" : [ ],
    "metadata" : {
      "_reserved" : true
    },
    "transient_metadata" : {
      "enabled" : true
    }
  },
  "logstash_system" : {
    "cluster" : [
      "monitor",
      "cluster:admin/xpack/monitoring/bulk"
    ],
    "indices" : [ ],
    "applications" : [ ],
    "run_as" : [ ],
    "metadata" : {
      "_reserved" : true
    },
    "transient_metadata" : {
      "enabled" : true
    }
  },
  "rollup_user" : {
    "cluster" : [
      "monitor_rollup"
    ],
    "indices" : [ ],
    "applications" : [ ],
    "run_as" : [ ],
    "metadata" : {
      "_reserved" : true
    },
    "transient_metadata" : {
      "enabled" : true
    }
  }

4 查询特定角色的权限

获取特定角色的权限配置。例如,查询角色 limited_logs_reader

复制代码
-- 命令如下
curl -u elastic:esuser -X GET "http://192.168.1.19:9200/_security/role/limited_logs_reader?pretty"
-- 执行结果如下
{
  "limited_logs_reader" : {
    "cluster" : [ ],
    "indices" : [
      {
        "names" : [
          "xxxxxx_2024-06-14",
          "xxxxxx_2024-06-15",
          "xxxxxx_2024-06-16",
          "xxxxxx_2024-06-17"
        ],
        "privileges" : [
          "read"
        ],
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [
      {
        "application" : "kibana-.kibana",
        "privileges" : [
          "read"
        ],
        "resources" : [
          "*"
        ]
      }
    ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}

5 汇总(查询用户及角色)命令脚本

以下是一个简单的脚本,汇总查询所有用户及其角色和权限的命令:

复制代码
#!/bin/bash

# Elasticsearch URL
ES_URL="http://192.168.1.19:9200"

# Admin credentials
ADMIN_USER="elastic"
ADMIN_PASS="esuser"

# Query all users
echo "Querying all users..."
curl -u $ADMIN_USER:$ADMIN_PASS -X GET "$ES_URL/_security/user?pretty"

# Query all roles
echo "Querying all roles..."
curl -u $ADMIN_USER:$ADMIN_PASS -X GET "$ES_URL/_security/role?pretty"

将上述脚本保存为 query_users_and_roles.sh,添加执行权限并运行:

复制代码
chmod +x query_users_and_roles.sh
./query_users_and_roles.sh

解释
  1) 查询所有用户:通过 GET /_security/user API 获取所有用户信息,包括用户名、角色等。
  2) 查询所有角色:通过 GET /_security/role API 获取所有角色信息,包括角色名、权限配置等。
相关推荐
蓝婷儿12 分钟前
每天一个前端小知识 Day 28 - Web Workers / 多线程模型在前端中的应用实践
前端
琹箐12 分钟前
Ant ASpin自定义 indicator 报错
前端·javascript·typescript
小小小小小惠17 分钟前
Responsetype blob会把接口接收的二进制文件转换成blob格式
前端·javascript
爱电摇的小码农17 分钟前
【深度探究系列(5)】:前端开发打怪升级指南:从踩坑到封神的解决方案手册
前端·javascript·css·vue.js·node.js·html5·xss
Otaku love travel37 分钟前
老系统改造增加初始化,自动化数据源配置(tomcat+jsp+springmvc)
java·tomcat·初始化·动态数据源
kymjs张涛42 分钟前
零一开源|前沿技术周报 #7
android·前端·ios
爱编程的喵1 小时前
React入门实战:从静态渲染到动态状态管理
前端·javascript
DKPT1 小时前
Java设计模式之行为型模式(责任链模式)介绍与说明
java·笔记·学习·观察者模式·设计模式
Tttian6221 小时前
npm init vue@latestnpm error code ETIMEDOUT
前端·vue.js·npm
L_autinue_Star1 小时前
手写vector容器:C++模板实战指南(从0到1掌握泛型编程)
java·c语言·开发语言·c++·学习·stl