这篇文章介绍 ES 运维过程中一些常用的查询用户、角色和权限的命令与脚本,以及如何查询某个索引可被系统中哪些用户访问。注意:下面用到的 `_security` 接口属于敏感的管理接口,调用方至少需要 `read_security` 集群权限;示例为了简单直接使用 `elastic` 超级用户,生产环境建议改用仅授予 `read_security` 的专用运维账号,不要在命令行里明文写密码,并尽量通过 https 访问集群(http 会把 Basic 认证凭据明文发送)。
Part1 查询用户及权限
1 查询所有用户
首先,获取所有用户的列表:
-- 命令如下
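# List every user (built-in/reserved and native). Requires the read_security
# cluster privilege; a dedicated operator account is preferable to the elastic
# superuser. Giving -u only the user name makes curl prompt for the password,
# so it is not saved in shell history or visible to other users via `ps`.
# -X GET is curl's default and is dropped. Over plain http:// the credentials
# cross the network in clear text; use https:// where TLS is enabled.
curl -u elastic "http://192.168.1.19:9200/_security/user?pretty"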
-- 执行结果如下
{
"flogsuperuser" : {
"username" : "xxxsuperuser",
"roles" : [
"superuser"
],
"full_name" : "",
"email" : "",
"metadata" : { },
"enabled" : true
},
"limited_user" : {
"username" : "limited_user",
"roles" : [
"limited_logs_reader"
],
"full_name" : "Limited User",
"email" : "limited.user@example.com",
"metadata" : { },
"enabled" : true
},
"elastic" : {
"username" : "elastic",
"roles" : [
"superuser"
],
"full_name" : null,
"email" : null,
"metadata" : {
"_reserved" : true
},
"enabled" : true
},
"kibana" : {
"username" : "kibana",
"roles" : [
"kibana_system"
],
"full_name" : null,
"email" : null,
"metadata" : {
"_deprecated" : true,
"_deprecated_reason" : "Please use the [kibana_system] user instead.",
"_reserved" : true
},
"enabled" : true
},
"kibana_system" : {
"username" : "kibana_system",
"roles" : [
"kibana_system"
],
"full_name" : null,
"email" : null,
"metadata" : {
"_reserved" : true
},
"enabled" : true
},
"logstash_system" : {
"username" : "logstash_system",
"roles" : [
"logstash_system"
],
"full_name" : null,
"email" : null,
"metadata" : {
"_reserved" : true
},
"enabled" : true
},
"beats_system" : {
"username" : "beats_system",
"roles" : [
"beats_system"
],
"full_name" : null,
"email" : null,
"metadata" : {
"_reserved" : true
},
"enabled" : true
},
"apm_system" : {
"username" : "apm_system",
"roles" : [
"apm_system"
],
"full_name" : null,
"email" : null,
"metadata" : {
"_reserved" : true
},
"enabled" : true
},
"remote_monitoring_user" : {
"username" : "remote_monitoring_user",
"roles" : [
"remote_monitoring_collector",
"remote_monitoring_agent"
],
"full_name" : null,
"email" : null,
"metadata" : {
"_reserved" : true
},
"enabled" : true
}
}
2 查询特定用户的角色和权限
获取特定用户的角色和权限。例如,查询用户 limited_user:
-- 执行命令
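# Show one user's record (roles, enabled flag, metadata). Same privilege
# requirement as the list call (read_security). The password is left off
# -u so curl prompts for it instead of exposing it in history and `ps`.
curl -u elastic "http://192.168.1.19:9200/_security/user/limited_user?pretty"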
-- 执行结果如下
{
"limited_user" : {
"username" : "limited_user",
"roles" : [
"limited_logs_reader"
],
"full_name" : "Limited User",
"email" : "limited.user@example.com",
"metadata" : { },
"enabled" : true
}
}
3 查询所有角色
获取所有角色的列表及其权限配置:
-- 命令如下
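# List every role with its cluster, index and application privileges.
# The output is a map of the cluster's entire authorization model — treat
# it as sensitive. curl prompts for the password because -u carries only
# the user name; -X GET is the default and is omitted.
curl -u elastic "http://192.168.1.19:9200/_security/role?pretty"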
-- 执行结果如下
{
"kibana_dashboard_only_user" : {
"cluster" : [ ],
"indices" : [ ],
"applications" : [
{
"application" : "kibana-.kibana",
"privileges" : [
"read"
],
"resources" : [
"*"
]
}
],
"run_as" : [ ],
"metadata" : {
"_deprecated" : true,
"_deprecated_reason" : "Please use Kibana feature privileges instead",
"_reserved" : true
},
"transient_metadata" : {
"enabled" : true
}
},
"apm_system" : {
"cluster" : [
"monitor",
"cluster:admin/xpack/monitoring/bulk"
],
"indices" : [
{
"names" : [
".monitoring-beats-*"
],
"privileges" : [
"create_index",
"create_doc"
],
"allow_restricted_indices" : false
}
],
"applications" : [ ],
"run_as" : [ ],
"metadata" : {
"_reserved" : true
},
"transient_metadata" : {
"enabled" : true
}
},
"watcher_admin" : {
"cluster" : [
"manage_watcher"
],
"indices" : [
{
"names" : [
".watches",
".triggered_watches",
".watcher-history-*"
],
"privileges" : [
"read"
],
"allow_restricted_indices" : false
}
],
"applications" : [ ],
"run_as" : [ ],
"metadata" : {
"_reserved" : true
},
"transient_metadata" : {
"enabled" : true
}
},
"logstash_system" : {
"cluster" : [
"monitor",
"cluster:admin/xpack/monitoring/bulk"
],
"indices" : [ ],
"applications" : [ ],
"run_as" : [ ],
"metadata" : {
"_reserved" : true
},
"transient_metadata" : {
"enabled" : true
}
},
"rollup_user" : {
"cluster" : [
"monitor_rollup"
],
"indices" : [ ],
"applications" : [ ],
"run_as" : [ ],
"metadata" : {
"_reserved" : true
},
"transient_metadata" : {
"enabled" : true
}
}
4 查询特定角色的权限
获取特定角色的权限配置。例如,查询角色 limited_logs_reader(返回的 indices.names / privileges 就是该角色能访问哪些索引、能做什么操作):
-- 命令如下
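# Show one role's privilege definition; indices[].names and
# indices[].privileges answer "which indices can this role touch, and how".
# Password is prompted for rather than passed on the command line.
curl -u elastic "http://192.168.1.19:9200/_security/role/limited_logs_reader?pretty"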
-- 执行结果如下
{
"limited_logs_reader" : {
"cluster" : [ ],
"indices" : [
{
"names" : [
"xxxxxx_2024-06-14",
"xxxxxx_2024-06-15",
"xxxxxx_2024-06-16",
"xxxxxx_2024-06-17"
],
"privileges" : [
"read"
],
"allow_restricted_indices" : false
}
],
"applications" : [
{
"application" : "kibana-.kibana",
"privileges" : [
"read"
],
"resources" : [
"*"
]
}
],
"run_as" : [ ],
"metadata" : { },
"transient_metadata" : {
"enabled" : true
}
}
}
5 汇总(查询用户及角色)命令脚本
以下是一个简单的脚本,汇总查询所有用户及其角色和权限的命令。注意:管理员密码不应硬编码在脚本文件里——脚本文件会进入备份、版本库以及任何能读到该文件的人手中;密码应通过环境变量或交互式输入提供,脚本文件本身也应限制为仅属主可读。
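#!/usr/bin/env bash
# Dump every Elasticsearch user and role through the Security API.
#
# Configuration comes from the environment so that no password is stored in
# this file (a hard-coded admin password ends up in backups, git history and
# with anyone who can read the script):
#   ES_URL   cluster endpoint    (default: http://192.168.1.19:9200)
#   ES_USER  account to query as (default: elastic; needs the read_security
#            cluster privilege — a dedicated read-only operator account is
#            preferable to the built-in superuser)
#   ES_PASS  password for ES_USER; prompted for on the terminal when unset
#
# With an http:// endpoint the Basic-auth credentials cross the network in
# clear text; point ES_URL at https:// wherever the cluster has TLS enabled.
set -euo pipefail

ES_URL="${ES_URL:-http://192.168.1.19:9200}"
ES_USER="${ES_USER:-elastic}"

if [[ -z "${ES_PASS:-}" ]]; then
  # -s keeps the password off the screen; -r keeps backslashes literal.
  read -rsp "Password for ${ES_USER} at ${ES_URL}: " ES_PASS
  printf '\n' >&2
fi
readonly ES_URL ES_USER ES_PASS

#######################################
# GET a path from the cluster, authenticating as ES_USER.
# The credentials are handed to curl as a config file on stdin (-K -)
# instead of on the command line, so they do not appear in `ps` output,
# in the shell history, or in a `set -x` trace of the caller.
# Globals:   ES_URL, ES_USER, ES_PASS (read)
# Arguments: $1 - URL path, e.g. /_security/user?pretty
# Outputs:   response body on stdout
# Returns:   curl's exit status; non-zero on HTTP >= 400 because of -f
#######################################
es_get() {
  local path=$1
  local cred="${ES_USER}:${ES_PASS}"
  # The config value is a double-quoted curl string: escape the two
  # characters that would otherwise terminate or corrupt it.
  cred=${cred//\\/\\\\}
  cred=${cred//\"/\\\"}
  printf 'user = "%s"\n' "$cred" \
    | curl -sS -f -K - "${ES_URL}${path}"
}

printf 'Querying all users...\n'
es_get "/_security/user?pretty"

printf 'Querying all roles...\n'
es_get "/_security/role?pretty"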
将上述脚本保存为 query_users_and_roles.sh,添加执行权限(仅属主可读、可执行)并运行:
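# Owner-only permissions: the script handles the admin password, so other
# local users must not be able to read (or modify) it.
chmod 700 query_users_and_roles.sh
./query_users_and_roles.sh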
解释
1) 查询所有用户:通过 GET /_security/user API 获取所有用户信息,包括用户名、角色、是否启用等。响应中不包含密码哈希,但完整的用户与角色清单本身就是攻击者做权限侦察的重要材料,输出结果应妥善保管,不要随意留在共享目录或聊天记录中。
2) 查询所有角色:通过 GET /_security/role API 获取所有角色信息,包括角色名、集群权限、索引权限(indices.names / privileges)和应用权限等。要回答"某个索引可被哪些用户访问",可以把每个角色的 indices.names 与用户列表中各用户的 roles 做关联:索引名匹配(含通配符)某角色 indices.names 的,该角色下的所有用户都能按对应 privileges 访问它。