elasticsearch运维系列_用户及角色权限相关SQL及脚本整理

这篇文章介绍ES运维过程中一些常用查询权限和角色的命令和脚本,以及如何查询某个索引可被系统中哪些用户访问。

Part1 查询用户及权限

1 查询所有用户

首先,获取所有用户的列表:

-- 命令如下
curl -u elastic:esuser -X GET "http://192.168.1.19:9200/_security/user?pretty"
-- 执行结果如下
{
  "flogsuperuser" : {
    "username" : "xxxsuperuser",
    "roles" : [
      "superuser"
    ],
    "full_name" : "",
    "email" : "",
    "metadata" : { },
    "enabled" : true
  },
  "limited_user" : {
    "username" : "limited_user",
    "roles" : [
      "limited_logs_reader"
    ],
    "full_name" : "Limited User",
    "email" : "limited.user@example.com",
    "metadata" : { },
    "enabled" : true
  },
  "elastic" : {
    "username" : "elastic",
    "roles" : [
      "superuser"
    ],
    "full_name" : null,
    "email" : null,
    "metadata" : {
      "_reserved" : true
    },
    "enabled" : true
  },
  "kibana" : {
    "username" : "kibana",
    "roles" : [
      "kibana_system"
    ],
    "full_name" : null,
    "email" : null,
    "metadata" : {
      "_deprecated" : true,
      "_deprecated_reason" : "Please use the [kibana_system] user instead.",
      "_reserved" : true
    },
    "enabled" : true
  },
  "kibana_system" : {
    "username" : "kibana_system",
    "roles" : [
      "kibana_system"
    ],
    "full_name" : null,
    "email" : null,
    "metadata" : {
      "_reserved" : true
    },
    "enabled" : true
  },
  "logstash_system" : {
    "username" : "logstash_system",
    "roles" : [
      "logstash_system"
    ],
    "full_name" : null,
    "email" : null,
    "metadata" : {
      "_reserved" : true
    },
    "enabled" : true
  },
  "beats_system" : {
    "username" : "beats_system",
    "roles" : [
      "beats_system"
    ],
    "full_name" : null,
    "email" : null,
    "metadata" : {
      "_reserved" : true
    },
    "enabled" : true
  },
  "apm_system" : {
    "username" : "apm_system",
    "roles" : [
      "apm_system"
    ],
    "full_name" : null,
    "email" : null,
    "metadata" : {
      "_reserved" : true
    },
    "enabled" : true
  },
  "remote_monitoring_user" : {
    "username" : "remote_monitoring_user",
    "roles" : [
      "remote_monitoring_collector",
      "remote_monitoring_agent"
    ],
    "full_name" : null,
    "email" : null,
    "metadata" : {
      "_reserved" : true
    },
    "enabled" : true
  }
}

2 查询特定用户的角色和权限

获取特定用户的角色和权限。例如,查询用户 limited_user

-- 执行命令
curl -u elastic:esuser -X GET "http://192.168.1.19:9200/_security/user/limited_user?pretty"
-- 执行结果如下
{
  "limited_user" : {
    "username" : "limited_user",
    "roles" : [
      "limited_logs_reader"
    ],
    "full_name" : "Limited User",
    "email" : "limited.user@example.com",
    "metadata" : { },
    "enabled" : true
  }
}

3 查询所有角色

获取所有角色的列表及其权限配置:

-- 命令如下
curl -u elastic:esuser -X GET "http://192.168.1.19:9200/_security/role?pretty"

-- 执行结果如下
{
  "kibana_dashboard_only_user" : {
    "cluster" : [ ],
    "indices" : [ ],
    "applications" : [
      {
        "application" : "kibana-.kibana",
        "privileges" : [
          "read"
        ],
        "resources" : [
          "*"
        ]
      }
    ],
    "run_as" : [ ],
    "metadata" : {
      "_deprecated" : true,
      "_deprecated_reason" : "Please use Kibana feature privileges instead",
      "_reserved" : true
    },
    "transient_metadata" : {
      "enabled" : true
    }
  },
  "apm_system" : {
    "cluster" : [
      "monitor",
      "cluster:admin/xpack/monitoring/bulk"
    ],
    "indices" : [
      {
        "names" : [
          ".monitoring-beats-*"
        ],
        "privileges" : [
          "create_index",
          "create_doc"
        ],
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [ ],
    "run_as" : [ ],
    "metadata" : {
      "_reserved" : true
    },
    "transient_metadata" : {
      "enabled" : true
    }
  },
  "watcher_admin" : {
    "cluster" : [
      "manage_watcher"
    ],
    "indices" : [
      {
        "names" : [
          ".watches",
          ".triggered_watches",
          ".watcher-history-*"
        ],
        "privileges" : [
          "read"
        ],
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [ ],
    "run_as" : [ ],
    "metadata" : {
      "_reserved" : true
    },
    "transient_metadata" : {
      "enabled" : true
    }
  },
  "logstash_system" : {
    "cluster" : [
      "monitor",
      "cluster:admin/xpack/monitoring/bulk"
    ],
    "indices" : [ ],
    "applications" : [ ],
    "run_as" : [ ],
    "metadata" : {
      "_reserved" : true
    },
    "transient_metadata" : {
      "enabled" : true
    }
  },
  "rollup_user" : {
    "cluster" : [
      "monitor_rollup"
    ],
    "indices" : [ ],
    "applications" : [ ],
    "run_as" : [ ],
    "metadata" : {
      "_reserved" : true
    },
    "transient_metadata" : {
      "enabled" : true
    }
  }

4 查询特定角色的权限

获取特定角色的权限配置。例如,查询角色 limited_logs_reader

-- 命令如下
curl -u elastic:esuser -X GET "http://192.168.1.19:9200/_security/role/limited_logs_reader?pretty"
-- 执行结果如下
{
  "limited_logs_reader" : {
    "cluster" : [ ],
    "indices" : [
      {
        "names" : [
          "xxxxxx_2024-06-14",
          "xxxxxx_2024-06-15",
          "xxxxxx_2024-06-16",
          "xxxxxx_2024-06-17"
        ],
        "privileges" : [
          "read"
        ],
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [
      {
        "application" : "kibana-.kibana",
        "privileges" : [
          "read"
        ],
        "resources" : [
          "*"
        ]
      }
    ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}

5 汇总(查询用户及角色)命令脚本

以下是一个简单的脚本,汇总查询所有用户及其角色和权限的命令:

#!/bin/bash

# Elasticsearch URL
ES_URL="http://192.168.1.19:9200"

# Admin credentials
ADMIN_USER="elastic"
ADMIN_PASS="esuser"

# Query all users
echo "Querying all users..."
curl -u $ADMIN_USER:$ADMIN_PASS -X GET "$ES_URL/_security/user?pretty"

# Query all roles
echo "Querying all roles..."
curl -u $ADMIN_USER:$ADMIN_PASS -X GET "$ES_URL/_security/role?pretty"

将上述脚本保存为 query_users_and_roles.sh,添加执行权限并运行:

chmod +x query_users_and_roles.sh
./query_users_and_roles.sh

解释
  1) 查询所有用户:通过 GET /_security/user API 获取所有用户信息,包括用户名、角色等。
  2) 查询所有角色:通过 GET /_security/role API 获取所有角色信息,包括角色名、权限配置等。
相关推荐
吾日三省吾码3 小时前
JVM 性能调优
java
y先森3 小时前
CSS3中的伸缩盒模型(弹性盒子、弹性布局)之伸缩容器、伸缩项目、主轴方向、主轴换行方式、复合属性flex-flow
前端·css·css3
前端Hardy3 小时前
纯HTML&CSS实现3D旋转地球
前端·javascript·css·3d·html
susu10830189113 小时前
vue3中父div设置display flex,2个子div重叠
前端·javascript·vue.js
弗拉唐4 小时前
springBoot,mp,ssm整合案例
java·spring boot·mybatis
sun0077004 小时前
ubuntu dpkg 删除安装包
运维·服务器·ubuntu
oi774 小时前
使用itextpdf进行pdf模版填充中文文本时部分字不显示问题
java·服务器
IT女孩儿4 小时前
CSS查缺补漏(补充上一条)
前端·css