elasticsearch运维系列_用户及角色权限相关SQL及脚本整理

这篇文章介绍ES运维过程中一些常用查询权限和角色的命令和脚本,以及如何查询某个索引可被系统中哪些用户访问。

Part1 查询用户及权限

1 查询所有用户

首先,获取所有用户的列表:

-- 命令如下
curl -u elastic:esuser -X GET "http://192.168.1.19:9200/_security/user?pretty"
-- 执行结果如下
{
  "flogsuperuser" : {
    "username" : "xxxsuperuser",
    "roles" : [
      "superuser"
    ],
    "full_name" : "",
    "email" : "",
    "metadata" : { },
    "enabled" : true
  },
  "limited_user" : {
    "username" : "limited_user",
    "roles" : [
      "limited_logs_reader"
    ],
    "full_name" : "Limited User",
    "email" : "limited.user@example.com",
    "metadata" : { },
    "enabled" : true
  },
  "elastic" : {
    "username" : "elastic",
    "roles" : [
      "superuser"
    ],
    "full_name" : null,
    "email" : null,
    "metadata" : {
      "_reserved" : true
    },
    "enabled" : true
  },
  "kibana" : {
    "username" : "kibana",
    "roles" : [
      "kibana_system"
    ],
    "full_name" : null,
    "email" : null,
    "metadata" : {
      "_deprecated" : true,
      "_deprecated_reason" : "Please use the [kibana_system] user instead.",
      "_reserved" : true
    },
    "enabled" : true
  },
  "kibana_system" : {
    "username" : "kibana_system",
    "roles" : [
      "kibana_system"
    ],
    "full_name" : null,
    "email" : null,
    "metadata" : {
      "_reserved" : true
    },
    "enabled" : true
  },
  "logstash_system" : {
    "username" : "logstash_system",
    "roles" : [
      "logstash_system"
    ],
    "full_name" : null,
    "email" : null,
    "metadata" : {
      "_reserved" : true
    },
    "enabled" : true
  },
  "beats_system" : {
    "username" : "beats_system",
    "roles" : [
      "beats_system"
    ],
    "full_name" : null,
    "email" : null,
    "metadata" : {
      "_reserved" : true
    },
    "enabled" : true
  },
  "apm_system" : {
    "username" : "apm_system",
    "roles" : [
      "apm_system"
    ],
    "full_name" : null,
    "email" : null,
    "metadata" : {
      "_reserved" : true
    },
    "enabled" : true
  },
  "remote_monitoring_user" : {
    "username" : "remote_monitoring_user",
    "roles" : [
      "remote_monitoring_collector",
      "remote_monitoring_agent"
    ],
    "full_name" : null,
    "email" : null,
    "metadata" : {
      "_reserved" : true
    },
    "enabled" : true
  }
}

2 查询特定用户的角色和权限

获取特定用户的角色和权限。例如,查询用户 limited_user

-- 执行命令
curl -u elastic:esuser -X GET "http://192.168.1.19:9200/_security/user/limited_user?pretty"
-- 执行结果如下
{
  "limited_user" : {
    "username" : "limited_user",
    "roles" : [
      "limited_logs_reader"
    ],
    "full_name" : "Limited User",
    "email" : "limited.user@example.com",
    "metadata" : { },
    "enabled" : true
  }
}

3 查询所有角色

获取所有角色的列表及其权限配置:

-- 命令如下
curl -u elastic:esuser -X GET "http://192.168.1.19:9200/_security/role?pretty"

-- 执行结果如下
{
  "kibana_dashboard_only_user" : {
    "cluster" : [ ],
    "indices" : [ ],
    "applications" : [
      {
        "application" : "kibana-.kibana",
        "privileges" : [
          "read"
        ],
        "resources" : [
          "*"
        ]
      }
    ],
    "run_as" : [ ],
    "metadata" : {
      "_deprecated" : true,
      "_deprecated_reason" : "Please use Kibana feature privileges instead",
      "_reserved" : true
    },
    "transient_metadata" : {
      "enabled" : true
    }
  },
  "apm_system" : {
    "cluster" : [
      "monitor",
      "cluster:admin/xpack/monitoring/bulk"
    ],
    "indices" : [
      {
        "names" : [
          ".monitoring-beats-*"
        ],
        "privileges" : [
          "create_index",
          "create_doc"
        ],
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [ ],
    "run_as" : [ ],
    "metadata" : {
      "_reserved" : true
    },
    "transient_metadata" : {
      "enabled" : true
    }
  },
  "watcher_admin" : {
    "cluster" : [
      "manage_watcher"
    ],
    "indices" : [
      {
        "names" : [
          ".watches",
          ".triggered_watches",
          ".watcher-history-*"
        ],
        "privileges" : [
          "read"
        ],
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [ ],
    "run_as" : [ ],
    "metadata" : {
      "_reserved" : true
    },
    "transient_metadata" : {
      "enabled" : true
    }
  },
  "logstash_system" : {
    "cluster" : [
      "monitor",
      "cluster:admin/xpack/monitoring/bulk"
    ],
    "indices" : [ ],
    "applications" : [ ],
    "run_as" : [ ],
    "metadata" : {
      "_reserved" : true
    },
    "transient_metadata" : {
      "enabled" : true
    }
  },
  "rollup_user" : {
    "cluster" : [
      "monitor_rollup"
    ],
    "indices" : [ ],
    "applications" : [ ],
    "run_as" : [ ],
    "metadata" : {
      "_reserved" : true
    },
    "transient_metadata" : {
      "enabled" : true
    }
  }

4 查询特定角色的权限

获取特定角色的权限配置。例如,查询角色 limited_logs_reader

-- 命令如下
curl -u elastic:esuser -X GET "http://192.168.1.19:9200/_security/role/limited_logs_reader?pretty"
-- 执行结果如下
{
  "limited_logs_reader" : {
    "cluster" : [ ],
    "indices" : [
      {
        "names" : [
          "xxxxxx_2024-06-14",
          "xxxxxx_2024-06-15",
          "xxxxxx_2024-06-16",
          "xxxxxx_2024-06-17"
        ],
        "privileges" : [
          "read"
        ],
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [
      {
        "application" : "kibana-.kibana",
        "privileges" : [
          "read"
        ],
        "resources" : [
          "*"
        ]
      }
    ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}

5 汇总(查询用户及角色)命令脚本

以下是一个简单的脚本,汇总查询所有用户及其角色和权限的命令:

#!/bin/bash

# Elasticsearch URL
ES_URL="http://192.168.1.19:9200"

# Admin credentials
ADMIN_USER="elastic"
ADMIN_PASS="esuser"

# Query all users
echo "Querying all users..."
curl -u $ADMIN_USER:$ADMIN_PASS -X GET "$ES_URL/_security/user?pretty"

# Query all roles
echo "Querying all roles..."
curl -u $ADMIN_USER:$ADMIN_PASS -X GET "$ES_URL/_security/role?pretty"

将上述脚本保存为 query_users_and_roles.sh,添加执行权限并运行:

chmod +x query_users_and_roles.sh
./query_users_and_roles.sh

解释
  1) 查询所有用户:通过 GET /_security/user API 获取所有用户信息,包括用户名、角色等。
  2) 查询所有角色:通过 GET /_security/role API 获取所有角色信息,包括角色名、权限配置等。
相关推荐
Re.不晚11 分钟前
Java入门15——抽象类
java·开发语言·学习·算法·intellij-idea
雷神乐乐17 分钟前
Maven学习——创建Maven的Java和Web工程,并运行在Tomcat上
java·maven
码农派大星。20 分钟前
Spring Boot 配置文件
java·spring boot·后端
顾北川_野27 分钟前
Android 手机设备的OEM-unlock解锁 和 adb push文件
android·java
江深竹静,一苇以航29 分钟前
springboot3项目整合Mybatis-plus启动项目报错:Invalid bean definition with name ‘xxxMapper‘
java·spring boot
GIS程序媛—椰子42 分钟前
【Vue 全家桶】7、Vue UI组件库(更新中)
前端·vue.js
weixin_442643421 小时前
推荐FileLink数据跨网摆渡系统 — 安全、高效的数据传输解决方案
服务器·网络·安全·filelink数据摆渡系统
confiself1 小时前
大模型系列——LLAMA-O1 复刻代码解读
java·开发语言
DogEgg_0011 小时前
前端八股文(一)HTML 持续更新中。。。
前端·html
Wlq04151 小时前
J2EE平台
java·java-ee