This document is published with MrDoc.

# Integrating ElasticSearch with LDAP for permission and user control
**Project background**

We use ElasticSearch to build wide data tables and serve hot interactive data, and need permission control with granularity down to the column level. We first considered the open-source SearchGuard plugin for ES, but found that SearchGuard's LDAP feature requires the paid enterprise edition, and its permission granularity only goes down to index and type, not columns. We then switched to the xpack plugin that ships with ES and found a way to do it without paying.

ES needs the xpack plugin installed and the default users configured; we changed the password of the elastic user to elastic to keep things simple later.

`Note: this document only covers ES with LDAP and built-in roles for column-level permission control; SSL/TLS transport encryption is not covered.`

**ElasticSearch and Kibana configuration**

Add the following to /conf/elasticsearch.yml:

```
xpack.security.enabled: true
xpack:
  security:
    authc:
      realms:
        ldap1:
          type: ldap
          order: 0
          url: "ldap://192.168.13.12"
          bind_dn: "cn=root,dc=intelli706,dc=com"   # DN of the LDAP admin account
          bind_password: 123456                     # password of the LDAP admin account
          user_search:
            base_dn: "dc=intelli706,dc=com"         # subtree in which user entries are searched
            attribute: uid
          group_search:
            base_dn: "dc=intelli706,dc=com"         # subtree in which group entries are searched
          files:
            # file-based mapping between LDAP users/groups and ES built-in roles
            role_mapping: "D:\\elasticsearch\\es-xpack\\esnew\\elasticsearch-6.8.0\\config\\role_mapping.yml"
          unmapped_groups_as_roles: false
```

role_mapping.yml is optional; it is shown here for reference, since mappings are usually configured through the API:

```
# Role mapping configuration file which has elasticsearch roles as keys
# that map to one or more user or group distinguished names
#roleA:   this is an elasticsearch role
#   - groupA-DN  this is a group distinguished name
#   - groupB-DN
#   - user1-DN   this is the full user distinguished name
#power_user:
#  - "cn=admins,dc=example,dc=com"
#user:
#  - "cn=users,dc=example,dc=com"
#  - "cn=admins,dc=example,dc=com"
#  - "cn=John Doe,cn=other users,dc=example,dc=com"
superuser:
  - "cn=admin,ou=person,dc=intelli706,dc=com"
  - "cn=zhangyan,ou=person,dc=intelli706,dc=com"
```

/conf/kibana.yml configuration; the main addition is the ES username and password:

```
elasticsearch.username: "elastic"
elasticsearch.password: "elastic"
```

After restarting ES and Kibana, a username and password are required to log in and access the data in ES.

**LDAP**

The setup process is omitted. When creating the DN, the objectClass used is inetOrgPerson, and the RDN is set to cn=admin, sn=admin, uid=admin, userPassword=admin.

Using the LDAP Admin Windows client, connect to the LDAP server and add an organizational unit (ou) and a test user (cn=admin); the generated DN is `cn=admin,ou=person,dc=intelli,dc=com`. Briefly: LDAP stores entries in a tree-shaped directory, and `cn=admin,ou=person,dc=intelli,dc=com` is a DN (Distinguished Name), i.e. a unique ID. You can see that it is a path in the directory tree, which is why it uniquely identifies an entry (similar to a row in a database).
Verify the admin user: call the ES /_xpack/security/_authenticate endpoint with the admin account and its password, and the user's information is returned.

```
GET /_xpack/security/_authenticate -u admin:admin
Returns:
{
  "username": "admin",
  "roles": [],               # note: no roles are bound yet, so the list is empty
  "full_name": null,
  "email": null,
  "metadata": {
    "ldap_dn": "cn=admin,ou=person,dc=intelli706,dc=com",   # DN of the admin account
    "ldap_groups": []
  },
  "enabled": true,
  "authentication_realm": {
    "name": "ldap1",         # shows the user was resolved through LDAP
    "type": "ldap"
  },
  "lookup_realm": {
    "name": "ldap1",
    "type": "ldap"
  }
}
```

`The following operations are performed with the elastic:elastic account.`

**Querying roles in ES via the API**

Roles and built-in users can also be managed in Kibana's Management UI; here we use the API, which is easier to call from code.

```
GET /_xpack/security/role
```

Note: when sending HTTP requests you must specify Basic Auth with username and password both set to elastic. Now that security is enabled, requests without a username and password are rejected.

**Creating a role**

Create a role and give it a privilege on an index that allows reading only some of the index's columns.

```
POST /_xpack/security/role/<rolename>
POST /_xpack/security/role/xsjc
{
  "cluster": ["all"],
  "indices": [
    {
      "names": ["tyyw*"],
      "privileges": ["read"],
      "field_security": {
        "grant": [
          "TYYW_2001_AJ__CBDW_MC",
          "TYYW_2001_AJ__CBDW_MC.keyword"
        ]
      }
    }
  ]
}
Returns:
{
  "role": {
    "created": true
  }
}
```

**Querying roles**

```
GET /_xpack/security/role        # query all roles
GET /_xpack/security/role/xsjc   # query a specific role
```

Returns:

```
{
  "xsjc": {
    "cluster": [
      "all"
    ],
    "indices": [
      {
        "names": [
          "tyyw*"
        ],
        "privileges": [
          "read"
        ],
        "field_security": {
          "grant": [
            "TYYW_2001_AJ__CBDW_MC",
            "TYYW_2001_AJ__CBDW_MC.keyword"   # note: this role grants read on these two columns only
          ]
        },
        "allow_restricted_indices": false
      }
    ],
    "applications": [],
    "run_as": [],
    "metadata": {},
    "transient_metadata": {
      "enabled": true
    }
  }
}
```

**Binding a role to a user**

Essentially this creates a mapping between a user and a role; <user_role_map_name> is the name of that mapping.

```
POST /_xpack/security/role_mapping/<user_role_map_name>
POST /_xpack/security/role_mapping/zhangyan_role
{
  "enabled": true,
  "roles": "xsjc",
  "rules": {
    "field": {
      "dn": "cn=zhangyan,ou=person,dc=intelli706,dc=com"
    }
  }
}
Returns:
{
  "role_mapping": {
    "created": true
  }
}
```

**Querying user-role mappings**

```
GET /_xpack/security/role_mapping                 # query all user-role mappings
GET /_xpack/security/role_mapping/zhangyan_role   # query a specific user-role mapping
Returns:
{
  "zhangyan_role": {
    "enabled": true,
    "roles": [
      "xsjc"
    ],
    "rules": {
      "field": {
        "dn": "cn=zhangyan,ou=person,dc=intelli706,dc=com"
      }
    },
    "metadata": {}
  }
}
```

**Querying user information**

```
GET /_xpack/security/_authenticate -u zhangyan:zhangyan
Returns:
{
  "username": "zhangyan",
  "roles": [
    "xsjc"                 # the user now has the role
  ],
  "full_name": null,
  "email": null,
  "metadata": {
    "ldap_dn": "cn=zhangyan,ou=person,dc=intelli706,dc=com",
    "ldap_groups": []
  },
  "enabled": true,
  "authentication_realm": {
    "name": "ldap1",
    "type": "ldap"
  },
  "lookup_realm": {
    "name": "ldap1",
    "type": "ldap"
  }
}
```

**Querying ES with the zhangyan account**

Notice that the returned _source contains only the TYYW_2001_AJ__CBDW_MC column.

```
{
  "took": 79,
  "timed_out": false,
  "_shards": { "total": 10, "successful": 10, "skipped": 0, "failed": 0 },
  "hits": {
    "total": 201,
    "max_score": 1.0,
    "hits": [
      { "_index": "tyyw_xsjc_0731", "_type": "_doc", "_id": "东检刑捕受[2019]770000100176", "_score": 1.0, "_source": { "TYYW_2001_AJ__CBDW_MC": "河北省院" } },
      { "_index": "tyyw_xsjc_0731", "_type": "_doc", "_id": "市检刑捕受[2019]770000100063", "_score": 1.0, "_source": {} },
      { "_index": "tyyw_xsjc_0731", "_type": "_doc", "_id": "东检刑捕受[2019]770000100184", "_score": 1.0, "_source": {} },
      { "_index": "tyyw_xsjc_0731", "_type": "_doc", "_id": "东检刑捕受[2019]770000100146", "_score": 1.0, "_source": { "TYYW_2001_AJ__CBDW_MC": "广东省院" } },
      { "_index": "tyyw_xsjc_0731", "_type": "_doc", "_id": "市检刑捕受[2019]770000100092", "_score": 1.0, "_source": {} },
      { "_index": "tyyw_xsjc_0731", "_type": "_doc", "_id": "市检刑捕受[2019]770000100096", "_score": 1.0, "_source": {} },
      { "_index": "tyyw_xsjc_0731", "_type": "_doc", "_id": "央检刑捕受[2019]770000100038", "_score": 1.0, "_source": {} },
      { "_index": "tyyw_xsjc_0731", "_type": "_doc", "_id": "西检刑捕受[2019]770000100005", "_score": 1.0, "_source": {} },
      { "_index": "tyyw_xsjc_0731", "_type": "_doc", "_id": "市检刑捕受[2019]770000100080", "_score": 1.0, "_source": {} },
      { "_index": "tyyw_xsjc_0731", "_type": "_doc", "_id": "东检刑捕受[2019]770000100163", "_score": 1.0, "_source": {} },
      { "_index": "tyyw_xsjc_0731", "_type": "_doc", "_id": "央检刑捕受[2019]770000100040", "_score": 1.0, "_source": {} },
      { "_index": "tyyw_xsjc_0731", "_type": "_doc", "_id": "市检刑捕受[2019]770000100093", "_score": 1.0, "_source": {} },
      { "_index": "tyyw_xsjc_0731", "_type": "_doc", "_id": "东检刑捕受[2019]770000100151", "_score": 1.0, "_source": { "TYYW_2001_AJ__CBDW_MC": "汉东省院" } },
      { "_index": "tyyw_xsjc_0731", "_type": "_doc", "_id": "东检刑捕受[2019]770000100179", "_score": 1.0, "_source": {} },
      { "_index": "tyyw_xsjc_0731", "_type": "_doc", "_id": "区检刑捕受[2019]770000100108", "_score": 1.0, "_source": {} },
      { "_index": "tyyw_xsjc_0731", "_type": "_doc", "_id": "市检刑捕受[2019]770000100058", "_score": 1.0, "_source": {} },
      { "_index": "tyyw_xsjc_0731", "_type": "_doc", "_id": "东检刑捕受[2019]770000100183", "_score": 1.0, "_source": {} },
      { "_index": "tyyw_xsjc_0731", "_type": "_doc", "_id": "市检刑捕受[2019]770000100091", "_score": 1.0, "_source": { "TYYW_2001_AJ__CBDW_MC": "汉东省院" } },
      { "_index": "tyyw_xsjc_0731", "_type": "_doc", "_id": "东检刑捕受[2019]770000100189", "_score": 1.0, "_source": {} },
      { "_index": "tyyw_xsjc_0731", "_type": "_doc", "_id": "央检刑捕受[2019]770000100043", "_score": 1.0, "_source": {} }
    ]
  },
  "aggregations": {
    "test": {
      "doc_count_error_upper_bound": 0,
      "sum_other_doc_count": 0,
      "buckets": []
    }
  }
}
```
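An added verification step for the end of this procedure (example code written for this page, not from the original post or from Elasticsearch): it takes the xsjc role body shown above and a `_search` response, and reports every top-level `_source` field a hit returned that the role's `field_security.grant` patterns do not cover, plus a helper that checks an `_authenticate` body for the mapped role and the LDAP realm. The search and authenticate responses inside the block are constructed samples, and the field name `EXTRA_FIELD_NOT_GRANTED` is a placeholder.

```python
import fnmatch

# Role body as created in the post (POST /_xpack/security/role/xsjc)
ROLE_XSJC = {
    "cluster": ["all"],
    "indices": [{
        "names": ["tyyw*"],
        "privileges": ["read"],
        "field_security": {
            "grant": ["TYYW_2001_AJ__CBDW_MC", "TYYW_2001_AJ__CBDW_MC.keyword"],
        },
    }],
}

def granted_patterns(role, index_name):
    """Union of field_security grant patterns from every index clause matching
    index_name. A clause without field_security grants every field ("*")."""
    patterns = set()
    for clause in role["indices"]:
        if any(fnmatch.fnmatchcase(index_name, p) for p in clause["names"]):
            patterns.update(clause.get("field_security", {}).get("grant", ["*"]))
    return patterns

def leaked_fields(role, search_response):
    """Top-level _source keys a search returned that the role did not grant.
    Returns a list of (doc id, field); an empty list means no leak was observed."""
    leaks = []
    for hit in search_response["hits"]["hits"]:
        patterns = granted_patterns(role, hit["_index"])
        for field in hit["_source"]:
            if not any(fnmatch.fnmatchcase(field, p) for p in patterns):
                leaks.append((hit["_id"], field))
    return leaks

def ldap_user_has_role(auth_response, role_name):
    """Check a /_xpack/security/_authenticate body: role mapped and realm is LDAP."""
    return (role_name in auth_response.get("roles", [])
            and auth_response.get("authentication_realm", {}).get("type") == "ldap")

# Constructed sample responses (placeholders, not captured from the post's cluster)
OK_SEARCH = {"hits": {"hits": [
    {"_index": "tyyw_xsjc_0731", "_id": "doc-1", "_source": {"TYYW_2001_AJ__CBDW_MC": "河北省院"}},
    {"_index": "tyyw_xsjc_0731", "_id": "doc-2", "_source": {}},
]}}
LEAKY_SEARCH = {"hits": {"hits": [
    {"_index": "tyyw_xsjc_0731", "_id": "doc-3",
     "_source": {"TYYW_2001_AJ__CBDW_MC": "广东省院", "EXTRA_FIELD_NOT_GRANTED": "x"}},
]}}
AUTH_ZHANGYAN = {"username": "zhangyan", "roles": ["xsjc"],
                 "authentication_realm": {"name": "ldap1", "type": "ldap"}}
```

The role in the post also grants `cluster: ["all"]`, which gives zhangyan every cluster-level privilege; a consumer that only reads a few columns normally needs no cluster privileges at all.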
adouk
18 September 2023, 09:41