diff --git a/README.md b/README.md index 8bc8b78..a7b9f51 100644 --- a/README.md +++ b/README.md @@ -27,6 +27,10 @@ * [故障恢复](/ues/develop/recover) * [Logstash部署](/ues/develop/logstash) * [功能文档](/ues/develop/guide) + * 安全用户管理 + * [创建安全用户集群](/ues/security/create) + * [用户管理](/ues/security/manager) + * [安全访问](/ues/security/access) * Logstash * [产品简介](/ues/logstash/introduction) * 实例管理 diff --git a/_sidebar.md b/_sidebar.md index 7d34d1a..39485ec 100644 --- a/_sidebar.md +++ b/_sidebar.md @@ -16,6 +16,10 @@ * [插件管理](/ues/plugins/manage) * [Security插件](/ues/plugins/security) * [US3插件](/ues/plugins/us3) + * 安全用户管理 + * [创建安全用户集群](/ues/security/create) + * [用户管理](/ues/security/manager) + * [安全访问](/ues/security/access) * 开发指南 * [ES测试](/ues/develop/test) * [配置管理](/ues/develop/config) diff --git a/images/security/create_security_1.png b/images/security/create_security_1.png new file mode 100644 index 0000000..ecea8ce Binary files /dev/null and b/images/security/create_security_1.png differ diff --git a/images/security/manager_create_user_1.png b/images/security/manager_create_user_1.png new file mode 100644 index 0000000..796f50e Binary files /dev/null and b/images/security/manager_create_user_1.png differ diff --git a/images/security/manager_delete_user_1.png b/images/security/manager_delete_user_1.png new file mode 100644 index 0000000..cd69f87 Binary files /dev/null and b/images/security/manager_delete_user_1.png differ diff --git a/images/security/manager_reset_password_1.png b/images/security/manager_reset_password_1.png new file mode 100644 index 0000000..7a3fefa Binary files /dev/null and b/images/security/manager_reset_password_1.png differ diff --git a/images/security/manager_update_user_1.png b/images/security/manager_update_user_1.png new file mode 100644 index 0000000..da76478 Binary files /dev/null and b/images/security/manager_update_user_1.png differ diff --git a/security/access.md b/security/access.md new file mode 100644 index 0000000..1c6d563 --- /dev/null 
+++ b/security/access.md @@ -0,0 +1,87 @@ +# 客户端访问安全用户集群 + +## FileBeat +使用 filebeat-oss-6.8.4 版本,配置: +``` +filebeat.inputs: +- type: log + enabled: true + paths: + - /var/log/*.log + +output.elasticsearch: + hosts: ["xx.xx.xx.xx:9200"] + username: "elastic" + password: "changeme" +``` +## Logstash +使用 logstash-oss-6.8.4 版本,配置: +``` +input { + generator { + lines => [ + "line 1", + "line 2", + "line 3" + ] + # Emit all lines 3 times. + count => 3 + } + } + +output { + elasticsearch { + hosts => ["xx.xx.xx.xx:9200"] + user => "elastic" + password => "changeme" + } + } +``` + +## Go Lang +``` +package main + +import "fmt" +import "log" +import "github.com/elastic/go-elasticsearch/v6" + +func main() { + fmt.Println("Hello, World!") + cfg := elasticsearch.Config{ + Addresses: []string{"http://xx.xx.xx.xx:9200"}, + Username: "elastic", + Password: "changeme", + } + + es,_ := elasticsearch.NewClient(cfg) + log.Println(elasticsearch.Version) + log.Println(es.Info()) +} +``` + +## Python + +``` +from datetime import datetime +from elasticsearch import Elasticsearch +es = Elasticsearch(['http://user:secret@xx.xx.xx.xx:9200']) + +doc = { + 'author': 'kimchy', + 'text': 'Elasticsearch: cool. bonsai cool.', + 'timestamp': datetime.now(), +} +res = es.index(index="test-index", doc_type='tweet', id=1, body=doc) +print(res['result']) + +res = es.get(index="test-index", doc_type='tweet', id=1) +print(res['_source']) + +es.indices.refresh(index="test-index") + +res = es.search(index="test-index", body={"query": {"match_all": {}}}) +print("Got %d Hits:" % res['hits']['total']) +for hit in res['hits']['hits']: + print("%(timestamp)s %(author)s: %(text)s" % hit["_source"]) +``` \ No newline at end of file diff --git a/security/create.md b/security/create.md new file mode 100644 index 0000000..9ce7b0f --- /dev/null +++ b/security/create.md 
@@ -0,0 +1,16 @@ +# 创建安全用户集群 + +## 一、特别提示 + +1.客户账号需要 **Elasticsearch Security** 权限位 + +2.当前可以区需有支持的安全用户版本 + +## 二、创建集群 + +**安全设置** 选中UES安全认证 + +![image](/images/security/create_security_1.png) + +**Kibana 账号** 选中UES安全认证时,默认为elastic,不可修改 + diff --git a/security/manager.md b/security/manager.md new file mode 100644 index 0000000..38d0925 --- /dev/null +++ b/security/manager.md 
@@ -0,0 +1,66 @@ +# 用户管理 +UES 安全用户创建、修改、删除等相关功能。 + +## 一:预定义操作组 + +### General + +| Name | Description | +| ----------- | ---------------------------------------------------------------------------------------- | +| UNLIMITED | Grants complete access, can be used on index- and cluster-level. Equates to `"*"`. | + +### Index-level action groups + +| Name | Description | +| ----------------- | ------------------------------------------------------------------------------------------------------------------------- | +| INDICES_ALL | Grants all permissions on the index. Equates to `indices:*` | +| GET | Grants permission to use get and mget actions only | +| READ | Grants read permissions like get, mget or getting field mappings, and search permissons | +| WRITE | Grants write permissions to documents | +| DELETE | Grants permission to delete documents | +| CRUD | Combines the READ, WRITE and DELETE action groups | +| SEARCH | Grants permission to search documents. Includes SUGGEST. | +| SUGGEST | Grants permission to use the suggest API. Already included in the READ action group. | +| CREATE_INDEX | Grants permission to create indices and mappings | +| INDICES_MONITOR | Grants permission to execute all actions regarding index monitoring, e.g. recovery, segments info, index stats & status | +| MANAGE_ALIASES | Grants permission to manage aliases | +| MANAGE | Grants all `monitor` and index administration permissions | + +### Cluster-level action groups + +| Name | Description | +| -------------------------- | ------------------------------------------------------------------------------------------------------------------------- | +| CLUSTER_ALL | Grants all cluster permissions. Equates to `cluster:*` | +| CLUSTER_MONITOR | Grants all cluster monitoring permissions. Equates to `cluster:monitor/*` | +| CLUSTER_COMPOSITE_OPS_RO | Grants read-only permissions to execute multi requests like mget, msearch or mtv, plus permission to query for aliases. 
| +| CLUSTER_COMPOSITE_OPS | Same as `CLUSTER\_COMPOSITE\_OPS\_RO`, but also grants bulk write permissions and all aliases permissions. | +| MANAGE_SNAPSHOTS | Grants full permissions to manage snapshots and repositories. | + +## 二:创建用户 + +1. **elastic** 为默认用户,即创建集群时Kibana用户、密码 + +2. **创建用户** + +![image](/images/security/manager_create_user_1.png) + +集群权限和索引权限可以分别设置;索引权限需设置 **Index Pattern** 配合操作组使用。 + +## 三:修改用户 + +1. **权限修改** + +![image](/images/security/manager_update_user_1.png) + +可修改集群权限和索引权限 + +2. **重置密码** + +![image](/images/security/manager_reset_password_1.png) + +## 四:删除用户 + +![img.png](/images/security/manager_delete_user_1.png) + +默认用户不可删除 +
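Review bot: the new 安全用户管理 group is inserted at different positions in the two navigation files in the README.md and _sidebar.md hunks: in README.md it follows `* [功能文档](/ues/develop/guide)` (inside the 开发指南 block, ahead of Logstash), while in _sidebar.md it follows `* [US3插件](/ues/plugins/us3)` and precedes `* 开发指南`. Pick one placement (the _sidebar.md position next to Security插件 reads as the natural home) and apply it to both files so the README table of contents and the rendered sidebar match.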
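Review bot: every client example in the security/access.md hunk authenticates as the built-in superuser with a literal password (`username: "elastic"` / `password: "changeme"` in the Filebeat block, `user => "elastic"` in the Logstash block, `Username: "elastic"` in the Go block, and `http://user:secret@xx.xx.xx.xx:9200` in the Python block). The security/manager.md file added in the same patch documents creating users with separate cluster and index permissions on an Index Pattern, so the shipper examples should use a purpose-made ingest user with WRITE and CREATE_INDEX on the target pattern rather than elastic, and the page should state that the shown usernames and passwords are placeholders to be replaced. All four examples also connect over plain `http://`; HTTP Basic auth sends the password base64-encoded on every request, so it is readable by anyone on the network path. Say whether the cluster endpoint is reachable over TLS and, if it is, use `https://` in every example. In the Go block, `es,_ := elasticsearch.NewClient(cfg)` discards the constructor error and `log.Println(es.Info())` prints the response and error rather than checking them, so a 401 from a wrong password is not handled; check both errors and drop the leftover `fmt.Println("Hello, World!")`. The file is also added without a trailing newline ("No newline at end of file").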
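Review bot: item 2 of 特别提示 in the security/create.md hunk, `2.当前可以区需有支持的安全用户版本`, looks like a typo for 当前可用区需有支持的安全用户版本 (the availability zone must offer a cluster version that supports security users); fix it, and since item 1 requires the Elasticsearch Security permission bit on the account, say what the user sees in the console when either precondition is not met. The Kibana 账号 paragraph fixes the account to elastic and says it cannot be changed, but the patch's manager.md is where it becomes clear that this same elastic password is the cluster's superuser credential used by the API clients in access.md; state that here too, so readers do not treat it as a Kibana-only login and choose it accordingly.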
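Review bot: in the security/manager.md hunk the description of CLUSTER_COMPOSITE_OPS uses `CLUSTER\_COMPOSITE\_OPS\_RO` inside backticks; backslashes are not escapes inside a code span, so this renders literally with backslashes. Write it as `CLUSTER_COMPOSITE_OPS_RO`, matching the Name column. Also "permissons" in the READ row. Beyond typos, the table lists UNLIMITED (equates to `"*"`), INDICES_ALL and CLUSTER_ALL with no guidance on when they are appropriate; because 创建用户 lets cluster and index permissions be set separately against an Index Pattern, add a sentence recommending least privilege (for example READ on a pattern for dashboard users, WRITE plus CREATE_INDEX on a pattern for log shippers) and noting that UNLIMITED gives a user the same power as the undeletable elastic account. Smaller points: the heading style `## 一:预定义操作组` differs from `## 一、特别提示` in create.md, the last image uses alt text `img.png` where the others use `image`, and 重置密码 shows only a screenshot; it should say whether resetting the elastic password also changes the Kibana login and that clients configured with the old password will start failing.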