Doc/272 security user

README.md

@@ -27,6 +27,10 @@
             * [故障恢复](/ues/develop/recover)
             * [Logstash部署](/ues/develop/logstash)
             * [功能文档](/ues/develop/guide)
+        * 安全用户管理
+            * [创建安全用户集群](/ues/security/create)
+            * [用户管理](/ues/security/manager)
+            * [安全访问](/ues/security/access)
     * Logstash
         * [产品简介](/ues/logstash/introduction)
         * 实例管理

_sidebar.md

@@ -16,6 +16,10 @@
             * [插件管理](/ues/plugins/manage)
             * [Security插件](/ues/plugins/security)
             * [US3插件](/ues/plugins/us3)
+        * 安全用户管理
+            * [创建安全用户集群](/ues/security/create)
+            * [用户管理](/ues/security/manager)
+            * [安全访问](/ues/security/access)
         * 开发指南
             * [ES测试](/ues/develop/test)
             * [配置管理](/ues/develop/config)

security/access.md

@@ -0,0 +1,87 @@
+# 客户端访问安全用户集群
+
+## FileBeat
+使用 filebeat-oss-6.8.4 版本，配置：
+```
+filebeat.inputs:
+- type: log
+  enabled: true
+  paths:
+    - /var/log/*.log
+
+output.elasticsearch:
+  hosts: ["xx.xx.xx.xx:9200"]
+  username: "elastic"
+  password: "changeme"
+```
+## Logstash
+使用 logstash-oss-6.8.4 版本，配置：
+```
+input {
+      generator {
+        lines => [
+          "line 1",
+          "line 2",
+          "line 3"
+        ]
+        # Emit all lines 3 times.
+        count => 3
+      }
+    }
+
+output {
+      elasticsearch {
+        hosts => ["xx.xx.xx.xx:9200"]
+        user => "elastic"
+        password => "changeme"
+      }
+    }
+```
+
+## Go Lang
+```
+package main
+
+import "fmt"
+import "log"
+import "github.com/elastic/go-elasticsearch/v6"
+
+func main() {
+    fmt.Println("Hello, World!")
+   cfg := elasticsearch.Config{
+                Addresses: []string{"http://xx.xx.xx.xx:9200"},
+                Username: "elastic",
+                Password: "changeme",
+        }
+
+    es,_ := elasticsearch.NewClient(cfg)
+    log.Println(elasticsearch.Version)
+    log.Println(es.Info())
+}
+```
+
+## Python
+
+```
+from datetime import datetime
+from elasticsearch import Elasticsearch
+es = Elasticsearch(['http://user:secret@xx.xx.xx.xx:9200'])
+
+doc = {
+    'author': 'kimchy',
+    'text': 'Elasticsearch: cool. bonsai cool.',
+    'timestamp': datetime.now(),
+}
+res = es.index(index="test-index", doc_type='tweet', id=1, body=doc)
+print(res['result'])
+
+res = es.get(index="test-index", doc_type='tweet', id=1)
+print(res['_source'])
+
+es.indices.refresh(index="test-index")
+
+res = es.search(index="test-index", body={"query": {"match_all": {}}})
+print("Got %d Hits:" % res['hits']['total'])
+for hit in res['hits']['hits']:
+    print("%(timestamp)s %(author)s: %(text)s" % hit["_source"])
+```

security/create.md

@@ -0,0 +1,16 @@
+# 创建安全用户集群
+
+## 一、特别提示
+
+1.客户账号需要 **Elasticsearch Security** 权限位
+
+2.当前可以区需有支持的安全用户版本
+
+## 二、创建集群
+
+**安全设置** 选中UES安全认证
+
+![image](/images/security/create_security_1.png)
+
+**Kibana 账号** 选中UES安全认证时，默认为elastic，不可修改
+

security/manager.md

@@ -0,0 +1,66 @@
+# 用户管理
+UES 安全用户创建、修改、删除等相关功能。
+
+## 一：预定义操作组
+
+### General
+
+| Name      | Description                                                                            |
+| ----------- | ---------------------------------------------------------------------------------------- |
+| UNLIMITED | Grants complete access, can be used on index- and cluster-level. Equates to `"*"`. |
+
+### Index-level action groups
+
+| Name            | Description                                                                                                             |
+| ----------------- | ------------------------------------------------------------------------------------------------------------------------- |
+| INDICES_ALL     | Grants all permissions on the index. Equates to `indices:*`                                                         |
+| GET             | Grants permission to use get and mget actions only                                                                      |
+| READ            | Grants read permissions like get, mget or getting field mappings, and search permissons                                 |
+| WRITE           | Grants write permissions to documents                                                                                   |
+| DELETE          | Grants permission to delete documents                                                                                   |
+| CRUD            | Combines the READ, WRITE and DELETE action groups                                                                       |
+| SEARCH          | Grants permission to search documents. Includes SUGGEST.                                                                |
+| SUGGEST         | Grants permission to use the suggest API. Already included in the READ action group.                                    |
+| CREATE_INDEX    | Grants permission to create indices and mappings                                                                        |
+| INDICES_MONITOR | Grants permission to execute all actions regarding index monitoring, e.g. recovery, segments info, index stats & status |
+| MANAGE_ALIASES  | Grants permission to manage aliases                                                                                     |
+| MANAGE          | Grants all `monitor` and index administration permissions                                                           |
+
+### Cluster-level action groups
+
+| Name                     | Description                                                                                                             |
+| -------------------------- | ------------------------------------------------------------------------------------------------------------------------- |
+| CLUSTER_ALL              | Grants all cluster permissions. Equates to `cluster:*`                                                              |
+| CLUSTER_MONITOR          | Grants all cluster monitoring permissions. Equates to `cluster:monitor/*`                                           |
+| CLUSTER_COMPOSITE_OPS_RO | Grants read-only permissions to execute multi requests like mget, msearch or mtv, plus permission to query for aliases. |
+| CLUSTER_COMPOSITE_OPS    | Same as `CLUSTER\_COMPOSITE\_OPS\_RO`, but also grants bulk write permissions and all aliases permissions.          |
+| MANAGE_SNAPSHOTS         | Grants full permissions to manage snapshots and repositories.                                                           |
+
+## 二：创建用户
+
+1. **elastic** 为默认用户，即创建集群时Kibana用户、密码 
+
+2. **创建用户**
+
+![image](/images/security/manager_create_user_1.png)
+
+集群权限和索引权限可以分别设置；索引权限需设置 **Index Pattern** 配合操作组使用。
+
+## 三：修改用户
+
+1. **权限修改**
+
+![image](/images/security/manager_update_user_1.png)
+
+可修改集群权限和索引权限
+
+2. **重置密码**
+
+![image](/images/security/manager_reset_password_1.png)
+
+## 四：删除用户
+
+![img.png](/images/security/manager_delete_user_1.png)
+
+默认用户不可删除
+