My deployment and strategic configuration for SG, I hope to help you

#elasticsearch.yml 添加

#################search-guard###################

searchguard.enabled: true

searchguard.key_path: /home/work/app/elasticsearch/keys

searchguard.auditlog.enabled: true

searchguard.allow_all_from_loopback: true #本地调试可打开,建议在线上关闭

searchguard.check_for_root: false

searchguard.http.enable_sessions: true

#配置认证方式

searchguard.authentication.authentication_backend.impl: com.floragunn.searchguard.authentication.backend.simple.SettingsBasedAuthenticationBackend

searchguard.authentication.authorizer.impl: com.floragunn.searchguard.authorization.simple.SettingsBasedAuthorizator

searchguard.authentication.http_authenticator.impl: com.floragunn.searchguard.authentication.http.basic.HTTPBasicAuthenticator

#配置用户名和密码

searchguard.authentication.settingsdb.user.admin: admin

searchguard.authentication.settingsdb.user.user1: 123

searchguard.authentication.settingsdb.user.user2: 123

#配置用户角色

searchguard.authentication.authorization.settingsdb.roles.admin: [“root”]

searchguard.authentication.authorization.settingsdb.roles.user1: [“user1”]

searchguard.authentication.authorization.settingsdb.roles.user2: [“user2”]

#配置角色权限(只读)

searchguard.actionrequestfilter.names: [“readonly”,“deny”]

searchguard.actionrequestfilter.readonly.allowed_actions: [“indices:data/read/", “indices:admin/exists”,"indices:admin/mappings/”,“indices:admin/validate/query”]

searchguard.actionrequestfilter.readonly.forbidden_actions: [“indices:data/write/*”]

#配置角色权限(禁止访问)

searchguard.actionrequestfilter.deny.allowed_actions:

searchguard.actionrequestfilter.deny.forbidden_actions: [“indices:data/write/*”]

curl -XPUT ‘http://localhost:9200/searchguard/ac/ac?pretty’ -d ’

{“acl”: [

{

Comment”: “Default is to execute all filters”,

“filters_bypass”: ,

“filters_execute”: [“actionrequestfilter.deny”]

}, //默认禁止访问

{

Comment”: “This means that every requestor (regardless of the requestors hostname and username) which has the root role can do anything”,

“roles”: [

“root”

],

“filters_bypass”: ["*"],

“filters_execute”:

}, // root角色完全权限

{

Comment”: “This means that for the user spock on index popstuff only the actionrequestfilter.readonly will be executed, no other”,

“users”: [“user1”],

“indices”: [“index1-","index2-”,".kibana"],

“filters_bypass”: [“actionrequestfilter.deny”],

“filters_execute”: [“actionrequestfilter.readonly”]

}, //user1 用户只能访问index1-,index2- 索引,且只有只读权限

{

Comment”: “This means that for the user spock on index popstuff only the actionrequestfilter.readonly will be executed, no other”,

“users”: [“user2”],

“indices”: [“index3-*”,".kibana"],

“filters_bypass”: [“actionrequestfilter.deny”],

“filters_execute”: [“actionrequestfilter.readonly”]

} //user2 用户只能访问index3-* 索引,且只有只读权限

]}}

Please check in detail:

http://www.elain.org/?p=963

thx, thats great

···

Am 31.08.2015 um 08:09 schrieb elain ding <elain2013@gmail.com>:

#elasticsearch.yml 添加
#################search-guard###################
searchguard.enabled: true
searchguard.key_path: /home/work/app/elasticsearch/keys
searchguard.auditlog.enabled: true
searchguard.allow_all_from_loopback: true #本地调试可打开,建议在线上关闭
searchguard.check_for_root: false
searchguard.http.enable_sessions: true

#配置认证方式
searchguard.authentication.authentication_backend.impl: com.floragunn.searchguard.authentication.backend.simple.SettingsBasedAuthenticationBackend
searchguard.authentication.authorizer.impl: com.floragunn.searchguard.authorization.simple.SettingsBasedAuthorizator
searchguard.authentication.http_authenticator.impl: com.floragunn.searchguard.authentication.http.basic.HTTPBasicAuthenticator

#配置用户名和密码
searchguard.authentication.settingsdb.user.admin: admin
searchguard.authentication.settingsdb.user.user1: 123
searchguard.authentication.settingsdb.user.user2: 123

#配置用户角色
searchguard.authentication.authorization.settingsdb.roles.admin: ["root"]
searchguard.authentication.authorization.settingsdb.roles.user1: ["user1"]
searchguard.authentication.authorization.settingsdb.roles.user2: ["user2"]

#配置角色权限(只读)
searchguard.actionrequestfilter.names: ["readonly","deny"]
searchguard.actionrequestfilter.readonly.allowed_actions: ["indices:data/read/*", "indices:admin/exists","indices:admin/mappings/*","indices:admin/validate/query"]
searchguard.actionrequestfilter.readonly.forbidden_actions: ["indices:data/write/*"]

#配置角色权限(禁止访问)
searchguard.actionrequestfilter.deny.allowed_actions:
searchguard.actionrequestfilter.deny.forbidden_actions: ["indices:data/write/*"]

curl -XPUT 'http://localhost:9200/searchguard/ac/ac?pretty' -d '
{"acl": [
    {
      "__Comment__": "Default is to execute all filters",
      "filters_bypass": ,
      "filters_execute": ["actionrequestfilter.deny"]
    }, //默认禁止访问
    {
      "__Comment__": "This means that every requestor (regardless of the requestors hostname and username) which has the root role can do anything",
      "roles": [
        "root"
      ],
      "filters_bypass": ["*"],
      "filters_execute":
    }, // root角色完全权限
    {
      "__Comment__": "This means that for the user spock on index popstuff only the actionrequestfilter.readonly will be executed, no other",
      "users": ["user1"],
      "indices": ["index1-*","index2-*",".kibana"],
      "filters_bypass": ["actionrequestfilter.deny"],
      "filters_execute": ["actionrequestfilter.readonly"]
    }, //user1 用户只能访问index1-*,index2-* 索引,且只有只读权限
    {
      "__Comment__": "This means that for the user spock on index popstuff only the actionrequestfilter.readonly will be executed, no other",
      "users": ["user2"],
      "indices": ["index3-*",".kibana"],
      "filters_bypass": ["actionrequestfilter.deny"],
      "filters_execute": ["actionrequestfilter.readonly"]
    } //user2 用户只能访问index3-* 索引,且只有只读权限

  ]}}

Please check in detail:

http://www.elain.org/?p=963

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/737fa8c9-6439-4760-aa1c-541755361a37%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Hi!

May I ask about this part of configuration:

{

Comment”: “This means that for the user spock on index popstuff only the actionrequestfilter.readonly will be executed, no other”,

“users”: [“user1”],

“indices”: [“index1-","index2-”,".kibana"],

“filters_bypass”: [“actionrequestfilter.deny”],

“filters_execute”: [“actionrequestfilter.readonly”]

}

Documentation says: https://github.com/floragunncom/search-guard#no-automatic-multi-index-filters

‘If you access more than one index (e.g. search in multiple indices) only
rules will match when they list all the indices (or "*”).’

Does it mean that if I use e.g. ‘someindex-’ in kibana then I can define 'someindex-’ inside ACL - as above? Will it work?

In such situation - if I would try to search only one index - e.g. someindex-20150908 - would this ACL be appropriate for that search too?

AdamLis;

···

понедельник, 31 августа 2015 г., 8:09:50 UTC+2 пользователь elain ding написал:

#elasticsearch.yml 添加

#################search-guard###################

searchguard.enabled: true

searchguard.key_path: /home/work/app/elasticsearch/keys

searchguard.auditlog.enabled: true

searchguard.allow_all_from_loopback: true #本地调试可打开,建议在线上关闭

searchguard.check_for_root: false

searchguard.http.enable_sessions: true

#配置认证方式

searchguard.authentication.authentication_backend.impl: com.floragunn.searchguard.authentication.backend.simple.SettingsBasedAuthenticationBackend

searchguard.authentication.authorizer.impl: com.floragunn.searchguard.authorization.simple.SettingsBasedAuthorizator

searchguard.authentication.http_authenticator.impl: com.floragunn.searchguard.authentication.http.basic.HTTPBasicAuthenticator

#配置用户名和密码

searchguard.authentication.settingsdb.user.admin: admin

searchguard.authentication.settingsdb.user.user1: 123

searchguard.authentication.settingsdb.user.user2: 123

#配置用户角色

searchguard.authentication.authorization.settingsdb.roles.admin: [“root”]

searchguard.authentication.authorization.settingsdb.roles.user1: [“user1”]

searchguard.authentication.authorization.settingsdb.roles.user2: [“user2”]

#配置角色权限(只读)

searchguard.actionrequestfilter.names: [“readonly”,“deny”]

searchguard.actionrequestfilter.readonly.allowed_actions: [“indices:data/read/", “indices:admin/exists”,"indices:admin/mappings/”,“indices:admin/validate/query”]

searchguard.actionrequestfilter.readonly.forbidden_actions: [“indices:data/write/*”]

#配置角色权限(禁止访问)

searchguard.actionrequestfilter.deny.allowed_actions:

searchguard.actionrequestfilter.deny.forbidden_actions: [“indices:data/write/*”]

curl -XPUT ‘http://localhost:9200/searchguard/ac/ac?pretty’ -d ’

{“acl”: [

{

Comment”: “Default is to execute all filters”,

“filters_bypass”: ,

“filters_execute”: [“actionrequestfilter.deny”]

}, //默认禁止访问

{

Comment”: “This means that every requestor (regardless of the requestors hostname and username) which has the root role can do anything”,

“roles”: [

“root”

],

“filters_bypass”: ["*"],

“filters_execute”:

}, // root角色完全权限

{

Comment”: “This means that for the user spock on index popstuff only the actionrequestfilter.readonly will be executed, no other”,

“users”: [“user1”],

“indices”: [“index1-","index2-”,".kibana"],

“filters_bypass”: [“actionrequestfilter.deny”],

“filters_execute”: [“actionrequestfilter.readonly”]

}, //user1 用户只能访问index1-,index2- 索引,且只有只读权限

{

Comment”: “This means that for the user spock on index popstuff only the actionrequestfilter.readonly will be executed, no other”,

“users”: [“user2”],

“indices”: [“index3-*”,".kibana"],

“filters_bypass”: [“actionrequestfilter.deny”],

“filters_execute”: [“actionrequestfilter.readonly”]

} //user2 用户只能访问index3-* 索引,且只有只读权限

]}}

Please check in detail:

http://www.elain.org/?p=963

You try to know.

Someindex-20150908 includes someindex-*, so it’s possible.

在 2015年9月8日星期二 UTC+8下午10:40:57,adam…@gmail.com写道:

···

Hi!

May I ask about this part of configuration:

{

Comment”: “This means that for the user spock on index popstuff only the actionrequestfilter.readonly will be executed, no other”,

“users”: [“user1”],

“indices”: [“index1-","index2-”,".kibana"],

“filters_bypass”: [“actionrequestfilter.deny”],

“filters_execute”: [“actionrequestfilter.readonly”]

}

Documentation says: https://github.com/floragunncom/search-guard#no-automatic-multi-index-filters

‘If you access more than one index (e.g. search in multiple indices) only
rules will match when they list all the indices (or "*”).’

Does it mean that if I use e.g. ‘someindex-’ in kibana then I can define 'someindex-’ inside ACL - as above? Will it work?

In such situation - if I would try to search only one index - e.g. someindex-20150908 - would this ACL be appropriate for that search too?

AdamLis;

понедельник, 31 августа 2015 г., 8:09:50 UTC+2 пользователь elain ding написал:

#elasticsearch.yml 添加

#################search-guard###################

searchguard.enabled: true

searchguard.key_path: /home/work/app/elasticsearch/keys

searchguard.auditlog.enabled: true

searchguard.allow_all_from_loopback: true #本地调试可打开,建议在线上关闭

searchguard.check_for_root: false

searchguard.http.enable_sessions: true

#配置认证方式

searchguard.authentication.authentication_backend.impl: com.floragunn.searchguard.authentication.backend.simple.SettingsBasedAuthenticationBackend

searchguard.authentication.authorizer.impl: com.floragunn.searchguard.authorization.simple.SettingsBasedAuthorizator

searchguard.authentication.http_authenticator.impl: com.floragunn.searchguard.authentication.http.basic.HTTPBasicAuthenticator

#配置用户名和密码

searchguard.authentication.settingsdb.user.admin: admin

searchguard.authentication.settingsdb.user.user1: 123

searchguard.authentication.settingsdb.user.user2: 123

#配置用户角色

searchguard.authentication.authorization.settingsdb.roles.admin: [“root”]

searchguard.authentication.authorization.settingsdb.roles.user1: [“user1”]

searchguard.authentication.authorization.settingsdb.roles.user2: [“user2”]

#配置角色权限(只读)

searchguard.actionrequestfilter.names: [“readonly”,“deny”]

searchguard.actionrequestfilter.readonly.allowed_actions: [“indices:data/read/", “indices:admin/exists”,"indices:admin/mappings/”,“indices:admin/validate/query”]

searchguard.actionrequestfilter.readonly.forbidden_actions: [“indices:data/write/*”]

#配置角色权限(禁止访问)

searchguard.actionrequestfilter.deny.allowed_actions:

searchguard.actionrequestfilter.deny.forbidden_actions: [“indices:data/write/*”]

curl -XPUT ‘http://localhost:9200/searchguard/ac/ac?pretty’ -d ’

{“acl”: [

{

Comment”: “Default is to execute all filters”,

“filters_bypass”: ,

“filters_execute”: [“actionrequestfilter.deny”]

}, //默认禁止访问

{

Comment”: “This means that every requestor (regardless of the requestors hostname and username) which has the root role can do anything”,

“roles”: [

“root”

],

“filters_bypass”: ["*"],

“filters_execute”:

}, // root角色完全权限

{

Comment”: “This means that for the user spock on index popstuff only the actionrequestfilter.readonly will be executed, no other”,

“users”: [“user1”],

“indices”: [“index1-","index2-”,".kibana"],

“filters_bypass”: [“actionrequestfilter.deny”],

“filters_execute”: [“actionrequestfilter.readonly”]

}, //user1 用户只能访问index1-,index2- 索引,且只有只读权限

{

Comment”: “This means that for the user spock on index popstuff only the actionrequestfilter.readonly will be executed, no other”,

“users”: [“user2”],

“indices”: [“index3-*”,".kibana"],

“filters_bypass”: [“actionrequestfilter.deny”],

“filters_execute”: [“actionrequestfilter.readonly”]

} //user2 用户只能访问index3-* 索引,且只有只读权限

]}}

Please check in detail:

http://www.elain.org/?p=963