This article covers some commands and scripts commonly used during Elasticsearch (ES) operations to query users, roles and privileges, and how to find out which users in the system can access a given index.
Part 1 Querying users and privileges
1 Query all users
First, get the list of all users:
-- Command:
curl -u elastic:esuser -X GET "http://192.168.1.19:9200/_security/user?pretty"
-- Result:
{
  "flogsuperuser" : {
    "username" : "xxxsuperuser",
    "roles" : [ "superuser" ],
    "full_name" : "",
    "email" : "",
    "metadata" : { },
    "enabled" : true
  },
  "limited_user" : {
    "username" : "limited_user",
    "roles" : [ "limited_logs_reader" ],
    "full_name" : "Limited User",
    "email" : "limited.user@example.com",
    "metadata" : { },
    "enabled" : true
  },
  "elastic" : {
    "username" : "elastic",
    "roles" : [ "superuser" ],
    "full_name" : null,
    "email" : null,
    "metadata" : {
      "_reserved" : true
    },
    "enabled" : true
  },
  "kibana" : {
    "username" : "kibana",
    "roles" : [ "kibana_system" ],
    "full_name" : null,
    "email" : null,
    "metadata" : {
      "_deprecated" : true,
      "_deprecated_reason" : "Please use the [kibana_system] user instead.",
      "_reserved" : true
    },
    "enabled" : true
  },
  "kibana_system" : {
    "username" : "kibana_system",
    "roles" : [ "kibana_system" ],
    "full_name" : null,
    "email" : null,
    "metadata" : {
      "_reserved" : true
    },
    "enabled" : true
  },
  "logstash_system" : {
    "username" : "logstash_system",
    "roles" : [ "logstash_system" ],
    "full_name" : null,
    "email" : null,
    "metadata" : {
      "_reserved" : true
    },
    "enabled" : true
  },
  "beats_system" : {
    "username" : "beats_system",
    "roles" : [ "beats_system" ],
    "full_name" : null,
    "email" : null,
    "metadata" : {
      "_reserved" : true
    },
    "enabled" : true
  },
  "apm_system" : {
    "username" : "apm_system",
    "roles" : [ "apm_system" ],
    "full_name" : null,
    "email" : null,
    "metadata" : {
      "_reserved" : true
    },
    "enabled" : true
  },
  "remote_monitoring_user" : {
    "username" : "remote_monitoring_user",
    "roles" : [ "remote_monitoring_collector", "remote_monitoring_agent" ],
    "full_name" : null,
    "email" : null,
    "metadata" : {
      "_reserved" : true
    },
    "enabled" : true
  }
}
2 Query a specific user's roles and privileges
Get the roles and privileges of a specific user. For example, to query the user limited_user:
-- Command:
curl -u elastic:esuser -X GET "http://192.168.1.19:9200/_security/user/limited_user?pretty"
-- Result:
{
  "limited_user" : {
    "username" : "limited_user",
    "roles" : [ "limited_logs_reader" ],
    "full_name" : "Limited User",
    "email" : "limited.user@example.com",
    "metadata" : { },
    "enabled" : true
  }
}
3 Query all roles
Get the list of all roles and their privilege configuration:
-- Command:
curl -u elastic:esuser -X GET "http://192.168.1.19:9200/_security/role?pretty"
-- Result (output truncated):
{
  "kibana_dashboard_only_user" : {
    "cluster" : [ ],
    "indices" : [ ],
    "applications" : [
      {
        "application" : "kibana-.kibana",
        "privileges" : [ "read" ],
        "resources" : [ "*" ]
      }
    ],
    "run_as" : [ ],
    "metadata" : {
      "_deprecated" : true,
      "_deprecated_reason" : "Please use Kibana feature privileges instead",
      "_reserved" : true
    },
    "transient_metadata" : {
      "enabled" : true
    }
  },
  "apm_system" : {
    "cluster" : [ "monitor", "cluster:admin/xpack/monitoring/bulk" ],
    "indices" : [
      {
        "names" : [ ".monitoring-beats-*" ],
        "privileges" : [ "create_index", "create_doc" ],
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [ ],
    "run_as" : [ ],
    "metadata" : {
      "_reserved" : true
    },
    "transient_metadata" : {
      "enabled" : true
    }
  },
  "watcher_admin" : {
    "cluster" : [ "manage_watcher" ],
    "indices" : [
      {
        "names" : [ ".watches", ".triggered_watches", ".watcher-history-*" ],
        "privileges" : [ "read" ],
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [ ],
    "run_as" : [ ],
    "metadata" : {
      "_reserved" : true
    },
    "transient_metadata" : {
      "enabled" : true
    }
  },
  "logstash_system" : {
    "cluster" : [ "monitor", "cluster:admin/xpack/monitoring/bulk" ],
    "indices" : [ ],
    "applications" : [ ],
    "run_as" : [ ],
    "metadata" : {
      "_reserved" : true
    },
    "transient_metadata" : {
      "enabled" : true
    }
  },
  "rollup_user" : {
    "cluster" : [ "monitor_rollup" ],
    "indices" : [ ],
    "applications" : [ ],
    "run_as" : [ ],
    "metadata" : {
      "_reserved" : true
    },
    "transient_metadata" : {
      "enabled" : true
    }
  }
4 Query a specific role's privileges
Get the privilege configuration of a specific role. For example, to query the role limited_logs_reader:
-- Command:
curl -u elastic:esuser -X GET "http://192.168.1.19:9200/_security/role/limited_logs_reader?pretty"
-- Result:
{
  "limited_logs_reader" : {
    "cluster" : [ ],
    "indices" : [
      {
        "names" : [ "xxxxxx_2024-06-14", "xxxxxx_2024-06-15", "xxxxxx_2024-06-16", "xxxxxx_2024-06-17" ],
        "privileges" : [ "read" ],
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [
      {
        "application" : "kibana-.kibana",
        "privileges" : [ "read" ],
        "resources" : [ "*" ]
      }
    ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}
5 Combined script (query users and roles)
Here is a simple script that combines the commands for querying all users and their roles and privileges:
#!/bin/bash
# Elasticsearch URL
ES_URL="http://192.168.1.19:9200"
# Admin credentials
ADMIN_USER="elastic"
ADMIN_PASS="esuser"
# Query all users
echo "Querying all users..."
curl -u "$ADMIN_USER:$ADMIN_PASS" -X GET "$ES_URL/_security/user?pretty"
# Query all roles
echo "Querying all roles..."
curl -u "$ADMIN_USER:$ADMIN_PASS" -X GET "$ES_URL/_security/role?pretty"
Save the script above as query_users_and_roles.sh, make it executable and run it:
chmod +x query_users_and_roles.sh
./query_users_and_roles.sh
Explanation
1) Query all users: the GET /_security/user API returns information about every user, including username and roles.
2) Query all roles: the GET /_security/role API returns information about every role, including role name and privilege configuration.
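The two API responses above are enough to answer the question posed in the introduction, which users can access a given index: walk each enabled user's roles, and for every role collect the index privileges whose name patterns match the index. The following script is an added example, not part of the original article; it embeds a constructed sample trimmed from the article's own query output (limited_user, elastic, apm_system and their roles), plus a superuser role entry as Elasticsearch defines it and a constructed disabled account former_analyst to show that disabled users are excluded. The fetch_security_api helper is a hypothetical convenience for running it against a live cluster with the same credentials the article uses; it is not called in the offline run.

```python
"""Which users can access a given Elasticsearch index?

Added example, not from the original article: it resolves the answer from
the same two responses the article queries (GET /_security/user and
GET /_security/role). The sample data below is constructed: trimmed from the
article's output, plus the standard `superuser` role definition and a
disabled account to show the `enabled` check.
"""
import base64
import json
import re
import urllib.request

# Index privileges that allow reading documents. Others (create_doc, write,
# manage, ...) grant some access to the index but not document reads.
READ_GRANTING = {"read", "all"}

# Constructed sample (from the article's output; former_analyst is invented).
USERS = json.loads("""{
  "elastic":        {"username": "elastic", "roles": ["superuser"], "enabled": true},
  "limited_user":   {"username": "limited_user", "roles": ["limited_logs_reader"], "enabled": true},
  "apm_system":     {"username": "apm_system", "roles": ["apm_system"], "enabled": true},
  "former_analyst": {"username": "former_analyst", "roles": ["limited_logs_reader"], "enabled": false}
}""")

ROLES = json.loads("""{
  "superuser": {"cluster": ["all"],
      "indices": [{"names": ["*"], "privileges": ["all"], "allow_restricted_indices": true}]},
  "limited_logs_reader": {"cluster": [],
      "indices": [{"names": ["xxxxxx_2024-06-14", "xxxxxx_2024-06-15",
                             "xxxxxx_2024-06-16", "xxxxxx_2024-06-17"],
                   "privileges": ["read"], "allow_restricted_indices": false}]},
  "apm_system": {"cluster": ["monitor", "cluster:admin/xpack/monitoring/bulk"],
      "indices": [{"names": [".monitoring-beats-*"],
                   "privileges": ["create_index", "create_doc"],
                   "allow_restricted_indices": false}]}
}""")


def index_pattern_matches(pattern: str, index: str) -> bool:
    """Role index names use '*' as the only wildcard; translate it to a regex."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, index) is not None


def privileges_on_index(role_names, roles, index):
    """Union of index privileges the given roles grant on `index`.

    Returns (privileges, unknown_roles). An unknown role is one assigned to the
    user but absent from the role API response (e.g. deleted after assignment).
    """
    privs, unknown = set(), []
    for name in role_names:
        role = roles.get(name)
        if role is None:
            unknown.append(name)
            continue
        for entry in role.get("indices", []):
            if any(index_pattern_matches(p, index) for p in entry["names"]):
                privs.update(entry["privileges"])
    return privs, unknown


def users_with_access(users, roles, index, read_only=True):
    """Map username -> sorted privileges on `index` for every enabled user that
    holds at least one privilege (only read-granting ones if read_only) on it."""
    result = {}
    for username, user in users.items():
        if not user.get("enabled", True):
            continue  # a disabled account cannot authenticate at all
        privs, _unknown = privileges_on_index(user["roles"], roles, index)
        if read_only:
            privs = privs & READ_GRANTING
        if privs:
            result[username] = sorted(privs)
    return result


def fetch_security_api(es_url, admin_user, admin_pass, path):
    """Hypothetical live helper: GET {es_url}/_security/{path} with basic auth."""
    token = base64.b64encode(f"{admin_user}:{admin_pass}".encode()).decode()
    req = urllib.request.Request(f"{es_url}/_security/{path}",
                                 headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline run over the constructed sample; for a live cluster replace USERS
    # and ROLES with fetch_security_api(ES_URL, user, password, "user" / "role").
    for idx in ("xxxxxx_2024-06-15", ".monitoring-beats-7", "orders-2024"):
        print(idx, "readers:", users_with_access(USERS, ROLES, idx))
        print(idx, "any access:", users_with_access(USERS, ROLES, idx, read_only=False))
```

The result for xxxxxx_2024-06-15 is elastic (via superuser's "*" pattern) and limited_user; former_analyst holds the same role but is disabled, and apm_system's privileges on .monitoring-beats-* are create_index and create_doc only, so it appears in the "any access" view but not among readers. Keep in mind what this resolution does not cover: role mappings for users from LDAP/SAML or other external realms (those users are not returned by GET /_security/user), API keys, run_as, and document- or field-level security restrictions inside a role.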