I want to try Shield features and I want to give different roles to my users.
In my scenario, there are two users: "admin" and "pippo".
admin has admin privileges, pippo has user privileges. So, with "admin" I can use every REST API: GET, PUT, POST and DELETE. Instead, user can't do anything, while I expected that he could get every index. What am I doing wrong?
This is my roles.yml
# All cluster rights
# All operations on all indices
admin:
  cluster:
    - all
  indices:
    - names: '*'
      privileges:
        - all

# monitoring cluster privileges
# All operations on all indices
power_user:
  cluster:
    - monitor
  indices:
    - names: '*'
      privileges:
        - all

# Read-only operations on indices
user:
  indices:
    - names: '*'
      privileges:
        - read

# Defines the required permissions for transport clients
transport_client:
  cluster:
    - transport_client

# The required permissions for the kibana 4 server
kibana4_server:
  cluster:
    - monitor
  indices:
    - names: '.kibana*'
      privileges:
        - all
    - names: '.reporting-*'
      privileges:
        - all

# The required role for logstash users
logstash:
  cluster:
    - manage_index_templates
  indices:
    - names: 'logstash-*'
      privileges:
        - write
        - read
        - create_index

# Marvel user role. Assign to marvel users.
marvel_user:
  indices:
    - names: '.marvel-es-*'
      privileges: [ "read" ]
    - names: '.kibana'
      privileges:
        - view_index_metadata
        - read

# Marvel remote agent role. Assign to the agent user on the remote marvel cluster
# to which the marvel agent will export all its data
remote_marvel_agent:
  cluster: [ "manage_index_templates" ]
  indices:
    - names: '.marvel-es-*'
      privileges: [ "all" ]
This is my roles_mapping.yml
# Role mapping configuration file which has elasticsearch roles as keys
# that map to one or more user or group distinguished names
#roleA:   this is an elasticsearch role
#   - groupA-DN  this is a group distinguished name
#   - groupB-DN
#   - user1-DN  this is the full user distinguished name

#power_user:
#   - "cn=admins,dc=example,dc=com"
#user:
#   - "cn=users,dc=example,dc=com"
#   - "cn=admins,dc=example,dc=com"
#   - "cn=John Doe,cn=other users,dc=example,dc=com"
This is the error when I get an index with "pippo":
"reason": "action [indices:admin/get] is unauthorized for user [pippo]"
# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
# Before you set out to tweak and tune the configuration, make sure you
# understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please see the documentation for further information on configuration options:
# <http://www.elastic.co/guide/en/elasticsearch/reference/current/setup-configuration.html>
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
cluster.name: kibi-distribution
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
# node.name: node-1
#
# Add custom attributes to the node:
#
# node.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
# path.data: /path/to/data
#
# Path to log files:
#
# path.logs: /path/to/logs
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
# bootstrap.memory_lock: true
#
# Make sure that the `ES_HEAP_SIZE` environment variable is set to about half the memory
# available on the system and that the owner of the process is allowed to use this limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
# network.host: 192.168.0.1
#
# Set a custom port for HTTP:
#
http.port: 9220
#
# For more information, see the documentation at:
# <http://www.elastic.co/guide/en/elasticsearch/reference/current/modules-network.html>
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when new node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
# discovery.zen.ping.unicast.hosts: ["host1", "host2"]
#
# Prevent the "split brain" by configuring the majority of nodes (total number of nodes / 2 + 1):
#
# discovery.zen.minimum_master_nodes: 3
#
# For more information, see the documentation at:
# <http://www.elastic.co/guide/en/elasticsearch/reference/current/modules-discovery.html>
#
# ---------------------------------- Gateway -----------------------------------
#
# Block initial recovery after a full cluster restart until N nodes are started:
#
# gateway.recover_after_nodes: 3
#
# For more information, see the documentation at:
# <http://www.elastic.co/guide/en/elasticsearch/reference/current/modules-gateway.html>
#
# ---------------------------------- Various -----------------------------------
#
# Disable starting multiple nodes on a single system:
#
# node.max_local_storage_nodes: 1
#
# Require explicit names when deleting indices:
#
# action.destructive_requires_name: true
transport.tcp.port: 9330
# Analyzer for the snippet field of the Article index for the Crunchbase demo
index:
  analysis:
    analyzer:
      snippet:
        type: custom
        tokenizer: myTokenizer
        filter: [lowerTokens, englishStopWords, removeSmallTokens]
    tokenizer:
      myTokenizer:
        type: standard
    filter:
      lowerTokens:
        type: lowercase
      englishStopWords:
        type: stop
        stopwords: _english_
      removeSmallTokens:
        type: length
        min: 2
# Siren Join plugin: It is recommended to enable index query cache for all queries.
# See https://github.com/sirensolutions/siren-join/ for more details.
index.queries.cache.everything: true
I create users in elasticsearch/bin/shield/ using these commands:
./esusers useradd admin -r admin
./esusers useradd pippo -r user
# All cluster rights
# All operations on all indices
admin:
  cluster:
    - all
  indices:
    - names: '*'
      privileges:
        - all

# monitoring cluster privileges
# All operations on all indices
power_user:
  cluster:
    - monitor
  indices:
    - names: '*'
      privileges:
        - all

# Read-only operations on indices
user:
  indices:
    - names: '*'
      privileges:
        - read
        - view_index_metadata

# Defines the required permissions for transport clients
transport_client:
  cluster:
    - transport_client

# The required permissions for the kibana 4 server
kibana4_server:
  cluster:
    - monitor
  indices:
    - names: '.kibana*'
      privileges:
        - all
    - names: '.reporting-*'
      privileges:
        - all

# The required role for logstash users
logstash:
  cluster:
    - manage_index_templates
  indices:
    - names: 'logstash-*'
      privileges:
        - write
        - read
        - create_index

# Marvel user role. Assign to marvel users.
marvel_user:
  indices:
    - names: '.marvel-es-*'
      privileges: [ "read" ]
    - names: '.kibana'
      privileges:
        - view_index_metadata
        - read

# Marvel remote agent role. Assign to the agent user on the remote marvel cluster
# to which the marvel agent will export all its data
remote_marvel_agent:
  cluster: [ "manage_index_templates" ]
  indices:
    - names: '.marvel-es-*'
      privileges: [ "all" ]
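The error in the question (action indices:admin/get unauthorized for pippo) and the one difference between the two roles.yml files above (the user role gaining view_index_metadata) can be checked with this added Python model of Shield's index-privilege resolution. It is not code from the thread or from Shield; the privilege-to-action table is an abridged approximation of the Shield 2.x privilege documentation, and the two user roles are transcribed from the roles.yml files above.

```python
import fnmatch

# Abridged approximation of how Shield 2.x expands index privileges into
# transport action-name patterns (assumption drawn from the Shield privilege
# docs; the real tables are longer). The Get Index API that fails in the
# question is the transport action "indices:admin/get", which "read" does
# not cover but "view_index_metadata" does.
PRIVILEGE_ACTIONS = {
    "all": ["indices:*"],
    "read": ["indices:data/read/*"],
    "write": ["indices:data/write/*"],
    "create_index": ["indices:admin/create"],
    "view_index_metadata": [
        "indices:admin/get", "indices:admin/exists",
        "indices:admin/aliases/get", "indices:admin/mappings/get",
        "indices:admin/settings/get", "indices:monitor/*",
    ],
}

# The "user" role as it appears in the first and second roles.yml above.
USER_ROLE_BEFORE = {"indices": [{"names": ["*"], "privileges": ["read"]}]}
USER_ROLE_AFTER = {"indices": [{"names": ["*"],
                                "privileges": ["read", "view_index_metadata"]}]}


def is_authorized(role, index, action):
    """True if any index grant of `role` matches `index` and covers `action`."""
    for grant in role.get("indices", []):
        names = grant["names"]
        if isinstance(names, str):          # roles.yml allows a bare string
            names = [names]
        if not any(fnmatch.fnmatchcase(index, n) for n in names):
            continue
        for priv in grant["privileges"]:
            for pattern in PRIVILEGE_ACTIONS.get(priv, []):
                if fnmatch.fnmatchcase(action, pattern):
                    return True
    return False


def explain(role, user, index, action):
    """Render the decision in the same wording Shield uses in its error."""
    verdict = "authorized" if is_authorized(role, index, action) else "unauthorized"
    return f"action [{action}] is {verdict} for user [{user}]"


if __name__ == "__main__":
    for label, role in (("before", USER_ROLE_BEFORE), ("after", USER_ROLE_AFTER)):
        print(label, explain(role, "pippo", "article", "indices:admin/get"))
```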