如何对Elasticsearch进行多用户认证
[英]How to authenticate Elasticsearch with multiple users
问题描述
We are trying create manage Elastic above AWS separate tenant (customer) and assign each tenant to a different index.
我们正在尝试在 AWS 独立租户(客户)之上创建管理 Elastic,并将每个租户分配给不同的索引。
Each customer will have their user name/password or similar like token, etc.每个客户都会有他们的用户名/密码或类似的令牌等。
We setup a managed ES on AWS and did integration with native Elastic sdk HighRestClient我们在 AWS 上设置托管 ES 并与原生 Elastic sdk HighRestClient 集成
<dependency>
<groupId>org.elasticsearch.client</groupId>
<artifactId>elasticsearch-rest-high-level-client</artifactId>
<version>7.10</version>
</dependency>
Everything works fine, all our actions performed from Java code like creating index/manage/searches, etc.一切正常,我们从 Java 代码执行的所有操作,如创建索引/管理/搜索等。
This piece of code simulates the basic auth as described here https://www.elastic.co/guide/en/elasticsearch/client/java-rest/master/_basic_authentication.html这段代码模拟了此处描述的基本身份验证https://www.elastic.co/guide/en/elasticsearch/client/java-rest/master/_basic_authentication.html
final CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
credentialsProvider.setCredentials(AuthScope.ANY,
new UsernamePasswordCredentials(settings.getEsUserName(), settings.getEsUserPass()));
restClientBuilder.setHttpClientConfigCallback(builder -> builder.setDefaultCredentialsProvider(credentialsProvider));
Now we creating different index on each customer which is OK, but the problem is that now all our customers will have the same username/password.现在我们为每个客户创建不同的索引,这没问题,但问题是现在我们所有的客户都将拥有相同的用户名/密码。
Is it possible somehow to do this on multiple users, have multiple username/password?是否有可能以某种方式对多个用户执行此操作,有多个用户名/密码?
So each user can interact only with his index authenticated with password.因此,每个用户只能与通过密码验证的索引进行交互。
I saw this case - https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/fgac.html#fgac-walkthrough-basic我看到了这个案例 - https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/fgac.html#fgac-walkthrough-basic
As I understand from reading they are talking about multi tenancy on Kibana users.据我了解,他们正在谈论 Kibana 用户的多租户。
Am I missing something, is it possible to achieve our goal in different ways?我是否遗漏了什么,是否有可能以不同的方式实现我们的目标?
1 个解决方案
解决方案1
0 2021-09-26 16:44:24
You are confusing two concepts here.您在这里混淆了两个概念。 You can refer to the below concepts and decide which use case suits you best.您可以参考以下概念并确定最适合您的用例。
Fine grained access control provides you with internal database authentication mechanism by which you can create multiple users (having their own username/password) and attach roles/action groups to these users - so each user can have different permissions.细粒度的访问控制为您提供内部数据库身份验证机制,您可以通过该机制创建多个用户(拥有自己的用户名/密码)并将角色/操作组附加到这些用户 - 因此每个用户都可以拥有不同的权限。 Thereafter, each customer can be provided with a different username/password.此后,可以为每个客户提供不同的用户名/密码。
Tenants is a concept existing in Kibana system (with above security enabled), where a tenant can be used to store kibana related objects such as dashboards and visualisations.租户是 Kibana 系统中存在的一个概念(启用了上述安全性),其中租户可用于存储与 Kibana 相关的对象,例如仪表板和可视化。 There are two defaults tenants - global which is shared between all users, and private tenant which is exclusive to each customer.有两个默认租户 - 所有用户共享的global租户和每个客户独有的private租户。 You can create your own custom tenant, and configure it to be accessed by a group of users, so that these users can share kibana related objects.您可以创建自己的自定义租户,并将其配置为由一组用户访问,以便这些用户可以共享 kibana 相关对象。
More on tenants here: https://opendistro.github.io/for-elasticsearch-docs/docs/security/access-control/multi-tenancy/更多关于租户的信息: https://opendistro.github.io/for-elasticsearch-docs/docs/security/access-control/multi-tenancy/
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.