I started using the create role API and it works as expected : https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-put-role.html
I got the list of default roles in elasticsearch, /_security/role but I don't know to create the following roles and not able to find the proper docs for it.
I want to segregate the user based on the following needs,
Role which has the privilege to perform only READ / WRITE in all the indices in Elastic Search (This role should not have privilege to CREATE / DELETE indices
Role which has the privilege to perform only operations on Kibana
Role which has the privilege to perform only operations on Logstash
I want to segregate the user based on the following needs,
Role which has the privilege to perform only operations on Kibana
Role which has the privilege to perform only operations on Logstash
when Creating / Updating a role, you can find all valid privileges in security privilege of elasticsearch 7.x documentation then add / delete some of them into the role you update.
The role setup below should cover typical use cases of Kibana and Logstash :
For Logstash user
add manage_index_templates to cluster privilege list
add create_index and index to indice privilege list, for each index pattern
you may need create or create_doc in the indice privilege list, in case that you generate _id field of a document externally (instead of auto-generated ID by elasticsearch)
assign the new role you created to whatever users you like
# Quick example, with POST request /_security/role/my_logstash_role
{
"cluster": ["manage_index_templates"],
"indices": [
{
"names": [ "logstash-*", "YOUR_INDEX_PATTERN_2" ],
"privileges": ["create_index", "index"],
}
],
"applications": [
{
"application": "YOUR_APP_NAME",
"privileges": [ "YOUR_APP_PRIV" ],
}
],
}
For Kibana user
add read to indice privilege list, for each index pattern
assign the new role you created, and built-in role kibana_system to whatever users you like, note kibana_system includes (1) a cluster privilege named monitor and (2) access permissions to some index patterns e.g. .kibana*, .reporting-*, .monitoring-* , which are required by Kibana.
if you also use DevTool console of Kibana to interact with elasticsearch REST API, you may need to add few more privileges like write,delete,manage ...etc to the role, which highly depends on the API endpoints you attempt to call.
# Quick example, with POST request /_security/role/my_kibana_role
{
"cluster": [],
"indices": [
{
"names": [ "logstash-*", "YOUR_INDEX_PATTERN_2" ],
"privileges": ["read"],
}
],
"applications": [
{
"application": "YOUR_APP_NAME",
"privileges": [ "YOUR_CUSTOM_APP_PRIV" ],
}
],
}
Related
Using Elastic Painless scripting, is it possible to get the user submitting a document update via the Kibana GUI?
Using ingest pipelines, I've tried to append the Security User to the context
{
"set_security_user": {
"field": "_security",
"properties": [
"roles",
"username",
"email",
"full_name",
"metadata",
"api_key",
"realm",
"authentication_type"
]
}
}
However regardless of which user is submitting a change to the document (via the Kibana GUI) it always sets it to:
...
"roles": [
"kibana_system",
"cloud-internal-enterprise_search-server"
],
"realm": {
"name": "found",
"type": "file"
},
"authentication_type": "REALM",
"username": "cloud-internal-enterprise_search-server"
...
Context:
What I'm trying to achieve is an additional layer of restrictions when users are modifying the Enterprise Search indexes. I want Developer Roles to be able to see all the configuration items within App Search (Enterprise Search via Kibana), but to only be able to read and not write. There doesn't seem to be a way to do this using the standard Enterprise Search roles which give Admins, Owners and Devs full read/write permissions for the engine.
I used
substrate-node-template
substrate-front-end-template
Pallet balance have default accounts.
I had create and edit a chainspec json file
"palletBalances": {
"balances": [
[
"5GrwvaEF5zXb26Fz9rcQpDWS57CtERHpNehXCPcNoHGKutQY", //Alice
1152921504606846976
],
[
"5Fem9dGJe9a6CxuGdFmpuNusGJ1GJ5CvYG78fnjngAbwY3D6",//Custom
1152921504606846976
],
[
"5EZX3rWueuPSVag6TT34G1mJmJLQZcVNiSqxSdjSoMnYoFkG",//Custom
1152921504606846976
]
]
},
"palletSudo": {
"key": "5Ffm9dHJe9a6CxuGdFmpuNusGJ1GJ5CvYG78fnjngAbwY3D6"
}
When i run substrate-front-end-template
i can't see my accounts
5Fem9dGJe9a6CxuGsFmpuNusGJ1GJ8CvYG78fnjngAbwY3D6
5EZX3rWueuPSVag6Tt34G1mJmJLqZcVNiSqxSdjSoMnYoFkG
How added custom accounts in pallet balance ?
You need to ensure you have the keys in your keyring. here is where they are loaded - the easiest way to manage these is via the https://polkadot.js.org/extension/ and I would highly recommend using that. Then the accounts will appear on the frontend template. You should see the endowed accounts in the chain state, if you query for it. Here is an example
When we try to execute the below elastic alias swap query with custom user, it throws action [indices:admin/aliases] is unauthorized for user.
POST /_aliases
{
"actions" : [
{ "add": { "index": "test_2", "alias": "test" } },
{ "remove_index": { "index": "test" } }
]
}
But with the same user, the following alias creation query works fine.
POST /_aliases
{
"actions" : [
{ "add": { "index": "test_2", "alias": "test" } }
]
}
Custom user has all privileges for indices starting with test* (we want this user only to be used for indices & alias management starting with test)
If we add all indices for this user, then first query works. I don't know why the user needs permission to all indices if I need to delete index starting with test.
The user should be assigned a role with the following index privileges:
Indices: test*
Privileges: manage
This will ensure the user will have all the privileges to manage all the indices/aliases that start with test
I have a multi-tenant system and I am trying to design ElasticSearch to support multi-tenancy. I've searched on the net but all post I've found does not specify in practice how to do it.
The basic idea is to have on each index, 1 shard per customer and use custom routing to query the customer dedicated shard. This is clear. Now, how can I implement this? How can create multiple shards per index specifying the "key value" in order to query that specific shard in future? Code example will be helpful.
Thank you so much.
I don't think this is the correct way to achieve multi-tenancy, not at the shard-level.
What do you want to achieve exactly? I'd assume that you want that different users (or, better, different roles) can access different portions of an index. In this case, you should have a look at document-level security permissions.
How to achieve this in practice? Let's say that you have an index named multitenants-index, and you have two tenants such that: (i) the first tenant can read/write only those documents having the field "tenant": 1, (ii) the second tenant can read/write only those documents having the field "tenant": 2. Then, you might create the following two roles:
POST /_xpack/security/role/first_tenant
{
"indices": [
{
"names": [ "multitenants-index" ],
"privileges": [ "read", "write" ],
"query": "{\"match\": {\"tenant\": 1}}"
}
]
}
POST /_xpack/security/role/second_tenant
{
"indices": [
{
"names": [ "multitenants-index" ],
"privileges": [ "read", "write" ],
"query": "{\"match\": {\"tenant\": 2}}"
}
]
}
I am very new to document based databases and am using the Cosmos Document DB from Azure in my Springboot application.
I have a data structure like this:
User:
{
"firstname": "Bob",
"password": "asdf",
"roles": [
{
"rights": [
{
"name": "RIGHT_READ"
},
{
"name": "RIGHT_WRITE"
}
],
"name": "ROLE_ADMIN",
"id": "0d5299e0-836c-494d-9299-e0836c294d55"
}
],
"id": "0a9030f1-30f8-4d23-9030-f130f85d23e7",
"email": "email#mail.com",
"username": "admin",
"lastname": "Martin"
}
Role:
{
"rights": [
{
"name": "RIGHT_READ"
},
{
"name": "RIGHT_WRITE"
}
],
"name": "ROLE_ADMIN",
"id": "0d5299e0-836c-494d-9299-e0836c294d55"
}
The user stores all roles that he is assigned to. In this case, the user stores the role ROLE_ADMIN that contains several rights.
If I am now updating the role ROLE_ADMIN, e.g. by adding a right, and storing this again in the database via documentClient.replaceDocument(docLink, role, null); the reference of this entity that is stored in the user is not updated. User still contains a role with two rights instead of three then.
Do I have to update all references manually or am I missing something?
CosmosDB is a non-relational database. If you are using it as a relational database then you have to do all the cascading updates manually, as CosmosDB itself doesn't know that you are referencing another document from the database. Each document is agnostic from the other.
Based on this example you also have a data integrity issue. You are storing the rights in both the role object but also the user object. What you should do instead is store the rights in the role object and then just use the role id in the user object and query for the rights based on the role id. That that way you only update the roles.