ElasticSearch 8.0: creating users, user groups (roles), granting privileges, and querying privileges

Default accounts and roles
After the ES database is installed there are 7 default accounts: elastic (role superuser), kibana (role kibana_system), kibana_system (role kibana_system), logstash_system (role logstash_system), beats_system (role beats_system), apm_system (role apm_system), remote_monitoring_user (roles remote_monitoring_collector, remote_monitoring_agent).

After installation there are also roughly 30 default roles, including superuser, transform_admin, kibana_admin, kibana_user, kibana_system, watcher_admin, watcher_user, monitoring_user and others.

View users and roles
curl -XGET -uelastic:XXXXXX "https://woncnesdbtest1:9200/_security/role?pretty" -k
curl -XGET -uelastic:XXXXXX "https://woncnesdbtest1:9200/_security/user?pretty" -k

View native users. Native users are the non-built-in users, i.e. the ones created with the _security/user API.
curl -XGET -uelastic:XXXXXX "https://woncnesdbtest1:9200/_security/_query/user?pretty" -k

View the specified user user1, which may be a native or a built-in user; the output shows which roles the user is assigned.
curl -XGET -uelastic:XXXXXX "https://woncnesdbtest1:9200/_security/user/user1" -k

View the specified native user user1; the output shows which roles the user is assigned.
curl -XGET -uelastic:XXXXXX "https://woncnesdbtest1:9200/_security/_query/user?pretty" -k -H "Content-Type: application/json" -d '{"query": {"match": {"username": "user1"}}}'

View native roles. Native roles are the non-built-in roles, i.e. the ones created with the _security/role API.
curl -XGET -uelastic:XXXXXX "https://woncnesdbtest1:9200/_security/_query/role?pretty" -k

View the specified role role1, which may be a native or a built-in role; the output shows which privileges the role holds.
curl -XGET -uelastic:XXXXXX "https://woncnesdbtest1:9200/_security/role/role1" -k

View the specified native role role1; the output shows which privileges the role holds.
curl -XGET -uelastic:XXXXXX "https://woncnesdbtest1:9200/_security/_query/role?pretty" -k -H "Content-Type: application/json" -d '{"query": {"match": {"name": "role1"}}}'

Create or update a user: _security/user/username. The password and roles parameters must both be present.
Create or update user kibanauser1 with password 888888 and grant it the roles kibana_admin and kibana_system. If the user does not exist it is created; if it already exists it is updated.

curl -XPOST -uelastic:XXXXXX "https://woncnesdbtest1:9200/_security/user/kibanauser1" -k -H "Content-Type: application/json" -d'{"password" : "888888","roles" : [ "kibana_admin","kibana_system" ]}'

With only the password parameter present, the request fails as follows

curl -XPOST -uelastic:XXXXXX "https://woncnesdbtest1:9200/_security/user/kibanauser1" -k -H "Content-Type: application/json" -d'{"password" : "888888"}'
{"error":{"root_cause":[{"type":"action_request_validation_exception","reason":"Validation Failed: 1: roles are missing;"}],"type":"action_request_validation_exception","reason":"Validation Failed: 1: roles are missing;"},"status":400}

With only the roles parameter present, the request fails as follows if the user does not exist yet; if the user already exists, it updates the user's role assignment

curl -XPOST -uelastic:XXXXXX "https://woncnesdbtest1:9200/_security/user/lukes12" -k -H "Content-Type: application/json" -d'{"roles" :"superuser"}'
{"error":{"root_cause":[{"type":"validation_exception","reason":"Validation Failed: 1: password must be specified unless you are updating an existing user;"}],"type":"validation_exception","reason":"Validation Failed: 1: password must be specified unless you are updating an existing user;"},"status":400}


Change only the password of user kibanauser1: _security/user/username/_password

curl -XPOST -uelastic:XXXXXX "https://woncnesdbtest1:9200/_security/user/kibanauser1/_password" -k -H "Content-Type: application/json" -d'{"password" : "666666"}'

Some built-in users only allow their password to be changed, not the roles granted to them, for example the built-in user kibana.
Change the password of user kibana to 123456

curl -XPOST -uelastic:XXXXXX "https://woncnesdbtest1:9200/_security/user/kibana/_password" -k -H "Content-Type: application/json" -d'{"password" : "123456"}'

Changing the password of user kibana to 123456 through the user endpoint (with roles included) fails with: user [kibana] is reserved and only the password can be changed

curl -XPOST -uelastic:XXXXXX "https://woncnesdbtest1:9200/_security/user/kibana" -k -H "Content-Type: application/json" -d'{"password" : "123456","roles" : [ "kibana_admin","kibana_system" ]}'
{"error":{"root_cause":[{"type":"action_request_validation_exception","reason":"Validation Failed: 1: user [kibana] is reserved and only the password can be changed;"}],"type":"action_request_validation_exception","reason":"Validation Failed: 1: user [kibana] is reserved and only the password can be changed;"}

Changing the roles of user kibana to kibana_admin fails with: user [kibana] is reserved and only the password can be changed

curl -XPOST -uelastic:XXXXXX "https://woncnesdbtest1:9200/_security/user/kibana" -k -H "Content-Type: application/json" -d'{"roles" : "kibana_admin"}'
{"error":{"root_cause":[{"type":"action_request_validation_exception","reason":"Validation Failed: 1: user [kibana] is reserved and only the password can be changed;"}],"type":"action_request_validation_exception","reason":"Validation Failed: 1: user [kibana] is reserved and only the password can be changed;"}

Create or update a role: _security/role/rolename
Create or update role kibanarole1, granting the index-level privileges read and write on all indices (write covers the document-level privileges create, update, delete and index; the command below also grants create_index and delete_index). If the role does not exist it is created; if it already exists it is updated.

curl -XPOST -uelastic:XXXXXX "https://woncnesdbtest1:9200/_security/role/kibanarole1" -k -H "Content-Type: application/json" -d'{"indices": [{"names": [ "*" ],"privileges": [ "read","write","create_index", "delete_index"]}]}'

Create or update role readonly, granting the index-level read privilege on all indices

curl -XPOST -uelastic:XXXXXX "https://woncnesdbtest1:9200/_security/role/readonly" -k -H "Content-Type: application/json" -d'{"indices": [{"names": [ "*" ],"privileges": [ "read" ]}]}'
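The curl calls above can be wrapped in a small client that builds the same request bodies and checks, before sending anything, the three rules the error responses on this page document: roles must be present, a password is required unless the user already exists, and reserved (built-in) accounts only accept the _password endpoint. The code below is an added example, not the blog author's code. It assumes the host https://woncnesdbtest1:9200 from the page as a placeholder, uses only the standard library, and replaces curl's -k with an optional CA file so the cluster certificate is actually verified. The reserved-user set is the list of seven built-in accounts given at the top of the page; the error strings are copied from the responses shown above.

```python
"""Build, validate and send Elasticsearch _security user/role requests (added example)."""
import base64
import json
import ssl
import urllib.error
import urllib.request

# The seven built-in accounts listed at the top of the page. They are reserved,
# so only /_security/user/<name>/_password may change them.
RESERVED_USERS = {"elastic", "kibana", "kibana_system", "logstash_system",
                  "beats_system", "apm_system", "remote_monitoring_user"}

# Error reasons copied from the responses shown on the page.
ERR_ROLES_MISSING = "Validation Failed: 1: roles are missing;"
ERR_PASSWORD_MISSING = ("Validation Failed: 1: password must be specified "
                        "unless you are updating an existing user;")


def err_reserved(username):
    return (f"Validation Failed: 1: user [{username}] is reserved and only the "
            "password can be changed;")


def user_body(password=None, roles=None):
    """Body for POST /_security/user/<name>. A single role name becomes a one-element list."""
    body = {}
    if password is not None:
        body["password"] = password
    if roles is not None:
        body["roles"] = [roles] if isinstance(roles, str) else list(roles)
    return body


def validate_put_user(username, body, user_exists):
    """Reproduce locally the rejections the page shows. Returns None if the body
    would be accepted, otherwise the error reason the cluster would return."""
    if username in RESERVED_USERS:
        return err_reserved(username)
    if "roles" not in body:
        return ERR_ROLES_MISSING
    if "password" not in body and not user_exists:
        return ERR_PASSWORD_MISSING
    return None


def role_body(index_patterns, privileges):
    """Body for POST /_security/role/<name> with one index-privilege entry,
    e.g. role_body(["*"], ["read"]) for the readonly role above."""
    return {"indices": [{"names": list(index_patterns), "privileges": list(privileges)}]}


class SecurityClient:
    """Minimal client for the _security API using HTTP basic auth.
    ca_file points at the cluster CA certificate; None uses the system trust store."""

    def __init__(self, base_url, username, password, ca_file=None):
        self.base_url = base_url.rstrip("/")
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}",
                        "Content-Type": "application/json"}
        self.ctx = ssl.create_default_context(cafile=ca_file)

    def request(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base_url + path, data=data,
                                     headers=self.headers, method=method)
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return json.loads(resp.read())

    def user_exists(self, username):
        # GET /_security/user/<name> answers 404 for an unknown user.
        try:
            self.request("GET", f"/_security/user/{username}")
            return True
        except urllib.error.HTTPError as e:
            if e.code == 404:
                return False
            raise

    def put_user(self, username, password=None, roles=None):
        body = user_body(password, roles)
        problem = validate_put_user(username, body, self.user_exists(username))
        if problem:
            raise ValueError(problem)
        return self.request("POST", f"/_security/user/{username}", body)

    def set_password(self, username, password):
        return self.request("POST", f"/_security/user/{username}/_password",
                            {"password": password})

    def put_role(self, name, index_patterns, privileges):
        return self.request("POST", f"/_security/role/{name}",
                            role_body(index_patterns, privileges))


if __name__ == "__main__":
    # Offline check of the three failing requests shown on the page.
    print(validate_put_user("kibanauser1", user_body(password="888888"), False))
    print(validate_put_user("lukes12", user_body(roles="superuser"), False))
    print(validate_put_user("kibana", user_body(roles="kibana_admin"), True))
```

Usage against a live cluster is `SecurityClient("https://woncnesdbtest1:9200", "elastic", "XXXXXX", ca_file="/path/to/ca.crt").put_role("readonly", ["*"], ["read"])`; the local validation means a bad body is rejected with the same reason the cluster would give, without a round trip.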

posted on 2025-03-21 14:12 by 数据派  reads (723)  comments (0)