
[ES practice] Using the native realm security mode on ES

2022-07-05 05:18:00 Gu Dong

Elasticsearch 6.7 security and auditing

Anonymous access (transitional step while rolling security out gradually)

Add the following configuration item to the elasticsearch.yml file. It gives anonymous users superuser permissions.

xpack.security.authc.anonymous.roles: superuser

Adjust the cluster configuration (this requires secondary development of the source code) so that anonymous access can be switched on and off dynamically:

PUT /_cluster/settings
{
  "persistent": {
    "xpack.security.authc.anonymous.enabled": "true"
  }
}

Authenticating accounts and permissions with the native realm

Configuring the native realm

native is in fact the default realm: once the security feature is turned on, it is enabled. You can customise it through configuration items in the elasticsearch.yml file; after adjusting the configuration, the node must be restarted for the change to take effect.

xpack:
  security:
    authc:
      realms:
        native1:
          type: native
          order: 0

Configuration item description

  • type: Mandatory. The realm type (authentication management type).
  • order: Priority of this realm within the realm chain. Defaults to Integer.MAX_VALUE.
  • enabled: Whether the realm is enabled. Defaults to true.
  • cache.ttl: Lifetime of cached user entries. Defaults to 20m.
  • cache.max_users: Maximum number of user entries that can be held in the cache at any given time. Defaults to 100,000.
  • cache.hash_algo: Hash algorithm used for user credentials cached in memory. Defaults to ssha256.
  • authentication.enabled: If set to false, disables authentication support in this realm so that it only supports user lookup. Defaults to true.

Using the management APIs

For details, refer to the security-api section of the official documentation.

Create / modify a role

For a description of the permissions, see the Permissions section.

POST _xpack/security/role/{rolename}
{
  "cluster": ["all"],
  "indices": [{"names": ["*"], "privileges": ["all"]}]
}

View a specified role

GET _xpack/security/role/{rolename}

View all roles

GET _xpack/security/role

Delete a role

DELETE _xpack/security/role/{rolename}

Create / modify a user

POST _xpack/security/user/jacknich
{
  "password" : "<password>",
  "roles" : [ "admin", "other_role1" ],
  "full_name" : "Jack Nicholson",
  "email" : "<email>"
}

Query a user

GET _xpack/security/user/{username}

Change a password

POST _xpack/security/user/{username}/_password
{
  "password" : "s3cr3t"
}

Disable a user

PUT _xpack/security/user/{username}/_disable

Enable a user

PUT /_xpack/security/user/{username}/_enable

Privilege check

GET _xpack/security/user/_has_privileges
{
  "cluster": [ "monitor", "manage" ],
  "index" : [
    {
      "names": [ "suppliers", "products" ],
      "privileges": [ "read" ]
    },
    {
      "names": [ "inventory" ],
      "privileges" : [ "read", "write" ]
    }
  ],
  "application": [
    {
      "application": "inventory_manager",
      "privileges" : [ "read", "data:write/inventory" ],
      "resources" : [ "product/1852563" ]
    }
  ]
}

Notes

  • Create the role first; the cluster and indices privileges are the ones mainly used.
  • Users and roles do not support partial modification: when modifying one, the request body must carry the complete configuration.
  • Deleting a role on its own does not remove the role from the users that hold it. Clear the role name from those users first; otherwise a role later created with the same name would give them privileges they should not have.

Auditing the security log

You can enable auditing to track security-related events such as authentication failures and refused connections. Logging these events lets you monitor the cluster for suspicious activity and provides evidence in the event of an attack.

Audit logging is off by default. Enable it by setting xpack.security.audit.enabled to true in the elasticsearch.yml file.

There are two ways to output audit logs, but the index output has since been deprecated, so write directly to the log file.

By default, when auditing is enabled only the logfile output is used, which implicitly writes to <clustername>_audit.log and <clustername>_access.log.

Audit event types

  • anonymous_access_denied: Logged when a request is denied because it carries no authentication token.
  • authentication_success: Logged when a user successfully authenticates.
  • authentication_failed: Logged when the authentication token cannot be matched to a known user.
  • realm_authentication_failed: Logged for every realm that fails to accept the authentication token as valid. <realm> indicates the realm type.
  • access_denied: Logged when an authenticated user attempts an operation they do not have the required permissions for.
  • access_granted: Logged when an authenticated user attempts an operation they have the required permissions for. When the system_access_granted event is included, all system (internal) operations are also logged. By default system operations are not logged, to avoid cluttering the log.
  • run_as_granted: Logged when an authenticated user tries to run as another user and has the necessary permission.
  • run_as_denied: Logged when an authenticated user tries to run as another user and does not have the privilege to do so.
  • tampered_request: Logged when the security feature detects that a request has been tampered with. Usually associated with search/scroll requests whose scroll ID is considered to have been tampered with.
  • connection_granted: Logged when an incoming TCP connection passes the IP filter for a specific profile.
  • connection_denied: Logged when an incoming TCP connection does not pass the IP filter for a specific profile.

Audit event attributes (common)

In 6.5.0 a new log file audit output format was introduced, which also brought some changes to the attributes of audit events. The new format is written to the <clustername>_audit.log file. Audit entries are formatted as flat JSON documents (that is, with no nested objects), one per line. The attribute names are therefore JSON keys and follow a dotted naming syntax. Attributes with no value (null) are not output. The following list shows the attributes common to all audit events. Their names and values resemble those of the deprecated log file and index output formats; however, these formats are expected to evolve independently during 6.x, so follow the attribute description of the format you are actually using.

  • @timestamp: Time of the event, in ISO 8601 format.
  • node.name: Name of the node. This can be changed in the elasticsearch.yml configuration file.
  • node.id: Node identifier. It is generated automatically and stays the same across full cluster restarts.
  • host.ip: The IP address the node is bound to, through which other nodes can communicate with it.
  • host.name: The unresolved hostname of the node.
  • origin.address: The source IP address of the request associated with this event. This may be the address of a remote client, of another cluster node, or the bound address of the local node (if the request originated locally). Unless the remote client connects directly to the cluster, the client address is in fact the address of the first OSI layer 3 proxy in front of the cluster.
  • origin.type: The source type of the request associated with this event: rest (the request originated as a REST API request), transport (the request was received on the transport channel) or local_node (the local node issued the request).
  • event.type: The internal processing layer that generated the event: rest, transport or ip_filter. This differs from origin.type because a request from the REST API is translated into many transport messages, producing audit events with origin.type: rest and event.type: transport.
  • event.action: The type of event that occurred: anonymous_access_denied, authentication_failed, authentication_success, realm_authentication_failed, access_denied, access_granted, connection_denied, connection_granted, tampered_request, run_as_denied, or run_as_granted.
  • opaque_id: The value of the X-Opaque-Id HTTP header (if present) of the request associated with this event. Clients are free to use this header to mark API calls, since Elasticsearch attaches no semantics to it.
  • x_forwarded_for: The verbatim value of the X-Forwarded-For HTTP request header (if present) of the request associated with the audit event. This header is usually added by a proxy when forwarding the request, and its value is the address of the proxied client. When a request crosses several proxies the header is a comma-separated list whose last value is the address of the penultimate proxy (the address of the last proxy is given by the origin.address field).

Audit event attributes for the rest event type

Events with event.type equal to rest have one of the following event.action values: authentication_success, anonymous_access_denied, authentication_failed, realm_authentication_failed, tampered_request or run_as_denied.

  • url.path: The path part of the URL of the REST request associated with this event (between the port and the query string). This is URL-encoded.
  • url.query: The query part of the URL of the REST request associated with this event (after the "?", if present). This is URL-encoded.
  • request.method: The HTTP method of the REST request associated with this event. One of GET, POST, PUT, DELETE, OPTIONS, HEAD, PATCH, TRACE and CONNECT.
  • request.body: The full content of the REST request associated with this event (if enabled). This includes the query body. The text is escaped according to JSON RFC 4627.

Audit event attributes for the transport event type

Events with event.type equal to transport have one of the following event.action values: authentication_success, anonymous_access_denied, authentication_failed, realm_authentication_failed, access_granted, access_denied, run_as_granted, run_as_denied, or tampered_request.

  • action: The name of the transport action that was executed. This is analogous to the URL of a REST request.
  • indices: The array of index names that the request associated with this event relates to (if applicable).
  • request.name: The name of the request handler that was executed.

Audit event attributes for the ip_filter event type

Events with event.type equal to ip_filter have one of the following event.action values: connection_granted or connection_denied.

  • transport_profile: The transport profile the request was made for.
  • rule: The IP filter rule that denied the request.

Additional audit event attributes for specific events

  • authentication_success:

    • realm: The name of the realm that successfully authenticated the user.
    • user.name: The effective user name. This is usually the same as the authenticated user, but if the run as authorization feature was used it is the name of the impersonated user.
    • user.run_by.name: Present only if the run as authorization feature was requested; gives the name of the authenticated user, also known as the impersonator.

  • authentication_failed:

    • user.name: The name of the user that failed to authenticate. This may be missing if the authentication token in the request is invalid or cannot be parsed.

  • realm_authentication_failed:

    • user.name: The name of the user that failed to authenticate.
    • realm: The name of the realm that rejected this authentication. This event is generated per realm.

  • run_as_denied and run_as_granted:

    • user.roles: The user's set of roles.
    • user.name: The name of the authenticated user who was granted or denied the impersonation operation.
    • user.realm: The realm name of the authenticated user.
    • user.run_as.name: The name of the user that the impersonation operation was granted or denied for.
    • user.run_as.realm: The realm name of the impersonated user.

  • access_granted or access_denied:

    • user.roles: The user's set of roles.
    • user.name: The effective user name that was granted or denied access. This is usually the authenticated user, but if the run as authorization feature was used it is instead the name of the impersonated user.
    • user.realm: The realm name of the effective user.
    • user.run_by.name: Present only if the run as authorization feature was requested; gives the name of the authenticated user, also known as the impersonator.
    • user.run_by.realm: Present only if the run as authorization feature was requested; gives the realm of the authenticated (impersonator) user.
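Added example (not code from the original post): a small Python triage over constructed lines in the flat-JSON <clustername>_audit.log format described above, grouping the events a defender reviews first: repeated authentication failures per source address, denied actions, run as (impersonation) use and unauthenticated probes. The sample lines, the failure threshold and the helper names are my own and are not output from a real cluster.

```python
import json
from collections import Counter, defaultdict

# Constructed sample of the flat-JSON <clustername>_audit.log format described
# above (dotted keys, one event per line). These are not lines from a real cluster.
SAMPLE_AUDIT_LOG = """\
{"@timestamp":"2022-07-05T05:10:01,001","node.name":"node-1","event.type":"rest","event.action":"authentication_failed","user.name":"elastic","origin.type":"rest","origin.address":"10.0.0.9:51000","url.path":"/_cluster/health","request.method":"GET"}
{"@timestamp":"2022-07-05T05:10:01,350","node.name":"node-1","event.type":"rest","event.action":"authentication_failed","user.name":"admin","origin.type":"rest","origin.address":"10.0.0.9:51002","url.path":"/_cluster/health","request.method":"GET"}
{"@timestamp":"2022-07-05T05:10:02,002","node.name":"node-1","event.type":"rest","event.action":"realm_authentication_failed","realm":"native1","user.name":"kibana","origin.type":"rest","origin.address":"10.0.0.9:51004","url.path":"/_cluster/health","request.method":"GET"}
{"@timestamp":"2022-07-05T05:10:05,000","node.name":"node-1","event.type":"transport","event.action":"access_denied","user.name":"jacknich","user.realm":"native1","user.roles":["other_role1"],"origin.type":"rest","origin.address":"10.0.0.7:40210","action":"cluster:admin/xpack/security/user/put","request.name":"PutUserRequest"}
{"@timestamp":"2022-07-05T05:10:06,000","node.name":"node-1","event.type":"transport","event.action":"run_as_granted","user.name":"svc_proxy","user.realm":"native1","user.roles":["proxy_role"],"user.run_as.name":"jacknich","user.run_as.realm":"native1","origin.type":"rest","origin.address":"10.0.0.7:40212","action":"indices:data/read/search","indices":["inventory"]}
{"@timestamp":"2022-07-05T05:10:07,000","node.name":"node-1","event.type":"rest","event.action":"anonymous_access_denied","origin.type":"rest","origin.address":"203.0.113.5:2222","url.path":"/_xpack/security/user","request.method":"GET"}
"""

def parse_audit_log(text):
    """One flat-JSON event per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def client_ip(event):
    # origin.address is "ip:port"; drop the ephemeral port so attempts group per host
    return event.get("origin.address", "").rsplit(":", 1)[0]

def triage(events, fail_threshold=3):
    """Group what a defender reviews first: guessing per IP, denied actions, run_as use, anonymous probes."""
    failed = Counter()
    failed_users = defaultdict(set)
    denied, run_as, anonymous = [], [], []
    for ev in events:
        action = ev["event.action"]
        if action in ("authentication_failed", "realm_authentication_failed"):
            ip = client_ip(ev)
            failed[ip] += 1
            failed_users[ip].add(ev.get("user.name", "<unknown>"))
        elif action == "access_denied":
            denied.append((ev["user.name"], ev.get("action") or ev.get("url.path")))
        elif action in ("run_as_granted", "run_as_denied"):
            run_as.append((ev["user.name"], ev["user.run_as.name"], action))
        elif action == "anonymous_access_denied":
            anonymous.append((client_ip(ev), ev.get("url.path")))
    return {
        # several distinct user names failing from one address is the classic guessing pattern
        "suspect_ips": {ip: sorted(failed_users[ip]) for ip, n in failed.items() if n >= fail_threshold},
        "access_denied": denied,
        "run_as": run_as,
        "anonymous_denied": anonymous,
    }

if __name__ == "__main__":
    print(json.dumps(triage(parse_audit_log(SAMPLE_AUDIT_LOG)), indent=2))
```

Because user.roles and indices are arrays even in the flat format, the same loop can be extended to flag access_denied events that name a role or index of interest.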

The logger level can be adjusted dynamically; here the deprecated logging audit trail is switched off:

PUT /_cluster/settings
{
  "persistent": {
    "logger.org.elasticsearch.xpack.security.audit.logfile.DeprecatedLoggingAuditTrail": "off"
  }
}

Audit log event ignore policies

Through the following configuration items, events matching a policy can be omitted from the audit log:

  • users

    xpack.security.audit.logfile.events.ignore_filters.<policy_name>.users

  • authentication realms

    xpack.security.audit.logfile.events.ignore_filters.<policy_name>.realms

  • roles

    xpack.security.audit.logfile.events.ignore_filters.<policy_name>.roles

  • indices

    xpack.security.audit.logfile.events.ignore_filters.<policy_name>.indices

Example

xpack.security.audit.logfile.events.ignore_filters:
  example1:
    users: ["kibana", "admin_user"]
    indices: ["app-logs*"]
    roles: ["admin", "ops_admin_*"]
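Added example (not from the original post): the example1 policy above re-expressed in Python so its edge cases can be tried offline. The matching rules (an event is dropped when every rule of a policy matches; for roles and indices every value in the event must be covered; an event lacking the attribute never satisfies the rule; "*" behaves like a shell glob) are my reading of the 6.x audit settings reference and are assumptions here, and the sample events are constructed.

```python
from fnmatch import fnmatchcase

# The example1 policy from the elasticsearch.yml snippet above, as a Python dict.
IGNORE_FILTERS = {
    "example1": {
        "users": ["kibana", "admin_user"],
        "indices": ["app-logs*"],
        "roles": ["admin", "ops_admin_*"],
    }
}

# Flat-JSON audit attribute each rule is matched against (key names as documented
# above). Assumption: a rule on an attribute the event lacks never matches.
RULE_ATTRIBUTE = {"users": "user.name", "roles": "user.roles", "indices": "indices"}


def _matches(value, patterns):
    # Assumption: '*' wildcards behave like case-sensitive shell globbing.
    return any(fnmatchcase(value, p) for p in patterns)


def rule_matches(event, rule, patterns):
    """Single-valued rules match if the attribute matches any pattern; the
    multi-valued roles/indices rules only if every value in the event is covered."""
    if rule == "realms":  # transport events carry user.realm, authentication events realm
        value = event.get("user.realm", event.get("realm"))
    else:
        value = event.get(RULE_ATTRIBUTE[rule])
    if not value:
        return False
    if isinstance(value, list):
        return all(_matches(v, patterns) for v in value)
    return _matches(value, patterns)


def is_ignored(event, policies=IGNORE_FILTERS):
    """An event is dropped when every rule of at least one policy matches it."""
    return any(all(rule_matches(event, r, p) for r, p in policy.items()) for policy in policies.values())


# Constructed events (not real cluster output) that probe the policy's edges.
KIBANA_APP_LOGS = {"event.action": "access_granted", "user.name": "kibana", "user.roles": ["admin"], "indices": ["app-logs-2022.07.05"]}
KIBANA_MIXED = {"event.action": "access_granted", "user.name": "kibana", "user.roles": ["admin"], "indices": ["app-logs-2022.07.05", "inventory"]}
ADMIN_EXTRA_ROLE = {"event.action": "access_granted", "user.name": "admin_user", "user.roles": ["admin", "superuser"], "indices": ["app-logs-1"]}
KIBANA_AUTH_FAILED = {"event.action": "authentication_failed", "user.name": "kibana"}
```

The mixed-index and extra-role events show why a policy written to silence kibana's routine writes still lets its out-of-pattern activity through, which is the behaviour you want from an ignore filter.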

Including the request body in audit events

Edit the following setting in the elasticsearch.yml file:

xpack.security.audit.logfile.events.emit_request_body: true

Note that the bodies of the user-management requests shown above carry passwords, so with this setting enabled they are written to the audit log as plain text.

Copyright notice: this article was written by Gu Dong; when reposting, please include the original link: https://yzsam.com/2022/186/202207050516093206.html