当前位置：网站首页>[es practice] use the native realm security mode on es

[es practice] use the native realm security mode on es

2022-07-05 05:18:00 【Gu Dong】

ES6.7 Version security and audit

List of articles

ES6.7 Version security and audit

Anonymous access （ Excessive safety grayscale ）

stay elasticsearch.yml Add a configuration item to the file . Represent anonymous users to have super user permissions .

xpack.security.authc.anonymous.roles: superuser

Adjust the cluster configuration ( Secondary development of source code ), Support dynamic opening and closing of anonymous access .

PUT /_cluster/settings
{
    
"persistent":{
    
	"xpack.security.authc.anonymous.enabled":"true"
	}
}

Use native realm Way to authenticate account permissions

To configure native realm

native In fact, it is the default , After the security feature is turned on, the status is enabled . Can be in elasticsearch.yml User defined adjustments are made through configuration items in the file , The configuration has been adjusted and needs to be restarted to take effect .

  security:
    authc:
      realms:
        native1:
          type: native
          order: 0

Configuration item description

The attribute name	explain
type	mandatory . Authority authentication management type
order	realms In the chain realm The priority of the .Defaults to `Integer.MAX_VALUE`.
enabled	I Indicates whether realm.Defaults to `true`.
cache.ttl	Cache the lifetime of user entries . Defaults to `20m`.
cache.max_users	The maximum number of user entries that can exist in the cache at any given time . Defaults to 100,000.
cache.hash_algo	Hash algorithm for user credentials cached in memory .Defaults to `ssha256`.
authentication.enabled	If set to `false`, Then disable this realm Authentication support in , Make it only support user search .Defaults to `true`.

Manage the use of API

Please refer to the official website for details security-api

establish / Modify role

Permission description reference ： Permissions section

POST _xpack/security/role/{
    rolename}
{
    
    "cluster": ["all"],
 	"indices": [{
    "names": ["*"],"privileges": ["all"]}]
}

View assigned roles

GET _xpack/security/role/{
    rolename}

see all role

GET _xpack/security/role

Delete the role

DELETE _xpack/security/role/{
    rolename}

establish / Modify the user

POST _xpack/security/user/jacknich
{
    
  "password" : "[email protected]",
  "roles" : [ "admin", "other_role1" ],
  "full_name" : "Jack Nicholson",
  "email" : "[email protected]",
}

Query the user

GET _xpack/security/user/{
    username}

Change Password

POST _xpack/security/user/{
    username}/_password
{
    
  "password" : "s3cr3t"
}

Disable users

PUT _xpack/security/user/{
    username}/_disable

Enable users

PUT /_xpack/security/user/{
    username}/_enable

Authority verification

GET _xpack/security/user/_has_privileges
{
    
  "cluster": [ "monitor", "manage" ],
  "index" : [
    {
    
      "names": [ "suppliers", "products" ],
      "privileges": [ "read" ]
    },
    {
    
      "names": [ "inventory" ],
      "privileges" : [ "read", "write" ]
    }
  ],
  "application": [
    {
    
      "application": "inventory_manager",
      "privileges" : [ "read", "data:write/inventory" ],
      "resources" : [ "product/1852563" ]
    }
  ]
}

Be careful

Create a character first , The main use of cluster and indices
Users and roles Partial modification is not supported , When modifying, you need to bring all the configurations on the request body
Delete roles individually , The role attribute in the user will not be deleted . You should first clear the role name in the user , Prevent creating roles with duplicate names later , Lead to ultra vires .

Audit the security log

You can enable auditing to track security related events , For example, authentication failure and connection rejection . Logging these events enables you to monitor suspicious activity in the cluster , And provide evidence in the event of an attack .

The audit log is closed by default , Need to be in elasticsearch.yml File by setting xpack.security.audit.enabled to true Open .

There are two ways to output audit logs , But at present, the way of writing index has been abandoned . Write directly to the log file .

By default , Only use... When enabling auditing logfile Output , Implicitly output to <clustername>_audit.log and <clustername>_access.log.

Audit event type

Event type name	explain
`anonymous_access_denied`	Record when the request is rejected due to lack of authentication token .
`authentication_success`	Record when the user successfully authenticates .
`authentication_failed`	Record when the authentication token cannot match a known user .
`realm_authentication_failed`	Record each realm that failed to provide a valid authentication token . `<realm>` Indicates the domain type .
`access_denied`	When authenticated users try to perform what they don't need jurisdiction To perform the operation .
`access_granted`	Record when authenticated users try to perform actions that they have the required permissions to perform . When included `system_access_granted` When an event is , All systems will also be recorded （ Inside ） operation . The default setting is not to record system operations to avoid log confusion .
`run_as_granted`	When an authenticated user tries run as Another user who has the necessary permissions is recorded .
`run_as_denied`	When an authenticated user tries [run as] Record when another user operates , They don't have to [privilege] You can do this .
`tampered_request`	Record when the security function detects that the request has been tampered with . When rolling ID When it is considered to have been tampered with , Usually with “ Search for / rolling ” Request the relevant .
`connection_granted`	When it comes to TCP Connect through a specific profile IP filter Time record .
`connection_denied`	When incoming TCP The connection did not pass through a specific profile IP filter Time record .

Audit event attributes （ public ）

stay 6.5.0 in , There is a new log file audit output format . This format also brings some changes to the attributes of audit events . Output the new format to <clustername>_audit.log file . Audit entries are formatted as flat JSON file （ in other words , No nested objects ）, Each row of a . therefore , The property name is JSON key , They follow the dotted name syntax . Do not output any missing values (null) Properties of . The following list shows the properties common to all audit events . Their names and values are similar to those in deprecated log files or index output formats . however , It is expected that these formats will be in 6.x Independent development during version , Therefore, it is recommended to follow the attribute description of the format you are using .

Property name	explain
`@timestamp`	Time of event , use ISO9601 Format .
`node.name`	Name of node . This can be done in `elasticsearch.yml` Change... In the configuration file .
`node.id`	Node identification . This is automatically generated , And it will remain unchanged when the whole cluster is restarted .
`host.ip`	Binding of nodes IP Address , Nodes can communicate with it .
`host.name`	Unresolved node hostname .
`origin.address`	The source of the request associated with this event IP Address . This may be the address of the remote client 、 The address of another cluster node or the binding address of the local node （ If the request originates locally ）. Unless the remote client connects directly to the cluster , otherwise Client address It will actually be the first one in front of the cluster OSI The first 3 Address of layer agent .
`origin.type`	The source type of the request associated with this event ：`rest`（ The request originated from REST API request ）、`transport`（ Request received on transmission channel ） or `local_node`（ The local node sends a request ）.
`event.type`	The internal processing layer that generates events ：`rest`、`transport` or `ip_filter`. This is related to `origin.type` Different , Because from REST API The request of is translated into many transmission messages , Build with `origin.type: rest` and `event.type: transport` Audit events .
`event.action`	Type of event that occurred ： `anonymous_access_denied`, `authentication_failed`, `authentication_success`, `realm_authentication_failed`, `access_denied`, `access_granted`, `connection_denied`, `connection_granted`, `tampered_request`, `run_as_denied`, or `run_as_granted`.
`opaque_id`	Of the request associated with this event `X-Opaque-Id`HTTP header （ If there is ） Value . Clients are free to use this header to mark API call , Because it is in Elasticsearch There is no semantics in .
`x_forwarded_for`	Of the request associated with the audit event `X-Forwarded-For`HTTP Request header （ If there is ） Verbatim record value of . This header is usually added by the agent when forwarding the request , Value is the address of the proxy client . When requests span multiple agents , The header is a comma separated list , The last value is the address of the penultimate proxy server （ The address of the last proxy server is determined by `origin.address` Field assignment ）.

to examine REST Event attribute of event type

The events with event.type equal to rest have one of the following event.action attribute values: authentication_success, anonymous_access_denied, authentication_failed, realm_authentication_failed, tampered_request or run_as_denied.

Property name	explain
url.path	Associated with this event REST Requested URL The path part of （ Between port and query string ）. This is a URL Coded .
url.query	Associated with this event REST Requested URL The query part of （“？” after , If there is ）. This is a URL Coded .
request.method	Associated with this event REST Requested HTTP Method . It is GET、POST、PUT、DELETE、OPTIONS、HEAD、PATCH、TRACE and CONNECT One of .
request.body	Associated with this event REST The complete content of the request （ If enabled ）. This contains the query body . Text basis JSON RFC 4627 Transference .

to examine TRASNPORT Event attribute of event type

The events with event.type equal to transport have one of the following event.action attribute values: authentication_success, anonymous_access_denied, authentication_failed, realm_authentication_failed, access_granted, access_denied, run_as_granted, run_as_denied, or tampered_request.

Property name	explain
action	The name of the transfer operation that has been performed . This is similar to REST Requested URL.
indices	The array of index names to which the request associated with this event belongs （ If applicable ）.
`request.name`	The name of the executed request handler .

Audit ip_filter Event attribute of event type

The events with event.type equal to ip_filter have one of the following event.action attribute values: connection_granted or connection_denied.

Property name	explain
transport_profile	The transfer profile for which the request is made .
rule	To refuse a request IP Filter The rules .

Additional audit event attributes for specific events

authentication_success:
- realm
  Successfully verify the name of the user's realm .
- user.name
  It works User name . This is usually related to authenticated Same user , But if Run the function as authorized This means impersonated User name .
- user.run_by.name
  Only if requested Run as an authorization function And indicate the name , This attribute only exists authenticated The identity of the user , Also known as impersonator.
authentication_failed:
- user.name
  The name of the unauthenticated user . If the request authentication token is invalid or cannot be resolved , This information may be missing .
realm_authentication_failed:
- user.name
  The name of the unauthenticated user .
- realm
  The name of the realm that rejected this authentication . This event generates .
run_as_denied and run_as_granted:
- user.roles
  User's role group .
- user.name
  Be granted or denied impersonation Operation of the authenticated User name .
- user.realm
  authenticated The domain name of the user .
- user.run_as.name
  Grant or deny impersonation The name of the user who operated .
- user.run_as.realm
  impersonated The domain name of the user .
access_granted or access_denied:
- user.roles
  User's role group .
- user.name
  Authorized or unauthorized It works User name . This is usually authenticated user , But if Run the function as authorized Instead of Express impersonated User name .
- user.realm
  It works The domain name of the user .
- user.run_by.name
  Only if requested Run as an authorization function And indicate the name , This attribute only exists authenticated The identity of the user , Also known as impersonator.
- user.run_by.realm
  Only if requested Run as an authorization function And indicate the name , This attribute only exists authenticated (impersonator) The domain of the user .

The level of logs can be dynamically adjusted

PUT /_cluster/settings
{
    
  "persistent": {
    
    "logger.org.elasticsearch.xpack.security.audit.logfile.DeprecatedLoggingAuditTrail": "off"
  }
}

Audit log events ignore policies

Through configuration items, policy related logs can be ignored in logs

user

xpack.security.audit.logfile.events.ignore_filters.<policy_name>.users

Authority authentication field

xpack.security.audit.logfile.events.ignore_filters.<policy_name>.realms

role

xpack.security.audit.logfile.events.ignore_filters.<policy_name>.roles

Indexes

xpack.security.audit.logfile.events.ignore_filters.<policy_name>.indices

Example

xpack.security.audit.logfile.events.ignore_filters:
  example1:
    users: ["kibana", "admin_user"]
    indices: ["app-logs*"]
    roles: ["admin", "ops_admin_*"]

The audit event log contains the request body

Please be there. elasticsearch.yml Edit the following settings in the file ：

xpack.security.audit.logfile.events.emit_request_body: true

原网站

版权声明
本文为[Gu Dong]所创，转载请带上原文链接，感谢
https://yzsam.com/2022/186/202207050516093206.html