Letting Open Distro users change their own passwords
Changing it through the Open Distro REST API
Try changing your own password from the Kibana console as a user who has no REST API permission:
```
PUT _opendistro/_security/api/internalusers/<ユーザ名>
{
  "password": "パスワード"
}
```
Even when you do this, you get:
```json
{
  "status": "FORBIDDEN",
  "message": "No permission to access REST API: User <ユーザ名> with Open Distro Security Roles [<ロール名>, own_index] does not have any role privileged for admin access. No client TLS certificate found in request"
}
```
so without the permission it simply errors out.
- `<ロール名>` is the name of the role mapped to the account that is currently logged in.
There is an issue on opendistro-for-elasticsearch/security that has been labeled as an enhancement, but it is not clear when it will be addressed.
https://github.com/opendistro-for-elasticsearch/security/issues/47
Access to the REST API can be controlled per role.
See https://opendistro.github.io/for-elasticsearch-docs/docs/security-access-control/api/#access-control-for-the-api.
elasticsearch.yml contains the following entry, which allows the all_access and security_rest_api_access roles to use the API:
```yaml
# ...
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
# ...
```
Any role listed here gets every API endpoint. Separately, you can disable individual methods per endpoint:
```yaml
# ...
opendistro_security.restapi.endpoints_disabled.<role>.<endpoint>: ["<method>", ...]
# ...
```
Since the only thing we want is for a user to change their own password, allow nothing but PUT on internalusers:
```yaml
# ...
opendistro_security.restapi.endpoints_disabled.<role>.ACTIONGROUPS: ["GET", "PUT","POST","DELETE","PATCH"]
opendistro_security.restapi.endpoints_disabled.<role>.ROLES: ["GET", "PUT","POST","DELETE","PATCH"]
opendistro_security.restapi.endpoints_disabled.<role>.ROLESMAPPING: ["GET", "PUT","POST","DELETE","PATCH"]
opendistro_security.restapi.endpoints_disabled.<role>.INTERNALUSERS: ["GET", "POST","DELETE","PATCH"]
opendistro_security.restapi.endpoints_disabled.<role>.CONFIG: ["GET", "PUT","POST","DELETE","PATCH"]
opendistro_security.restapi.endpoints_disabled.<role>.CACHE: ["GET", "PUT","POST","DELETE","PATCH"]
opendistro_security.restapi.endpoints_disabled.<role>.LICENSE: ["GET", "PUT","POST","DELETE","PATCH"]
opendistro_security.restapi.endpoints_disabled.<role>.SYSTEMINFO: ["GET", "PUT","POST","DELETE","PATCH"]
# ...
```
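Because `endpoints_disabled` is a deny list layered on top of `roles_enabled`, it is easy to leave a method open by accident. The following is an added example (not code from the post or from Open Distro) that computes the effective access matrix for a role from the two settings above, so a lock-down like "only PUT on INTERNALUSERS" can be checked before restarting the cluster. The endpoint and method names are the ones the post lists; parsing the settings out of flat `key: [list]` lines and the role name `pw_change` in the sample are assumptions of this helper.

```javascript
// Added example, not from the post: effective Open Distro Security REST API
// access per role, derived from roles_enabled (allow list of roles) and
// endpoints_disabled (deny list of methods per endpoint for each role).

const ENDPOINTS = ['ACTIONGROUPS', 'ROLES', 'ROLESMAPPING', 'INTERNALUSERS',
  'CONFIG', 'CACHE', 'LICENSE', 'SYSTEMINFO'];
const METHODS = ['GET', 'PUT', 'POST', 'DELETE', 'PATCH'];

// Parse lines of the form
//   opendistro_security.restapi.roles_enabled: ["a", "b"]
//   opendistro_security.restapi.endpoints_disabled.<role>.<ENDPOINT>: ["GET", ...]
// into { rolesEnabled: Set<string>, disabled: Map<role, Map<endpoint, Set<method>>> }.
// Reading flat key/value lines is an assumption of this helper, not an Open Distro API.
function parseRestApiSettings(text) {
  const rolesEnabled = new Set();
  const disabled = new Map();
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    const kv = /^([\w.]+):\s*(\[.*\])$/.exec(line);
    if (!kv) continue; // not one of the two settings we care about
    const key = kv[1];
    const values = JSON.parse(kv[2]).map((v) => String(v));
    if (key === 'opendistro_security.restapi.roles_enabled') {
      values.forEach((role) => rolesEnabled.add(role));
      continue;
    }
    const d = /^opendistro_security\.restapi\.endpoints_disabled\.([^.]+)\.([A-Z]+)$/.exec(key);
    if (d) {
      const role = d[1];
      const endpoint = d[2];
      if (!disabled.has(role)) disabled.set(role, new Map());
      disabled.get(role).set(endpoint, new Set(values.map((m) => m.toUpperCase())));
    }
  }
  return { rolesEnabled, disabled };
}

// Effective access for one role: a role absent from roles_enabled gets
// nothing at all; an enabled role gets every method on every endpoint
// except the ones its endpoints_disabled entries name.
function effectiveAccess(settings, role) {
  const allowed = [];
  if (!settings.rolesEnabled.has(role)) return allowed;
  const denyByEndpoint = settings.disabled.get(role) || new Map();
  for (const endpoint of ENDPOINTS) {
    const denied = denyByEndpoint.get(endpoint) || new Set();
    for (const method of METHODS) {
      if (!denied.has(method)) allowed.push(method + ' ' + endpoint);
    }
  }
  return allowed;
}

// Constructed sample: the post's lock-down applied to a role named
// "pw_change" (the role name is made up for this example).
const SAMPLE_CONFIG = `
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access", "pw_change"]
opendistro_security.restapi.endpoints_disabled.pw_change.ACTIONGROUPS: ["GET", "PUT","POST","DELETE","PATCH"]
opendistro_security.restapi.endpoints_disabled.pw_change.ROLES: ["GET", "PUT","POST","DELETE","PATCH"]
opendistro_security.restapi.endpoints_disabled.pw_change.ROLESMAPPING: ["GET", "PUT","POST","DELETE","PATCH"]
opendistro_security.restapi.endpoints_disabled.pw_change.INTERNALUSERS: ["GET", "POST","DELETE","PATCH"]
opendistro_security.restapi.endpoints_disabled.pw_change.CONFIG: ["GET", "PUT","POST","DELETE","PATCH"]
opendistro_security.restapi.endpoints_disabled.pw_change.CACHE: ["GET", "PUT","POST","DELETE","PATCH"]
opendistro_security.restapi.endpoints_disabled.pw_change.LICENSE: ["GET", "PUT","POST","DELETE","PATCH"]
opendistro_security.restapi.endpoints_disabled.pw_change.SYSTEMINFO: ["GET", "PUT","POST","DELETE","PATCH"]
`;

// Report what each role of interest can still do with the REST API.
function report(configText, roles) {
  const settings = parseRestApiSettings(configText);
  const out = {};
  for (const role of roles) out[role] = effectiveAccess(settings, role);
  return out;
}

console.log(JSON.stringify(report(SAMPLE_CONFIG, ['pw_change', 'all_access', 'kibana_user']), null, 2));
```

Running it shows `pw_change` left with exactly `PUT INTERNALUSERS`, `all_access` with all 40 method/endpoint pairs, and a role that is not in `roles_enabled` with nothing, which is the behaviour the deny list is meant to produce.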
With one account per role there is no problem, but if several accounts share the role, they can change each other's passwords too, which is not good.
And with one account per role, a definition has to be added every time a role is added, which is tedious.
So instead, have a plugin switch over to an account that does have access to the REST API. Doing the switch inside the plugin seemed like a good idea, so I tried to build one.
At https://www.elastic.co/guide/en/kibana/current/development-elasticsearch.html the `admin` cluster is the account Kibana uses to manage its own state. All that is needed is to grant that account `PUT` permission.
```javascript
const {callWithInternalUser} = server.plugins.elasticsearch.getCluster('admin');
const {callWithRequest} = server.plugins.elasticsearch.getCluster('data');
// ...
// var username = taken from the current session's info via _opendistro/_security/authinfo
// var userPassword = the new password sent from the client;
// ...
await callWithInternalUser('transport.request', {
    method: "PUT",
    path: "_opendistro/_security/api/internalusers/" + username,
    body: { password : userPassword }
  }
).then(function(resp){
  // do something with the response
});
```
I figured it could be done roughly like this.
So what is this admin? It is not the Open Distro admin but the account Kibana uses to manage its own state:
```yaml
# ...
elasticsearch.username: kibanaserver
elasticsearch.password: kibanaserver
# ...
```
in other words, the Kibana server account (it may differ in your setup).
In Open Distro, kibanaserver is mapped to the kibana_server role, so the permission has to be added to that role:
```yaml
# ...
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access", "kibana_server"]
# ...
```
```yaml
opendistro_security.restapi.endpoints_disabled.kibana_server.ACTIONGROUPS: ["GET", "PUT","POST","DELETE","PATCH"]
opendistro_security.restapi.endpoints_disabled.kibana_server.ROLES: ["GET", "PUT","POST","DELETE","PATCH"]
opendistro_security.restapi.endpoints_disabled.kibana_server.ROLESMAPPING: ["GET", "PUT","POST","DELETE","PATCH"]
opendistro_security.restapi.endpoints_disabled.kibana_server.INTERNALUSERS: ["GET", "POST","DELETE","PATCH"]
opendistro_security.restapi.endpoints_disabled.kibana_server.CONFIG: ["GET", "PUT","POST","DELETE","PATCH"]
opendistro_security.restapi.endpoints_disabled.kibana_server.CACHE: ["GET", "PUT","POST","DELETE","PATCH"]
opendistro_security.restapi.endpoints_disabled.kibana_server.LICENSE: ["GET", "PUT","POST","DELETE","PATCH"]
opendistro_security.restapi.endpoints_disabled.kibana_server.SYSTEMINFO: ["GET", "PUT","POST","DELETE","PATCH"]
# ...
```
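Once kibana_server has PUT on INTERNALUSERS, any server-side code that runs as the `admin` cluster can set any internal user's password, so the plugin route is the only thing keeping the multi-account problem noted above from coming back. The following is an added example (not the post's plugin and not code from Kibana or Open Distro) of a self-service route that takes the target user name from the session via `_opendistro/_security/authinfo` rather than from the request body, sends nothing but the `password` field, and fails closed when no user is authenticated. It assumes a legacy (6.x, hapi 17 style) Kibana plugin with the two cluster handles the post uses; the route path, the `user_name` field of the authinfo response and the minimum password length are assumptions for this example.

```javascript
// Added example, not the post's code: self-service password change for a
// legacy Kibana server plugin. `adminCluster` is the post's
// getCluster('admin') (calls run as the kibanaserver account) and
// `dataCluster` is getCluster('data') (calls run as the logged-in user).

const MIN_PASSWORD_LENGTH = 12; // local policy assumed here, not an Open Distro default

// Only accept a plain user name, so the name can never rewrite the request
// path (no "/", "..", "?" and so on) before it is placed in the URL.
function isSafeUserName(name) {
  return typeof name === 'string' && /^[A-Za-z0-9_.@-]{1,64}$/.test(name);
}

function validateNewPassword(password) {
  if (typeof password !== 'string') return 'password must be a string';
  if (password.length < MIN_PASSWORD_LENGTH) return 'password too short';
  return null;
}

// Change the password of the user who owns `request`'s session.
// The target user name comes from authinfo (the session), never from the
// client-supplied body, so the kibanaserver privilege cannot be turned into
// "change anyone's password".
async function changeOwnPassword({ dataCluster, adminCluster, request, newPassword }) {
  const policyError = validateNewPassword(newPassword);
  if (policyError) return { status: 400, body: { error: policyError } };

  // Ask the security plugin who the caller is, using the caller's own credentials.
  const authInfo = await dataCluster.callWithRequest(request, 'transport.request', {
    method: 'GET',
    path: '/_opendistro/_security/authinfo',
  });
  const username = authInfo && authInfo.user_name; // assumed field of the authinfo response
  if (!isSafeUserName(username)) return { status: 401, body: { error: 'no authenticated user' } };

  // Only the password field is sent, so this path cannot touch roles or attributes.
  await adminCluster.callWithInternalUser('transport.request', {
    method: 'PUT',
    path: '/_opendistro/_security/api/internalusers/' + encodeURIComponent(username),
    body: { password: newPassword },
  });
  return { status: 200, body: { message: 'password changed', user: username } };
}

// Register the route from the plugin's init(server) hook (hapi 17 handler shape).
function registerRoute(server) {
  const adminCluster = server.plugins.elasticsearch.getCluster('admin');
  const dataCluster = server.plugins.elasticsearch.getCluster('data');
  server.route({
    method: 'POST',
    path: '/api/change_own_password', // assumed route path
    handler: async (request, h) => {
      const newPassword = request.payload && request.payload.password;
      const result = await changeOwnPassword({ dataCluster, adminCluster, request, newPassword });
      return h.response(result.body).code(result.status);
    },
  });
}

if (typeof module !== 'undefined') {
  module.exports = { changeOwnPassword, registerRoute, isSafeUserName, validateNewPassword };
}
```

Two points worth checking when reviewing such a plugin: the authinfo lookup runs through the `data` cluster with the caller's credentials, so an unauthenticated request never reaches the privileged PUT, and the route accepts only a new password, so nothing in the client request can select which user is modified.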
For now, passwords can be changed through the plugin, and I have a rough understanding of how it works.
This is one workaround at the current stage...