1
我正在嘗試在Kibana上設置基本的readonlyrest示例。我的配置如下:Readonlyrest和Kibana權限配置
readonlyrest:
enable: true
response_if_req_forbidden: Forbidden by ReadonlyREST ES plugin
access_control_rules:
- name: Accept requests from users in group team1 on index1
type: allow
hosts: [localhost,127.0.0.1,10.0.0.0/24]
groups: ["team1"]
actions: ["indices:data/read","indices:data/read/mge/*","indices:data/read/mget","indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create", "cluster:monitor/*"]
indices: ["<no-index>", ".kibana*", "logstash*", "default" ,"sha*" ,"ba*"]
users:
- username: alice
auth_key: alice:p455phrase
groups: ["team1"]
不幸的是,這是行不通的。我不斷收到授權異常,出現以下錯誤消息elasticsearch日誌:
no block has matched, forbidding by default: { action: indices:data/read/mget,
OA:127.0.0.1, indices:[.kibana], M:POST, P:/_mget, C:{"docs":[{"_index":".kibana",
"_type":"config","_id":"4.6.1"}]}, Headers:[]}
什麼在我的配置缺失?
在kibana.yml配置爲:
elasticsearch.username: "alice"
elasticsearch.password: "p455phrase"
謝謝。如果我允許所有索引和所有操作,基本的kibana示例就可以工作。但是我想要做的就是限制Kibana訪問以sha開頭的索引和以ba開頭的索引。爲了達到這個目的,我添加了索引:[「」,「.kibana」,「.kibana/*」,「default」,「sha *」,「ba *」]。這導致權限錯誤。沒有塊匹配,默認禁止:{action:indices:data/read/search,OA:127.0.0.1,indices:[shakespeare sha *],M:POST,P:/ _ msearch,C:{「index」 [「sha *」],「ignore_unavailable」:true} ... –
Klaus
我做了一些更多的挖掘。看起來readonlyrest似乎按預期工作。看起來當kibana啓動時,它會用logstash patterrn發出一個或多個請求。如果用戶對logstash- *沒有讀權限,則訪問被拒絕。所以現在的問題是如何防止kibana使用logstash索引模式創建此初始請求? – Klaus
試試這個:啓動禁用插件的kibana,更改'logstash- *'索引模式,重新啓用插件,Kibana應該知道要查找什麼,而不需要查找'logstash- *' – sscarduzio