          Elasticsearch

          Privilege Management

          The main features of access control are as follows:

          • Restrict a user's access by URL. For example, to let a user manage the cluster configuration parameters, the administrator can grant that user the "POST" privilege on the URL "/_cluster/setting".
          • Restrict a user's read/write operations on data by index.

          Create a User

          curl -u username:password --header "Content-Type: application/json" -XPOST 'host:port/_user/create' -d'
          {
              "username" : "test",
              "password" : "test123",
              "get_path" : ["/test-", "/online-", "/_cat/health"],
              "put_path" : ["/test-"],
              "post_path" : ["/test-"],
              "del_path" : ["/test-"],
              "read_index": ["test-", "online-"],
              "write_index": ["test-"]
          }'

          The command above creates a user "test" with the login password "test123". The user has "put", "post", "get" and "delete" privileges for indexes starting with "test-" and the "get" privilege for indexes starting with "online-", corresponding to the four operations of the RESTful API.

          1. The "get_path", "put_path", "post_path" and "del_path" fields list access paths that are matched by prefix. They correspond to the four HTTP request methods "GET", "PUT", "POST" and "DELETE".
          2. "read_index" and "write_index" list the indexes on which the user may perform read and write operations, also matched by prefix. During access, the privilege plug-in automatically determines from the API being called whether the operation is a read or a write.
          3. Only the "superuser" can execute the "Create User" command; other users cannot do so in any case.

          Modify a User

          curl -u username:password --header "Content-Type: application/json" -XPOST 'host:port/_user/alter' -d'
          {
              "username" : "test",
              "password" : "test321",
              "get_path" : ["/test-", "/_cat/health"],
              "read_index": ["test-"]
          }'
          1. This API can modify the user's access privileges as well as the user's password.
          2. Fields that appear in the message body overwrite the original contents of those fields. Fields that are omitted keep their original contents. For example, if "write_index" does not appear, the user's "write" privilege for indexes does not change, but the "read_index" privilege now covers only "test-xxx".
          3. Only "root" and "superuser" can execute this API.
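
          The following added example (not Baidu's plug-in code) models the two rules stated above, prefix matching of paths per HTTP method and the alter merge rule, and applies the page's own Create and Modify request bodies to show which grants survive the modification. The function names are hypothetical, and the model assumes nothing beyond those two rules.

```python
# Added example: a model of the semantics described on this page,
# not the privilege plug-in's implementation. All names are hypothetical.
METHOD_FIELD = {"GET": "get_path", "PUT": "put_path",
                "POST": "post_path", "DELETE": "del_path"}
FIELDS = list(METHOD_FIELD.values()) + ["read_index", "write_index"]


def apply_alter(current, alter_body):
    """Fields present in the alter body overwrite; omitted fields are kept."""
    merged = dict(current)
    for field in FIELDS:
        if field in alter_body:
            merged[field] = list(alter_body[field])
    return merged


def path_allowed(user, method, path):
    """Prefix match of the request path against the list for that method."""
    prefixes = user.get(METHOD_FIELD[method], [])
    return any(path.startswith(p) for p in prefixes)


def retained_grants(current, alter_body):
    """Grants that survive an alter only because their field was omitted."""
    return {f: current[f] for f in FIELDS
            if f not in alter_body and current.get(f)}


# Privilege fields of the "test" user from the Create a User request.
created = {
    "get_path": ["/test-", "/online-", "/_cat/health"],
    "put_path": ["/test-"], "post_path": ["/test-"], "del_path": ["/test-"],
    "read_index": ["test-", "online-"], "write_index": ["test-"],
}
# Privilege fields of the Modify a User request body.
alter = {"get_path": ["/test-", "/_cat/health"], "read_index": ["test-"]}

after = apply_alter(created, alter)

if __name__ == "__main__":
    # Constructed sample requests, not taken from the page.
    for method, path in [("GET", "/online-logs/_search"),
                         ("DELETE", "/test-2024"),
                         ("PUT", "/test-archive/_doc/1")]:
        print(method, path, "->", path_allowed(after, method, path))
    print("kept because omitted:", retained_grants(created, alter))
```

          After the modification the user can no longer GET "/online-" paths, but "put_path", "post_path", "del_path" and "write_index" are unchanged, so reviewing the full user record with "_user/show" after an alter confirms what is still granted.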

          Delete a User

          curl -u username:password --header "Content-Type: application/json" -XPOST 'host:port/_user/delete' -d'
          {
              "username" : "test"
          }'

          Display the User Information

          curl -u username:password --header "Content-Type: application/json" -XPOST 'host:port/_user/show' -d'
          {
            "size" : 20
          }'
          1. When creating an ordinary user, add this API's path to the user's privilege paths so that the user can view their own user information.
          2. If "root" or "superuser" executes the API, all users are displayed.
          3. "size" is the number of users returned. If it is not specified, the default is "10".

          Reset the Password

          curl -u username:password --header "Content-Type: application/json" -XPOST 'host:port/_user/resetpasswd' -d'
          {
              "password" : "test123"
          }'
          1. When creating an ordinary user, add this API's path to the user's privilege paths so that the user can modify their own password.
          2. To modify the password of an ordinary user, the administrator should use the "Modify a User" API.