Updated on 2024-11-29 GMT+08:00

Authentication Based on Users and Roles

Scenario

Create and configure an Elasticsearch role on Manager as an MRS cluster administrator. The Elasticsearch role can be configured with administrator permissions and read and write access to indexed data.

To query, delete, or update data in Elasticsearch, users must have permissions set on the specified data.

  • Users can create Elasticsearch roles only in security mode.
  • If the current component uses Ranger for permission control, you need to configure permission management policies based on Ranger. For details, see Adding a Ranger Access Permission Policy for Elasticsearch. In normal mode, Ranger cannot be used for permission control.

Prerequisites

The administrator has planned permissions based on business needs.

Procedure

  1. Log in to Manager.
  2. Choose System > Permission > Role.
  3. On the displayed page, click Create Role and enter a Role Name and Description.
  4. Set Configure Resource Permission.

    Elasticsearch permissions:

    • SUPER_USER_GROUP: admin rights, read and write access to all indexes.
    • Elasticsearch Scope: Resource management with read and write access to specified indexes.
    Table 1 Setting a role

    | Scenario | Role Authorization |
    |---|---|
    | Setting the administrator permission | In Configure Resource Permission, choose Name of the desired cluster > Elasticsearch and select SUPER_USER_GROUP. |
    | Setting a user's read and write permissions on a specified index | 1. In Configure Resource Permission, choose Name of the desired cluster > Elasticsearch > Elasticsearch Scope. 2. In the Permission column of the specified index, select read and write. |

  5. Click OK. Return to Manage Role.

    After the Elasticsearch role is created, create an Elasticsearch user and bind the user to the role and user group.

    For details about common Elasticsearch user permissions, see Table 2.

    Table 2 Common Elasticsearch user permissions

    | User Group | Role | User Permission |
    |---|---|---|
    | elasticsearch, supergroup | - | The user can create indexes, read and write all indexes, and has administrative permissions on all indexes. |
    | elasticsearch | - | The user can create indexes, read and write the indexes that they created, and has administrative permissions on the created indexes. |
    | elasticsearch | The user is given a role with read and write permission on created indexes. | The user has read, write, and data deletion permissions on both the indexes they created and the indexes on which they have been granted permissions. However, the user cannot perform management operations on indexes created by other users, such as forced flushing or migrating shards. |
    | - | The user is given an Elasticsearch super permission role. | The user, like other users of the Elasticsearch user group, can create indexes and has read and write permission on all indexes. |
    | supergroup | - | The user can create indexes and has read and write permission on all indexes. |
    | - | The user is given a role with read and write permission on created indexes. | The user has read and write permission on these indexes, but cannot perform management operations on them, such as forced flushing or migrating shards. |
    | - | - | The user cannot access the Elasticsearch system. |