
I am currently investigating the ELK (Elasticsearch, Logstash, Kibana) stack for centralized log file analysis.

The plan is to store logs of multiple applications in the same Elasticsearch cluster using logstash and day-based indexes.

All documents contain a field called application, e.g. "application": "superapp".

Now we are looking for a way to implement access control like this:

A) Superuser: is able to see log entries of all applications.

B) Developer: can only see log entries of the applications he is allowed to see. For example, the dev team for application "superapp" should only be able to see the entries for this application.

To wrap it up: we need access control based on the value in the field application.

While reading the documentation for Elasticsearch and Shield I could not find an obvious way to do it.

Any ideas on how we could realize this in a way that would also work with Kibana 3 and 4?

My first idea was to use aliases which are being automatically assigned to documents using index templates. I am wondering if this is the right direction.

1 Answer

I asked this question on the elasticsearch Google Group and got this reply:

"You could separate the different types of logs into their own indices, which would make things easier; you could also set up aliases with filters and then give certain users access to that alias. Currently KB is not multi-tenant, but that is a feature that is going to be added; you would have to set up multiple instances, each with its own alias."

To sum up: multi-tenancy has to be solved on the frontend (Kibana) and on the backend (Elasticsearch).

Frontend: use a proxy in front of Kibana
https://github.com/salyh/elastic-defender
https://github.com/fangli/kibana-authentication-proxy

Backend: several approaches using filtered aliases and alias templates (use aliases to restrict indexes and operations, or fake one index per user):
http://engineering.aweber.com/using-elasticsearchs-aliases/
http://opennomad.com/content/controlling-access-elasticsearch-filtered-aliases-nginx-and-tokens

answered 2015-05-22T13:08:44.843
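The backend half of the answer (filtered aliases on the application field, assigned to new daily indexes through an index template) as an added worked example; this is not code from the original question or answer. It builds the request bodies for `POST /_aliases` and for a legacy `PUT /_template/...` in the Elasticsearch 1.x syntax current in 2015, and simulates offline which documents each role sees. The alias names (`logs-<application>`), the template name, the `logstash-*` pattern and the sample log documents are assumptions. Two points a practitioner should check: the term filter only behaves as an exact match if the application field is mapped `not_analyzed` (the template below does that), and the alias is the enforcement point only if the proxy in front of Kibana prevents developer users from querying the raw indexes directly, since anyone who can reach `logstash-*` bypasses the alias filter.

```python
import json

# Constructed sample log documents; not from the original post.
SAMPLE_LOGS = [
    {"@timestamp": "2015-05-22T10:00:00Z", "application": "superapp", "message": "user login ok"},
    {"@timestamp": "2015-05-22T10:01:00Z", "application": "billing", "message": "invoice 42 sent"},
    {"@timestamp": "2015-05-22T10:02:00Z", "application": "superapp", "message": "db timeout"},
]

# Day-based indexes written by logstash, e.g. logstash-2015.05.22 (assumed pattern).
INDEX_PATTERN = "logstash-*"


def alias_name(application):
    # Hypothetical naming convention: one read-only alias per application.
    return "logs-%s" % application


def application_filter(application):
    # The alias filter: an exact-match term filter on the application field.
    # Only reliable if the field is not analyzed (see the template below).
    return {"term": {"application": application}}


def filtered_alias_actions(applications, index_pattern=INDEX_PATTERN):
    """Body for POST /_aliases: one filtered alias per application, attached to
    the indexes that exist right now (the wildcard is expanded when the call
    runs, so indexes created tomorrow are NOT covered; that is what the
    template is for)."""
    return {"actions": [
        {"add": {"index": index_pattern,
                 "alias": alias_name(app),
                 "filter": application_filter(app)}}
        for app in applications
    ]}


def alias_index_template(applications, index_pattern=INDEX_PATTERN):
    """Body for PUT /_template/logstash_app_aliases (Elasticsearch 1.x legacy
    template syntax): every new daily index matching the pattern gets the
    filtered aliases automatically, and the application field is mapped
    not_analyzed so the term filter compares the whole value, not tokens."""
    return {
        "template": index_pattern,
        "mappings": {"_default_": {"properties": {
            "application": {"type": "string", "index": "not_analyzed"}}}},
        "aliases": {alias_name(app): {"filter": application_filter(app)}
                    for app in applications},
    }


def matches_term_filter(doc, term_filter):
    """Offline stand-in for Elasticsearch evaluating a term filter on one document."""
    (field, value), = term_filter["term"].items()
    return doc.get(field) == value


def visible_documents(docs, role, application=None):
    """What each role sees. Superusers are routed to the index pattern itself
    (no filter); developers are routed by the proxy to their application's
    alias, so only documents passing the alias filter come back."""
    if role == "superuser":
        return list(docs)
    if role == "developer":
        flt = application_filter(application)
        return [d for d in docs if matches_term_filter(d, flt)]
    raise ValueError("unknown role: %s" % role)


if __name__ == "__main__":
    apps = ["superapp", "billing"]
    print(json.dumps(filtered_alias_actions(apps), indent=2))
    print(json.dumps(alias_index_template(apps), indent=2))
    for d in visible_documents(SAMPLE_LOGS, "developer", "superapp"):
        print(d["message"])
```

Running the script prints the two request bodies you would send to the cluster, followed by the messages a "superapp" developer would see through the `logs-superapp` alias. Adding a new application means adding its alias to the template and re-running the `_aliases` action for the indexes that already exist.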