Getting fine-grained permissions in Kibana on AWS

Time: 2019-03-28 21:51:01

Tags: amazon-web-services permissions kibana

Background

Wiring

I have an Elasticsearch cluster on AWS Elasticsearch Service. It has a Kibana endpoint enabled. Cognito provides AWS roles based on user groups.

Cognito groups and AWS roles

AWS Cognito is set up so that the group admin is mapped to the AWS role arn:aws:iam:123:role/kibana-admin

AWS Cognito is set up so that the group viewer is mapped to the AWS role arn:aws:iam:123:role/kibana-viewer

Required restriction

When viewing data through Kibana, only the admin group may access certain index patterns. The restricted Elasticsearch index pattern is secret-*

The viewer group should not be able to access secret-* through Kibana

Question

How do I prevent only the viewer role from accessing the secret-* index pattern in the AWS Elasticsearch cluster?

What I have tried

First attempt

With the following statement in the access policy:

    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam:123:role/kibana-viewer" },
      "Action": "es:*",
      "Resource": "arn:aws:es:my-region:123:domain/my-domain/*"
    }

viewer is able to access the secret-* index.

Second attempt

Setting the Resource above to arn:aws:es:my-region:123:domain/my-domain/secret-*, viewer cannot log in, with the following error:

    User: x:x:x::xx:x is not authorized to perform: es:ESHttpGet

Third attempt

Using two statements:

    {
      "Effect": "Deny",
      "Principal": { "AWS": "arn:aws:iam:123:role/kibana-viewer" },
      "Action": "es:ESHttpGet",
      "Resource": "arn:aws:es:my-region:123:domain/my-domain/secret-*"
    },
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam:123:role/kibana-viewer" },
      "Action": "es:ESHttpGet",
      "Resource": "arn:aws:es:my-region:123:domain/my-domain/*"
    }

viewer can log in to Kibana but sees no data because of errors on the API calls.
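The three attempts above are all decided by the same rule set: a domain access policy authorises each HTTP request as the action es:ESHttp<Method> on a resource ARN built from the URL path, an explicit Deny beats any Allow, and anything unmatched is implicitly denied. The Python below is an added example (not code from the question or from AWS) that simulates that evaluation for a constructed list of calls a Kibana session makes, using the placeholder ARNs from the question; it also evaluates an assumed variant of the third attempt that covers every HTTP method, to show what path-based statements can and cannot restrict.

```python
"""Simulate how an Amazon ES domain access policy decides the HTTP calls
Kibana makes. Added example, not code from the question or from AWS: it
models the documented IAM evaluation order (explicit Deny wins, a
matching Allow grants, otherwise implicit deny) and the mapping of an
HTTP request to an es:ESHttp<Method> action plus a path-based ARN.
Domain, region, account and role ARNs are the placeholders from the
question; the request list below is constructed for illustration.
"""
from fnmatch import fnmatchcase

DOMAIN_ARN = "arn:aws:es:my-region:123:domain/my-domain"
VIEWER = "arn:aws:iam:123:role/kibana-viewer"


def stmt(effect, action, resource, principal=VIEWER):
    return {"Effect": effect, "Principal": {"AWS": principal},
            "Action": action, "Resource": resource}


# The question's third attempt: Deny GET on secret-*, Allow GET elsewhere.
THIRD_ATTEMPT = [
    stmt("Deny", "es:ESHttpGet", DOMAIN_ARN + "/secret-*"),
    stmt("Allow", "es:ESHttpGet", DOMAIN_ARN + "/*"),
]

# Assumed variant (not from the question): same shape, every HTTP method.
ALL_METHODS = [
    stmt("Deny", "es:*", DOMAIN_ARN + "/secret-*"),
    stmt("Allow", "es:*", DOMAIN_ARN + "/*"),
]


def _as_list(v):
    return v if isinstance(v, list) else [v]


def request_to_iam(method, path):
    """An Amazon ES request is authorised as action es:ESHttp<Method> on
    resource <domain ARN>/<URL path>; the request body is not consulted."""
    return "es:ESHttp" + method.capitalize(), DOMAIN_ARN + path


def evaluate(policy, principal, method, path):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request.
    IAM wildcards (* and ?) are matched with fnmatch, where * also spans '/'."""
    action, resource = request_to_iam(method, path)
    decision = "ImplicitDeny"
    for s in policy:
        principals = _as_list(s["Principal"]["AWS"])
        if "*" not in principals and principal not in principals:
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(s["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(s["Resource"])):
            continue
        if s["Effect"] == "Deny":
            return "Deny"          # an explicit Deny overrides any Allow
        decision = "Allow"
    return decision


# Constructed sample of calls a Kibana session makes; the last one is a
# Discover query whose index names travel in the _msearch body, not the path.
KIBANA_CALLS = [
    ("GET", "/"),                     # version / health probe at login
    ("POST", "/.kibana/_search"),     # load saved objects (index patterns)
    ("GET", "/public-1/_search"),     # unrestricted index named in the path
    ("GET", "/secret-1/_search"),     # restricted index named in the path
    ("POST", "/_msearch"),            # body: {"index":"secret-1"} {...}
]


def decide_all(policy, principal=VIEWER, calls=KIBANA_CALLS):
    """Map 'METHOD path' to the policy decision for each call."""
    return {f"{m} {p}": evaluate(policy, principal, m, p) for m, p in calls}


if __name__ == "__main__":
    for name, policy in (("third attempt", THIRD_ATTEMPT), ("all methods", ALL_METHODS)):
        print(name)
        for call, decision in decide_all(policy).items():
            print(f"  {decision:13} {call}")
```

Two things fall out of the run. Under the third attempt every POST Kibana issues, including loading its own .kibana index, is implicitly denied because only es:ESHttpGet was allowed, which matches "can log in but sees no data". Under the all-methods variant the direct GET on secret-1 is denied, but POST /_msearch is allowed: the path is just /_msearch, and the index name that would have matched secret-* is in the body the policy never sees. AWS exposes the advanced option rest.action.multi.allow_explicit_index for exactly this; set to false it rejects index names inside _msearch, _mget and _bulk bodies so they have to appear in the URL, at the cost of breaking clients that rely on body-specified indices.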

1 answer:

Answer 0 (score: 0)

I was unable to solve it with AWS Elasticsearch.

However, I was able to get the desired result with Open Distro for Elasticsearch's {{1}}. I also wrote a detailed blog post about it