Alibaba Cloud Elasticsearch allows you to configure Active Directory (AD) user authentication for your Elasticsearch cluster. This way, users in an AD realm that are assigned Elasticsearch roles can be used to access the cluster. This topic describes how to configure AD user authentication for an Alibaba Cloud Elasticsearch cluster.
Prerequisites
An Alibaba Cloud Elasticsearch cluster is created. In this example, an Elasticsearch V7.10 cluster is created. For more information, see Create an Alibaba Cloud Elasticsearch cluster.
An AD realm is created and configured on an Elastic Compute Service (ECS) instance that runs the Windows operating system and resides in the same virtual private cloud (VPC) as the Elasticsearch cluster. In this example, the Windows Server 2012 operating system is used, and the test data is prepared in advance. The ccy1 user and the ccy.com root realm are used throughout this example.
The network architecture of Alibaba Cloud Elasticsearch in different regions has been adjusted since October 2020. The adjustment has the following impacts on clusters:
If you want to connect a cluster that is deployed in the original network architecture to the Internet, you can use an ECS instance for which SNAT is enabled or use an NGINX proxy to forward requests.
In the new network architecture, the AD user authentication feature is limited. You can use the PrivateLink service to establish private connections between VPCs. For more information, see Configure a private connection for an Elasticsearch cluster. If you want to connect a cluster that is deployed in the new network architecture to the Internet, configure an NGINX proxy to forward requests.
In the original network architecture, only single-zone Elasticsearch clusters support AD user authentication.
Elasticsearch clusters created in October 2020 or later are deployed in the new network architecture. These Elasticsearch clusters reside in the VPC of the Elasticsearch service account. If your Elasticsearch cluster is deployed in the new network architecture, you need to use the PrivateLink service to establish a private connection between that VPC and your VPC. Then, obtain the domain name of the related endpoint for future use. To obtain the domain name of an endpoint, perform the following steps:
1. Create a CLB instance. For more information, see Step 1: Create and configure a CLB instance.
2. Configure the CLB instance.
3. Create an endpoint service. For more information, see Step 2: Create an endpoint service.
4. Create a private connection for the Elasticsearch cluster. For more information, see Step 3: Create a private connection for the Elasticsearch cluster.
An Elasticsearch cluster uses its security features to communicate with the AD realm and authenticate users. The security features communicate with the AD realm based on LDAP. An AD realm is similar to an LDAP realm. Like an LDAP directory, an AD realm stores users and groups in a hierarchical manner. An AD realm authenticates a user by sending an LDAP bind request. After the user passes the authentication, the AD realm searches for the entry of the user in the AD realm. After the AD realm finds the entry, the AD realm retrieves the group membership of the user from the tokenGroups attribute of the entry. For more information, see Configuring an Active Directory realm.
Elasticsearch clusters of V6.X, V7.X, or V8.X
Add the following configurations to the YML configuration file of your cluster to configure AD user authentication. For more information, see Configure the YML file.
Elasticsearch clusters of other versions
Add the following configurations to the YML configuration file of your cluster. If the YML configuration file cannot be modified and the cluster cannot be restarted, you can submit a ticket to ask technical support personnel to complete the configuration for you.
xpack.security.authc.realms.active_directory.my_ad.order: 2
xpack.security.authc.realms.active_directory.my_ad.domain_name: ccy.com
xpack.security.authc.realms.active_directory.my_ad.url: ldap://ep-bp1i321219*********-cn-hangzhou-h.epsrv-bp15571d5ps*********.cn-hangzhou.privatelink.aliyuncs.com:389
xpack.security.authc.realms.active_directory.my_ad.bind_dn: cc**@ccy.com
xpack.security.authc.realms.active_directory.my_ad.bind_password: your_password
Parameter      Description
order          The priority of the AD realm. The priority determines the sequence in which the AD realm is checked during user authentication.
               Note: For Elasticsearch V8.X clusters, the value of this parameter must be unique among the configured realms. We recommend that you set this parameter to 2.
domain_name    The name of the root realm.
url            The URL and port number that are used to establish a private network connection between the AD realm and the ECS instance. For more information, see Configuring an Active Directory realm.
               Important: If your cluster is deployed in the new network architecture, you must set this parameter to a value in the format ldap://<Domain name of the related endpoint>:<Port number>. In this example, ldap://ep-bp1i321219*********-cn-hangzhou-h.epsrv-bp15571d5ps*********.cn-hangzhou.privatelink.aliyuncs.com:389 is used.
bind_dn        The distinguished name (DN) of the user that is used to perform searches.
bind_password  The password that is used to authenticate the bind user.
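The realm settings above are easy to get subtly wrong: a missing required key, a shared order value (which V8.X rejects), a bind password left in clear text in the YML file instead of the keystore setting secure_bind_password, or an ldap:// URL that carries the bind credentials without TLS. The following script is an added example, not Alibaba Cloud or Elastic code; it parses a constructed elasticsearch.yml fragment in the shape shown above (the endpoint host names and the second realm are made up) and reports those findings so that an operator can review them before restarting the cluster.

```python
"""Sanity checks for Elasticsearch Active Directory realm settings.

Added example for this topic; not Alibaba Cloud or Elastic code. The input is a
constructed elasticsearch.yml fragment: the my_ad realm from the topic (with a
placeholder endpoint host name) plus a made-up second realm that reuses order 2.
"""
from urllib.parse import urlsplit

PREFIX = "xpack.security.authc.realms.active_directory."

# Constructed sample input (not a real cluster configuration).
SAMPLE_YML = """
xpack.security.authc.realms.active_directory.my_ad.order: 2
xpack.security.authc.realms.active_directory.my_ad.domain_name: ccy.com
xpack.security.authc.realms.active_directory.my_ad.url: ldap://ep-EXAMPLE.cn-hangzhou.privatelink.aliyuncs.com:389
xpack.security.authc.realms.active_directory.my_ad.bind_dn: cc**@ccy.com
xpack.security.authc.realms.active_directory.my_ad.bind_password: your_password
xpack.security.authc.realms.active_directory.other_ad.order: 2
xpack.security.authc.realms.active_directory.other_ad.domain_name: example.com
xpack.security.authc.realms.active_directory.other_ad.url: ldaps://dc.example.com:636
xpack.security.authc.realms.active_directory.other_ad.bind_dn: svc@example.com
"""


def parse_realms(text):
    """Group '<PREFIX><realm>.<setting>: value' lines into {realm: {setting: value}}."""
    realms = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or not line.startswith(PREFIX):
            continue
        # Split at the first colon only: the URL value itself contains colons.
        key, _, value = line.partition(":")
        realm, _, setting = key[len(PREFIX):].partition(".")
        realms.setdefault(realm, {})[setting] = value.strip()
    return realms


def check_realm(name, settings):
    """Return a list of human-readable findings for one realm."""
    findings = []
    for required in ("order", "domain_name", "url"):
        if required not in settings:
            findings.append(f"{name}: missing required setting '{required}'")
    url = settings.get("url")
    if url:
        parts = urlsplit(url)
        if parts.scheme not in ("ldap", "ldaps"):
            findings.append(f"{name}: url scheme must be ldap or ldaps, got '{parts.scheme}'")
        elif parts.scheme == "ldap":
            findings.append(
                f"{name}: url uses ldap:// (no TLS); the bind credentials cross the network "
                "in clear text, so keep this on a private path such as PrivateLink or use ldaps://"
            )
        if parts.port is None:
            findings.append(f"{name}: url has no explicit port (389 for ldap, 636 for ldaps)")
    if "bind_password" in settings:
        findings.append(
            f"{name}: bind_password is stored in clear text in elasticsearch.yml; "
            "prefer secure_bind_password in the Elasticsearch keystore"
        )
    return findings


def check_config(text):
    """Check every realm and flag order values shared between realms."""
    realms = parse_realms(text)
    findings = []
    orders = {}
    for name, settings in realms.items():
        findings.extend(check_realm(name, settings))
        orders.setdefault(settings.get("order"), []).append(name)
    for order, names in orders.items():
        if order is not None and len(names) > 1:
            findings.append(
                f"order {order} is shared by realms {', '.join(sorted(names))}; "
                "realm orders must be unique on 8.x"
            )
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_YML):
        print("-", finding)
```

Run the script as-is to see the findings for the constructed sample; point check_config at the text of your own elasticsearch.yml to review a real configuration. The ldap:// finding is informational in the PrivateLink scenario described in this topic, where the connection never leaves the private network.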
Step 3: Map the user to a role
Log on to the Kibana console of the Elasticsearch cluster. For more information, see Log on to the Kibana console.
Note: Operations on clusters of different versions may vary. The actual operations in the console prevail.
Go to the homepage of the Kibana console as prompted and click Dev Tools.
On the Console tab, run the following command to map the ccy1 user in the AD realm to the administrator role:
PUT /_security/role_mapping/basic_users
{
  "roles": [ "superuser" ],
  "enabled": true,
  "rules": {
    "any": [
      {
        "field": {
          "groups": "cn=ali,dc=ccy,dc=com"
        }
      },
      {
        "field": {
          "dn": "cn=ccy1,cn=ali,dc=ccy,dc=com"
        }
      }
    ]
  }
}
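The mapping above grants superuser to anyone whose AD group list (taken from the tokenGroups attribute, as described earlier) contains cn=ali,dc=ccy,dc=com, or whose DN is exactly that of ccy1. Because "any" means either condition is enough, every member of the ali group becomes a superuser, not only ccy1. The following added example, which is not Elasticsearch's own code, re-implements the any/all/except/field rule evaluation in simplified form so that you can check what a mapping grants to constructed sample users before applying it. Assumptions: DNs are compared case-insensitively after stripping spaces around commas (Elasticsearch normalizes DNs more thoroughly, including escaped characters), wildcards in dn/groups values are handled with fnmatch, and the sample users other than ccy1 are made up.

```python
"""Simplified evaluator for Elasticsearch role-mapping rules (added example).

Not Elasticsearch's implementation: DN normalization is reduced to lower-casing
and trimming spaces around commas, and wildcards use fnmatch. Sample users other
than ccy1 are constructed for illustration.
"""
from fnmatch import fnmatchcase

# The role mapping from this topic, as a Python dict.
BASIC_USERS = {
    "roles": ["superuser"],
    "enabled": True,
    "rules": {
        "any": [
            {"field": {"groups": "cn=ali,dc=ccy,dc=com"}},
            {"field": {"dn": "cn=ccy1,cn=ali,dc=ccy,dc=com"}},
        ]
    },
}

# Constructed sample users as the AD realm would present them after a bind and
# tokenGroups lookup (username, dn, groups, realm name).
CCY1 = {"username": "ccy1", "dn": "CN=ccy1, CN=ali, DC=ccy, DC=com",
        "groups": ["CN=ali, DC=ccy, DC=com"], "realm.name": "my_ad"}
ALI_MEMBER = {"username": "alice", "dn": "cn=alice,cn=ali,dc=ccy,dc=com",
              "groups": ["cn=ali,dc=ccy,dc=com"], "realm.name": "my_ad"}
OUTSIDER = {"username": "bob", "dn": "cn=bob,cn=guests,dc=ccy,dc=com",
            "groups": ["cn=guests,dc=ccy,dc=com"], "realm.name": "my_ad"}


def normalize_dn(dn):
    """Lower-case the DN and strip spaces around RDN separators (simplification)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def field_matches(user, field, expected):
    """True if any of the user's values for `field` matches any expected value."""
    values = user.get(field, [])
    if not isinstance(values, list):
        values = [values]
    patterns = expected if isinstance(expected, list) else [expected]
    for pattern in patterns:
        for value in values:
            if field in ("dn", "groups"):
                if fnmatchcase(normalize_dn(str(value)), normalize_dn(str(pattern))):
                    return True
            elif value == pattern:
                return True
    return False


def evaluate(rule, user):
    """Recursively evaluate an any/all/except/field rule tree."""
    if "any" in rule:
        return any(evaluate(r, user) for r in rule["any"])
    if "all" in rule:
        return all(evaluate(r, user) for r in rule["all"])
    if "except" in rule:
        return not evaluate(rule["except"], user)
    if "field" in rule:
        return all(field_matches(user, f, v) for f, v in rule["field"].items())
    raise ValueError(f"unknown rule: {rule}")


def roles_for(user, mappings):
    """Collect the roles granted to `user` by all enabled mappings."""
    roles = set()
    for mapping in mappings:
        if mapping.get("enabled", True) and evaluate(mapping["rules"], user):
            roles.update(mapping["roles"])
    return sorted(roles)


if __name__ == "__main__":
    for user in (CCY1, ALI_MEMBER, OUTSIDER):
        print(user["username"], "->", roles_for(user, [BASIC_USERS]))
```

Running the script shows that both ccy1 and the constructed ali group member receive superuser while the outsider receives nothing. If the intent is to grant superuser to ccy1 only, drop the groups clause from the "any" list, or put least-privilege roles on the group rule and keep the DN rule for the single administrator.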
Use the ccy1 user to log on to the Kibana console of the Elasticsearch cluster.
Go to the homepage of the Kibana console as prompted and click Dev Tools.
On the Console tab, run the following command to check whether the ccy1 user has the permissions to perform the related operation:
GET _cat/indices
If the permissions are granted to the ccy1 user, the index list shown in the following figure is returned.