Начало Каталог Помощ
Вход
lqb
/
elasticsearch
огледало от https://gitee.com/mirrors/elasticsearch.git
1
0
Разклонения 0
Файлове Задачи 0 Уики
ИН на ревизия: fd33eb0d12
Клонове Маркери
elasticsearch
/
x-pack
/
docs
/
en
/
security
/
authentication
/
realm-chains.asciidoc

realm-chains.asciidoc 4.1 KB
История Директен файл

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697 
  1. [role="xpack"]
    2. 

  2. [[realm-chains]]
    3. 

  3. === Realm chains
    4. 

  4. 

  5. <<realms,Realms>> live within a _realm chain_. It is essentially a prioritized
    6. 

  6. list of configured realms (typically of various types). Realms are consulted in
    7. 

  7. ascending order (that is to say, the realm with the lowest `order` value is
    8. 

  8. consulted first). You should make sure each configured realm has a distinct
    9. 

  9. `order` setting. In the event that two or more realms have the same `order`,
    10. 

  10. they are processed in `name` order.
    11. 

  11. 

  12. During the authentication process, {stack} {security-features} consult and try
    13. 

  13. to authenticate the request one realm at a time. Once one of the realms
    14. 

  14. successfully authenticates the request, the authentication is considered to be
    15. 

  15. successful. The authenticated user is associated with the request, which then
    16. 

  16. proceeds to the authorization phase. If a realm cannot authenticate the request,
    17. 

  17. the next realm in the chain is consulted. If all realms in the chain cannot
    18. 

  18. authenticate the request, the authentication is considered to be unsuccessful
    19. 

  19. and an authentication error is returned (as HTTP status code `401`).
    20. 

  20. 

  21. NOTE: Some systems (e.g. Active Directory) have a temporary lock-out period
    22. 

  22. after several successive failed login attempts. If the same username exists in
    23. 

  23. multiple realms, unintentional account lockouts are possible. For more
    24. 

  24. information, see <<trouble-shoot-active-directory>>.
    25. 

  25. 

  26. The default realm chain contains the `native` and `file` realms. To explicitly
    27. 

  27. configure a realm chain, you specify the chain in the `elasticsearch.yml` file.
    28. 

  28. When you configure a realm chain, only the realms you specify are used for
    29. 

  29. authentication. To use the `native` and `file` realms, you must include them in
    30. 

  30. the chain.
    31. 

  31. 

  32. The following snippet configures a realm chain that includes the `file` and
    33. 

  33. `native` realms, as well as two LDAP realms and an Active Directory realm.
    34. 

  34. 

  35. [source,yaml]
    36. 

  36. ----------------------------------------
    37. 

  37. xpack.security.authc.realms:
    38. 

  38.   file.file1:
    39. 

  39.       order: 0
    40. 

  40. 

  41.   native.native1:
    42. 

  42.       order: 1
    43. 

  43. 

  44.   ldap.ldap1:
    45. 

  45.       order: 2
    46. 

  46.       enabled: false
    47. 

  47.       url: 'url_to_ldap1'
    48. 

  48.       ...
    49. 

  49. 

  50.   ldap.ldap2:
    51. 

  51.       order: 3
    52. 

  52.       url: 'url_to_ldap2'
    53. 

  53.       ...
    54. 

  54. 

  55.   active_directory.ad1:
    56. 

  56.       order: 4
    57. 

  57.       url: 'url_to_ad'
    58. 

  58. ----------------------------------------
    59. 

  59. 

  60. As can be seen above, each realm has a unique name that identifies it. Each type
    61. 

  61. of realm dictates its own set of required and optional settings. That said,
    62. 

  62. there are 
    63. 

  63. <<ref-realm-settings,settings that are common to all realms>>. 
    64. 

  64. 

  65. [[authorization_realms]]
    66. 

  66. ==== Delegating authorization to another realm
    67. 

  67. 

  68. Some realms have the ability to perform _authentication_ internally, but
    69. 

  69. delegate the lookup and assignment of roles (that is, _authorization_) to
    70. 

  70. another realm.
    71. 

  71. 

  72. For example, you may wish to use a PKI realm to authenticate your users with
    73. 

  73. TLS client certificates, then lookup that user in an LDAP realm and use their
    74. 

  74. LDAP group assignments to determine their roles in Elasticsearch.
    75. 

  75. 

  76. Any realm that supports retrieving users (without needing their credentials) can
    77. 

  77. be used as an _authorization realm_ (that is, its name may appear as one of the
    78. 

  78. values in the list of `authorization_realms`). See <<run-as-privilege>> for
    79. 

  79. further explanation on which realms support this.
    80. 

  80. 

  81. For realms that support this feature, it can be enabled by configuring the
    82. 

  82. `authorization_realms` setting on the authenticating realm. Check the list of
    83. 

  83. <<realm-settings,supported settings>> for each realm
    84. 

  84. to see if they support the `authorization_realms` setting. 
    85. 

  85. 

  86. If delegated authorization is enabled for a realm, it authenticates the user in 
    87. 

  87. its standard manner (including relevant caching) then looks for that user in the 
    88. 

  88. configured list of authorization realms. It tries each realm in the order they 
    89. 

  89. are specified in the `authorization_realms` setting. The user is retrieved by 
    90. 

  90. principal - the user must have identical usernames in the _authentication_ and 
    91. 

  91. _authorization realms_. If the user cannot be found in any of the authorization 
    92. 

  92. realms, authentication fails.
    93. 

  93. 

  94. See <<configuring-authorization-delegation>> for more details.
    95. 

  95. 

  96. NOTE: Delegated authorization requires a
    97. 

  97. https://www.elastic.co/subscriptions[Platinum or Trial license].
    98.