OpenSearch/shield/docs/public/example-deployments/e-commerce.asciidoc

92 lines
3.2 KiB
Plaintext

[float]
[[example]]
=== E-commerce Example Using esusers
The e-commerce store site in this example store has the following components:
* A webshop application, which executes queries
* A nightly bulk import process, which reindexes the documents to ensure correct pricing for the following day
* A update mechanism that writes data concurrently during business hours on a per-document base
* A sales representative that needs to read sales-specific indices
[float]
==== Defining the roles
[source,yaml]
--------------------------------------------------
bulk:
indices:
'products_*': write, manage, read
updater:
indices:
'products': index, delete, indices:admin/optimize
webshop:
indices:
'products': search, get
monitoring:
cluster: monitor
indices:
'*': monitor
sales_rep :
cluster : none
indices:
'sales_*' : all
'social_events' : data_access, monitor
--------------------------------------------------
Let's step through each of the role definitions:
* The `bulk` role definition has the privileges to create/delete all indices starting with `products_` as well as
indexing data into it. This set of privileges enables the user with this role to delete and repopulate a particular
index.
* The `updater` role does not require any information about concrete indices. The only privileges required for updating
the `products` index are the `write` and `delete` privileges, as well as index optimization.
* The `webshop` role is a read-only role that solely executes queries and GET requests.
* The `monitoring` role extracts monitoring data for display on an internal screen of the web application.
* The `sales_rep` role has write access on all indices starting with `sales` and read access to the `social_events`
index.
[float]
==== Creating Users and Their Roles
After creating the `roles.yml` file, you can use the `esusers` tool to create the needed users and the respective
user-to-role mapping.
[source,shell]
-----------------------------------------------------------
bin/shield/esusers useradd webshop -r webshop,monitoring
-----------------------------------------------------------
[source,shell]
-----------------------------------------------------------
bin/shield/esusers useradd bulk -r bulk
-----------------------------------------------------------
[source,shell]
-----------------------------------------------------------
bin/shield/esusers useradd updater -r updater
-----------------------------------------------------------
[source,shell]
--------------------------------------------------------------------
bin/shield/esusers useradd best_sales_guy_of_the_world -r sales_rep
--------------------------------------------------------------------
[source,shell]
----------------------------------------------------------------------------
bin/shield/esusers useradd second_best_sales_guy_of_the_world -r sales_rep
----------------------------------------------------------------------------
[float]
==== Modifying Your Application
With the users and roles defined, you now need to modify your application. Each part of the application must
authenticate to Elasticsearch using the username and password you gave it in the previous steps.