92 lines
3.2 KiB
Plaintext
92 lines
3.2 KiB
Plaintext
[float]
|
|
[[example]]
|
|
=== E-commerce Example Using esusers
|
|
|
|
The e-commerce store site in this example store has the following components:
|
|
|
|
* A webshop application, which executes queries
|
|
* A nightly bulk import process, which reindexes the documents to ensure correct pricing for the following day
|
|
* A update mechanism that writes data concurrently during business hours on a per-document base
|
|
* A sales representative that needs to read sales-specific indices
|
|
|
|
[float]
|
|
==== Defining the roles
|
|
|
|
[source,yaml]
|
|
--------------------------------------------------
|
|
bulk:
|
|
indices:
|
|
'products_*': write, manage, read
|
|
|
|
updater:
|
|
indices:
|
|
'products': index, delete, indices:admin/optimize
|
|
|
|
webshop:
|
|
indices:
|
|
'products': search, get
|
|
|
|
monitoring:
|
|
cluster: monitor
|
|
indices:
|
|
'*': monitor
|
|
|
|
sales_rep :
|
|
cluster : none
|
|
indices:
|
|
'sales_*' : all
|
|
'social_events' : data_access, monitor
|
|
--------------------------------------------------
|
|
|
|
Let's step through each of the role definitions:
|
|
|
|
* The `bulk` role definition has the privileges to create/delete all indices starting with `products_` as well as
|
|
indexing data into it. This set of privileges enables the user with this role to delete and repopulate a particular
|
|
index.
|
|
|
|
* The `updater` role does not require any information about concrete indices. The only privileges required for updating
|
|
the `products` index are the `write` and `delete` privileges, as well as index optimization.
|
|
|
|
* The `webshop` role is a read-only role that solely executes queries and GET requests.
|
|
|
|
* The `monitoring` role extracts monitoring data for display on an internal screen of the web application.
|
|
|
|
* The `sales_rep` role has write access on all indices starting with `sales` and read access to the `social_events`
|
|
index.
|
|
|
|
[float]
|
|
==== Creating Users and Their Roles
|
|
|
|
After creating the `roles.yml` file, you can use the `esusers` tool to create the needed users and the respective
|
|
user-to-role mapping.
|
|
|
|
[source,shell]
|
|
-----------------------------------------------------------
|
|
bin/shield/esusers useradd webshop -r webshop,monitoring
|
|
-----------------------------------------------------------
|
|
|
|
[source,shell]
|
|
-----------------------------------------------------------
|
|
bin/shield/esusers useradd bulk -r bulk
|
|
-----------------------------------------------------------
|
|
|
|
[source,shell]
|
|
-----------------------------------------------------------
|
|
bin/shield/esusers useradd updater -r updater
|
|
-----------------------------------------------------------
|
|
|
|
[source,shell]
|
|
--------------------------------------------------------------------
|
|
bin/shield/esusers useradd best_sales_guy_of_the_world -r sales_rep
|
|
--------------------------------------------------------------------
|
|
|
|
[source,shell]
|
|
----------------------------------------------------------------------------
|
|
bin/shield/esusers useradd second_best_sales_guy_of_the_world -r sales_rep
|
|
----------------------------------------------------------------------------
|
|
|
|
[float]
|
|
==== Modifying Your Application
|
|
|
|
With the users and roles defined, you now need to modify your application. Each part of the application must
|
|
authenticate to Elasticsearch using the username and password you gave it in the previous steps. |