
Hope to automatically create least-privilege accounts for O&M collection

Open colo1994 opened this issue 2 years ago • 13 comments

In enterprises with standardized O&M management, the root account is not allowed to log in remotely for collection. For some databases, such as Oracle, a non-root user can only run system-level queries after being granted privileges on the relevant tables or views one by one. Similarly, Linux refuses to execute some commands because of environment variables and user groups. As the number of commands grows, you not only have to track down which statement is failing, but also have to contact the O&M staff to grant additional permissions. I hope that during initialization one could enter the root account, choose to automatically create or grant privileges to the collection account with all the permissions it needs, and have the system not store the root user's information. And when the collection rules are rewritten, further grants will be needed afterwards.

colo1994 avatar Mar 28 '22 09:03 colo1994


Hi, thanks for the suggestion. This needs some thought, because it involves automatically creating an account on the user's host, which users who don't want that would be rather sensitive about.
Take our SSH commands, for example: the default scripts only need read permissions, so normally an ordinary O&M account is enough, and likewise for databases only an account with query permissions is needed. As you said:

Similarly, Linux refuses to execute some commands because of environment variables and user groups. As the number of commands grows, you not only have to track down which statement is failing, but also have to contact the O&M staff to grant additional permissions.

This is indeed troublesome. We'll think about how to do things later to avoid it, or clearly document the required permissions in the help docs.
thanks again!

tomsun28 avatar Mar 30 '22 02:03 tomsun28

@tomsun28 Is there a way to create an account with guest-only permissions? I didn't understand the meaning of the role1 and role2 mentioned in the docs.

gcdd1993 avatar Apr 16 '22 12:04 gcdd1993


Is there a way to create an account with guest-only permissions? I didn't understand the meaning of the role1 and role2 mentioned in the docs.

@gcdd1993 In theory yes: an existing user can set up a guest-permission account by configuring the permission mapping between roles and URL interface resources in sureness.yml.

# Resources loaded into the matching dictionary, i.e. the ones that need protecting, with the roles allowed to access them
# Resources not configured here are also protected by authentication by default, but not authorized (no role check)
# eg: /api/v1/source1===get===[role2] means the resource /api/v1/source1===get can be accessed by the single role role2
# eg: /api/v1/source2===get===[] means the resource /api/v1/source2===get cannot be accessed by any role
resourceRole:
  - /account/auth/refresh===post===[role1,role2,role3,role4]

# User account information
# Below there are three accounts: admin, tom and lili
# eg: admin has the roles [role1,role2], password admin
# eg: tom has [role1,role2,role3], password tom@123
# eg: lili has [role1,role2], plaintext password lili, salted password 1A676730B0C7F54654B0E09184448289
account:
  - appId: admin
    credential: admin
    role: [role1,role2]

In sureness.yml, resourceRole configures the mapping between backend resource URL interfaces and roles. That way you can give the query, create, delete and update interfaces to role1 and only the query interfaces to role2; then in the user accounts section configure user tom with only the role2 role, which means tom has only guest query permissions.

For now that's how it is configured; later we'll put out a tutorial and improve what the frontend shows when there is no permission.

tomsun28 avatar Apr 16 '22 12:04 tomsun28

@tomsun28 Can it be written like this? /apps/**===post,put,delete===[admin], because I looked at the Controller and there is not only post but also put and delete. If not, it can only be written like this:

- /apps/**===get===[visitor]
- /apps/**===post===[admin]
- /apps/**===put===[admin]
- /apps/**===delete===[admin]

gcdd1993 avatar Apr 17 '22 11:04 gcdd1993


@gcdd1993 No, only the second form works, as follows:

- /apps/**===get===[visitor,admin]
- /apps/**===post===[admin]
- /apps/**===put===[admin]
- /apps/**===delete===[admin]

tomsun28 avatar Apr 17 '22 11:04 tomsun28


@tomsun28 OK, found the docs, it's another project of yours: https://github.com/dromara/sureness. By the way, here is my guest configuration:

## -- sureness.yml text data source -- ##

# Resources loaded into the matching dictionary, i.e. the ones that need protecting, with the roles allowed to access them
# Resources not configured here are also protected by authentication by default, but not authorized (no role check)
# eg: /api/v1/source1===get===[role2] means the resource /api/v1/source1===get can be accessed by the single role role2
# eg: /api/v1/source2===get===[] means the resource /api/v1/source2===get cannot be accessed by any role
resourceRole:
  - /account/auth/refresh===get,post===[admin,visitor]
  - /apps/**===get===[admin,visitor]
  - /monitor/**===get===[admin,visitor]
  - /monitor/**===post===[admin]
  - /monitor/**===put===[admin]
  - /monitor/**===delete===[admin]
  - /monitors/**===get===[admin,visitor]
  - /monitors/**===post===[admin]
  - /monitors/**===put===[admin]
  - /monitors/**===delete===[admin]
  - /notice/**===get===[admin,visitor]
  - /notice/**===post===[admin]
  - /notice/**===put===[admin]
  - /notice/**===delete===[admin]
  - /summary/**===get===[admin,visitor]
  - /summary/**===post===[admin]
  - /summary/**===put===[admin]
  - /summary/**===delete===[admin]

# Resources excluded from the protection filter: accessed directly without authentication or authorization
# /api/v1/source3===get means /api/v1/source3===get can be accessed by anyone, with no login, authentication or authorization
excludedResource:
  - /account/auth/**===*
  - /===get
  - /i18n/**===get
  - /apps/hierarchy===get
  # web ui static resources
  - /console/**===get
  - /**/*.html===get
  - /**/*.js===get
  - /**/*.css===get
  - /**/*.ico===get
  - /**/*.ttf===get
  - /**/*.png===get
  - /**/*.gif===get
  - /**/*.png===*
  # swagger ui resources
  - /swagger-resources/**===get
  - /v2/api-docs===get
  - /v3/api-docs===get

# User account information
# Below there are three accounts: admin, tom and lili
# eg: admin has the roles [role1,role2], password admin
# eg: tom has [role1,role2,role3], password tom@123
# eg: lili has [role1,role2], plaintext password lili, salted password 1A676730B0C7F54654B0E09184448289
account:
  - appId: admin
    credential: xxx
    role: [ admin ]
  - appId: visitor
    credential: xxx
    role: [ visitor ]

gcdd1993 avatar Apr 17 '22 11:04 gcdd1993
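As an added example (not HertzBeat's or sureness's own code), here is a small Python evaluator for the resourceRole / excludedResource rule format used in the guest configuration above and in the one-method-per-line answer before it. The ant-style path matching, the first-match rule and the handling of unconfigured resources are assumptions modelled on the comments in that config, and the rule subset embedded below is copied from it.

```python
import re
# Rules copied from the visitor configuration posted above (a subset); the
# matching semantics below are assumptions modelled on that config's comments.
RESOURCE_ROLE = ["/apps/**===get===[admin,visitor]", "/monitors/**===get===[admin,visitor]",
                 "/monitors/**===post===[admin]", "/monitors/**===delete===[admin]"]
EXCLUDED = ["/account/auth/**===*", "/===get", "/**/*.js===get"]

def _path_regex(pattern):
    # Ant-style path pattern (assumption): '/**/' spans zero or more segments,
    # '**' spans anything, a single '*' stays inside one segment.
    esc = re.escape(pattern).replace(r"/\*\*/", "/(?:.*/)?")
    return re.compile(esc.replace(r"\*\*", ".*").replace(r"\*", "[^/]*"))

def parse_rule(line):
    """'path===method===[r1,r2]' -> (regex, method, roles); roles is None for an excludedResource
    line. The method is one verb or '*', as the maintainer's answer requires, so 'post,put,delete' is rejected."""
    parts = line.strip().split("===")
    if len(parts) not in (2, 3) or not re.fullmatch(r"[a-z]+|\*", parts[1].lower()):
        raise ValueError(f"malformed rule: {line!r}")
    roles = None
    if len(parts) == 3:
        body = parts[2].strip()
        if not (body.startswith("[") and body.endswith("]")):
            raise ValueError(f"malformed role list: {line!r}")
        roles = {r.strip() for r in body[1:-1].split(",") if r.strip()}
    return _path_regex(parts[0]), parts[1].lower(), roles

def is_valid_rule(line):
    try:
        parse_rule(line)
        return True
    except ValueError:
        return False

def _matches(rule, path, method):
    regex, rule_method, _ = rule
    return regex.fullmatch(path) is not None and rule_method in ("*", method.lower())

def authorize(path, method, roles, resource_role=RESOURCE_ROLE, excluded=EXCLUDED):
    """roles=None means no login. Returns 'anonymous', 'unauthorized', 'ok' or 'forbidden'."""
    if any(_matches(parse_rule(ln), path, method) for ln in excluded):
        return "anonymous"      # excludedResource: reachable without authentication
    if roles is None:
        return "unauthorized"   # everything else requires a login
    for line in resource_role:
        rule = parse_rule(line)
        if _matches(rule, path, method):
            # first matching rule decides; an empty list '[]' denies every role
            return "ok" if roles & rule[2] else "forbidden"
    return "ok"                 # unconfigured: authenticated but not authorized
```

The last return shows the caveat stated in the config's own comment: an endpoint missing from resourceRole is reachable by any logged-in user, including visitor, so a least-privilege setup has to list every write endpoint explicitly, and a malformed line such as the `===delete==[admin]` typo is better rejected at load time than silently ignored.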


👍👍👍👍 @gcdd1993

tomsun28 avatar Apr 17 '22 11:04 tomsun28
