AWS ElasticSearch访问策略显式拒绝

rqqzpn5f 于 2022-11-02 发布在 ElasticSearch

关注(0)|答案(1)|浏览(98)

下面我有一个基于IP的访问策略，它允许6个IP地址的所有内容，然后只允许删除其中一个IP地址。人们认为它会明确拒绝删除所有其他IP地址，然后明确拒绝将胜过对其他5个IP地址的完全访问。这似乎不是事实。有人能帮助我理解什么是访问策略的优先权吗？Identity and Access Management documentation中的小表对我理解Elasticsearch是如何看待事情的没有什么帮助。请帮助我解释一下。

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:region:id:domain/domainname/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "120.450.780.230",
            "120.450.780.231",
            "120.450.780.232",
            "120.450.780.233",
            "120.450.780.234",
            "120.450.780.235"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:ESHttpDelete",
      "Resource": "arn:region:id:domain/domainname*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "120.450.780.235"
          ]
        }
      }
    }
  ]
}

elasticsearch

来源：https://stackoverflow.com/questions/73886857/aws-elasticsearch-access-policy-explicit-deny