Installing the Search Guard plugin on a single-node Elasticsearch
Versions:
ElasticSearch:6.6.2
Logstash:6.6.2
Kibana:6.6.2
Search Guard:6.6.2-24.2
- Installing the Search Guard (security/authentication) plugin
Switch to the Elasticsearch install directory and install the Search Guard plugin with the elasticsearch-plugin command:
./bin/elasticsearch-plugin install -b com.floragunn:search-guard-6:<version>
For the <version> parameter see: https://github.com/floragunncom/search-guard/wiki
Example: ./bin/elasticsearch-plugin install -b com.floragunn:search-guard-6:6.6.2-24.2
- Generating TLS certificates online (the vendor offers several ways to generate them)
Online generator: https://search-guard.com/tls-certificate-generator/
Server hosts configuration (shown in a screenshot in the original post)
- Configuring the certificates
The certificate files are sent to your mailbox; the archive has the directory structure below. See README.txt in the certificate directory for details.
search-guard-certificates-<UUID>.tar.gz
│
└─── client-certificates
│ Contains two client certificates named 'admin' and 'demouser'
│ The 'admin' certificate can be used with sgadmin and the REST API.
│ The CN of this certificate is 'sgadmin'. The demouser certificate can be used
│ for HTTPS client authentication. The CN of this certificate is 'demouser'
└─── node-certificates
│ Contains the certificates in jks, p12 and pem format to be used
│ on your Elasticsearch nodes. You will find certificates for all
│ hostnames you specified when submitting the form.
└─── root-ca
│ Contains the root CA certificate and private key in PEM format.
└─── config
│ Same as above, but for the signing CA
└─── truststore.jks
│ The truststore containing the certificate chain
│ of the root and signing CA, and the root certificate and private key in PEM format.
│ Can be used on all nodes.
└─── root-ca.pem
│ The root CA in PEM format.
│ Can be used on all nodes.
└─── chain-ca.pem
│ The certificate chain containing the root and signing CA in PEM format.
Following README.txt, copy the certificates and edit ES_HOME/config/elasticsearch.yml. The steps are:
# Copy the certificates
#   node-certificates: the certificate directory from the archive
#   ES_HOME:           the Elasticsearch install directory
#   SG_HOME:           ES_HOME/plugins/search-guard-6 (plugin install directory)
cp node-certificates/CN=[hostname].crtfull.pem ES_HOME/config/
cp node-certificates/CN=[hostname].key.pem ES_HOME/config/
cp node-certificates/chain-ca.pem ES_HOME/config/
cp node-certificates/truststore.jks SG_HOME/tools/
# The sgadmin keystore sits in client-certificates (a sibling of node-certificates in the tree above)
cp client-certificates/CN=sgadmin-keystore.jks SG_HOME/tools/
Edit the Elasticsearch config file (ES_HOME/config/elasticsearch.yml):
xpack.security.enabled: false
searchguard.ssl.transport.pemcert_filepath: CN=node-01.crtfull.pem
searchguard.ssl.transport.pemkey_filepath: CN=node-01.key.pem
searchguard.ssl.transport.pemkey_password: <password>   # see README.txt
searchguard.ssl.transport.pemtrustedcas_filepath: chain-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: false
searchguard.ssl.http.pemcert_filepath: CN=node-01.crtfull.pem
searchguard.ssl.http.pemkey_filepath: CN=node-01.key.pem
searchguard.ssl.http.pemkey_password: <password>   # see README.txt
searchguard.ssl.http.pemtrustedcas_filepath: chain-ca.pem
searchguard.authcz.admin_dn:
  - CN=sgadmin
  # - CN=demouser
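As an added example (not code from the original post or from Search Guard), a small Python audit that reads the flat `key: value` lines of the elasticsearch.yml above and flags the settings that weaken this setup: `searchguard.ssl.http.enabled: false` leaves the REST layer on plain HTTP, so the admin:admin login later in the post travels in cleartext; `enforce_hostname_verification: false` accepts any node certificate signed by the CA for any host; and any `admin_dn` other than CN=sgadmin grants full admin rights. The parser, the function names and the sample file are assumptions constructed for this example.

```python
# Hypothetical audit helper (added example, not part of Search Guard): reads the
# flat `key: value` lines and simple `- item` lists of elasticsearch.yml without
# PyYAML and flags settings from the walkthrough that weaken the deployment.

# Constructed sample: the Search Guard lines from the walkthrough above.
SAMPLE_ES_YML = """\
xpack.security.enabled: false
searchguard.ssl.transport.pemtrustedcas_filepath: chain-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: false
searchguard.ssl.http.pemtrustedcas_filepath: chain-ca.pem
searchguard.authcz.admin_dn:
- CN=sgadmin
# - CN=demouser
"""


def parse_es_yml(text):
    """Parse flat keys and one level of '- item' lists into a dict."""
    settings, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        if line.lstrip().startswith("- ") and current is not None:
            settings[current].append(line.strip()[2:].strip())
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if value:                                  # scalar setting
            settings[key], current = value, None
        else:                                      # list header, e.g. admin_dn:
            settings[key], current = [], key
    return settings


def audit_searchguard(settings):
    findings = []
    if settings.get("searchguard.ssl.http.enabled", "false").lower() != "true":
        findings.append("http: REST TLS is off, so admin:admin and other Basic "
                        "logins to :9200 travel in cleartext")
    if settings.get("searchguard.ssl.transport.enforce_hostname_verification",
                    "true").lower() == "false":
        findings.append("transport: hostname verification disabled; any node "
                        "cert signed by the CA is accepted for any host")
    for dn in settings.get("searchguard.authcz.admin_dn", []):
        if dn != "CN=sgadmin":
            findings.append("admin_dn: unexpected full-admin DN " + dn)
    return findings
```

Run `audit_searchguard(parse_es_yml(open("ES_HOME/config/elasticsearch.yml").read()))` against the real file; an empty list means none of the three weak settings is present.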
That completes the configuration. Switch to the Elasticsearch user, start Elasticsearch, then run the following commands (the passwords are in README.txt):
cd ES_HOME/plugins/search-guard-<version>/tools
chmod 755 ./sgadmin.sh
./sgadmin.sh -ts truststore.jks -tspass 286a7b7a8970af4e8467 -ks CN=sgadmin-keystore.jks -kspass 449e1fcd3cba8bb7d491 -nhnv -icl -cd ../sgconfig/
The command output is shown in a screenshot in the original post.
- The moment of truth!!!
Open a browser at http://IP:9200/_searchguard/authinfo; a login prompt pops up. Enter admin:admin and the login succeeds (screenshot in the original post).
- Permission configuration
Create a user:
--username: colin
--password: colin
--permissions: the Kibana service permission and CRUD on the index "colin" only, with no Logstash permission
Layout of the internal user database directory (ES_HOME/plugins/search-guard-<version>/sgconfig/):
--sg_internal_users.yml  user records
--sg_roles.yml           permission definitions
--sg_roles_mapping.yml   mapping between permissions and users
# Create the user
vim sg_internal_users.yml   # add the user record
#password is: colin
colin:
  readonly: true
  hash: $2y$12$8YYO/iYi1k31G5avwHonfOGfv5F/NTIMzPxtziVBg8FIf3q979iiO
  roles:
    - sg_role_colin
    - kibanauser
# Add the permissions
vim sg_roles.yml   # add the role
sg_role_colin:
  cluster:
    - UNLIMITED
  indices:
    'colin':
      '*':
        - INDICES_ALL
      # _dls_: '<dls query>'
      # _fls_:
      #   - '<field>'
      #   - '<field>'
# Apply the configuration immediately
cd ES_HOME/plugins/search-guard-<version>/tools
./sgadmin.sh -ts truststore.jks -tspass 286a7b7a8970af4e8467 -ks CN=sgadmin-keystore.jks -kspass 449e1fcd3cba8bb7d491 -nhnv -icl -cd ../sgconfig/
With the permissions in place, check the effect in Kibana:
- Querying the colin index returns results normally (screenshot in the original post).
- Querying the wl_travel index returns a permission-denied error (screenshot in the original post).