ElasricSearch &Search_guard5配置
saber-sky@hotmail.com
-- elasticSearch版本5.6.3
-- search-guard版本5.6.3
一. ElasticSearch安装Search-guard
cd 至elasticsearch 的bin目录:cd /data/elasticsearch-5.6.3/bin
安装search-guard : ./elasticsearch-plugin install -bcom.floragunn:search-guard-5:5.6.3-18
Search-guard 版本要和elasticsearch一致,查询网址:https://oss.sonatype.org/content/repositories/releases/com/floragunn/search-guard-5/
安装成功如下图
二.快速启动:
切换至elasticsearch/plugins 目录看到search-guard已经安装成功
运行:./search-guard-5/tools/install_demo_configuration.sh
运行开发这已经配置好的权限安装至elasticsearch
(这一步已经帮你配置好elasticsearch,http访问已经不可用,要是有https访问)
启动elasticSearch : 切换至elasticseach/bin运行./ elasticseach
浏览器访问 https://admin:admin@localhost:9200/_searchguard/authinfo?pretty
成功则显示
三、权限配置
下载search-guard-ssl这里提供官方下载地址:https://github.com/floragunncom/search-guard-ssl.git
etc目录下的两个文件,就只是修改公司信息,两个一直即可
两个文件要一样,公司信息
下面修改证书生成信息
example.sh
运行后会生成证书
把 服务端证书.jks+truststore.jks复制到elasticsearch/config目录下
把 客户端证书.jks+ truststore.jks 复制到elasticsearch/ plugins/search-guard-5/sgconfig目录下
修改elasticsearch配置文件
修改用户权限
(1)sg_config.yml
Configure
authenticators and authorization backends。主配置文件不需要做改动。
(2)sg_internal_users.yml
本地用户文件,定义用户密码以及对应的权限。例如:对于 我们需要一个 kibana 登录用户和一个 logstash 用户:
kibana4:
hash:$2a$12$xZOcnwYPYQ3zIadnlQIJ0eNhX1ngwMkTN.oMwkKxoGvDVPn4/6XtO
#password is: kirk
roles:
- kibana4
logstash:
hash: $2a$12$xZOcnwYPYQ3zIadnlQIJ0eNhX1ngwMkTN.oMwkKxoGvDVPn4/6XtO
#password is: kirk
roles:
- logstash
密码可用plugins/search-guard-5/tools/hash.sh生成。
(3)sg_roles.yml
权限配置文件,这里提供 kibana4 和 logstash 的权限样例。
sg_kibana4:
cluster:
- cluster:monitor/nodes/info
- cluster:monitor/health
indices:
'*':
'*':
- indices:admin/mappings/fields/get
- indices:admin/validate/query
- indices:data/read/search
- indices:data/read/msearch
- indices:admin/get
- indices:data/read/field_stats
'?kibana':
'*':
- indices:admin/exists
- indices:admin/mapping/put
- indices:admin/mappings/fields/get
- indices:admin/refresh
- indices:admin/validate/query
- indices:data/read/get
sg_logstash:
cluster:
- indices:admin/template/get
- indices:admin/template/put
indices:
'logstash-*':
'*':
- WRITE
- indices:data/write/bulk
- indices:data/write/delete
- indices:data/write/update
- indices:data/read/search
- indices:data/read/scroll
- CREATE_INDEX
(4)sg_roles_mapping.yml
定义用户的映射关系,添加 kibana 及 logstash 用户对应的映射:
sg_logstash:
users:
- logstash
sg_kibana4:
backendroles:
- kibana
users:
- kibana4
(5)sg_action_groups.yml
定义权限
3、启动
(1)到Elasticsearch的bin目录下,重启Elasticsearch。
(2)通过下面命令启动search-guard。
新增用户配置成功显示
四.Java SSL连接
public static void main(String[] args) throws UnknownHostException{
Settings settings = Settings.builder()
.put("searchguard.ssl.transport.enabled", true)
.put("searchguard.ssl.transport.keystore_filepath", "D:\\William\\Projects\\searchGuardTest\\src\\main\\resources\\test-keystore.jks")
.put("searchguard.ssl.transport.truststore_filepath",
"D:\\William\\Projects\\searchGuardTest\\src\\main\\resources\\truststore.jks")
.put("searchguard.ssl.transport.keystore_password", "12345678")
.put("searchguard.ssl.transport.truststore_password", "12345678")
.put("searchguard.ssl.transport.enforce_hostname_verification", false)
.put("client.transport.ignore_cluster_name", true)
.build();
TransportClient client =new PreBuiltTransportClient(settings,SearchGuardSSLPlugin.class)
.addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName("127.0.0.1"),9300));
client.admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet();
//搜索数据
GetResponse response = client.prepareGet("agin", "log_bet_rcd_agin_live", "171212226218993").execute().actionGet();
//输出结果
System.out.println(response.getSourceAsString());
//关闭client
client.close();
}
网友评论