Using search-guard for access control in elasticsearch


Author: 奋斗的小鹿l | Source: published 2019-10-28 16:58, read 0 times

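    Once an elasticsearch node's IP and port are exposed, anyone who can reach them can perform any operation on the whole cluster: deleting indices, changing data, and so on. How can access be restricted?
    This article installs search-guard from an offline download. Online installation also works; see the official site for details.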

    0. Base environment

    elasticsearch6.2.3
    search-guard-6-6.2.3-23.0

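    1. Download the search-guard release that matches your ES version from the search-guard website

    Download the matching version of search-guard from the official site. The author uses es6.2.3; the offline download URL is: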
    https://oss.sonatype.org/service/local/repositories/releases/content/com/floragunn/search-guard-6/6.2.3-23.0/search-guard-6-6.2.3-23.0.zip

    2. Install the plugin

    ./bin/elasticsearch-plugin install -b file:///path/search-guard-6-6.2.3-23.0.zip
    

    3. Certificate download URL

    https://downloads.search-guard.com/resources/certificates/certificates.zip

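    4. Unzip

    Extract certificates.zip to elasticsearch-6.2.3\config\certificates

    5. Edit elasticsearch.yml

    Append the following to the end of the yml file. The searchguard.allow_unsafe_democertificates setting is there because the certificates from step 3 are the publicly downloadable demo certificates.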

    searchguard.ssl.transport.pemcert_filepath: certificates/esnode.pem
    searchguard.ssl.transport.pemkey_filepath: certificates/esnode-key.pem
    searchguard.ssl.transport.pemtrustedcas_filepath: certificates/root-ca.pem
    searchguard.ssl.transport.enforce_hostname_verification: false
    searchguard.ssl.http.enabled: true
    searchguard.ssl.http.pemcert_filepath: certificates/esnode.pem
    searchguard.ssl.http.pemkey_filepath: certificates/esnode-key.pem
    searchguard.ssl.http.pemtrustedcas_filepath: certificates/root-ca.pem
    searchguard.allow_unsafe_democertificates: true
    searchguard.allow_default_init_sgindex: true
    searchguard.authcz.admin_dn:
      - CN=kirk,OU=client,O=client,L=test,C=de
    searchguard.enable_snapshot_restore_privilege: true
    searchguard.check_snapshot_restore_write_privileges: true
    searchguard.restapi.roles_enabled: ["sg_all_access"]
    

    6. Access

    https://localhost:9200/_searchguard/authinfo (username: admin, pwd: admin)

    7. How to change the default admin password

    7.1. First, use the bundled hash tool to generate a hash string

    elasticsearch-6.2.3\plugins\search-guard-6\tools
    .\hash.bat -p newpwd
    

    7.2. Make the new password take effect

    sgadmin.bat -cd ..\sgconfig -key ..\..\..\config\certificates\kirk-key.pem -cert ..\..\..\config\certificates\kirk.pem -cacert ..\..\..\config\certificates\root-ca.pem -nhnv -icl
    

    8. Obtaining a JestClient via searchbox (connecting to es with basic auth)

    
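        import io.searchbox.client.JestClientFactory;
        import io.searchbox.client.config.HttpClientConfig;
        import java.security.cert.X509Certificate;
        import javax.net.ssl.HostnameVerifier;
        import javax.net.ssl.SSLContext;
        import javax.net.ssl.SSLSession;
        import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
        import org.apache.http.ssl.SSLContextBuilder;
        import org.apache.http.ssl.SSLContexts;
        import org.apache.http.ssl.TrustStrategy;

        // Inside the method that creates the client:
        JestClientFactory factory = new JestClientFactory();
        factory.setHttpClientConfig(new HttpClientConfig.Builder("https://ip:9200")
                .defaultCredentials(username, pwd)
                .sslSocketFactory(getSslSocketFactory())
                .build());

        private static SSLConnectionSocketFactory getSslSocketFactory() throws Exception {
            SSLContextBuilder builder = SSLContexts.custom();
            // Accepts every certificate chain: the server certificate is not validated.
            builder.loadTrustMaterial(new TrustStrategy() {
                @Override
                public boolean isTrusted(X509Certificate[] chain, String authType) {
                    return true;
                }
            });
            SSLContext sslcontext = builder.build();
            // Accepts every host name: hostname verification is switched off.
            SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslcontext,
                    new String[] {"TLSv1", "TLSv1.1", "TLSv1.2"}, null, new HostnameVerifier() {
                @Override
                public boolean verify(String arg0, SSLSession arg1) {
                    return true;
                }
            });
            return sslsf;
        }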
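
The client in step 8 accepts any certificate and any host name, so TLS gives no assurance that the basic-auth credentials reach the real cluster. As an added example (not code from the original article), the factory below trusts only the CA in a copy of `root-ca.pem` and keeps hostname verification on; the class name `PinnedCaSocketFactory`, the method `fromCaPem` and the TLSv1.2-only protocol list are assumptions made here.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.ssl.SSLContexts;

// Added example; the class and method names are hypothetical.
public final class PinnedCaSocketFactory {
    private PinnedCaSocketFactory() {}

    /** Trust only the CA certificate(s) in caPemPath (e.g. a copy of root-ca.pem). */
    public static SSLConnectionSocketFactory fromCaPem(String caPemPath) throws Exception {
        // Empty in-memory trust store, so the JVM's default CAs are not trusted.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);

        // A PEM file may hold several certificates; add each one as a trust anchor.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int count = 0;
        try (InputStream in = Files.newInputStream(Paths.get(caPemPath))) {
            for (Certificate ca : cf.generateCertificates(in)) {
                trustStore.setCertificateEntry("es-ca-" + count++, ca);
            }
        }
        if (count == 0) {
            throw new IllegalArgumentException("no certificate found in " + caPemPath);
        }

        // A null TrustStrategy means normal chain validation against trustStore only.
        SSLContext sslContext = SSLContexts.custom()
                .loadTrustMaterial(trustStore, null)
                .build();

        // The default verifier checks the host name in the URL against the
        // names listed in the node certificate.
        return new SSLConnectionSocketFactory(
                sslContext,
                new String[] {"TLSv1.2"},
                null,
                SSLConnectionSocketFactory.getDefaultHostnameVerifier());
    }
}
```

Pass the result to `.sslSocketFactory(...)` in place of `getSslSocketFactory()`. The node certificate must list the host name or IP used in the URL, otherwise the handshake is rejected.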
    

    9. How to connect from nodejs

    nodejs connects to es with a username and password (basic-auth)
    Reference: https://www.elastic.co/guide/en/elasticsearch/client/javascript-api/current/auth-reference.html
    In practice: host: https://username:pwd@ip:9200
