Elasticsearch: fine-grained access control with Search Guard

This walkthrough uses elasticsearch-2.3.5.

Upstream project on GitHub: https://github.com/floragunncom

What it gives you: permissions can be granted per group, per user, per index, per type and per field. Very powerful, on a par with Shield (Elastic's commercial security plugin of the time).
Install the Elasticsearch plugins

Both plugins are needed: search-guard-ssl supplies the TLS layer, search-guard-2 the authentication and authorization on top of it. The first three components of each plugin version must match the Elasticsearch version (2.3.5 here); the last component is the plugin's own release number.

bin/plugin install -b com.floragunn/search-guard-ssl/2.3.5.15
bin/plugin install -b com.floragunn/search-guard-2/2.3.5.5
After installation the directory layout looks like this (head, ik and kopf are other plugins already present on this node):

/usr/local/elk/elasticsearch-2.3.5
.
├── bin
├── config
│   └── scripts
├── data
│   └── elasticsearch
├── lib
├── logs
├── modules
│   ├── lang-expression
│   ├── lang-groovy
│   └── reindex
└── plugins
    ├── head
    ├── ik
    ├── kopf
    ├── search-guard-2
    └── search-guard-ssl
Download the search-guard-ssl source archive, which contains the scripts that generate the certificates:

wget https://github.com/floragunncom/search-guard-ssl/archive/v2.3.5.15.zip
unzip v2.3.5.15.zip
cd search-guard-ssl-2.3.5.15/example-pki-scripts/
Three scripts are of interest:

gen_root_ca.sh          creates the root CA
gen_node_cert.sh        creates a node certificate
gen_client_node_cert.sh creates a client certificate (here: the admin certificate that sgadmin.sh will use)
Edit the scripts so the certificate subject is just the CN. The client certificate's subject is the DN that Search Guard later compares, as an exact match, against searchguard.authcz.admin_dn, so whatever you choose here must be repeated verbatim in elasticsearch.yml:

vim gen_client_node_cert.sh
  find:       -dname "CN=$CLIENT_NAME, OU=client, O=client, L=Test, C=DE"
  change to:  -dname "CN=$CLIENT_NAME"

vim gen_node_cert.sh
  find:       -dname "CN=$NODE_NAME.example.com, OU=SSL, O=Test, L=Test, C=DE" \
  change to:  -dname "CN=$NODE_NAME" \
Edit example.sh so it generates the root CA, two node certificates and the admin client certificate, then copies the stores to where Elasticsearch and sgadmin.sh expect them:

vim example.sh

#!/bin/bash
set -e
./clean.sh
./gen_root_ca.sh password password
./gen_node_cert.sh node-0 password password
./gen_node_cert.sh node-1 password password
./gen_client_node_cert.sh admin password password
cp truststore.jks node-0-keystore.jks /usr/local/elk/elasticsearch-2.3.5/config/
cp truststore.jks admin-keystore.jks /usr/local/elk/elasticsearch-2.3.5/plugins/search-guard-2/sgconfig/

The password arguments protect the generated stores and the CA key; "password" is used here only for the walkthrough and must be replaced with real secrets. admin-keystore.jks is the credential that lets whoever holds it rewrite the entire Search Guard configuration, so treat it like a root key and do not leave a copy on every node.
The current directory now contains these files:

node-0-keystore.jks
node-1-keystore.jks
admin-keystore.jks
truststore.jks

The copy step above only covers node-0; node-1 needs truststore.jks and node-1-keystore.jks copied into its own config/ directory in the same way.
Next, configure Search Guard in config/elasticsearch.yml:

#############################################################################################
# SEARCH GUARD                                                                              #
# Configuration                                                                             #
#############################################################################################
searchguard.enable: true
searchguard.authcz.admin_dn:
  - CN=admin

#############################################################################################
# SEARCH GUARD SSL                                                                          #
# Configuration                                                                             #
#############################################################################################

#############################################################################################
# Transport layer SSL                                                                       #
#############################################################################################
# Enable or disable node-to-node ssl encryption (default: true)
searchguard.ssl.transport.enabled: true
# JKS or PKCS12 (default: JKS)
#searchguard.ssl.transport.keystore_type: PKCS12
# Relative path to the keystore file (mandatory, this stores the server certificates), must be placed under the config/ dir
searchguard.ssl.transport.keystore_filepath: node-0-keystore.jks
# Alias name (default: first alias which could be found)
#searchguard.ssl.transport.keystore_alias: my_alias
# Keystore password (default: changeit)
searchguard.ssl.transport.keystore_password: password
# JKS or PKCS12 (default: JKS)
#searchguard.ssl.transport.truststore_type: PKCS12
# Relative path to the truststore file (mandatory, this stores the client/root certificates), must be placed under the config/ dir
searchguard.ssl.transport.truststore_filepath: truststore.jks
# Alias name (default: first alias which could be found)
#searchguard.ssl.transport.truststore_alias: my_alias
# Truststore password (default: changeit)
searchguard.ssl.transport.truststore_password: password
# Enforce hostname verification (default: true)
searchguard.ssl.transport.enforce_hostname_verification: false
# If hostname verification is on, specify whether the hostname should be resolved (default: true)
searchguard.ssl.transport.resolve_hostname: false
# Use native OpenSSL instead of JDK SSL if available (default: true)
searchguard.ssl.transport.enable_openssl_if_available: false

Two things to be aware of in this fragment. First, it only encrypts the transport layer (port 9300); the HTTP API on 9200 stays plain text, so the Basic-auth credentials used later cross the network in clear unless searchguard.ssl.http.enabled: true is set and a keystore/truststore is configured the same way under searchguard.ssl.http.*. Second, enforce_hostname_verification is switched off because the node certificates were issued with a bare subject such as CN=node-0, which would not match the host name the other nodes use to reach that node. The consequence is that a node certificate signed by this CA is accepted from any host, not only the one it was issued to, so keep the CA key off the cluster and issue node certificates only to machines you intend to join.
Start the Elasticsearch cluster, then load the Search Guard configuration into it with sgadmin.sh (this is what creates the searchguard index from the files in sgconfig):

./plugins/search-guard-2/tools/sgadmin.sh -cn <cluster name> -h <hostname> -cd plugins/search-guard-2/sgconfig -ks plugins/search-guard-2/sgconfig/admin-keystore.jks -kspass password -ts plugins/search-guard-2/sgconfig/truststore.jks -tspass password -nhnv

<hostname> is the value set in network.host. -nhnv disables hostname verification for this connection, matching enforce_hostname_verification: false above. -ks/-kspass must point at the admin keystore whose certificate subject (CN=admin) is listed in searchguard.authcz.admin_dn; with any other certificate the cluster refuses to write the configuration.
The script's output looks like this:

Will connect to YourIP:9300 ... done
Contacting elasticsearch cluster 'YourCluster' and wait for YELLOW clusterstate ...
Clustername: YourCluster
Clusterstate: GREEN
Number of nodes: 4
Number of data nodes: 4
Search Guard index already exists, so we do not need to create one.
Populate config from /usr/local/elk/elasticsearch-2.3.5/plugins/search-guard-2/sgconfig
Will update 'config' with plugins/search-guard-2/sgconfig/sg_config.yml
   SUCC: Configuration for 'config' created or updated
Will update 'roles' with plugins/search-guard-2/sgconfig/sg_roles.yml
   SUCC: Configuration for 'roles' created or updated
Will update 'rolesmapping' with plugins/search-guard-2/sgconfig/sg_roles_mapping.yml
   SUCC: Configuration for 'rolesmapping' created or updated
Will update 'internalusers' with plugins/search-guard-2/sgconfig/sg_internal_users.yml
   SUCC: Configuration for 'internalusers' created or updated
Will update 'actiongroups' with plugins/search-guard-2/sgconfig/sg_action_groups.yml
   SUCC: Configuration for 'actiongroups' created or updated
Done with success
From now on every request to Elasticsearch must carry a username and password (HTTP Basic authentication), checked against the users in sg_internal_users.yml. The sgconfig directory shipped with the plugin contains demo users whose passwords are published, so replace them with your own (password hashes are produced with plugins/search-guard-2/tools/hash.sh) and re-run sgadmin.sh before anyone else can reach the cluster.
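As an added example (not code from this post or from the Search Guard project), the Python script below audits a Search Guard fragment like the one above for the weak points discussed in this walkthrough: default or trivial keystore passwords, the HTTP layer left unencrypted, and hostname verification switched off. The two config fragments embedded in it are constructed for the example, the hardened passwords are hypothetical placeholders, and the filepath keys are left out because they do not affect the checks. It uses a small hand-written parser for the flat key: value layout instead of a YAML library so it runs with the standard library only.

```python
"""Audit the Search Guard section of an elasticsearch.yml for weak settings.

Added example for this walkthrough, not code from the post or from the
Search Guard project. It reads flat ``key: value`` lines plus a ``- item``
list under a bare key (nested mappings and quoted values are out of scope).
"""
import re

# The documented default ("changeit") plus values that are trivially guessable.
WEAK_PASSWORDS = {"changeit", "password", "admin", ""}

_COMMENT = re.compile(r"(^|\s)#.*$")  # '#' at line start or after whitespace


def parse_flat_yaml(text):
    """Flat 'key: value' lines to a dict; 'true'/'false' become bools and a
    bare 'key:' followed by '- item' lines becomes a list."""
    settings, list_key = {}, None
    for raw in text.splitlines():
        line = _COMMENT.sub("", raw).strip()
        if not line:
            continue
        if line.startswith("- ") and list_key is not None:
            settings[list_key].append(line[2:].strip())
            continue
        list_key = None
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if value == "":
            settings[key], list_key = [], key
        elif value.lower() in ("true", "false"):
            settings[key] = value.lower() == "true"
        else:
            settings[key] = value
    return settings


def audit(settings):
    """Return human-readable findings for one node's Search Guard settings."""
    findings = []
    if settings.get("searchguard.enable") is not True:
        findings.append("searchguard.enable is not true: no authentication "
                        "or authorization is applied")
    if not settings.get("searchguard.authcz.admin_dn"):
        findings.append("searchguard.authcz.admin_dn is empty: sgadmin.sh has "
                        "no certificate it may use to write the config index")
    for layer, traffic in (("transport", "node-to-node traffic"),
                           ("http", "client traffic, Basic-auth credentials included")):
        key = f"searchguard.ssl.{layer}.enabled"
        # Plugin defaults when the key is absent: transport TLS on, HTTP TLS off.
        if settings.get(key, layer == "transport") is not True:
            findings.append(f"{key} is not true: {traffic} is sent in clear text")
            continue
        for store in ("keystore", "truststore"):
            key = f"searchguard.ssl.{layer}.{store}_password"
            if settings.get(key, "changeit") in WEAK_PASSWORDS:
                findings.append(f"{key} is the default or a trivial value")
    key = "searchguard.ssl.transport.enforce_hostname_verification"
    if settings.get(key, True) is False:  # default: true
        findings.append(f"{key} is false: a node certificate signed by the cluster "
                        "CA is accepted from any host, not only the one it was issued to")
    return findings


def audit_text(text):
    return audit(parse_flat_yaml(text))


# Constructed sample: the transport-only fragment from the post (filepaths omitted).
POST_CONFIG = """\
searchguard.enable: true
searchguard.authcz.admin_dn:
  - CN=admin
searchguard.ssl.transport.enabled: true
searchguard.ssl.transport.keystore_password: password
searchguard.ssl.transport.truststore_password: password
searchguard.ssl.transport.enforce_hostname_verification: false
"""

# Constructed sample: the same node with the weak points corrected. The
# passwords are hypothetical placeholders, not values from the post.
HARDENED_CONFIG = """\
searchguard.enable: true
searchguard.authcz.admin_dn:
  - CN=admin
searchguard.ssl.transport.enabled: true
searchguard.ssl.transport.keystore_password: 7hR2-node0-keystore   # hypothetical
searchguard.ssl.transport.truststore_password: 9kQx-truststore     # hypothetical
searchguard.ssl.transport.enforce_hostname_verification: true
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_password: 7hR2-node0-keystore
searchguard.ssl.http.truststore_password: 9kQx-truststore
"""

if __name__ == "__main__":
    for name, cfg in (("post config", POST_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}")
        for finding in audit_text(cfg) or ["no findings"]:
            print(" -", finding)
```

Run against the post's fragment it reports four findings (both transport store passwords, HTTP not encrypted, hostname verification off) and none for the hardened version. Turning enforce_hostname_verification back on only works if each node certificate's CN (or a subject alternative name) matches the host name the other nodes use to reach it; with the CN=node-0 style subjects generated above that means either naming the hosts accordingly or regenerating the node certificates with their real host names.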