ELK之ElasticSearch 6.X安全认证Search Guard(demo01)

elk 2019/03/27 58
Table of Contents
  1. 结语:有很多地方还没弄明白,稀里糊涂配置完!反正是能用了,对不对就不知道。

ElasticSearch单节点安装Search Guard插件

1
2
3
4
5
版本介绍:
  ElasticSearch:6.6.2
  Logstash:6.6.2
  Kibana:6.6.2
  Search Guard:6.6.2-24.2
  1. Search Guard(安全认证)插件安装

切换到ElasticSearch安装目录,通过使用elasticsearch plugin命令安装Search Guard插件

1
./bin/elasticsearch-plugin install -b com.floragunn:search-guard-6:<version>

参数参考: https://github.com/floragunncom/search-guard/wiki

1
例:./bin/elasticsearch-plugin install -b com.floragunn:search-guard-6:6.6.2-24.2
  1. 基于在线方式生成TLS证(官方提供多中方式生成
       在线生成地址:https://search-guard.com/tls-certificate-generator/
    image.png
    服务器hosts配置
    image.png
  1. 配置证书
    证书文件会发送到邮箱中,目录结构如下。详细描述参考证书目录下README.txt
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    search-guard-certificates-<UUID>.tar.gz

    └─── client-certificates
    │        Contains two client certificates named 'admin' and 'demouser'
    │        The 'admin' certificate can be used with sgadmin and the REST API.
    │        The CN of this certificate is 'sgadmin'. The demouser certificate can be used
    │        for HTTPS client authentication. The CN of this certificate is 'demouser'
    └─── node-certificates
    │        Contains the certificates in jks, p12 and pem format to be used
    │        on your Elasticsearch nodes. You will find certificates for all
    │        hostnames you specified when submitting the form.
    └─── root-ca
    │        Contains the root CA certificate and private key in PEM format.
    └─── config
    │        Same as above, but for the signing CA
    └─── truststore.jks
    │        The truststore containing the certificate chain
    │        of the root and signing CA, and the root certificate and private key in PEM format.
    │        Can be used on all nodes.
    └─── root-ca.pem
    │        The root CA in PEM format.
    │        Can be used on all nodes.
    └─── chain-ca.pem
    │        The certificate chain containg the root and signing CA in PEM format.

参考README.txt 复制证书及修改ES_HOME/config/elasticsearch.yml配置,配置如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
/**
  复制证书
      node-certificates:证书目录
      ES_HOME:elasticsearch安装目录
      SG_HOME:ES_HOME/plugins/search-guard-6(插件安装目录)
**/
cp node-certificates/CN=[hostname].crtfull.pem ES_HOME/config/
cp node-certificates/CN=[hostname].key.pem ES_HOME/config/
cp node-certificates/chain-ca.pem ES_HOME/config/
cp node-certificates/truststore.jks SG_HOME/tools/
cp node-certificates/client-certificates/CN=sgadmin-keystore.jks SG_HOME/tools/

修改es配置文件

xpack.security.enabled: false
searchguard.ssl.transport.pemcert_filepath: CN=node-01.crtfull.pem
searchguard.ssl.transport.pemkey_filepath: CN=node-01.key.pem
searchguard.ssl.transport.pemkey_password: 密码查看看README.txt
searchguard.ssl.transport.pemtrustedcas_filepath: chain-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: false
searchguard.ssl.http.pemcert_filepath: CN=node-01.crtfull.pem
searchguard.ssl.http.pemkey_filepath: CN=node-01.key.pem
searchguard.ssl.http.pemkey_password: 密码查看看README.txt
searchguard.ssl.http.pemtrustedcas_filepath: chain-ca.pem

searchguard.authcz.admin_dn:
  - CN=sgadmin
#  - CN=demouser

至此配置告一段落,切换用户启动es,执行以下命令,注意密码查看README.txt

1
2
3
cd ES_HOME/plugins/search-guard-<version>/tools
chmod 755 ./sgadmin.sh
./sgadmin.sh -ts truststore.jks -tspass 286a7b7a8970af4e8467 -ks CN=sgadmin-keystore.jks -kspass 449e1fcd3cba8bb7d491 -nhnv -icl -cd ../sgconfig/

命令输出如下
image.png

  1. 见证奇迹时刻!!!
    打开浏览器输入http://IP:9200/_searchguard/authinfo,成功弹出登录提示框!输入admin:admin登录成功

image.png

  1. 权限配置
        创建一个用户:
         –用户名:colin
         –密码:colin,
         –权限:kibana服务权限、只有索引【colin】crud权限,没有logstash权限)
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    内部数据库目录结构(ES_HOME/plugins/search-guard-<version>/sgconfig/)
      --sg_internal_users.yml     用户信息
      --sg_roles.yml              权限设置
      --sg_roles_mapping.yml      映射权限和用户关系

    #创建用户
    vim sg_internal_users.yml  #添加用户信息
    #password is: colin
    colin:
      readonly: true
      hash: $2y$12$8YYO/iYi1k31G5avwHonfOGfv5F/NTIMzPxtziVBg8FIf3q979iiO
      roles:
        - sg_role_colin
        - kibanauser

    #添加权限
    vim sg_roles.yml  #添加权限
    sg_role_colin:
      cluster:
        - UNLIMITED
      indices:
        'colin':
          '*':
            - INDICES_ALL
    #      _dls_: '<dls query>'
    #      _fls_:
    #        - '<field>'
    #        - '<field>'

    #使配置立即生效
    cd ES_HOME/plugins/search-guard-<version>/tools
    ./sgadmin.sh -ts truststore.jks -tspass 286a7b7a8970af4e8467 -ks CN=sgadmin-keystore.jks -kspass 449e1fcd3cba8bb7d491 -nhnv -icl -cd ../sgconfig/

权限配置完成通过kibana查看效果,如下

  • 查询colin索引,结果正常
    image.png
  • 查询wl_travel索引,提示无权操作
    image.png

下一篇介绍SpringBoot2.X连接ElasticSearch

结语:有很多地方还没弄明白,稀里糊涂配置完!反正是能用了,对不对就不知道。

相关文章

转载声明:本博客由叶壮创作,采用 CC BY 3.0 CN 许可协议。可自由转载、引用,但需署名作者且注明文章出处。如转载至微信公众号,请在文末添加作者公众号二维码。

评论系统未开启,无法评论!

Total: 12919   |   Visitors: 12071   Since 2018-12-26
Copyright © 2017 | Powered by Hexo | Theme by ITMuch