Table of Contents

  • Install the Search Guard Plugin for your Elasticsearch version
    • Disable shard allocation
    • Stop all nodes
    • Download
    • Install
  • Generate all required TLS certificates
    • Download the offline TLS tool
    • Config node- and certificate configuration settings
    • Generate Root and Intermediate CA
    • Generate Node and Client CA
  • Config SSL
    • Distribute certificates
    • Change the permission on directory of <ES_HOME>/config
    • Disable X-Pack security
    • Adding the TLS configuration
    • Enable the REST management API
  • Restart Elasticsearch
  • Re-enable shard allocation by using sgadmin
  • Initializing Search Guard
    • Change the permissions on that script and give it execution rights
    • Using sgadmin with PEM certificates
  • Test the installation
    • visiting https://es1:9200
    • Display information about the currently logged in user
    • Search Guard Health Check
    • Accessing data Check
  • Config Kibana
    • Installing the Search Guard Plugin
    • Disable X-Pack Security
    • Configuring the Kibana server user
    • Setting up SSL/TLS
    • Configuring the Root CA
  • Config logstash
    • Check permissions for the logstash user
    • set up a logstash user
    • Setting up TLS/SSL

Install the Search Guard Plugin for your Elasticsearch version

Disable shard allocation

curl -XPUT 'http://es1:9200/_cluster/settings?pretty' -H 'Content-Type: application/json' -d'
{
  "persistent": {
    "cluster.routing.allocation.enable": "none"
  }
}
'

To check that the setting took effect, run the following command

curl -XGET 'http://es1:9200/_cluster/settings?pretty'

If the output looks as follows, the setting was applied successfully

{
  "persistent" : {
    "cluster" : {
      "routing" : {
        "allocation" : {
          "enable" : "none"
        }
      }
    }
  },
  "transient" : { }
}

Stop all nodes

Use the following commands to find the process ID of the ES service (the process listening on ports 9200 and 9300) and stop it

netstat -tnlp
kill -9 <pid>

Download

For the mapping between Search Guard plugin versions and Elasticsearch versions, see: https://docs.search-guard.com/latest/search-guard-versions

This guide uses elasticsearch-6.6.1 as the example. Because the production servers have no internet access, the plugin is installed offline, so first download the Search Guard plugin.

Download URL: https://oss.sonatype.org/service/local/repositories/releases/content/com/floragunn/search-guard-6/6.6.1-24.3/search-guard-6-6.6.1-24.3.zip

Install

Copy search-guard-6-6.6.1-24.3.zip to the server hosting the ES node, change into the <ES_HOME>/bin directory and run the following command to install the plugin

./elasticsearch-plugin install -b file:///usr/local/hadoop/elasticsearch/search-guard-6-6.6.1-24.3.zip

The detailed installation steps are documented at: https://docs.search-guard.com/6.x-24/search-guard-installation#adding-the-tls-configuration

Generate all required TLS certificates

Reference: https://docs.search-guard.com/6.x-24/offline-tls-tool

Download the offline TLS tool

Download URL: https://search.maven.org/#search|ga|1|a%3A"search-guard-tlstool"

The version downloaded here is search-guard-tlstool-1.7.tar.gz

mkdir -p search-guard-tlstool && tar -zxvf search-guard-tlstool-1.7.tar.gz -C search-guard-tlstool  # extract (tar -C needs an existing target directory)

Config node- and certificate configuration settings

Change into the tool's config directory

cp example.yml tlsconfig.yml
vi  tlsconfig.yml

Generate Root and Intermediate CA

After editing, the Self-generated certificate authority section looks as follows

ca:
  root:
    # The distinguished name of this CA. You must specify a distinguished name.
    dn: CN=root.ca.tomas.com,OU=CA,O=tomas,DC=tomas,DC=com
    # The size of the generated key in bits
    keysize: 2048
    # The validity of the generated certificate in days from now
    validityDays: 3650
    # Password for private key
    #   Possible values:
    #   - auto: automatically generated password, returned in config output;
    #   - none: unencrypted private key;
    #   - other values: other values are used directly as password
    pkPassword: root-ca-password
    # The name of the generated files can be changed here
    file: root-ca.pem
  # If you want to use an intermediate certificate as signing certificate,
  # please specify its parameters here. This is optional. If you remove this section,
  # the root certificate will be used for signing.
  intermediate:
    # The distinguished name of this CA. You must specify a distinguished name.
    dn: CN=signing.ca.tomas.com,OU=CA,O=tomas,DC=tomas,DC=com
    # The size of the generated key in bits
    keysize: 2048
    # The validity of the generated certificate in days from now
    validityDays: 3650
    pkPassword: intermediate-ca-password
    file: intermediate-ca.pem
    # If you have a certificate revocation list, you can specify its distribution points here
    # crlDistributionPoints: URI:https://raw.githubusercontent.com/floragunncom/unittest-assets/master/revoked.crl

Change into the tool's tools directory and run the following command to generate the root and intermediate certificates

./sgtlstool.sh -c ../config/tlsconfig.yml -ca

If the following message appears, the root and intermediate certificates were generated successfully

Root certificate and signing certificate have been sucessfully created.

By default the generated certificates are written to the tools/out directory

Generate Node and Client CA

After editing, the Default values and global settings section looks as follows

defaults:
  # The validity of the generated certificate in days from now
  validityDays: 3650
  # Password for private key
  #   Possible values:
  #   - auto: automatically generated password, returned in config output;
  #   - none: unencrypted private key;
  #   - other values: other values are used directly as password
  pkPassword: auto
  # Specifies to recognize legitimate nodes by the distinguished names
  # of the certificates. This can be a list of DNs, which can contain wildcards.
  # Furthermore, it is possible to specify regular expressions by
  # enclosing the DN in //.
  # Specification of this is optional. The tool will always include
  # the DNs of the nodes specified in the nodes section.
  nodesDn:
    - "CN=*.tomas.com,OU=Ops,O=tomas,DC=tomas,DC=com"
    # - 'CN=node.other.com,OU=SSL,O=Test,L=Test,C=DE'
    # - 'CN=*.example.com,OU=SSL,O=Test,L=Test,C=DE'
    # - 'CN=elk-devcluster*'
    # - '/CN=.*regex/'
  # If you want to use OIDs to mark legitimate node certificates,
  # the OID can be included in the certificates by specifying the following
  # attribute
  nodeOid: "1.2.3.4.5.5"
  # The length of auto generated passwords
  generatedPasswordLength: 12
  # Set this to true in order to generate config and certificates for
  # the HTTP interface of nodes
  httpsEnabled: true
  # Set this to true in order to re-use the node transport certificates
  # for the HTTP interfaces. Only recognized if httpsEnabled is true
  reuseTransportCertificatesForHttp: false
  # Set this to true to enable hostname verification
  #verifyHostnames: false
  # Set this to true to resolve hostnames
  #resolveHostnames: false

After editing, the Nodes section looks as follows

nodes:
  - name: es1
    dn: CN=es1.tomas.com,OU=Ops,O=tomas,DC=tomas,DC=com
    dns: es1
  - name: es2
    dn: CN=es2.tomas.com,OU=Ops,O=tomas,DC=tomas,DC=com
    dns: es2
  - name: es3
    dn: CN=es3.tomas.com,OU=Ops,O=tomas,DC=tomas,DC=com
    dns: es3
  - name: es4
    dn: CN=es4.tomas.com,OU=Ops,O=tomas,DC=tomas,DC=com
    dns: es4

After editing, the Clients section looks as follows

clients:
  - name: spock
    dn: CN=spock.tomas.com,OU=Ops,O=tomas,DC=tomas,DC=com
  - name: kirk
    dn: CN=kirk.tomas.com,OU=Ops,O=tomas,DC=tomas,DC=com
    admin: true

Change into the tool's tools directory and run the following command to generate the node and client certificates

./sgtlstool.sh -c ../config/tlsconfig.yml -crt

If the following output appears, the node and client certificates were generated successfully

Using signing certificate: /usr/local/hadoop/elasticsearch/search-guard-tlstool/tools/out/intermediate-ca.pem
Created 4 node certificates.
Passwords for the private keys of the node certificates have been auto-generated. The passwords are stored in the config snippet files.
Created 2 client certificates.
Passwords for the private keys of the client certificates have been auto-generated. The passwords are stored in the file "client-certificates.readme"

Config SSL

Communication between Elasticsearch nodes is unencrypted by default, which leaves the data exposed; Search Guard enforces encrypted communication between Elasticsearch nodes.

Distribute certificates

Copy the certificates generated above to the <ES_HOME>/config directory of the corresponding ES node.
For example, copy the following files to the node whose hostname is es1

root-ca.pem
root-ca.key
intermediate-ca.pem
intermediate-ca.key
es1.pem
es1.key
es1_http.pem
es1_http.key
es1_elasticsearch_config_snippet.yml
kirk.pem
kirk.key
spock.pem
spock.key

and change the permissions of these files to 0600 with the following command

chmod 600 root* intermediate* kirk* spock* es1*

Copy the following files to the node whose hostname is es2

root-ca.pem
root-ca.key
intermediate-ca.pem
intermediate-ca.key
es2.pem
es2.key
es2_http.pem
es2_http.key
es2_elasticsearch_config_snippet.yml
kirk.pem
kirk.key
spock.pem
spock.key

and change the permissions of these files to 0600 with the following command; repeat the same steps on the remaining nodes.

chmod 600 root-ca.* intermediate-ca.* es2* spock.* kirk.*

Change the permission on directory of <ES_HOME>/config

Change the permissions of the <ES_HOME>/config directory on every node of the ES cluster to 0700 with the following command

chmod 700 <ES_HOME>/config

Disable X-Pack security

Starting with version 6.3.0, Elasticsearch and Kibana bundle X-Pack together with the OSS distribution. If the Elasticsearch version is 6.3.0 or later, X-Pack security must be disabled by adding the following setting to <ES_HOME>/config/elasticsearch.yml on every node of the ES cluster

xpack.security.enabled: false

Adding the TLS configuration

Add the contents of es1_elasticsearch_config_snippet.yml to the <ES_HOME>/config/elasticsearch.yml file on the node whose hostname is es1

# This is a configuration snippet for the node es1
# This snippet needs to be inserted into the file config/elasticsearch.yml of the respective node.
# If the config file already contains SearchGuard configuration, this needs to be replaced.
# Furthermore, you need to copy the files referenced below into the same directory.
# Please refer to http://docs.search-guard.com/latest/configuring-tls for further configuration of your installation.
searchguard.ssl.transport.pemcert_filepath: es1.pem
searchguard.ssl.transport.pemkey_filepath: es1.key
searchguard.ssl.transport.pemkey_password: lZoD27XLoBry
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: es1_http.pem
searchguard.ssl.http.pemkey_filepath: es1_http.key
searchguard.ssl.http.pemkey_password: sualxs42muY1
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.authcz.admin_dn:
  - CN=kirk.tomas.com,OU=Ops,O=tomas,DC=tomas,DC=com
searchguard.cert.oid: 1.2.3.4.5.5

Add the contents of es2_elasticsearch_config_snippet.yml to the <ES_HOME>/config/elasticsearch.yml file on the node whose hostname is es2

# This is a configuration snippet for the node es2
# This snippet needs to be inserted into the file config/elasticsearch.yml of the respective node.
# If the config file already contains SearchGuard configuration, this needs to be replaced.
# Furthermore, you need to copy the files referenced below into the same directory.
# Please refer to http://docs.search-guard.com/latest/configuring-tls for further configuration of your installation.
searchguard.ssl.transport.pemcert_filepath: es2.pem
searchguard.ssl.transport.pemkey_filepath: es2.key
searchguard.ssl.transport.pemkey_password: d0aVkFO9ZW0W
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: es2_http.pem
searchguard.ssl.http.pemkey_filepath: es2_http.key
searchguard.ssl.http.pemkey_password: 153IQlKc2bul
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.authcz.admin_dn:
  - CN=kirk.tomas.com,OU=Ops,O=tomas,DC=tomas,DC=com
searchguard.cert.oid: 1.2.3.4.5.5
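As an added check (example code written for this post, not part of Search Guard or the original article), the following Python script lints one node's <ES_HOME>/config the way the distribute-certificates, chmod and TLS-snippet steps above require: it parses the flat searchguard.* keys, verifies every referenced PEM exists with mode 0600 and that each key file has a password entry, warns when transport hostname verification is off, and checks that the directory itself is 0700. The sample snippet and the temporary directory are constructed inline with placeholder passwords, and the parser handles only the snippet's flat key/list shape, not general YAML.

```python
import tempfile
from pathlib import Path

# Constructed sample with the keys of es1_elasticsearch_config_snippet.yml (passwords are placeholders).
SAMPLE_SNIPPET = """\
searchguard.ssl.transport.pemcert_filepath: es1.pem
searchguard.ssl.transport.pemkey_filepath: es1.key
searchguard.ssl.transport.pemkey_password: PLACEHOLDER-KEY-PASSWORD
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: es1_http.pem
searchguard.ssl.http.pemkey_filepath: es1_http.key
searchguard.ssl.http.pemkey_password: PLACEHOLDER-KEY-PASSWORD
searchguard.authcz.admin_dn:
- CN=kirk.tomas.com,OU=Ops,O=tomas,DC=tomas,DC=com
"""

def parse_flat_yaml(text):
    """Minimal parser for the snippet's flat 'key: value' and '- item' lines (not general YAML)."""
    settings, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("- ") and current:
            settings[current].append(line[2:].strip())
        elif line and not line.startswith("#"):
            key, _, value = line.partition(":")
            current = key.strip()
            settings[current] = value.strip() or []
    return settings

def lint_searchguard(config_dir):
    """Return findings for one node's <ES_HOME>/config, mirroring the manual steps above."""
    cfg = parse_flat_yaml(Path(config_dir, "elasticsearch.yml").read_text())
    findings = []
    if cfg.get("searchguard.ssl.transport.enforce_hostname_verification") == "false":
        findings.append("enforce_hostname_verification is false: any cert issued by the CA passes as a node")
    for key, value in cfg.items():
        if key.endswith("pemkey_filepath") and not cfg.get(key.replace("_filepath", "_password")):
            findings.append(f"{key}: no matching pemkey_password")
        if key.endswith("_filepath"):  # every referenced PEM must exist and be 0600 (the chmod 600 step)
            path = Path(config_dir, value)
            mode = path.stat().st_mode & 0o777 if path.is_file() else None
            if mode != 0o600:
                findings.append(f"{value}: {'missing' if mode is None else oct(mode)}, expected 0o600")
    if Path(config_dir).stat().st_mode & 0o077:  # the chmod 700 step
        findings.append("config directory is group/world accessible, expected 0o700")
    return findings

def demo():
    d = Path(tempfile.mkdtemp())  # mkdtemp creates the directory with mode 0700; es1.key is left 0644 on purpose
    (d / "elasticsearch.yml").write_text(SAMPLE_SNIPPET)
    for name in ("es1.pem", "es1.key", "es1_http.pem", "es1_http.key", "root-ca.pem"):
        (d / name).touch()
        (d / name).chmod(0o644 if name == "es1.key" else 0o600)
    return lint_searchguard(d)
```

Running demo() reports exactly the two problems planted in the sample: hostname verification disabled and the world-readable es1.key.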

Enable the REST management API

Add the following setting to the <ES_HOME>/config/elasticsearch.yml file on every node of the ES cluster

searchguard.restapi.roles_enabled: ["sg_all_access"]

Once every node of the ES cluster is configured, restart the ES cluster.

Restart Elasticsearch

Start every node of the ES cluster with the following commands

cd /usr/local/hadoop/elasticsearch/
./bin/elasticsearch -d

Re-enable shard allocation by using sgadmin

Re-enable shard allocation using the admin certificate and the root certificate together with either the sgadmin tool or curl. sgadmin is used here; the commands are as follows

cd /usr/local/hadoop/elasticsearch/plugins/search-guard-6/tools
chmod u+x sgadmin.sh  # make sgadmin.sh executable
./sgadmin.sh -icl -nhnv -h es1 --enable-shard-allocation -cacert ../../../config/root-ca.pem -cert ../../../config/kirk.pem -key ../../../config/kirk.key -keypass zNbkgrtwctow

Here zNbkgrtwctow is the password of the admin certificate's private key, which can be found in the client-certificates.readme file.

Initializing Search Guard

Reference: https://docs.search-guard.com/latest/sgadmin

Search Guard's configuration (users, roles and permissions) is stored in an index inside the ES cluster, so configuration changes take effect immediately without restarting the cluster. The configuration has to be loaded into that index with the sgadmin tool (the index does not exist by default), so sgadmin is mainly used to initialize the index and to configure the authentication and authorization methods.

Change the permissions on that script and give it execution rights

chmod +x plugins/search-guard-6/tools/sgadmin.sh

Tip: run the following command to list all command-line options of sgadmin.sh

./sgadmin.sh

Using sgadmin with PEM certificates

Run the following command on any node of the ES cluster (es1 is used as the example)

./sgadmin.sh -h es1 -cd ../sgconfig/ -icl -nhnv -cacert ../../../config/root-ca.pem -cert ../../../config/kirk.pem -key ../../../config/kirk.key -keypass zNbkgrtwctow

If the following output appears, the cluster was initialized successfully

Search Guard Admin v6
Will connect to hadoopSvr3:9300 ... done
Elasticsearch Version: 6.6.1
Search Guard Version: 6.6.1-24.3
Connected as CN=kirk.wxtomas.com,OU=Ops,O=wxtomas Com\, Inc.,DC=wxtomas,DC=com
Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
Clustername: ES-cluster
Clusterstate: GREEN
Number of nodes: 2
Number of data nodes: 2
searchguard index does not exists, attempt to create it ... done (0-all replicas)
Populate config from /usr/local/elasticsearch-6.6.1/plugins/search-guard-6/sgconfig
Will update 'sg/config' with ../sgconfig/sg_config.yml SUCC: Configuration for 'config' created or updated
Will update 'sg/roles' with ../sgconfig/sg_roles.yml SUCC: Configuration for 'roles' created or updated
Will update 'sg/rolesmapping' with ../sgconfig/sg_roles_mapping.yml SUCC: Configuration for 'rolesmapping' created or updated
Will update 'sg/internalusers' with ../sgconfig/sg_internal_users.yml SUCC: Configuration for 'internalusers' created or updated
Will update 'sg/actiongroups' with ../sgconfig/sg_action_groups.yml SUCC: Configuration for 'actiongroups' created or updated
Done with success

Test the installation

visiting https://es1:9200

If prompted for a username and password, enter admin/admin

Display information about the currently logged in user

visiting https://es1:9200/_searchguard/authinfo?pretty

Search Guard Health Check

To confirm that Search Guard is installed correctly and running, check its health status by entering the following URL in the browser's address bar
https://<hostname>:9200/_searchguard/health
If the output is as follows

{"message":null,"mode":"strict","status":"UP"}

Search Guard is running normally.

Accessing data Check

curl -u admin:admin -k -XGET 'https://<hostname>:9200/_cat?pretty'

At this point the basic Search Guard authentication setup is complete; creating and managing accounts and permissions can be done directly in Kibana.

Config Kibana

Reference: https://docs.search-guard.com/6.x-24/kibana-plugin-installation

Installing the Search Guard Plugin

1. Download the Search Guard Kibana plugin matching the Kibana version
Download URL: https://oss.sonatype.org/service/local/repositories/releases/content/com/floragunn/search-guard-kibana-plugin/6.6.1-18.4/search-guard-kibana-plugin-6.6.1-18.4.zip

2. Stop Kibana

3. Upload the downloaded plugin search-guard-kibana-plugin-6.6.1-18.4.zip to the Kibana installation directory and run the following command to install it

bin/kibana-plugin install file:usr/local/kibana-6.6.1-linux-x86_64/search-guard-kibana-plugin-6.6.1-18.4.zip

If the following output appears, the installation succeeded

Attempting to transfer from file:usr/local/kibana-6.6.1-linux-x86_64/search-guard-kibana-plugin-6.6.1-18.4.zip
Transferring 1046761 bytes....................
Transfer complete
Retrieving metadata from plugin archive
Extracting plugin archive
Extraction complete
Optimizing and caching browser bundles...
Plugin installation complete

Disable X-Pack Security

In the config/kibana.yml file of the Kibana installation directory, set the following

xpack.security.enabled: false

Configuring the Kibana server user

In the config/kibana.yml file of the Kibana installation directory, set the following

elasticsearch.username: "kibanaserver"
elasticsearch.password: "kibanaserver"

Setting up SSL/TLS

Because TLS is enabled on the Elasticsearch REST layer, the protocol Kibana uses to reach Elasticsearch must change from http to https; set the following in config/kibana.yml

elasticsearch.hosts: ["https://ip:9200"]

Configuring the Root CA

There are two options:
The first is to disable certificate verification by setting the following in config/kibana.yml

elasticsearch.ssl.verificationMode: none

The second is to provide the root CA by setting the following in config/kibana.yml

elasticsearch.ssl.certificateAuthorities: "/path/to/your/root-ca.pem"
elasticsearch.ssl.verificationMode: certificate

Then start Kibana.

Config logstash

Reference: https://docs.search-guard.com/6.x-24/elasticsearch-logstash-search-guard

Check permissions for the logstash user

A Search Guard secured cluster is configured with a logstash user by default. Because Search Guard already includes this logstash user, it is not created separately here; the permissions of the sg_logstash role can be viewed in the <ES_HOME>/plugins/search-guard-6/sgconfig/sg_roles.yml file as follows

# For logstash and beats
sg_logstash:
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
    - indices:admin/template/get
    - indices:admin/template/put
  indices:
    'logstash-*':
      '*':
        - CRUD
        - CREATE_INDEX
    '*beat*':
      '*':
        - CRUD
        - CREATE_INDEX

Alternatively, log into Kibana with the admin account, open the Search Guard menu and look under Search Guard Roles in the Permissions and Roles section.

set up a logstash user

Configure the logstash user in the elasticsearch output section of the logstash configuration file logstash.conf, as follows

output {
  elasticsearch {
    user => logstash
    password => logstash
    ...
  }
}

Setting up TLS/SSL

Because TLS was enabled on the ES REST layer earlier, logstash must be configured to communicate with Elasticsearch over https: copy the root certificate to the logstash-6.4.2/config directory and add the following to the elasticsearch output section of logstash.conf

    ssl => true
    ssl_certificate_verification => false
    cacert => "/usr/local/logstash-6.4.2/config/root-ca.pem"
    index => "logstash-rs1_26_mongodlog"

Note: if a custom index name is used, it must match the role's index patterns, i.e. start with 'logstash-' or contain 'beat'; otherwise the logstash user has no permission on it.
Then restart logstash.
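The note above says a custom index name must still match the sg_logstash role. The following added example (written for this post, not code from the original article or from Search Guard) reproduces that index-pattern check in Python against the two patterns shown in sg_roles.yml, so an index setting can be validated before logstash starts failing with permission errors; the pattern semantics used here (`*` and `?` wildcards, `/.../` for a regex, full-string matching, and only the `%{+YYYY.MM.dd}` date form in the index option) are assumptions made for this illustration.

```python
import re

# Constructed from the sg_logstash role shown above: index pattern -> action groups granted.
SG_LOGSTASH_INDICES = {
    "logstash-*": ["CRUD", "CREATE_INDEX"],
    "*beat*": ["CRUD", "CREATE_INDEX"],
}

def pattern_to_regex(pattern):
    """'*' and '?' wildcards, or a /regex/ when wrapped in slashes (assumed to match the whole name)."""
    if len(pattern) > 2 and pattern[0] == pattern[-1] == "/":
        return re.compile(pattern[1:-1])
    return re.compile(re.escape(pattern).replace(r"\*", ".*").replace(r"\?", "."))

def permissions_for_index(index_name, role_indices=SG_LOGSTASH_INDICES):
    """Union of the action groups the role grants on index_name; an empty set means no access."""
    granted = set()
    for pattern, groups in role_indices.items():
        if pattern_to_regex(pattern).fullmatch(index_name):
            granted.update(groups)
    return granted

def check_logstash_index(index_setting, sample_date="2019.03.01"):
    """Resolve the logstash 'index' option (only the %{+YYYY.MM.dd} placeholder is handled, an
    assumption) and report whether the logstash user may both create and write to the index."""
    resolved = index_setting.replace("%{+YYYY.MM.dd}", sample_date)
    granted = permissions_for_index(resolved)
    return resolved, {"CRUD", "CREATE_INDEX"} <= granted
```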
