search-guard notes
2017-12-17 10:00
Official site: https://github.com/floragunncom/search-guard/wiki
Installing search-guard (version: elasticsearch 2.4.5)
Online installation:
Go into the elasticsearch bin directory and run the following command to install search-guard:
# ./plugin install -b com.floragunn/search-guard-2/2.4.5.14
Install search-guard-ssl:
# ./plugin install -b com.floragunn/search-guard-ssl/2.4.5.21
Offline installation:
Download search-guard:
https://oss.sonatype.org/content/repositories/releases/com/floragunn/search-guard-2/2.4.5.14/search-guard-2-2.4.5.14.zip
https://oss.sonatype.org/content/repositories/releases/com/floragunn/search-guard-ssl/2.4.5.21/search-guard-ssl-2.4.5.21.zip
Install:
./bin/plugin install -b file:///location/of/search-guard-ssl-2.4.5.21.zip
./plugin install -b file:///path/to/search-guard-2-2.4.5.14.zip
Generating the certificate files
search-guard certificates fall into 3 categories:
https://github.com/werowe/search-guard-docs/blob/master/tls_overview.md
Client certificates
Admin certificates
Node certificates
Client certificates are TLS certificates used by ES clients; both the REST client and the transport client are supported.
Admin certificates are also client certificates. A client certificate becomes an admin certificate once the following configuration is added to the ES configuration file elasticsearch.yml; several can be configured:
searchguard.authcz.admin_dn:
  - CN=test, OU=client, O=client, L=Test, C=DE
  - CN=basedata, OU=client, O=client, L=Test, C=DE
An admin certificate must be presented when writing the search-guard configuration (users, roles, permissions, etc.) into ES. search-guard provides the sgadmin script tool for writing the search-guard configuration into ES.
Node certificates are used on ES nodes to secure communication between the nodes. Node certificates have no permission restrictions, i.e. every operation is allowed, and permissions cannot be configured for a node certificate.
Certificate generation tools
Download the tools and their documentation:
# git clone https://github.com/floragunncom/search-guard-ssl.git
# cd search-guard-ssl/example-pki-scripts
The example-pki-scripts directory contains these script files:
gen_client_node_cert.sh   creates client certificates
gen_node_cert.sh          creates node certificates
gen_root_ca.sh            creates the root certificate
etc/root-ca.conf          root certificate configuration
etc/signing-ca.conf       signing certificate configuration
The values you can customize are as follows:
etc/root-ca.conf and etc/signing-ca.conf
0.domainComponent = "www.test.com"        # domain name
1.domainComponent = "www.test.com"        # domain name
organizationName = "Test"                 # organization name
organizationalUnitName = "Test Root CA"   # organizational unit name
commonName = "Test Root CA"               # common name
These values can be filled in freely, but the root certificate configuration and the signing certificate configuration must be kept consistent with each other.
gen_client_node_cert.sh
1. Modify the certificate DN information
if [ -z "$DN" ]; then
  DN="CN=$CLIENT_NAME, OU=client, O=client, L=Test, C=DE"
fi
Where: CN = first and last name, OU = organizational unit name, O = organization name, L = city or locality name, ST = state or province name, C = two-letter country code of the organization.
For example: CN=basedata,OU=xxx.com,O=xxx,L=CS,C=CN
2. Modify the certificate validity period:
"$BIN_PATH" -genkey \
  -alias $CLIENT_NAME \
  -keystore $CLIENT_NAME-keystore.jks \
  -keyalg RSA \
  -keysize 2048 \
  -sigalg SHA256withRSA \
  -validity 712 \
  -keypass $KS_PASS \
  -storepass $KS_PASS \
  -dname "$DN"
Here $BIN_PATH is keytool, and validity is the validity period in days. keytool ships with the JDK; look up its documentation if you are unfamiliar with it.
gen_node_cert.sh
1. Modify the certificate DN information, as above for gen_client_node_cert.sh
2. Modify the certificate validity period, as above for gen_client_node_cert.sh
Generating the certificates
Modify the example.sh file:
#!/bin/bash
set -e
./clean.sh
./gen_root_ca.sh abc pwd123
./gen_node_cert.sh 0 12345678 abc && ./gen_node_cert.sh 1 12345678 abc && ./gen_node_cert.sh 2 12345678 abc
./gen_client_node_cert.sh basedata 12345678 abc
./gen_client_node_cert.sh wlxx 12345678 abc
Parameter description:
./gen_root_ca.sh abc pwd123
The first parameter is CA_PASS, the CA password (root certificate password)
The second parameter is TS_PASS, the truststore password
./gen_node_cert.sh 0 12345678 abc
The first parameter is the node number; the generated files are named node-0*, and it becomes the CN in the certificate DN
The second parameter is KS_PASS (the keystore file password)
The third parameter is CA_PASS
./gen_client_node_cert.sh basedata 12345678 abc
The first parameter is the client node name; the generated files are named basedata*, and it becomes the CN in the certificate DN
The second parameter is KS_PASS
The third parameter is CA_PASS
Run example.sh
sh example.sh
Description of the generated certificates:
truststore.jks: root certificate
basedata-keystore.jks: client certificate; this one will be configured in the ES configuration file as the admin certificate
wlxx-keystore.jks: client certificate
node-0-keystore.jks, node-1-keystore.jks, node-2-keystore.jks: node certificates
ElasticSearch server-side configuration
The ES installation directory is: /usr/local/es-1
Copy node-0-keystore.jks and truststore.jks from the example-pki-scripts folder into the elasticsearch config directory:
# cd example-pki-scripts
# cp node-0-keystore.jks /usr/local/es-1/config/
# cp truststore.jks /usr/local/es-1/config/
Copy basedata-keystore.jks and truststore.jks from the example-pki-scripts folder into plugins/search-guard-2/sgconfig under the elasticsearch program directory:
# cp basedata-keystore.jks /usr/local/es-1/plugins/search-guard-2/sgconfig
# cp truststore.jks /usr/local/es-1/plugins/search-guard-2/sgconfig
Modify the ES configuration file elasticsearch.yml:
# search-guard configuration
# SSL configuration
searchguard.ssl.transport.enabled: true   # must be true, otherwise ES will not start
searchguard.ssl.transport.keystore_filepath: node-0-keystore.jks
searchguard.ssl.transport.keystore_password: 12345678
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: pwd123
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
# HTTP configuration
# when searchguard.ssl.http.enabled is set to true, ES can no longer be reached over plain HTTP
searchguard.ssl.http.enabled: false
searchguard.ssl.http.keystore_filepath: node-0-keystore.jks
searchguard.ssl.http.keystore_password: 12345678
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.truststore_password: pwd123
searchguard.allow_all_from_loopback: true
# Admin certificate. Note: the DN below must match the client certificate exactly,
# otherwise the search-guard configuration cannot be written
searchguard.authcz.admin_dn:
  - CN=basedata,OU=talkweb.com,O=talkweb,L=CS,C=CN
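The DN mismatch warned about above can be caught before sgadmin is run. The following Python is an added example, not code from these notes or from Search Guard: it reads the admin_dn entries from a constructed elasticsearch.yml fragment and compares them, RDN by RDN, with the DN that gen_client_node_cert.sh hands to keytool; treating whitespace and attribute-type case as insignificant is this example's assumption about what "consistent" means.

```python
import re

# Constructed fragment of elasticsearch.yml using the values from these notes.
ES_YML = """\
searchguard.allow_all_from_loopback: true
searchguard.authcz.admin_dn:
  - CN=basedata,OU=talkweb.com,O=talkweb,L=CS,C=CN
  - CN=test,OU=client,O=client,L=Test,C=DE
"""
# Constructed copy of the DN line in gen_client_node_cert.sh, before substitution.
SCRIPT_DN_TEMPLATE = 'DN="CN=$CLIENT_NAME, OU=client, O=client, L=Test, C=DE"'


def parse_dn(dn):
    """'CN=a, OU=b' -> [('cn', 'a'), ('ou', 'b')]: types lower-cased, spaces trimmed."""
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def admin_dns_from_yml(yml):
    """Collect the list items directly under searchguard.authcz.admin_dn."""
    dns, in_block = [], False
    for line in yml.splitlines():
        if line.startswith("searchguard.authcz.admin_dn:"):
            in_block = True
            continue
        item = re.match(r"\s+-\s*(.+?)\s*$", line)
        if in_block and item:
            dns.append(item.group(1))
        elif in_block:
            break  # first line that is not a list item ends the block
    return dns


def script_dn(client_name):
    """DN that gen_client_node_cert.sh hands to keytool -dname for CLIENT_NAME."""
    template = re.search(r'DN="([^"]*)"', SCRIPT_DN_TEMPLATE).group(1)
    return template.replace("$CLIENT_NAME", client_name)


def admin_dn_matches(cert_dn, yml=ES_YML):
    """True if some configured admin_dn equals the certificate DN, RDN by RDN."""
    want = parse_dn(cert_dn)
    return any(parse_dn(d) == want for d in admin_dns_from_yml(yml))
```

With the script's default OU=client and the elasticsearch.yml above, `admin_dn_matches(script_dn("basedata"))` is False, which is exactly the case where sgadmin refuses the certificate; changing the DN in the script (or the yml) so the RDNs agree makes it True.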
Writing the search-guard configuration into ES
# chmod -R 777 plugins/search-guard-2/tools/sgadmin.sh
# ./plugins/search-guard-2/tools/sgadmin.sh -cn test -h 0.0.0.0 -p 9500 -cd plugins/search-guard-2/sgconfig -ks plugins/search-guard-2/sgconfig/basedata-keystore.jks -kspass 12345678 -ts plugins/search-guard-2/sgconfig/truststore.jks -tspass pwd123 -nhnv
Parameter description:
-p 9500: the elasticsearch transport port
-cn test: the elasticsearch cluster name, cluster.name
-h 0.0.0.0: matches the elasticsearch setting network.host
Note:
1. Every later change to searchguard users, roles and permissions requires running this write-configuration step again;
2. Writing the search-guard configuration does not require restarting Elasticsearch;
search-guard configuration files
searchguard has 5 main configuration files, under plugins/search-guard-2/sgconfig:
1. sg_config.yml: the main configuration file; no changes are needed.
2. sg_internal_users.yml: local users file; defines user passwords and the corresponding permissions.
3. sg_roles.yml: role permission configuration file
4. sg_roles_mapping.yml: defines the mapping between users and roles
5. sg_action_groups.yml: defines permission groups
Tool scripts:
plugins/search-guard-2/tools/hash.sh: generates a hash string, used to generate password hashes
# plugins/search-guard-2/tools/hash.sh -p 123456
Elasticsearch client configuration
HTTP REST access
The HTTP REST client uses HTTP basic authentication; when accessing from a browser you will be prompted for a username and password.
Transport client access
Transport client access uses SSL authentication and requires the root certificate and a client certificate to be configured; Spring Boot 1.5.7 + spring-data-elasticsearch 2.1.7 is used as the example.
Add the ES dependencies to pom.xml
<dependency>
  <groupId>org.springframework.data</groupId>
  <artifactId>spring-data-elasticsearch</artifactId>
  <!-- <version>3.0.2.RELEASE</version> -->
  <version>2.1.7.RELEASE</version>
</dependency>
<dependency>
  <groupId>org.elasticsearch</groupId>
  <artifactId>elasticsearch</artifactId>
  <!-- <version>5.5.0</version> -->
  <version>2.4.6</version>
</dependency>
application.properties
elasticsearch.host=139.159.229.157
elasticsearch.port=9500
elasticsearch.client.transport.sniff=true
elasticsearch.cluster-name=test
elasticsearch.cluster-nodes=${elasticsearch.host}:${elasticsearch.port}
# client certificate
elasticsearch.searchGuard.keystore-jks=wlxx-keystore.jks
elasticsearch.searchGuard.keystore-password=12345678
# root certificate
elasticsearch.searchGuard.truststore-jks=truststore.jks
elasticsearch.searchGuard.truststore-password=pwd123
elasticsearch.searchGuard.hostname-verification=false
## certificate location
elasticsearch.searchGuard.path-conf=src/main/resources/ssl
Configuration class that provides the ElasticsearchTemplate bean:
import java.net.InetAddress;
import java.net.UnknownHostException;

import org.elasticsearch.client.Client;
import org.elasticsearch.client.transport.TransportClient;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.InetSocketTransportAddress;
import org.springframework.boot.bind.RelaxedPropertyResolver;
import org.springframework.context.EnvironmentAware;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;
import org.springframework.data.elasticsearch.core.ElasticsearchTemplate;

import com.floragunn.searchguard.ssl.SearchGuardSSLPlugin;

@Configuration
public class ElasticsearchConfig implements EnvironmentAware {

    static Settings settings = null;
    public static TransportClient client;
    // resolves the elasticsearch.* keys from application.properties
    private RelaxedPropertyResolver propertyResolver;

    @Bean
    public ElasticsearchTemplate elasticsearchTemplate() {
        return new ElasticsearchTemplate(initClient());
    }

    @Bean
    public Client initClient() {
        settings = Settings.settingsBuilder()
                .put("path.home", ".")
                .put("http.enabled", true)
                .put("cluster.name", propertyResolver.getProperty("cluster-name"))
                .put("cluster.nodes", propertyResolver.getProperty("cluster-nodes"))
                // directory that holds the client keystore and the truststore
                .put("path.conf", propertyResolver.getProperty("searchGuard.path-conf"))
                .put("searchguard.ssl.transport.keystore_filepath", propertyResolver.getProperty("searchGuard.keystore-jks"))
                .put("searchguard.ssl.transport.keystore_password", propertyResolver.getProperty("searchGuard.keystore-password"))
                .put("searchguard.ssl.transport.truststore_filepath", propertyResolver.getProperty("searchGuard.truststore-jks"))
                .put("searchguard.ssl.transport.truststore_password", propertyResolver.getProperty("searchGuard.truststore-password"))
                .put("searchguard.ssl.transport.enforce_hostname_verification", propertyResolver.getProperty("searchGuard.hostname-verification"))
                .build();
        try {
            client = TransportClient.builder()
                    .settings(settings)
                    .addPlugin(SearchGuardSSLPlugin.class)
                    .build()
                    .addTransportAddress(new InetSocketTransportAddress(
                            InetAddress.getByName(propertyResolver.getProperty("host")),
                            propertyResolver.getProperty("port", Integer.class)));
        } catch (UnknownHostException e) {
            // do not swallow the error: an unresolvable host would otherwise yield a null client
            throw new IllegalStateException("cannot resolve elasticsearch.host", e);
        }
        return client;
    }

    @Override
    public void setEnvironment(Environment env) {
        this.propertyResolver = new RelaxedPropertyResolver(env, "elasticsearch.");
    }
}
Test method:
@Autowired
private ElasticsearchTemplate esTemplate;

public void testesTemplate() {
    SearchQuery query = new NativeSearchQuery(QueryBuilders.termQuery("userId", "42559fce414048709393e998bb40ec55"));
    List<User> list = esTemplate.queryForList(query, User.class);
    System.out.println(list);
}
Kibana configuration
Modify the kibana.yml configuration file
# If your Elasticsearch is protected with basic auth, these are the user credentials
# used by the Kibana server to perform maintenance on the kibana_index at startup. Your Kibana
# users will still need to authenticate with Elasticsearch (which is proxied through
# the Kibana server)
elasticsearch.username: "admin"
elasticsearch.password: "admin"
Restart kibana; on the next visit kibana will prompt for a username and password.
logstash configuration
Modify the data-sync configuration file *.conf and add the authentication information:
input {
  ....
}
filter {
  ...
}
output {
  stdout { codec => json_lines }
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "user"
    document_type => "user"
    document_id => "%{userId}"
    ssl => true
    ssl_certificate_verification => true
    truststore => "/usr/local/es-1/config/truststore.jks"
    truststore_password => changeit
    user => logstash
    password => logstash
  }
}