Official documentation
https://docs.search-guard.com/v5/index
Installing the plugin is actually the same as for the sql and ik plugins: copy the extracted directory into plugins. My earlier attempts kept failing mainly because certificate generation was wrong, so the nodes could not communicate with each other or the searchguard index could not be created.
The TLS Setup chapter on the official site covers online generation, offline generation and generation with the PKI scripts. I currently use online generation successfully, but its drawback is a limit of at most 10 node certificates.
Online generation
Using the same certificate on different nodes is possible.
Choose the matching version
https://github.com/floragunncom/search-guard/wiki
Online install
bin/elasticsearch-plugin install -b com.floragunn:search-guard-5:5.4.0-15
Offline install
Download the package
wget "https://search.maven.org/remotecontent?filepath=com/floragunn/search-guard-5/5.4.0-15/search-guard-5-5.4.0-15.zip"
1. Install (file: must be followed by an absolute path)
bin/elasticsearch-plugin install -b file:///home/acer/文档/search-guard-5-5.4.0-15.zip
2. Install (alternative)
As with the ik analyzer: extract the package, move it into the plugins directory and rename it.
Generating certificates online
This is the method I used; it is very simple: enter an email address and company name, choose the country, and the certificates are sent to the mailbox, ready to use as they are.
Generating certificates offline
https://docs.search-guard.com/v5/offline-tls-tool
truststore.jks → config
truststore.jks → plugins/search-guard-5/tools
client-certificates/CN=sgadmin-keystore.jks
Configure elasticsearch.yml
searchguard.ssl.transport.keystore_filepath: CN=esnode1-keystore.jks
searchguard.ssl.transport.keystore_password: 5ce632ba362ee2a5ac3b
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: 15dcc23ef5dd7480af83
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: CN=esnode1-keystore.jks
searchguard.ssl.http.keystore_password: 5ce632ba362ee2a5ac3b
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.truststore_password: 15dcc23ef5dd7480af83
searchguard.authcz.admin_dn:
- CN=sgadmin
Initialization
Restart the cluster
Run the initialization on any node
cd plugins/search-guard-5/tools/
./sgadmin.sh -ts truststore.jks -tspass 15dcc23ef5dd7480af83 -ks CN=sgadmin-keystore.jks -kspass 0b32aeaedda173bc9870 -cn es-cluster -nhnv -cd ../sgconfig/ -h esnode1
Verification
https://ip:9200
Username: admin, password: admin
Adjustments for head
Configure elasticsearch.yml
http.cors.allow-headers: Authorization,X-Requested-With,Content-Length,Content-Type
Request format
ip:12316/?auth_user=admin&auth_password=admin
https://ip:9200
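A check I would run over the elasticsearch.yml settings above (the TLS block and the head CORS line) before restarting a node, as an added example that is not from these notes or from Search Guard: it parses the flat key/value subset of the file without PyYAML, reports a colon with no following space (YAML reads such a line as a plain scalar, not a setting), and flags enforce_hostname_verification: false, which means a node accepts any certificate issued by the cluster CA regardless of which host presents it. SAMPLE_YML is constructed from the settings above.

```python
"""Review the Search Guard TLS settings in an elasticsearch.yml fragment."""
import re
# Constructed sample: the node settings from the notes above, with the head CORS line lacking the space after ':'
SAMPLE_YML = """\
searchguard.ssl.transport.keystore_filepath: CN=esnode1-keystore.jks
searchguard.ssl.transport.keystore_password: 5ce632ba362ee2a5ac3b
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: 15dcc23ef5dd7480af83
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: CN=esnode1-keystore.jks
searchguard.authcz.admin_dn:
- CN=sgadmin
http.cors.allow-headers:Authorization,X-Requested-With,Content-Length,Content-Type
"""

def parse_flat_yaml(text):
    """Parse the flat 'key: value' and 'key:' + '- item' subset that ES configs use."""
    settings, malformed, current = {}, [], None   # malformed: 'key:value' lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- ") and current:        # list item under the current key
            settings.setdefault(current, []).append(line[2:].strip())
            continue
        m = re.match(r"^([\w.\-]+):(?:\s+(.*))?$", line)  # colon must be followed by a space
        if not m:
            malformed.append(line)
            continue
        current, value = m.group(1), m.group(2)
        if value:
            settings[current] = value.strip()
    return settings, malformed

def review(text):
    """Return a list of findings; an empty list means the fragment passes."""
    s, malformed = parse_flat_yaml(text)
    findings = [f"missing space after ':' (not a YAML mapping): {l}" for l in malformed]
    for store in ("keystore", "truststore"):
        if f"searchguard.ssl.transport.{store}_filepath" not in s:
            findings.append(f"transport {store}_filepath missing: node-to-node TLS cannot start")
    if s.get("searchguard.ssl.http.enabled", "false").lower() != "true":
        findings.append("REST layer is plain HTTP: set searchguard.ssl.http.enabled: true")
    if s.get("searchguard.ssl.transport.enforce_hostname_verification", "true").lower() == "false":
        findings.append("hostname verification off: any cert from the cluster CA is accepted for any node")
    if not s.get("searchguard.authcz.admin_dn"):
        findings.append("searchguard.authcz.admin_dn missing: sgadmin cannot initialise the cluster")
    return findings
```

Running review(SAMPLE_YML) reports the malformed CORS line and the disabled hostname verification; fixing both yields an empty list.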
Client adjustments
Download the jar
https://search-guard.com/searchguard-elasicsearch-transport-clients/
import java.net.InetAddress;
import java.net.UnknownHostException;

import org.elasticsearch.action.admin.cluster.node.info.NodesInfoRequest;
import org.elasticsearch.action.get.GetResponse;
import org.elasticsearch.client.transport.TransportClient;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.InetSocketTransportAddress;
import org.elasticsearch.transport.client.PreBuiltTransportClient;

import com.floragunn.searchguard.ssl.SearchGuardSSLPlugin;

// Class wrapper and imports added so the snippet compiles as a stand-alone program
public class SearchGuardClientTest {
    public static void main(String[] args) throws UnknownHostException {
        // Transport-layer TLS settings; keystore/truststore paths are resolved relative to path.conf
        Settings settings = Settings.builder()
                .put("path.home", ".")
                .put("path.conf", "E:\\workspace_idea\\es_test\\src\\main\\resources")
                .put("cluster.name", "es-cluster")
                .put("searchguard.ssl.transport.enabled", true)
                .put("searchguard.ssl.transport.keystore_filepath", "sgadmin-keystore.jks")
                .put("searchguard.ssl.transport.truststore_filepath", "truststore.jks")
                .put("searchguard.ssl.http.keystore_password", "password")
                .put("searchguard.ssl.http.truststore_password", "password")
                .put("searchguard.ssl.transport.keystore_password", "password")
                .put("searchguard.ssl.transport.truststore_password", "password")
                .put("searchguard.ssl.transport.enforce_hostname_verification", false)
                .build();
        // Load the Search Guard SSL plugin into the transport client so it speaks TLS to the nodes
        TransportClient client = new PreBuiltTransportClient(settings, SearchGuardSSLPlugin.class)
                .addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName("esnode1"), 9300))
                .addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName("esnode2"), 9300))
                .addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName("esnode3"), 9300));
        client.admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet();
        // Fetch a document
        GetResponse response = client.prepareGet("test", "name", "1").execute().actionGet();
        // Print the result
        System.out.println(response.getSourceAsString());
        // Close the client
        client.close();
    }
}
Inspecting a certificate
keytool -printcert -file spock.crt.pem