./plugin install -b com.floragunn/search-guard-ssl/2.4.5.21
Offline installation:
Download Search Guard:
https://oss.sonatype.org/content/repositories/releases/com/floragunn/search-guard-2/2.4.5.14/search-guard-2-2.4.5.14.zip
https://oss.sonatype.org/content/repositories/releases/com/floragunn/search-guard-ssl/2.4.5.21/search-guard-ssl-2.4.5.21.zip
Install:
./bin/plugin install -b file:///location/of/search-guard-ssl-2.4.5.21.zip
./plugin install -b file:///path/to/search-guard-2-2.4.5.14.zip
Generating the certificate files
Search Guard certificates fall into three categories:
https://github.com/werowe/search-guard-docs/blob/master/tls_overview.md
Client certificates
Admin certificates
Node certificates
A client certificate is a TLS certificate used on the Elasticsearch client side; both the REST client and the transport client are supported.
An admin certificate is also a client certificate.
A client certificate becomes an admin certificate when its DN is listed under the following setting in elasticsearch.yml; several may be configured:
searchguard.authcz.admin_dn:
- CN=test, OU=client, O=client, L=Test, C=DE
- CN=basedata, OU=client, O=client, L=Test, C=DE
An admin certificate must be presented when writing the Search Guard configuration (users, roles, permissions and so on) into Elasticsearch. Search Guard ships the sgadmin script for writing that configuration into Elasticsearch.
Node certificates are used on Elasticsearch nodes to secure communication between nodes. A node certificate is not subject to any permission restriction: every action is allowed, and no permissions can be configured for a node certificate.
Certificate generation tool
Download the tool together with its documentation:
#git clone https://github.com/floragunncom/search-guard-ssl.git
#cd search-guard-ssl/example-pki-scripts
The example-pki-scripts directory contains these script files:
gen_client_node_cert.sh  creates a client certificate
gen_node_cert.sh  creates a node certificate
gen_root_ca.sh  creates the root certificate
etc/root-ca.conf  root certificate configuration
etc/signing-ca.conf  signing certificate configuration
The fields you can customize are as follows:
etc/root-ca.conf and etc/signing-ca.conf
0.domainComponent = "www.test.com"  domain name
1.domainComponent = "www.test.com"  domain name
organizationName = "Test"  organization name
organizationalUnitName = "Test Root CA"  organizational unit name
commonName = "Test Root CA"  common name
These values can be filled in freely, but the root CA configuration and the signing CA configuration must agree with each other.
gen_client_node_cert.sh
1. Change the certificate's distinguished name (DN):
if [ -z "$DN" ]; then
    DN="CN=$CLIENT_NAME, OU=client, O=client, L=Test, C=DE"
fi
where CN = first and last name, OU = organizational unit name, O = organization name, L = city or locality name, ST = state or province name, C = the organization's two-letter country code,
e.g. CN=basedata,OU=xxx.com,O=xxx,L=CS,C=CN
2. Change the certificate validity period:
"$BIN_PATH" -genkey \
    -alias $CLIENT_NAME \
    -keystore $CLIENT_NAME-keystore.jks \
    -keyalg RSA \
    -keysize 2048 \
    -sigalg SHA256withRSA \
    -validity 712 \
    -keypass $KS_PASS \
    -storepass $KS_PASS \
    -dname "$DN"
Here $BIN_PATH is keytool, and -validity is the validity period in days. keytool ships with the JDK; look it up if you are not familiar with it.
gen_node_cert.sh
1. Change the certificate's distinguished name (DN), as in gen_client_node_cert.sh above.
2. Change the certificate validity period, as in gen_client_node_cert.sh above.
Generating the certificates
Edit example.sh:
#!/bin/bash
set -e
./clean.sh
./gen_root_ca.sh abc pwd123
./gen_node_cert.sh 0 12345678 abc && ./gen_node_cert.sh 1 12345678 abc && ./gen_node_cert.sh 2 12345678 abc
./gen_client_node_cert.sh basedata 12345678 abc
./gen_client_node_cert.sh wlxx 12345678 abc
Parameters:
./gen_root_ca.sh abc pwd123
The first argument is CA_PASS, the CA (root certificate) password.
The second argument is TS_PASS, the truststore password.
./gen_node_cert.sh 0 12345678 abc
The first argument is the node number; the generated files are named node-0*, and the number is also used as the CN of the certificate DN.
The second argument is KS_PASS, the keystore file password.
The third argument is CA_PASS.
./gen_client_node_cert.sh basedata 12345678 abc
The first argument is the client node name; the generated files are named basedata*, and the name is also used as the CN of the certificate DN.
The second argument is KS_PASS.
The third argument is CA_PASS.
Run example.sh:
sh example.sh
The generated certificates:
truststore.jks: the root certificate (truststore)
basedata-keystore.jks: a client certificate; it will be configured in elasticsearch.yml as the admin certificate
wlxx-keystore.jks: a client certificate
node-0-keystore.jks, node-1-keystore.jks, node-2-keystore.jks: node certificates
Elasticsearch server configuration
The Elasticsearch installation directory is /usr/local/es-1.
Copy node-0-keystore.jks and truststore.jks from the example-pki-scripts directory into Elasticsearch's config directory:
# cd example-pki-scripts
# cp node-0-keystore.jks /usr/local/es-1/config/
# cp truststore.jks /usr/local/es-1/config/
Copy basedata-keystore.jks and truststore.jks from the example-pki-scripts directory into plugins/search-guard-2/sgconfig under the Elasticsearch installation directory:
# cp basedata-keystore.jks /usr/local/es-1/plugins/search-guard-2/sgconfig
# cp truststore.jks /usr/local/es-1/plugins/search-guard-2/sgconfig
Edit the Elasticsearch configuration file elasticsearch.yml:
# Search Guard configuration
# SSL (transport layer) configuration
searchguard.ssl.transport.enabled: true # must be set to true, otherwise Elasticsearch will not start
searchguard.ssl.transport.keystore_filepath: node-0-keystore.jks
searchguard.ssl.transport.keystore_password: 12345678
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: pwd123
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
# HTTP configuration
# with searchguard.ssl.http.enabled set to true, Elasticsearch could no longer be reached over plain HTTP
searchguard.ssl.http.enabled: false
searchguard.ssl.http.keystore_filepath: node-0-keystore.jks
searchguard.ssl.http.keystore_password: 12345678
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.truststore_password: pwd123
searchguard.allow_all_from_loopback: true
# Admin certificate. Note: the DN below must match the client certificate exactly, otherwise the Search Guard configuration cannot be written
searchguard.authcz.admin_dn:
- CN=basedata,OU=talkweb.com,O=talkweb,L=CS,C=CN
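Before running sgadmin it pays to confirm that the DN inside basedata-keystore.jks really matches the admin_dn entry, and to list which of the settings above widen trust. The following Python script is an added example; it is not part of these notes or of Search Guard itself. It assumes the certificate's subject DN is taken from the output of keytool -list -v (the excerpt embedded below is constructed to match the basedata certificate generated earlier), it parses only the flat key: value subset of elasticsearch.yml shown above, and it compares DNs after removing the whitespace around commas, which is exactly the difference between the DN template in gen_client_node_cert.sh (with spaces) and the admin_dn entry here (without). The same check applies to the admin_dn list in the certificate-types section above.

```python
"""Pre-flight check of the Search Guard settings in elasticsearch.yml against the
admin keystore.  Added example, not part of the original notes or of Search Guard.
Assumptions: the subject DN comes from `keytool -list -v` text, and elasticsearch.yml
uses only flat `key: value` lines plus `- item` lists, as in the fragment above."""
import re

# Constructed input: the searchguard.* lines from the elasticsearch.yml fragment above.
ES_YML = """\
searchguard.ssl.transport.enabled: true # must be true, otherwise Elasticsearch will not start
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: false
searchguard.allow_all_from_loopback: true
searchguard.authcz.admin_dn:
- CN=basedata,OU=talkweb.com,O=talkweb,L=CS,C=CN
"""

# Constructed input: an excerpt of `keytool -list -v -keystore basedata-keystore.jks`.
# The Owner line carries the DN that gen_client_node_cert.sh wrote into the certificate.
KEYTOOL_OUT = """\
Alias name: basedata
Entry type: PrivateKeyEntry
Owner: CN=basedata, OU=talkweb.com, O=talkweb, L=CS, C=CN
"""


def parse_settings(text):
    """Parse the flat subset of elasticsearch.yml used above: `key: value` scalars and
    `key:` followed by `- item` lines (lists).  Comments and blank lines are ignored."""
    settings, current_list = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.lstrip().startswith("- ") and current_list is not None:
            settings[current_list].append(line.lstrip()[2:].strip())
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if value:
            settings[key] = value
            current_list = None
        else:                       # `key:` with nothing after it starts a list
            settings[key] = []
            current_list = key
    return settings


def normalize_dn(dn):
    """Split a DN into (type, value) pairs, ignoring whitespace around the commas and
    the case of attribute types, so 'CN=x, OU=y' and 'cn=x,OU=y' compare equal.
    Values are compared as written; commas escaped with a backslash stay inside a value."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return tuple(pairs)


def owner_dn(keytool_output):
    """Return the subject DN from the Owner line of `keytool -list -v`, or None."""
    match = re.search(r"^Owner:\s*(.+)$", keytool_output, re.MULTILINE)
    return match.group(1).strip() if match else None


def admin_dn_matches(settings, keytool_output):
    """True when the keystore's subject DN equals one of the admin_dn entries."""
    subject = normalize_dn(owner_dn(keytool_output) or "")
    admins = settings.get("searchguard.authcz.admin_dn", [])
    return any(normalize_dn(entry) == subject for entry in admins)


def audit(settings):
    """List the settings from the fragment above that widen trust or expose credentials."""
    findings = []
    if settings.get("searchguard.ssl.transport.enforce_hostname_verification") == "false":
        findings.append("transport hostname verification is off: a certificate signed by the "
                        "trusted CA is accepted no matter which host presents it")
    if settings.get("searchguard.ssl.http.enabled") == "false":
        findings.append("HTTP TLS is off: REST basic-auth credentials cross the network in clear text")
    if settings.get("searchguard.allow_all_from_loopback") == "true":
        findings.append("allow_all_from_loopback: requests from the loopback address bypass authentication")
    if not settings.get("searchguard.authcz.admin_dn"):
        findings.append("no admin_dn configured: sgadmin will not be able to write the configuration")
    return findings


def preflight(yml_text, keytool_output):
    """Run both checks; returns (admin DN matches, list of findings)."""
    settings = parse_settings(yml_text)
    return admin_dn_matches(settings, keytool_output), audit(settings)


if __name__ == "__main__":
    ok, findings = preflight(ES_YML, KEYTOOL_OUT)
    print("admin_dn matches basedata-keystore.jks:", ok)
    for finding in findings:
        print("-", finding)
```

With the fragment above the script reports a matching admin DN and three findings (hostname verification off, HTTP TLS off, loopback bypass); the same admin_dn entry checked against the wlxx certificate is reported as not matching, which is the situation in which sgadmin is refused.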
Writing the Search Guard configuration into Elasticsearch
#chmod -R 777 plugins/search-guard-2/tools/sgadmin.sh
#./plugins/search-guard-2/tools/sgadmin.sh -cn test -h 0.0.0.0 -p 9500 -cd plugins/search-guard-2/sgconfig -ks plugins/search-guard-2/sgconfig/basedata-keystore.jks -kspass 12345678 -ts plugins/search-guard-2/sgconfig/truststore.jks -tspass pwd123 -nhnv
Parameters:
-p 9500  the port of the Elasticsearch transport connection
-cn test  the Elasticsearch cluster name (cluster.name)
-h 0.0.0.0  matches the Elasticsearch setting network.host
Note:
1. Every later change to Search Guard users, roles or permissions requires running this write operation again.
2. Writing the Search Guard configuration does not require restarting Elasticsearch.
Search Guard configuration files
Search Guard has five main configuration files under plugins/search-guard-2/sgconfig:
1. sg_config.yml: the main configuration file; no changes are needed.
2. sg_internal_users.yml: the internal user file, defining users, their password hashes and the corresponding permissions.
3. sg_roles.yml: role permission configuration.
4. sg_roles_mapping.yml: defines the mapping between users and roles.
5. sg_action_groups.yml: defines permission groups.
Tool scripts:
plugins/search-guard-2/tools/hash.sh: generates the hash string for a password
#plugins/search-guard-2/tools/hash.sh -p 123456
Elasticsearch client configuration
HTTP REST access
The HTTP REST client uses HTTP Basic authentication; when accessed from a browser, a username/password prompt appears.
Transport client access
The transport client authenticates with SSL, so the root certificate and a client certificate must be configured. The example below uses Spring Boot 1.5.7 + spring-data-elasticsearch 2.1.7.
Add the Elasticsearch dependencies to pom.xml:
<dependency>
    <groupId>org.springframework.data</groupId>
    <artifactId>spring-data-elasticsearch</artifactId>
    <version>2.1.7.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.elasticsearch</groupId>
    <artifactId>elasticsearch</artifactId>
    <version>2.4.6</version>
</dependency>
application.properties:
elasticsearch.host=139.159.229.157
elasticsearch.port=9500
elasticsearch.client.transport.sniff=true
elasticsearch.cluster-name=test
elasticsearch.cluster-nodes=${elasticsearch.host}:${elasticsearch.port}
# client certificate (keystore generated by gen_client_node_cert.sh)
elasticsearch.searchGuard.keystore-jks=wlxx-keystore.jks
elasticsearch.searchGuard.keystore-password=12345678
# root certificate (truststore)
elasticsearch.searchGuard.truststore-jks=truststore.jks
elasticsearch.searchGuard.truststore-password=pwd123
elasticsearch.searchGuard.hostname-verification=false
## certificate location
elasticsearch.searchGuard.path-conf=src/main/resources/ssl
Configuration class that provides the ElasticsearchTemplate bean:
import java.net.InetAddress;
import java.net.UnknownHostException;

import org.elasticsearch.client.Client;
import org.elasticsearch.client.transport.TransportClient;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.InetSocketTransportAddress;
import org.springframework.boot.bind.RelaxedPropertyResolver;
import org.springframework.context.EnvironmentAware;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;
import org.springframework.data.elasticsearch.core.ElasticsearchTemplate;

import com.floragunn.searchguard.ssl.SearchGuardSSLPlugin;

@Configuration
public class ElasticsearchConfig implements EnvironmentAware {
    static Settings settings = null;
    public static TransportClient client;
    // Resolves the "elasticsearch." properties from application.properties
    private RelaxedPropertyResolver propertyResolver;

    @Bean
    public ElasticsearchTemplate elasticsearchTemplate() {
        return new ElasticsearchTemplate(initClient());
    }

    @Bean
    public Client initClient() {
        settings = Settings
                .settingsBuilder()
                .put("path.home", ".")
                .put("http.enabled", true)
                .put("cluster.name", propertyResolver.getProperty("cluster-name"))
                .put("cluster.nodes", propertyResolver.getProperty("cluster-nodes"))
                // Directory that holds the keystore and truststore files
                .put("path.conf", propertyResolver.getProperty("searchGuard.path-conf"))
                // Client certificate (keystore) and root certificate (truststore) for transport TLS
                .put("searchguard.ssl.transport.keystore_filepath", propertyResolver.getProperty("searchGuard.keystore-jks"))
                .put("searchguard.ssl.transport.keystore_password", propertyResolver.getProperty("searchGuard.keystore-password"))
                .put("searchguard.ssl.transport.truststore_filepath", propertyResolver.getProperty("searchGuard.truststore-jks"))
                .put("searchguard.ssl.transport.truststore_password", propertyResolver.getProperty("searchGuard.truststore-password"))
                .put("searchguard.ssl.transport.enforce_hostname_verification", propertyResolver.getProperty("searchGuard.hostname-verification"))
                .build();
        try {
            client = TransportClient.builder()
                    .settings(settings)
                    .addPlugin(SearchGuardSSLPlugin.class)
                    .build()
                    .addTransportAddress(
                            new InetSocketTransportAddress(
                                    InetAddress.getByName(propertyResolver.getProperty("host")),
                                    propertyResolver.getProperty("port", Integer.class)));
        } catch (UnknownHostException e) {
            // Fail fast instead of returning a null client
            throw new IllegalStateException("cannot resolve elasticsearch.host", e);
        }
        return client;
    }

    @Override
    public void setEnvironment(Environment env) {
        this.propertyResolver = new RelaxedPropertyResolver(env, "elasticsearch.");
    }
}
Test method:
import java.util.List;
import org.elasticsearch.index.query.QueryBuilders;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.data.elasticsearch.core.ElasticsearchTemplate;
import org.springframework.data.elasticsearch.core.query.NativeSearchQuery;
import org.springframework.data.elasticsearch.core.query.SearchQuery;

@Autowired
private ElasticsearchTemplate esTemplate;

public void testesTemplate() {
    // Term query sent over the TLS transport connection configured above
    SearchQuery query = new NativeSearchQuery(QueryBuilders.termQuery("userId", "42559fce414048709393e998bb40ec55"));
    List<User> list = esTemplate.queryForList(query, User.class);
    System.out.println(list);
}
Kibana配置
Edit the kibana.yml configuration file:
# If your Elasticsearch is protected with basic auth, these are the user credentials
# used by the Kibana server to perform maintenance on the kibana_index at startup. Your Kibana
# users will still need to authenticate with Elasticsearch (which is proxied through
# the Kibana server)
elasticsearch.username: "admin"
elasticsearch.password: "admin"
Restart Kibana; on the next visit Kibana will prompt for a username and password.
Logstash configuration
Edit the data synchronization configuration file (*.conf) and add the authentication details:
input {
    ....
}
filter {
    ...
}
output {
    stdout {
        codec => json_lines
    }
    elasticsearch {
        hosts => ["localhost:9200"]
        index => "user"
        document_type => "user"
        document_id => "%{userId}"
        ssl => true
        ssl_certificate_verification => true
        truststore => "/usr/local/es-1/config/truststore.jks"
        truststore_password => changeit
        user => logstash
        password => logstash
    }
}