离线安装部署ES权限控制search-guard

安装部署:

Elasticsearch 2.x和 Elasticsearch 5.x安装方式有所不同,以下以Elasticsearch 2.4.1版本

 

1、将从maven上面下载的ssl和guard的zip文件:https://bit.ly/2tNA8vY,并将下载的两个zip包放到别的目录下,千万不能放到es下plugins下

2、安装ssl和guard:

./bin/plugin install -b file:///etl_home/search-guard-ssl-2.4.1.18.zip 

 

 

[root@webSvr elasticsearch-2.4.1]# ./bin/plugin install -b file:///etl_home/search-guard-ssl-2.4.1.18.zip 

-> Installing from file:/etl_home/search-guard-ssl-2.4.1.18.zip...

Trying file:/etl_home/search-guard-ssl-2.4.1.18.zip ...

Downloading ...............DONE

Verifying file:/etl_home/search-guard-ssl-2.4.1.18.zip checksums if available ...

NOTE: Unable to verify checksum for downloaded plugin (unable to find .sha1 or .md5 file to verify)

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

@     WARNING: plugin requires additional permissions     @

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

* java.lang.RuntimePermission accessClassInPackage.sun.misc

* java.lang.RuntimePermission getClassLoader

* java.lang.RuntimePermission loadLibrary.*

* java.lang.reflect.ReflectPermission suppressAccessChecks

* java.security.SecurityPermission getProperty.ssl.KeyManagerFactory.algorithm

See http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html

for descriptions of what these permissions allow and the associated risks.

Installed search-guard-ssl into /etl_home/elasticsearch-2.4.1/plugins/search-guard-ssl

 

 

 

[root@webSvr elasticsearch-2.4.1]# ./bin/plugin install -b file:///etl_home/search-guard-2-2.4.1.12.zip

-> Installing from file:/etl_home/search-guard-2-2.4.1.12.zip...

Trying file:/etl_home/search-guard-2-2.4.1.12.zip ...

Downloading ..DONE

Verifying file:/etl_home/search-guard-2-2.4.1.12.zip checksums if available ...

NOTE: Unable to verify checksum for downloaded plugin (unable to find .sha1 or .md5 file to verify)

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

@     WARNING: plugin requires additional permissions     @

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

* java.lang.RuntimePermission accessDeclaredMembers

* java.lang.RuntimePermission getClassLoader

* java.lang.RuntimePermission setContextClassLoader

* java.lang.RuntimePermission shutdownHooks

* java.lang.reflect.ReflectPermission suppressAccessChecks

* javax.security.auth.AuthPermission doAs

* javax.security.auth.AuthPermission modifyPrivateCredentials

* javax.security.auth.kerberos.ServicePermission * accept

See http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html

for descriptions of what these permissions allow and the associated risks.

Installed search-guard-2 into /etl_home/elasticsearch-2.4.1/plugins/search-guard-2

 

 

安装成功ssl和guard,会在es的plugins下看到2个目录:

drwxr-xr-x. 4 root root 4096 10月 11 10:53 search-guard-2

drwxr-xr-x. 2 root root 4096 10月 11 10:52 search-guard-ssl

 

3.下载ssl对应的源码包,里面包含自动创建证书的脚本,解压进入目录

https://github.com/floragunncom/search-guard-ssl/tree/es-2.4.1

 

[root@webSvr etl_home]# unzip  search-guard-ssl-es-2.4.1.zip

[root@webSvr etl_home]# cd search-guard-ssl-es-2.4.1

[root@webSvr search-guard-ssl-es-2.4.1]# cd example-pki-scripts

 

4、 编辑脚本 vim example.sh

原始内容

离线安装部署ES权限控制search-guard_第1张图片

 

修改为:

 

#!/bin/bash

set -e

./clean.sh

./gen_root_ca.sh 12345678 12345678

./gen_node_cert.sh 116 12345678 12345678 && ./gen_node_cert.sh 119 12345678 12345678 &&  ./gen_node_cert.sh 2 12345678 12345678

./gen_client_node_cert.sh admin 12345678 12345678

rm -f ./*tmp*

 

 

(其中clean.sh是清除生成的证书文件)

 

5、执行example.sh生成密钥库和信任库

 

MAC verified OK

MAC verified OK

MAC verified OK

All done for admin

 

[etl@webSvr example-pki-scripts]$ ll

总用量 164

-rw-rw-r--. 1 etl etl 7081 10月 11 17:29 admin.all.pem

-rw-rw-r--. 1 etl etl 4565 10月 11 17:29 admin.crtfull.pem

-rw-rw-r--. 1 etl etl 1665 10月 11 17:29 admin.crt.pem

-rw-rw-r--. 1 etl etl 1039 10月 11 17:29 admin.csr

-rw-rw-r--. 1 etl etl 1846 10月 11 17:29 admin.key.pem

-rw-rw-r--. 1 etl etl 4426 10月 11 17:29 admin-keystore.jks

-rw-rw-r--. 1 etl etl 5258 10月 11 17:29 admin-keystore.p12

-rw-rw-r--. 1 etl etl 1399 10月 11 17:29 admin-signed.pem

drwxrwxr-x. 4 etl etl 4096 10月 11 17:28 ca

drwxrwxr-x. 2 etl etl 4096 10月 11 17:28 certs

-rwxr-xr-x. 1 etl etl  141 4月  16 01:23 clean.sh

drwxrwxr-x. 2 etl etl 4096 10月 11 17:28 crl

drwxr-xr-x. 2 etl etl 4096 4月  16 01:23 etc

-rwxr-xr-x. 1 etl etl  214 10月 11 17:28 example.sh

-rwxr-xr-x. 1 etl etl 2286 4月  16 01:23 gen_client_node_cert.sh

-rwxr-xr-x. 1 etl etl 1764 4月  16 01:23 gen_node_cert_openssl.sh

-rwxr-xr-x. 1 etl etl 2746 4月  16 01:23 gen_node_cert.sh

-rwxr-xr-x. 1 etl etl 1993 4月  16 01:23 gen_root_ca.sh

-rw-rw-r--. 1 etl etl 5342 10月 11 17:28 node-116.crt.pem

-rw-rw-r--. 1 etl etl 1132 10月 11 17:28 node-116.csr

-rw-rw-r--. 1 etl etl 1849 10月 11 17:28 node-116.key.pem

-rw-rw-r--. 1 etl etl 4498 10月 11 17:28 node-116-keystore.jks

-rw-rw-r--. 1 etl etl 5336 10月 11 17:28 node-116-keystore.p12

-rw-rw-r--. 1 etl etl 1493 10月 11 17:28 node-116-signed.pem

-rw-rw-r--. 1 etl etl 5342 10月 11 17:28 node-119.crt.pem

-rw-rw-r--. 1 etl etl 1132 10月 11 17:28 node-119.csr

-rw-rw-r--. 1 etl etl 1849 10月 11 17:28 node-119.key.pem

-rw-rw-r--. 1 etl etl 4496 10月 11 17:28 node-119-keystore.jks

-rw-rw-r--. 1 etl etl 5336 10月 11 17:28 node-119-keystore.p12

-rw-rw-r--. 1 etl etl 1493 10月 11 17:28 node-119-signed.pem

-rw-rw-r--. 1 etl etl 1096 10月 11 17:28 truststore.jks

 

 

6、复制密钥库和信任库文件

在每个节点上,将keystore.jks和truststore.jks文件放在了Elasticsearch的配置文件目录中。

并且给予Elasticsearch用户读取文件权限。keystore.jks在每个节点上是特定的

 

[etl@webSvr example-pki-scripts]$ cp node-116-keystore.jks truststore.jks /etl_home/elasticsearch-2.4.1/config/

[etl@webSvr example-pki-scripts]$ cp admin-keystore.jks  truststore.jks /etl_home/elasticsearch-2.4.1/plugins/search-guard-2/sgconfig/

 

7、修改节点的elasticsearch.yml配置文件,比如119节点机器

# -------------------search guard config--------------------------

 searchguard.authcz.admin_dn:

 - "CN=admin, OU=client, O=client, L=Test, C=DE"

# 上面的CN的值是要和example.sh中的对应上

 

# -------------------search guard ssl-----------------------------

 searchguard.ssl.transport.enabled: true

 searchguard.ssl.transport.keystore_type: JKS

 searchguard.ssl.transport.keystore_filepath: node-119-keystore.jks

 searchguard.ssl.transport.keystore_password: 12345678

 searchguard.ssl.transport.truststore_filepath: truststore.jks

 searchguard.ssl.transport.truststore_password: 12345678

 searchguard.ssl.transport.enforce_hostname_verification: false

 searchguard.ssl.transport.resolve_hostname: false

 searchguard.ssl.transport.enable_openssl_if_available: false

 searchguard.ssl.transport.enabled_protocols:

 - "TLSv1"

 - "TLSv1.1"

 - "TLSv1.2"

 

# http配置,这里我只是为了测试方便,配置完,应该设置为true

 searchguard.ssl.http.enabled: false

 searchguard.ssl.http.keystore_filepath: node-119-keystore.jks

 searchguard.ssl.http.keystore_password: 12345678

 searchguard.ssl.http.truststore_filepath: truststore.jks

 searchguard.ssl.http.truststore_password: 12345678

 searchguard.allow_all_from_loopback: true

 

8、执行脚本

./plugins/search-guard-2/tools/sgadmin.sh -cn dic_etl -h 192.168.129.116 -cd plugins/search-guard-2/sgconfig -ks plugins/search-guard-2/sgconfig/admin-keystore.jks -kspass 12345678 -ts plugins/search-guard-2/sgconfig/truststore.jks -tspass 12345678 -nhnv

 


 

验证权限

 

 

 

 

1、 生成密码,添加用户

[root@webSvr tools]# ./hash.sh -p zyl

$2a$12$RuFlJX31YeaLehfz.LGTDuBwKNSaAblM5hddGlYmZWgnK8KA/.KGG

 

[root@webSvr sgconfig]# vi sg_internal_users.yml

 

离线安装部署ES权限控制search-guard_第2张图片

 

2、 添加用户权限映射关系权限 

vim sg_roles_mapping.yml

 

 

3、重新写入配置文件(无需启动ES)

./plugins/search-guard-2/tools/sgadmin.sh -cn dic_etl -h 192.168.129.116 -cd plugins/search-guard-2/sgconfig -ks plugins/search-guard-2/sgconfig/admin-keystore.jks -kspass 12345678 -ts plugins/search-guard-2/sgconfig/truststore.jks -tspass 12345678 -nhnv

 

 

离线安装部署ES权限控制search-guard_第3张图片

 

登录zyl用户之后拥有了admin的权限,对ES中下的索引都可操作

离线安装部署ES权限控制search-guard_第4张图片

 

现要求zyl用户只对customer索引有权限,对dic_etl无权限操作

 

 

 

 

 


 

问题:

1、启动报错

离线安装部署ES权限控制search-guard_第5张图片

 

解决方法:下载更新版本的ssl,search-guard-ssl-2.4.1.21.zip

http://floragunncom.github.io/search-guard-docs/installation.html

 

 

2、

[2017-10-11 21:07:45,557][INFO ][com.floragunn.searchguard.action.configupdate.TransportConfigUpdateAction] [node-116] searchguard index does not exist yet, so no need to load config on node startup. Use sgadmin to initialize cluster

[2017-10-11 21:07:45,995][INFO ][cluster.routing.allocation] [node-116] Cluster health status changed from [RED] to [YELLOW] (reason: [shards started [[customer][3]] ...]).

[2017-10-11 21:11:48,597][ERROR][com.floragunn.searchguard.auth.BackendRegistry] Not yet initialized (you may need to run sgadmin)

[2017-10-11 21:12:01,601][ERROR][com.floragunn.searchguard.auth.BackendRegistry] Not yet initialized (you may need to run sgadmin)

 

 

解决方法:执行脚本

./plugins/search-guard-2/tools/sgadmin.sh -cn dic_etl -h 192.168.129.116 -cd plugins/search-guard-2/sgconfig -ks plugins/search-guard-2/sgconfig/admin-keystore.jks -kspass 12345678 -ts plugins/search-guard-2/sgconfig/truststore.jks -tspass 12345678 -nhnv

 

3、启动服务 bin/elasticsearch时报错

离线安装部署ES权限控制search-guard_第6张图片

 

 

解决方法:elasticsearch.yml修改改文件的时候格式有错误,注意保持空格,有且唯一的空格

你可能感兴趣的:(elasticsearch,大数据安全管理)