在之前的一篇文章中介绍了Shield在Elk Stack中的权限保护,但由于Shield是收费的,所以就有人给出了免费的解决方案——Search-guard
search-guard是elastcisearch的一款插件,提供加密,身份验证和授权,基于search guard SSL,另外提供可插入的身份验证/授权模块,search-guard是shield的替代品,可免费提供所有的基本安全功能,其功能特性:
Ubuntu 16.04
Elasticsearch 2.4.1
Logstash 2.4.0
Kibana 4.6.1
进入elasticsearch的根目录
bin/plugin install -b com.floragunn/search-guard-ssl/2.4.1.16
这里我们需要配置密钥和证书
依旧是在es 的根目录
git clone https://github.com/floragunncom/search-guard-ssl.git
cd searchguard_ssl/example-pki-scripts
执行
./example.sh
会默认生成证书
当然这里我们可以执行clean.sh删除安装的东西
拷贝相应的文件到指定目录,后续会有需要
cp node-0-keystore.jks ../../config
cp truststore.jks ../../config
编辑ec根目录下的config/elasticsearch.yml,加入
searchguard.ssl.transport.keystore_filepath: node-0-keystore.jks
searchguard.ssl.transport.keystore_password: changeit
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: changeit
searchguard.ssl.transport.enforce_hostname_verification: false
web访问:http://192.168.1.193:9200/ 会看到如下信息
{
"name" : "M-Twins",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "X6U0RRiaQ4ucBXokFj30Yw",
"version" : {
"number" : "2.4.1",
"build_hash" : "c67dc32e24162035d18d6fe1e952c4cbcbe79d16",
"build_timestamp" : "2016-09-27T18:57:55Z",
"build_snapshot" : false,
"lucene_version" : "5.5.2"
},
"tagline" : "You Know, for Search"
}
web访问 http://192.168.1.193:9200/_searchguard/sslinfo?pretty
{
"principal" : null,
"peer_certificates" : "0",
"ssl_protocol" : null,
"ssl_cipher" : null,
"ssl_openssl_available" : false,
"ssl_openssl_version" : -1,
"ssl_openssl_version_string" : null,
"ssl_openssl_non_available_cause" : "java.lang.ClassNotFoundException: org.apache.tomcat.jni.SSL",
"ssl_provider_http" : null,
"ssl_provider_transport_server" : "JDK",
"ssl_provider_transport_client" : "JDK"
}
在config/elasticsearch.yml配置文件中加入
#configure https
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: node-0-keystore.jks
searchguard.ssl.http.keystore_password: changeit
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.truststore_password: changeit
https://192.168.1.193:9200/ (会提示证书错误)
{
"name" : "Zero",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "X6U0RRiaQ4ucBXokFj30Yw",
"version" : {
"number" : "2.4.1",
"build_hash" : "c67dc32e24162035d18d6fe1e952c4cbcbe79d16",
"build_timestamp" : "2016-09-27T18:57:55Z",
"build_snapshot" : false,
"lucene_version" : "5.5.2"
},
"tagline" : "You Know, for Search"
}
https://192.168.1.193:9200/_searchguard/sslinfo?pretty (会提示证书错误)
{
"principal" : null,
"peer_certificates" : "0",
"ssl_protocol" : "TLSv1.2",
"ssl_cipher" : "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"ssl_openssl_available" : false,
"ssl_openssl_version" : -1,
"ssl_openssl_version_string" : null,
"ssl_openssl_non_available_cause" : "java.lang.ClassNotFoundException: org.apache.tomcat.jni.SSL",
"ssl_provider_http" : "JDK",
"ssl_provider_transport_server" : "JDK",
"ssl_provider_transport_client" : "JDK"
}
配置客户认证
searchguard.ssl.http.clientauth_mode: REQUIRE
出现web不能访问的情况,由于该配置是可选的,所以暂时不配置
这里需要解释一下:
默认执行的./example.sh 是以kiri为用户名的,这个我们可以通过vim example.sh可以看的出来,在elasticsearch.yml中的**.passwordd可以自己设置
bin/plugin install -b com.floragunn/search-guard-2/2.4.1.7
安装之后不做任何设置再次重启elasticsearch,web访问会出现以下状况:
Search Guard not initialized (SG11)
这是提示我们没有进行初始化
编辑config/elasticsearch.yml,加入以下两行
searchguard.authcz.admin_dn:
- CN=kirk,OU=client,O=client,L=test, C=DE #由于我们是采用的默认的example.sh进行密钥生成的
- cn=admin,ou=Test,ou=ou,dc=company,dc=com
此时需要重新启动elasticsearch,因为需要把我们新更改的elasticsearch.yml加载进来,否则在初始化的时候会报错
复制 kirk-keystore.jks和truststore.jks到 plugins/search-guard-2/tools目录下,然后执行初始化命令
./sgadmin.sh -ts truststore.jks -ks kirk-keystore.jks -cd ../sgconfig -icl
然后重启启动elasticsearch,web访问会提示你输入账号和密码
依旧采用rsyslog的例子,机器配置rsyslog.conf,最后两行加入
*.* @@localhost:5000
*.* @localhost:5000
重启rsyslog服务
在logstash目录下编辑一个新文件rsyslog.conf,内容如下:
input {
tcp{
port => 5000
type => syslog
}
udp{
port => 5000
type => syslog
}
}
output {
stdout {
codec=> rubydebug
}
elasticsearch {
hosts => ["localhost:9200"]
ssl => true
ssl_certificate_verification => true
truststore => "/opt/elk/elasticsearch-2.4.1/config/truststore.jks"
truststore_password => changeit
user => logstash
password => logstash
}
}
这里的logstash用户在 elasticsearch安装目录下的plugin/seach-guard-2/sgconfig/sg_roles.yml中
这里我们说一下sgconfig这几个文件:
Search-guard的动态配置
接着我们设置logstash用户的权限,我们可以在sg_roles.yml中方看到logstash用户具有的权限
sg_logstash:
cluster:
- indices:admin/template/get
- indices:admin/template/put
indices:
'logstash-*':
'*':
- CRUD
- CREATE_INDEX
'*beat*':
'*':
- CRUD
- CREATE_INDEX
启动配置文件,测试登录,elasticsearch便可以接收到rsyslog发送过来的日志
编辑kibana.yml
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.url: "https://localhost:9200"
elasticsearch.username: "kibanaserver"
elasticsearch.password: "kibanaserver"
elasticsearch.ssl.ca: /opt/elk/elasticsearch-2.4.1/search-guard-ssl/example-pki-scripts/kirk-signed.pem
elasticsearch.ssl.verify: false
启动kibana服务,web访问,便会提示你输入密码
验证器配置:
验证器配置:
Vim plugins/search-guard-2/sgconfig/sg_config.yml
searchguard:
dynamic:
http:
...
authc:
kibana_auth_domain:
enabled: true
order: 1
http_authenticator:
type: basic
challenge: true
authentication_backend:
type: internal
authz:
...
其他的自定义角色和角色对应的权限请参考官网资料对sgconfig文件夹的几个文件进行配置即可