Our production ES cluster runs version 6.2.4. Although it sits on the internal network, a security scan flagged an Elasticsearch unauthenticated-access issue, so HTTP basic authentication had to be added.
The elasticsearch-http-basic plugin only supports ES 1.x and has not been updated in nearly three years. We run 6.x in production, so this plugin cannot be used.
Option 1 is the Search Guard plugin, using its community edition and the basic HTTP basic authentication it provides; in essence it places a Search Guard filter in front of the ES cluster.
Option 2 is putting nginx in front of the ES cluster and providing HTTP basic authentication through nginx's own auth.
Option 3: X-Pack Elasticsearch Security, which requires a paid license.
We chose option 1.
search-guard-6-6.2.4-23.0
search-guard-kibana-plugin-6-6.4.0-19.0
https://docs.search-guard.com/6.x-23/search-guard-installation
https://docs.search-guard.com/6.x-23/kibana-plugin-installation
<ES install dir>/elasticsearch/plugins/search-guard-6/sgconfig
This is an RBAC model for data permissions:
sg_internal_users.yml -- users
sg_roles.yml -- roles
sg_roles_mapping.yml -- user-to-role mapping
sg_action_groups.yml -- permissions (the role-to-permission mapping is also in here)
sg_config.yml -- modular configuration; you choose which configuration to activate
<ES install dir>/elasticsearch/plugins/search-guard-6/tools
Among them:
hash.sh is used to generate the password hash
install_demo_configuration.sh is used to
Reference: https://docs.search-guard.com/6.x-23/tls-certificates-installer
You can also choose not to run the script and prepare the relevant files by hand.
After that, configure elasticsearch.yml.
Reference: https://docs.search-guard.com/6.x-23/tls-download-certificates
Since we do not use SSL, we set ssl.http.enable: false
The sgadmin.demo script:
This will update the Search Guard configuration with the contents of the files located in:
In elasticsearch.yml, set
searchguard.enterprise_modules_enabled: false
Visit http://<kibana address>:9200/_searchguard/license to view the configured license.
Originally I only wanted its HTTP basic authentication and not its TLS features, but it turned out that,
Reference: https://docs.search-guard.com/6.x-23/configuring-tls
There are two main configuration sections, one for the transport layer, and one for the REST layer. For the REST layer, TLS is optional, while it is mandatory for the transport layer.
Reference: https://docs.search-guard.com/6.x-23/elasticsearch-transport-clients-search-guard
For a Transport Client to talk to a Search Guard secured Elasticsearch cluster, the following requirements must be met:
The Transport Client needs to authenticate itself against the cluster by sending a trusted TLS certificate
A role with appropriate permissions has to be configured in Search Guard, either based on the hostname of the client, or the DN of the certificate
Configuration is needed on two sides.
1. In elasticsearch.yml, we configured
searchguard.authcz.admin_dn:
- "CN=kirk,OU=client,O=client,L=test,C=de"
Official reference:
https://search-guard.com/elasticsearch-tls-certificates/
AN INTRODUCTION TO TLS CERTIFICATES
The first thing You can check is an issuer of the certificate. The issuer is identified by a DN (distinguished name). DN can contain following fields:
Reference: https://blog.csdn.net/lianjunzongsiling/article/details/80558757
Meaning of CN, OU, O, L, S and C in LDAP:
CN=commonName
OU=organizationUnit
O=organizationName
L=localityName
S=stateName
C=country
This means the cluster allows a transport client to connect using the admin certificate, that is, with the admin DN of the certificate.
2. Changes in the Java program
Add the dependency:
compileOnly group: 'com.floragunn', name: 'search-guard-5', version: '5.6.8-19'
One thing to note here: we are using the Spring Boot 2.0 starter
compile('org.springframework.boot:spring-boot-starter-data-elasticsearch')
The Elasticsearch packages it pulls in are version 5.6.8.
When we used the search-guard-6 dependency it turned out to be incompatible; switching to search-guard-5 worked.
Modify the TransportClient.
Note that the paths must be absolute, and the files are kirk.pem and kirk-key.pem.
If esnode.pem and esnode-key.pem are used instead, requests fail with: No user found for [indices:data/read/search]
Reference: "Transport client not working with sarchguard."
Here we use the first authentication method, certificate authentication,
and not the username/password method.
Reference: https://docs.search-guard.com/6.x-23/elasticsearch-transport-clients-search-guard
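For the transport-client side described above, here is an added example (not the post's own code, which is not shown) of a TransportClient built with the ES 5.6.8 client library and the search-guard-5 dependency, authenticating with the kirk client certificate. The certificate directory, cluster name, node host and the root-ca.pem trust file are assumptions for illustration.

```java
import java.net.InetSocketAddress;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

import org.elasticsearch.action.search.SearchResponse;
import org.elasticsearch.client.transport.TransportClient;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.InetSocketTransportAddress;
import org.elasticsearch.transport.client.PreBuiltTransportClient;

import com.floragunn.searchguard.SearchGuardPlugin;

public class SearchGuardTransportClientExample {

    // Assumption: absolute directory holding the demo certificates.
    private static final String CERT_DIR = "/etc/elasticsearch/sgcerts";

    static Settings buildSettings(Path certDir) {
        // Fail early with a readable message instead of an opaque TLS handshake error later.
        for (String f : new String[] {"kirk.pem", "kirk-key.pem", "root-ca.pem"}) {
            if (!Files.isReadable(certDir.resolve(f))) {
                throw new IllegalStateException("missing or unreadable: " + certDir.resolve(f));
            }
        }
        return Settings.builder()
            .put("path.home", ".")
            .put("cluster.name", "searchguard_demo") // assumption: your cluster's name
            // Client certificate and key: must be the client/admin cert (kirk), whose DN matches
            // searchguard.authcz.admin_dn. Using the node cert (esnode) yields
            // "No user found for [indices:data/read/search]".
            .put("searchguard.ssl.transport.pemcert_filepath", certDir.resolve("kirk.pem").toString())
            .put("searchguard.ssl.transport.pemkey_filepath", certDir.resolve("kirk-key.pem").toString())
            // CA that signed the node certificates (root-ca.pem from the demo set, assumed here).
            .put("searchguard.ssl.transport.pemtrustedcas_filepath", certDir.resolve("root-ca.pem").toString())
            // Demo certificates carry no matching hostnames; keep this true with real certificates.
            .put("searchguard.ssl.transport.enforce_hostname_verification", false)
            .build();
    }

    public static void main(String[] args) throws Exception {
        Settings settings = buildSettings(Paths.get(CERT_DIR));
        // Transport traffic is TLS, so the client must load the Search Guard plugin.
        try (TransportClient client = new PreBuiltTransportClient(settings, SearchGuardPlugin.class)
                .addTransportAddress(new InetSocketTransportAddress(new InetSocketAddress("es-node-1", 9300)))) {
            SearchResponse resp = client.prepareSearch().setSize(0).get(); // assumption: host es-node-1
            System.out.println("total hits: " + resp.getHits().getTotalHits());
        }
    }
}
```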
After ES restarts, Search Guard creates an index named searchguard.
The end result, after adding Search Guard:
the transport client is unaffected;
HTTP requests go through HTTP basic authentication.
Every machine in the cluster must unpack the plugin and run the corresponding scripts.