Elasticsearch 7.6.0 Secure Authentication with LDAP

1. Installing Elasticsearch and Kibana with Docker


docker run -d --name es -p 9200:9200 -p 9300:9300 -e "discovery.type=single-node" elasticsearch:7.6.0

docker run -d --name kibana -p 5601:5601 kibana:7.6.0

2. Testing the OpenLDAP environment


yum install openldap-clients.x86_64 -y

# Example: search for a particular user in LDAP
ldapsearch -x -H ldap://192.168.1.10:389 -b uid=zhangsan,ou=users,dc=test,dc=com -D "cn=root,dc=test,dc=com" -w $PASSWD

3. About Elasticsearch X-Pack

The LDAP authentication feature requires the following modifications:

Step 1. Compile the following two source files inside the container and replace the originals

LicenseVerifier.java

package org.elasticsearch.license;

import java.nio.*;
import org.elasticsearch.common.bytes.*;
import java.security.*;
import java.util.*;
import org.elasticsearch.common.xcontent.*;
import org.apache.lucene.util.*;
import org.elasticsearch.core.internal.io.*;
import java.io.*;

public class LicenseVerifier
{
    public static boolean verifyLicense(final License license, final byte[] publicKeyData) {
        return true;
    }
    
    public static boolean verifyLicense(final License license) {
        return true;
    }
}

XPackBuild.java

package org.elasticsearch.xpack.core;

import org.elasticsearch.common.io.*;
import java.net.*;
import org.elasticsearch.common.*;
import java.nio.file.*;
import java.io.*;
import java.util.jar.*;

public class XPackBuild
{
    public static final XPackBuild CURRENT;
    private String shortHash;
    private String date;
    
    @SuppressForbidden(reason = "looks up path of xpack.jar directly")
    static Path getElasticsearchCodebase() {
        final URL url = XPackBuild.class.getProtectionDomain().getCodeSource().getLocation();
        try {
            return PathUtils.get(url.toURI());
        }
        catch (URISyntaxException bogus) {
            throw new RuntimeException(bogus);
        }
    }
    
    XPackBuild(final String shortHash, final String date) {
        this.shortHash = shortHash;
        this.date = date;
    }
    
    public String shortHash() {
        return this.shortHash;
    }
    
    public String date() {
        return this.date;
    }
    
    static {
        final Path path = getElasticsearchCodebase();
        String shortHash = null;
        String date = null;
        Label_0109: {
            shortHash = "Unknown";
            date = "Unknown";
        }
        CURRENT = new XPackBuild(shortHash, date);
    }
}

Step 2. Compile and replace the jar

# Compile the attached source files inside the container
/usr/share/elasticsearch/jdk/bin/javac -cp "/usr/share/elasticsearch/lib/*:/usr/share/elasticsearch/modules/x-pack-core/*" /tmp/LicenseVerifier.java
/usr/share/elasticsearch/jdk/bin/javac -cp "/usr/share/elasticsearch/lib/*:/usr/share/elasticsearch/modules/x-pack-core/*" /tmp/XPackBuild.java

cd /usr/share/elasticsearch/modules/x-pack-core/
cp x-pack-core-7.6.0.jar x-pack-core-7.6.0.jar.bk

# Extract the files that are going to be replaced
jar xf x-pack-core-7.6.0.jar org/elasticsearch/license/LicenseVerifier.class
jar xf x-pack-core-7.6.0.jar org/elasticsearch/xpack/core/XPackBuild.class

# Replace them with the newly compiled classes
mv /tmp/LicenseVerifier.class org/elasticsearch/license/LicenseVerifier.class
mv /tmp/XPackBuild.class org/elasticsearch/xpack/core/XPackBuild.class

# Update the jar
jar uf x-pack-core-7.6.0.jar org/elasticsearch/license/LicenseVerifier.class
jar uf x-pack-core-7.6.0.jar org/elasticsearch/xpack/core/XPackBuild.class

Step 3. Apply for a license and load it

Apply for a license on the Elastic website (license application page). The downloaded license is a JSON file. Change the license's type, expiry_date_in_millis and max_nodes to platinum, 4544447920099 and 9999 respectively, as shown below:

{"license":
    {
        "uid":"537c5c48-c1dd-43ea-ab69-68d209d80c32",
        "type":"platinum",
        "issue_date_in_millis":1558051200000,
        "expiry_date_in_millis":4544447920099,
        "max_nodes":9999,
        "issued_to":"work",
        "issuer":"Web Form",
        "signature":"...",
        "start_date_in_millis":1558051200000
    }
}

Once all of the above is done and before starting Elasticsearch, we need to configure SSL/TLS for Elasticsearch; if it is not configured, security has to be disabled before the license can be loaded. After the license has been loaded, we re-enable security and turn on SSL/TLS.


cd /usr/share/elasticsearch/config
echo "xpack.security.enabled: false" >> elasticsearch.yml
echo "node.name: node-1" >> elasticsearch.yml
echo 'cluster.initial_master_nodes: ["node-1"]'  >> elasticsearch.yml
echo "vm.max_map_count = 262144" >> /etc/sysctl.conf; sysctl -p

# Load the license into Elasticsearch
curl -XPUT -u elastic 'http://127.0.0.1:9200/_xpack/license' -H "Content-Type: application/json" -d @license.json
Enter host password for user 'elastic':           # prompts for the elastic user's password; there is none yet, so just press Enter
{"acknowledged":true,"license_status":"valid"}    # license loaded successfully

# After the license has been loaded into Elasticsearch
echo "xpack.security.transport.ssl.enabled: true" >> elasticsearch.yml
sed -i 's/xpack.security.enabled: false/xpack.security.enabled: true/g' elasticsearch.yml

# Restart Elasticsearch
docker restart es

Check the license

$ curl -XGET -u elastic:tWbWZc7NE3wYqS6DvSu4 http://127.0.0.1:9200/_license
{"license":
    {
        "uid":"537c5c48-c1dd-43ea-ab69-68d209d80c32",
        "type":"platinum",
        "issue_date_in_millis":1558051200000,
        "expiry_date_in_millis":4544447920099,
        "max_nodes":9999,
        "issued_to":"work",
        "issuer":"Web Form",
        "start_date_in_millis":1558051200000
    }
}

4. Authenticating Elasticsearch against LDAP

Step 1. Edit elasticsearch.yml

[root@7fd26185d286 config]# cat elasticsearch.yml 
cluster.name: "docker-cluster"
network.host: 0.0.0.0
node.name: node1
cluster.initial_master_nodes: ["node1"]

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

xpack:
  security:
    authc:
      realms:
        ldap:
          ldap1:
            order: 0
            url: "ldap://ip:389"
            bind_dn: "cn=root,dc=test,dc=com"
            user_search:
              base_dn: "dc=test,dc=com"
              filter: "(cn={0})"
            group_search:
              base_dn: "dc=test,dc=com"
            files:
              role_mapping: "/usr/share/elasticsearch/config/role_mapping.yml"
            unmapped_groups_as_roles: false


Step 2. Grant users permissions

docker exec -it es bash

# Generate the CA and the node certificate
bin/elasticsearch-certutil ca
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
# Set the initial passwords of the built-in users
bin/elasticsearch-setup-passwords interactive


# Run inside the container: add the LDAP bind password to the keystore
bin/elasticsearch-keystore add \
xpack.security.authc.realms.ldap.ldap1.secure_bind_password

# Map LDAP groups to Elasticsearch roles
curl -X PUT -u elastic:<password> "localhost:9200/_security/role_mapping/admins?pretty" -H 'Content-Type: application/json' -d'
{
  "roles" : [ "kibana_admin", "superuser" ],
  "rules" : { "field" : {
    "groups" : "*,ou=rbac,dc=test,dc=com" 
  } },
  "enabled": true
}
'
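As an added, runnable illustration (not part of the original post and not Elasticsearch's own code) of how the mapping above turns LDAP group membership into Elasticsearch roles: a small Python evaluator for the role-mapping rule DSL (field / any / all / except), run against two constructed users. DN comparison is simplified here to lower-casing and trimming, which is an assumption; Elasticsearch's own DN matching is more thorough.

```python
import fnmatch

# Constructed copy of the role mapping posted above (not read from a live cluster).
ROLE_MAPPING = {"roles": ["kibana_admin", "superuser"],
                "rules": {"field": {"groups": "*,ou=rbac,dc=test,dc=com"}},
                "enabled": True}

# Constructed sample users, shaped like what the LDAP realm hands to role mapping.
ADMIN = {"username": "zhangsan", "dn": "uid=zhangsan,ou=users,dc=test,dc=com",
         "groups": ["cn=es-admins,ou=rbac,dc=test,dc=com"]}
PLAIN = {"username": "lisi", "dn": "uid=lisi,ou=users,dc=test,dc=com",
         "groups": ["cn=staff,ou=groups,dc=test,dc=com"]}


def normalize_dn(dn):
    """Simplified DN normalisation (assumption): lower-case, strip spaces at commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def field_matches(field, pattern, user):
    """One 'field' rule: exact match, or wildcard match when the pattern has '*'.
    dn/groups are compared as normalised DNs; other fields as plain strings."""
    values = user.get(field, [])
    values = values if isinstance(values, list) else [values]
    if field in ("dn", "groups"):
        pattern, values = normalize_dn(pattern), [normalize_dn(v) for v in values]
    if "*" in pattern:  # fnmatch also treats ? and [] specially; DNs rarely use them
        return any(fnmatch.fnmatchcase(v, pattern) for v in values)
    return pattern in values


def evaluate_rule(rule, user):
    """Recursively evaluate the role-mapping rule DSL: field / any / all / except."""
    if "field" in rule:
        (field, patterns), = rule["field"].items()
        patterns = patterns if isinstance(patterns, list) else [patterns]
        return any(field_matches(field, p, user) for p in patterns)
    if "any" in rule:
        return any(evaluate_rule(r, user) for r in rule["any"])
    if "all" in rule:
        return all(evaluate_rule(r, user) for r in rule["all"])
    if "except" in rule:
        return not evaluate_rule(rule["except"], user)
    raise ValueError(f"unknown rule: {rule}")


def roles_for(user, mappings):
    """Union of roles from every enabled mapping whose rules match the user."""
    return sorted({r for m in mappings
                   if m.get("enabled", True) and evaluate_rule(m["rules"], user)
                   for r in m["roles"]})
```

With the mapping above, a member of any group under ou=rbac gets kibana_admin and superuser, while a user whose groups all live elsewhere gets nothing; a disabled mapping contributes no roles.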

5. Modifying the Kibana configuration

The Elasticsearch side is now complete; next we modify the Kibana configuration so that it can connect to Elasticsearch.

Edit the configuration file

Add the following to Kibana's configuration file config/kibana.yml and restart Kibana.

elasticsearch.username: "elastic"
elasticsearch.password: "<password>"

Opening Kibana (http://ip:5601) now prompts for a username and password; logging in with an LDAP user's credentials works.

To change the roles mapped to LDAP groups, use Management - Role Mappings in the Kibana UI.
