Using the Search Guard security plugin with Elasticsearch


The version used here is elasticsearch-2.3.5.

Author's GitHub: https://github.com/floragunncom

Features: fine-grained access control by group, by user, by index, by type and by field. Very powerful! It rivals Shield.

Install the ES plugins

bin/plugin install -b com.floragunn/search-guard-ssl/2.3.5.15
bin/plugin install -b com.floragunn/search-guard-2/2.3.5.5

After a successful install, the directory layout is as follows:

/usr/local/elk/elasticsearch-2.3.5

.
├── bin
├── config
│   └── scripts
├── data
│   └── elasticsearch
├── lib
├── logs
├── modules
│   ├── lang-expression
│   ├── lang-groovy
│   └── reindex
└── plugins
    ├── head
    ├── ik
    ├── kopf
    ├── search-guard-2
    └── search-guard-ssl

Download the search-guard-ssl source package; it contains the scripts that generate the certificates automatically:

wget https://github.com/floragunncom/search-guard-ssl/archive/v2.3.5.15.zip
unzip v2.3.5.15.zip
cd search-guard-ssl-2.3.5.15/example-pki-scripts/

There are three scripts:

gen_client_node_cert.sh creates a client certificate
gen_node_cert.sh        creates a node certificate
gen_root_ca.sh          creates the root CA certificate

Edit the scripts:

vim gen_client_node_cert.sh
Find this line: -dname "CN=$CLIENT_NAME, OU=client, O=client, L=Test, C=DE"
Change it to:   -dname "CN=$CLIENT_NAME"

vim gen_node_cert.sh
Find this line: -dname "CN=$NODE_NAME.example.com, OU=SSL, O=Test, L=Test, C=DE" \
Change it to:   -dname "CN=$NODE_NAME" \

Edit the driver script: vim example.sh

#!/bin/bash
set -e
./clean.sh
./gen_root_ca.sh password password 
./gen_node_cert.sh node-0 password  password 
./gen_node_cert.sh node-1 password  password 
./gen_client_node_cert.sh admin password password 
cp truststore.jks node-0-keystore.jks /usr/local/elk/elasticsearch-2.3.5/config/
cp truststore.jks admin-keystore.jks /usr/local/elk/elasticsearch-2.3.5/plugins/search-guard-2/sgconfig/

After running it, the following files are generated in the current directory:

node-0-keystore.jks
node-1-keystore.jks
admin-keystore.jks
truststore.jks

The script above only copies the files needed by node-0; node-1 needs the same treatment with its own keystore.

Next, configure the ES config/elasticsearch.yml:

#############################################################################################
#                                     SEARCH GUARD                                          #
#                                     Configuration                                         #
#############################################################################################
searchguard.enable: true
searchguard.authcz.admin_dn:
  - CN=admin

#############################################################################################
#                                     SEARCH GUARD SSL                                      #
#                                       Configuration                                       #
#############################################################################################


#############################################################################################
# Transport layer SSL                                                                       #
#                                                                                           #
#############################################################################################
# Enable or disable node-to-node ssl encryption (default: true)
searchguard.ssl.transport.enabled: true
# JKS or PKCS12 (default: JKS)
#searchguard.ssl.transport.keystore_type: PKCS12
# Relative path to the keystore file (mandatory, this stores the server certificates), must be placed under the config/ dir
searchguard.ssl.transport.keystore_filepath: node-0-keystore.jks
# Alias name (default: first alias which could be found)
#searchguard.ssl.transport.keystore_alias: my_alias
# Keystore password (default: changeit)
searchguard.ssl.transport.keystore_password: password
# JKS or PKCS12 (default: JKS)
#searchguard.ssl.transport.truststore_type: PKCS12
# Relative path to the truststore file (mandatory, this stores the client/root certificates), must be placed under the config/ dir
searchguard.ssl.transport.truststore_filepath: truststore.jks
# Alias name (default: first alias which could be found)
#searchguard.ssl.transport.truststore_alias: my_alias
# Truststore password (default: changeit)
searchguard.ssl.transport.truststore_password: password
# Enforce hostname verification (default: true)
searchguard.ssl.transport.enforce_hostname_verification: false
# If hostname verification specify if hostname should be resolved (default: true)
searchguard.ssl.transport.resolve_hostname: false
# Use native Open SSL instead of JDK SSL if available (default: true)
searchguard.ssl.transport.enable_openssl_if_available: false
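Because the node certificates above are issued with a bare CN=$NODE_NAME, the config turns hostname verification off and keeps the scripts' placeholder keystore passwords. The following added script (not part of the original post or of Search Guard) parses the transport-layer settings from elasticsearch.yml without PyYAML and reports the settings a reviewer would flag before this config reaches production; the sample text is constructed from the block above.

```python
import re

# Constructed sample: the security-relevant Search Guard settings from the
# elasticsearch.yml above, stray leading space before each key included.
SAMPLE_YML = """\
 searchguard.authcz.admin_dn:
  - CN=admin
 searchguard.ssl.transport.enabled: true
 searchguard.ssl.transport.keystore_password: password
 searchguard.ssl.transport.truststore_password: password
 searchguard.ssl.transport.enforce_hostname_verification: false
"""
# "changeit" is the documented default, "password" is what the scripts use.
WEAK_PASSWORDS = {"changeit", "password", ""}
T = "searchguard.ssl.transport."

def parse_settings(text):
    """Parse the flat `key: value` and `key:` + `- item` shapes (no PyYAML)."""
    settings, list_key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- ") and list_key:
            settings.setdefault(list_key, []).append(line[2:].strip())
            continue
        m = re.match(r"^([\w.]+):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        list_key = None if value else key  # a bare `key:` opens a list
        if value:
            settings[key] = value
    return settings

def audit(settings):
    """Return the findings a reviewer would raise against these settings."""
    findings = []
    if settings.get(T + "enabled", "true") != "true":
        findings.append("node-to-node TLS is disabled")
    if settings.get(T + "enforce_hostname_verification", "true") == "false":
        findings.append("hostname verification disabled: any certificate "
                        "signed by the CA is accepted as any node")
    for store in ("keystore", "truststore"):
        if settings.get(T + store + "_password", "changeit") in WEAK_PASSWORDS:
            findings.append(store + " password is a default or placeholder value")
    if not settings.get("searchguard.authcz.admin_dn"):
        findings.append("admin_dn is empty: sgadmin's admin certificate will be rejected")
    return findings
```

Run it against a node's real config with `audit(parse_settings(open("config/elasticsearch.yml").read()))`; an empty list means none of these checks fired.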

Start the ES cluster, then run sgadmin to load the Search Guard configuration:

./plugins/search-guard-2/tools/sgadmin.sh -cn <cluster-name> -h hostname -cd plugins/search-guard-2/sgconfig -ks plugins/search-guard-2/sgconfig/admin-keystore.jks -kspass password -ts plugins/search-guard-2/sgconfig/truststore.jks -tspass password -nhnv

hostname: the value configured for network.host

The script output looks like this:

Will connect to YourIP:9300 ... done
Contacting elasticsearch cluster 'YourCluster' and wait for YELLOW clusterstate ...
Clustername: YourCluster
Clusterstate: GREEN
Number of nodes: 4
Number of data nodes: 4
Search Guard index already exists, so we do not need to create one.
Populate config from /usr/local/elk/elasticsearch-2.3.5/plugins/search-guard-2/sgconfig
Will update 'config' with plugins/search-guard-2/sgconfig/sg_config.yml
   SUCC: Configuration for 'config' created or updated
Will update 'roles' with plugins/search-guard-2/sgconfig/sg_roles.yml
   SUCC: Configuration for 'roles' created or updated
Will update 'rolesmapping' with plugins/search-guard-2/sgconfig/sg_roles_mapping.yml
   SUCC: Configuration for 'rolesmapping' created or updated
Will update 'internalusers' with plugins/search-guard-2/sgconfig/sg_internal_users.yml
   SUCC: Configuration for 'internalusers' created or updated
Will update 'actiongroups' with plugins/search-guard-2/sgconfig/sg_action_groups.yml
   SUCC: Configuration for 'actiongroups' created or updated
Done with success

After that, accessing ES only requires entering a username and password.