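Elasticsearch: adding access control with search-guard
1. Steps for adding authentication; install the plugin versions that match your Elasticsearch version:
(1) Install latest version of search-guard-ssl plugin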
sudo bin/plugin install -b com.floragunn/search-guard-ssl/2.3.4.14
(2) Install search-guard-2 plugin
sudo bin/plugin install -b com.floragunn/search-guard-2/2.3.4.3
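(3) Add the following configuration to elasticsearch.yml (用户名 and 密码 in the values below stand for your own user name and password)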
searchguard.authentication.authentication_backend.impl: com.floragunn.searchguard.authentication.backend.simple.SettingsBasedAuthenticationBackend
searchguard.authentication.authorizer.impl: com.floragunn.searchguard.authorization.simple.SettingsBasedAuthorizator
searchguard.authentication.http_authenticator.impl: com.floragunn.searchguard.authentication.http.basic.HTTPBasicAuthenticator
searchguard.actionrequestfilter.names: ["none"]
searchguard.actionrequestfilter.none.allowed_actions: []
searchguard.transport_auth.enabled: true
marvel.agent.exporter.es.hosts: [ "http://用户名:密码@192.168.8.107:9200"]
searchguard.authentication.authorization.settingsdb.roles.admin: ["root"]
searchguard.authentication.settingsdb.user.admin: 密码
security.manager.enabled: false
searchguard.audit.type: internal_elasticsearch
#############################################################################################
# SEARCH GUARD #
# Configuration #
#############################################################################################
searchguard.enable: true
searchguard.authcz.admin_dn:
- CN=admin
#############################################################################################
# SEARCH GUARD SSL #
# Configuration #
#############################################################################################
#############################################################################################
# Transport layer SSL #
# #
#############################################################################################
# Enable or disable node-to-node ssl encryption (default: true)
searchguard.ssl.transport.enabled: true
# JKS or PKCS12 (default: JKS)
#searchguard.ssl.transport.keystore_type: PKCS12
# Relative path to the keystore file (mandatory, this stores the server certificates), must be placed under the config/ dir
searchguard.ssl.transport.keystore_filepath: node-0-keystore.jks
# Alias name (default: first alias which could be found)
#searchguard.ssl.transport.keystore_alias: my_alias
# Keystore password (default: changeit)
searchguard.ssl.transport.keystore_password: 密码
# JKS or PKCS12 (default: JKS)
searchguard.ssl.transport.keystore_type: JKS
#searchguard.ssl.transport.truststore_type: PKCS12
# Relative path to the truststore file (mandatory, this stores the client/root certificates), must be placed under the config/ dir
searchguard.ssl.transport.truststore_filepath: truststore.jks
# Alias name (default: first alias which could be found)
#searchguard.ssl.transport.truststore_alias: my_alias
# Truststore password (default: changeit)
searchguard.ssl.transport.truststore_password: 密码
# Enforce hostname verification (default: true)
searchguard.ssl.transport.enforce_hostname_verification: false
# If hostname verification specify if hostname should be resolved (default: true)
searchguard.ssl.transport.resolve_hostname: false
# Use native Open SSL instead of JDK SSL if available (default: true)
searchguard.ssl.transport.enable_openssl_if_available: false
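(4) Download the search-guard-ssl-2.3.4 source code
Use /home/elasticsearch/search-guard-ssl-2.3.4/example-pki-scripts to generate the root certificate, the node password and the client password; the resulting files are named node-0-keystore.jks and truststore.jks
Copy them to: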
/home/elasticsearch/elasticsearch-2.3.4/config/node-0-keystore.jks
/home/elasticsearch/elasticsearch-2.3.4/config/truststore.jks
/home/elasticsearch/elasticsearch-2.3.4/plugins/search-guard-2/sgconfig/truststore.jks
/home/elasticsearch/elasticsearch-2.3.4/plugins/search-guard-2/sgconfig/admin-keystore.jks
(5) Start elasticsearch
(6) Run the following command to complete the plugin initialization
./plugins/search-guard-2/tools/sgadmin.sh -cn 密码 -h 192.168.8.107 -p 9982 -cd plugins/search-guard-2/sgconfig -ks plugins/search-guard-2/sgconfig/admin-keystore.jks -kspass 密码 -ts plugins/search-guard-2/sgconfig/truststore.jks -tspass 密码 -nhnv
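A check that can be run over the elasticsearch.yml from step (3) before the node is started, given here as an added example that is not part of the original page or of Search Guard. It flags the settings in that file that weaken the setup: hostname verification switched off, a keystore password left at the documented default changeit, credentials embedded in a URL, and the Java security manager disabled. The sample input is constructed, and the names parse_flat_yaml, audit and URL_CREDS are hypothetical.

```python
import re

# Constructed sample in the shape of the elasticsearch.yml from step (3);
# hosts and passwords are made-up placeholders, not values from the page.
SAMPLE = """\
searchguard.ssl.transport.enabled: true
searchguard.ssl.transport.keystore_password: changeit
searchguard.ssl.transport.truststore_password: S3cure-example
searchguard.ssl.transport.enforce_hostname_verification: false
marvel.agent.exporter.es.hosts: [ "http://admin:example-pw@192.0.2.10:9200"]
security.manager.enabled: false
#searchguard.ssl.transport.keystore_alias: my_alias
"""

# user:password@ directly after the URL scheme
URL_CREDS = re.compile(r'(https?)://[^/\s"@:]+:[^/\s"@]+@')

def parse_flat_yaml(text):
    """Parse flat 'key: value' lines; comments and '- item' lines are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "-")):
            continue
        key, sep, value = line.partition(":")
        if sep:
            settings[key.strip()] = value.strip()
    return settings

def audit(settings):
    """Return sorted (key, finding) pairs for values that weaken the setup."""
    findings = []
    for key, value in settings.items():
        v = value.strip("\"'").lower()
        if key.endswith("store_password") and v in ("", "changeit"):
            findings.append((key, "keystore/truststore password empty or default"))
        if key.endswith("enforce_hostname_verification") and v == "false":
            findings.append((key, "peer certificate hostname is not verified"))
        if key.endswith("ssl.transport.enabled") and v == "false":
            findings.append((key, "node-to-node traffic is not encrypted"))
        if key == "security.manager.enabled" and v == "false":
            findings.append((key, "Java security manager is disabled"))
        m = URL_CREDS.search(value)
        if m:
            how = "cleartext HTTP" if m.group(1) == "http" else "HTTPS"
            findings.append((key, "credentials embedded in a URL (%s)" % how))
    return sorted(findings)

if __name__ == "__main__":
    for key, finding in audit(parse_flat_yaml(SAMPLE)):
        print("%-60s %s" % (key, finding))
```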