打开微信扫一扫,关注微信公众号【数据与算法联盟】
转载请注明出处: http://blog.csdn.net/gamer_gyt
博主微博: http://weibo.com/234654758
Github: https://github.com/thinkgamer
写在前边的话
在之前的一篇文章中介绍了Shield在Elk Stack中的权限保护,但由于Shield是收费的,所以就有人给出了免费的解决方案——Search-guard
简单说明
search-guard是elastcisearch的一款插件,提供加密,身份验证和授权,基于search guard SSL,另外提供可插入的身份验证/授权模块,search-guard是shield的替代品,可免费提供所有的基本安全功能,其功能特性:
- 基于用户和角色的权限控制
- 支持SSL和TLS方式安全认证
- 支持LDAP认证
环境说明
Ubuntu 16.04
Elasticsearch 2.4.1
Logstash 2.4.0
Kibana 4.6.1
部署
Elasticsearch配置search-guard
进入elasticsearch的根目录
安装search-guard-ssl
bin/plugin install -b com.floragunn/search-guard-ssl/2.4.1.16
这里我们需要配置密钥和证书
依旧是在es 的根目录
git clone https://github.com/floragunncom/search-guard-ssl.git
cd searchguard_ssl/example-pki-scripts执行
./example.sh
会默认生成证书
当然这里我们可以执行clean.sh删除安装的东西
拷贝相应的文件到指定目录,后续会有需要
cp node-0-keystore.jks ../../config
cp truststore.jks ../../config编辑ec根目录下的config/elasticsearch.yml,加入
searchguard.ssl.transport.keystore_filepath: node-0-keystore.jks
searchguard.ssl.transport.keystore_password: changeit
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: changeit
searchguard.ssl.transport.enforce_hostname_verification: falseweb访问:http://192.168.1.193:9200/ 会看到如下信息
{
"name" : "M-Twins",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "X6U0RRiaQ4ucBXokFj30Yw",
"version" : {
"number" : "2.4.1",
"build_hash" : "c67dc32e24162035d18d6fe1e952c4cbcbe79d16",
"build_timestamp" : "2016-09-27T18:57:55Z",
"build_snapshot" : false,
"lucene_version" : "5.5.2"
},
"tagline" : "You Know, for Search"
}web访问 http://192.168.1.193:9200/_searchguard/sslinfo?pretty
{
"principal" : null,
"peer_certificates" : "0",
"ssl_protocol" : null,
"ssl_cipher" : null,
"ssl_openssl_available" : false,
"ssl_openssl_version" : -1,
"ssl_openssl_version_string" : null,
"ssl_openssl_non_available_cause" : "java.lang.ClassNotFoundException: org.apache.tomcat.jni.SSL",
"ssl_provider_http" : null,
"ssl_provider_transport_server" : "JDK",
"ssl_provider_transport_client" : "JDK"
}在config/elasticsearch.yml配置文件中加入
#configure https
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: node-0-keystore.jks
searchguard.ssl.http.keystore_password: changeit
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.truststore_password: changeithttps://192.168.1.193:9200/ (会提示证书错误)
{
"name" : "Zero",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "X6U0RRiaQ4ucBXokFj30Yw",
"version" : {
"number" : "2.4.1",
"build_hash" : "c67dc32e24162035d18d6fe1e952c4cbcbe79d16",
"build_timestamp" : "2016-09-27T18:57:55Z",
"build_snapshot" : false,
"lucene_version" : "5.5.2"
},
"tagline" : "You Know, for Search"
}https://192.168.1.193:9200/_searchguard/sslinfo?pretty (会提示证书错误)
{
"principal" : null,
"peer_certificates" : "0",
"ssl_protocol" : "TLSv1.2",
"ssl_cipher" : "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"ssl_openssl_available" : false,
"ssl_openssl_version" : -1,
"ssl_openssl_version_string" : null,
"ssl_openssl_non_available_cause" : "java.lang.ClassNotFoundException: org.apache.tomcat.jni.SSL",
"ssl_provider_http" : "JDK",
"ssl_provider_transport_server" : "JDK",
"ssl_provider_transport_client" : "JDK"
}配置客户认证
searchguard.ssl.http.clientauth_mode: REQUIRE
出现web不能访问的情况,由于该配置是可选的,所以暂时不配置
这里需要解释一下:
默认执行的./example.sh 是以kiri为用户名的,这个我们可以通过vim example.sh可以看的出来,在elasticsearch.yml中的**.passwordd可以自己设置
安装search-guard
bin/plugin install -b com.floragunn/search-guard-2/2.4.1.7
安装之后不做任何设置再次重启elasticsearch,web访问会出现以下状况:
Search Guard not initialized (SG11)
这是提示我们没有进行初始化
编辑config/elasticsearch.yml,加入以下两行
searchguard.authcz.admin_dn:
- CN=kirk,OU=client,O=client,L=test, C=DE #由于我们是采用的默认的example.sh进行密钥生成的
- cn=admin,ou=Test,ou=ou,dc=company,dc=com此时需要重新启动elasticsearch,因为需要把我们新更改的elasticsearch.yml加载进来,否则在初始化的时候会报错
复制 kirk-keystore.jks和truststore.jks到 plugins/search-guard-2/tools目录下,然后执行初始化命令
./sgadmin.sh -ts truststore.jks -ks kirk-keystore.jks -cd ../sgconfig -icl
然后重启启动elasticsearch,web访问会提示你输入账号和密码
Logstash配置search-guard
依旧采用rsyslog的例子,机器配置rsyslog.conf,最后两行加入
*.* @@localhost:5000
*.* @localhost:5000重启rsyslog服务
在logstash目录下编辑一个新文件rsyslog.conf,内容如下:
input {
tcp{
port => 5000
type => syslog
}
udp{
port => 5000
type => syslog
}
}
output {
stdout {
codec=> rubydebug
}
elasticsearch {
hosts => ["localhost:9200"]
ssl => true
ssl_certificate_verification => true
truststore => "/opt/elk/elasticsearch-2.4.1/config/truststore.jks"
truststore_password => changeit
user => logstash
password => logstash
}
}这里的logstash用户在 elasticsearch安装目录下的plugin/seach-guard-2/sgconfig/sg_roles.yml中
这里我们说一下sgconfig这几个文件:
Search-guard的动态配置
- sg_config.yml:配置验证器和授权后端
- sg_roles.yml:定义角色和相关的权限
- sg_roles_mapping.yml:将后端角色,主机和用户映射到角色
- sg_internal_users.yml:用户和散列密码(使用hasher.sh哈希)
- sg_action_groups.yml:组权限在一起
接着我们设置logstash用户的权限,我们可以在sg_roles.yml中方看到logstash用户具有的权限
sg_logstash:
cluster:
- indices:admin/template/get
- indices:admin/template/put
indices:
'logstash-*':
'*':
- CRUD
- CREATE_INDEX
'*beat*':
'*':
- CRUD
- CREATE_INDEX启动配置文件,测试登录,elasticsearch便可以接收到rsyslog发送过来的日志
Kibana配置
编辑kibana.yml
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.url: "https://localhost:9200"
elasticsearch.username: "kibanaserver"
elasticsearch.password: "kibanaserver"
elasticsearch.ssl.ca: /opt/elk/elasticsearch-2.4.1/search-guard-ssl/example-pki-scripts/kirk-signed.pem
elasticsearch.ssl.verify: false启动kibana服务,web访问,便会提示你输入密码
验证器配置:
验证器配置:
Vim plugins/search-guard-2/sgconfig/sg_config.yml
searchguard:
dynamic:
http:
...
authc:
kibana_auth_domain:
enabled: true
order: 1
http_authenticator:
type: basic
challenge: true
authentication_backend:
type: internal
authz:
...其他的自定义角色和角色对应的权限请参考官网资料对sgconfig文件夹的几个文件进行配置即可
