Elasticsearch & Search Guard 5 Permission Configuration

Elasticsearch & Search Guard 5 Configuration

Email: 1405733736@qq.com

saber-sky@hotmail.com

-- Elasticsearch version 5.6.3

-- Search Guard version 5.6.3

I. Installing Search Guard on Elasticsearch

Change to the Elasticsearch bin directory: cd /data/elasticsearch-5.6.3/bin

Install search-guard: ./elasticsearch-plugin install -b com.floragunn:search-guard-5:5.6.3-18

The Search Guard version must match the Elasticsearch version. Available versions are listed at: https://oss.sonatype.org/content/repositories/releases/com/floragunn/search-guard-5/

A successful installation looks like the figure below.

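II. Quick start:

Change to the elasticsearch/plugins directory, where you can see that search-guard has been installed.

Run: ./search-guard-5/tools/install_demo_configuration.sh

This installs the permission setup preconfigured by the developers into Elasticsearch.

(This step configures Elasticsearch for you; plain HTTP access is no longer available and HTTPS must be used. The demo configuration ships demo certificates and default accounts such as admin/admin, so use it for testing only.)

Start Elasticsearch: change to elasticsearch/bin and run ./elasticsearch

In a browser, open https://admin:admin@localhost:9200/_searchguard/authinfo?pretty

On success it displays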


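III. Permission configuration

Download search-guard-ssl; the official repository is: https://github.com/floragunncom/search-guard-ssl.git

In the two files under the etc directory, only the company information needs to be changed, and it must be the same in both files.

Next, modify the certificate generation settings in

example.sh

Running it generates the certificates.

Copy the server certificate .jks and truststore.jks into the elasticsearch/config directory.

Copy the client certificate .jks and truststore.jks into the elasticsearch/plugins/search-guard-5/sgconfig directory.

Modify the Elasticsearch configuration file.

Modify the user permissions.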

(1) sg_config.yml

Configures authenticators and authorization backends. This main configuration file does not need to be changed.

(2) sg_internal_users.yml

The local user file; it defines user passwords and the corresponding permissions. For example, we need a Kibana login user and a Logstash user:

kibana4:
  hash: $2a$12$xZOcnwYPYQ3zIadnlQIJ0eNhX1ngwMkTN.oMwkKxoGvDVPn4/6XtO
  #password is: kirk
  roles:
    - kibana4
logstash:
  hash: $2a$12$xZOcnwYPYQ3zIadnlQIJ0eNhX1ngwMkTN.oMwkKxoGvDVPn4/6XtO
  #password is: kirk
  roles:
    - logstash

Password hashes can be generated with plugins/search-guard-5/tools/hash.sh.
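A small audit of the sg_internal_users.yml layout above, as an added example (not from the original post or from Search Guard): it flags password hints left in comments, a hash copied between accounts, and weak or non-bcrypt hashes. The function name audit_internal_users, the min_cost threshold of 12 and the line-based parsing are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample that mirrors the sg_internal_users.yml entries shown above.
SAMPLE = """\
kibana4:
  hash: $2a$12$xZOcnwYPYQ3zIadnlQIJ0eNhX1ngwMkTN.oMwkKxoGvDVPn4/6XtO
  #password is: kirk
  roles:
    - kibana4
logstash:
  hash: $2a$12$xZOcnwYPYQ3zIadnlQIJ0eNhX1ngwMkTN.oMwkKxoGvDVPn4/6XtO
  #password is: kirk
  roles:
    - logstash
"""

BCRYPT = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")

def audit_internal_users(text, min_cost=12):
    """Return sorted (user, finding) pairs for an sg_internal_users.yml body."""
    findings, by_hash, user = set(), defaultdict(list), None
    for line in text.splitlines():
        top = re.match(r"^([^\s#][^:]*):\s*$", line)
        if top:                                   # unindented key = user name
            user = top.group(1)
            continue
        if user is None:
            continue
        stripped = line.strip()
        if stripped.startswith("#") and "password" in stripped.lower():
            findings.add((user, "plaintext password hint in comment"))
        m = re.match(r"^hash:\s*(\S+)", stripped)
        if m:
            h = m.group(1)
            by_hash[h].append(user)
            b = BCRYPT.match(h)
            if not b:
                findings.add((user, "hash is not bcrypt"))
            elif int(b.group(1)) < min_cost:
                findings.add((user, "bcrypt cost below %d" % min_cost))
    for users in by_hash.values():
        if len(users) > 1:                        # identical salt and digest: entry was copied
            findings.update((u, "hash shared with another user") for u in users)
    return sorted(findings)

if __name__ == "__main__":
    for user, finding in audit_internal_users(SAMPLE):
        print(f"{user}: {finding}")
```

Run against the sample, both accounts are reported for the shared hash and for the password left in the comment.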

(3) sg_roles.yml

The permissions configuration file; sample permissions for kibana4 and logstash are shown here.

sg_kibana4:
  cluster:
    - cluster:monitor/nodes/info
    - cluster:monitor/health
  indices:
    '*':
      '*':
        - indices:admin/mappings/fields/get
        - indices:admin/validate/query
        - indices:data/read/search
        - indices:data/read/msearch
        - indices:admin/get
        - indices:data/read/field_stats
    '?kibana':
      '*':
        - indices:admin/exists
        - indices:admin/mapping/put
        - indices:admin/mappings/fields/get
        - indices:admin/refresh
        - indices:admin/validate/query
        - indices:data/read/get
sg_logstash:
  cluster:
    - indices:admin/template/get
    - indices:admin/template/put
  indices:
    'logstash-*':
      '*':
        - WRITE
        - indices:data/write/bulk
        - indices:data/write/delete
        - indices:data/write/update
        - indices:data/read/search
        - indices:data/read/scroll
        - CREATE_INDEX

(4) sg_roles_mapping.yml

Defines the mapping of users to roles; add the mappings for the kibana and logstash users:


sg_logstash:
  users:
    - logstash
sg_kibana4:
  backendroles:
    - kibana
  users:
    - kibana4

(5) sg_action_groups.yml

Defines permissions.


3. Startup

(1) In the Elasticsearch bin directory, restart Elasticsearch.

(2) Start search-guard with the command below.

When the new user configuration succeeds, it displays

IV. Java SSL connection

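import java.net.InetAddress;
import java.net.UnknownHostException;

import org.elasticsearch.action.admin.cluster.node.info.NodesInfoRequest;
import org.elasticsearch.action.get.GetResponse;
import org.elasticsearch.client.transport.TransportClient;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.InetSocketTransportAddress;
import org.elasticsearch.transport.client.PreBuiltTransportClient;

import com.floragunn.searchguard.ssl.SearchGuardSSLPlugin;

// The class name is a placeholder; the original post shows only main().
public class SearchGuardSslClient {
    public static void main(String[] args) throws UnknownHostException {
        // Transport-layer TLS: keystore holds the client certificate, truststore the trusted CA
        Settings settings = Settings.builder()
                .put("searchguard.ssl.transport.enabled", true)
                .put("searchguard.ssl.transport.keystore_filepath", "D:\\William\\Projects\\searchGuardTest\\src\\main\\resources\\test-keystore.jks")
                .put("searchguard.ssl.transport.truststore_filepath", "D:\\William\\Projects\\searchGuardTest\\src\\main\\resources\\truststore.jks")
                .put("searchguard.ssl.transport.keystore_password", "12345678")
                .put("searchguard.ssl.transport.truststore_password", "12345678")
                // Hostname verification is off here, so the node certificate is not matched against the host name
                .put("searchguard.ssl.transport.enforce_hostname_verification", false)
                .put("client.transport.ignore_cluster_name", true)
                .build();
        TransportClient client = new PreBuiltTransportClient(settings, SearchGuardSSLPlugin.class)
                .addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName("127.0.0.1"), 9300));
        client.admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet();
        // Look up the data
        GetResponse response = client.prepareGet("agin", "log_bet_rcd_agin_live", "171212226218993").execute().actionGet();
        // Print the result
        System.out.println(response.getSourceAsString());
        // Close the client
        client.close();
    }
}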
