How does TransportClient connect after Shield is added to Elasticsearch?


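Shield is a security plugin for Elasticsearch that provides access control and audit logging. Enterprises can easily integrate it with LDAP or Active Directory and reuse their existing authentication system.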

Once Elasticsearch uses Shield, access requires credentials, which differs somewhat from the default way of calling it. Below is a brief introduction to connecting over HTTP and over TCP.

I won't go into the details of installing and configuring Shield here. I created a user whose username and password are both tribe_user, with admin privileges.

1. HTTP: accessing the ES HTTP interface directly now returns an error:

curl http://localhost:9200
{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication token for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"shield\""}}],"type":"security_exception","reason":"missing authentication token for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"shield\""}},"status":401}

Shield supports HTTP Basic authentication, so the correct way to access it is:

curl -u tribe_user:tribe_user http://localhost:9200
{
  "name" : "Melter",
  "cluster_name" : "elasticsearch",
  "version" : {
    "number" : "2.1.1",
    "build_hash" : "805c528f3167980046f224310f9147fa745e5371",
    "build_timestamp" : "2015-12-09T20:23:16Z",
    "build_snapshot" : false,
    "lucene_version" : "5.3.1"
  },
  "tagline" : "You Know, for Search"
}

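When accessing from a browser, the first request pops up an authentication dialog; after that, as long as the browser is not closed and the session is kept, access continues to work. Note that HTTP Basic is not a secure authentication method and is for development and debugging only; in production it needs to be combined with an HTTPS encrypted channel.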

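2. TransportClient: accessing a Shield-protected Elasticsearch this way is slightly more involved, because it depends on the Shield package. The steps are as follows:

2.1 If your project is managed with Maven, add the Elasticsearch Maven repository to pom.xml, as follows: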

<repositories>
  <repository>
    <id>elasticsearch-releases</id>
    <url>https://maven.elasticsearch.org/releases</url>
    <releases>
      <enabled>true</enabled>
    </releases>
    <snapshots>
      <enabled>false</enabled>
    </snapshots>
  </repository>
</repositories>

2.2 Add the dependency

<dependency>
  <groupId>org.elasticsearch.plugin</groupId>
  <artifactId>shield</artifactId>
  <version>2.1.1</version>
</dependency>

2.3 Add the user's credentials where the TransportClient is built

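import java.net.InetAddress;
import java.net.UnknownHostException;

import org.elasticsearch.client.transport.TransportClient;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.InetSocketTransportAddress;
import org.elasticsearch.shield.ShieldPlugin;
import org.elasticsearch.shield.authc.support.SecuredString;
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;

// The statements below belong inside a method; client (TransportClient) and
// logger are fields of the surrounding class.
String clusterName = "elasticsearch";
String ip = "127.0.0.1";
// shield.user is the default user:password sent with every request from this client.
Settings settings = Settings.settingsBuilder()
        .put("cluster.name", clusterName)
        .put("shield.user", "tribe_user:tribe_user")
        .build();
try {
    client = TransportClient.builder()
            .addPlugin(ShieldPlugin.class)
            .settings(settings).build()
            .addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName(ip), 9300));
    // A per-request Authorization header takes precedence over shield.user.
    String token = basicAuthHeaderValue("tribe_user", new SecuredString("tribe_user".toCharArray()));
    client.prepareSearch().putHeader("Authorization", token).get();
} catch (UnknownHostException e) {
    logger.error("es", e);
}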
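
The credential that `curl -u` sends in section 1 is base64 of `user:password` (RFC 7617), and the token built by `basicAuthHeaderValue` in 2.3 is assumed here to have the same form, which is why the post requires HTTPS in production. The Python sketch below is an added example, not code from the original post; its function names and the trimmed 401 body are constructed for illustration.

```python
import base64
import json

# Constructed sample: the Shield 401 body from section 1, trimmed to the challenge.
CHALLENGE_BODY = (r'{"error":{"type":"security_exception",'
                  r'"header":{"WWW-Authenticate":"Basic realm=\"shield\""}},"status":401}')


def challenge_scheme(body):
    """Return (scheme, realm) from the WWW-Authenticate value in a Shield 401 body."""
    header = json.loads(body)["error"]["header"]["WWW-Authenticate"]
    scheme, _, params = header.partition(" ")
    realm = params.split("=", 1)[1].strip('"') if params.startswith("realm=") else ""
    return scheme, realm


def basic_auth_header(user, password):
    """Build the Authorization value that `curl -u user:password` sends."""
    raw = "{}:{}".format(user, password).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def recover_credentials(header_value):
    """Decode a Basic header: no key is involved, so any observer can do this."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    # The user name cannot contain ':', so split on the first one only.
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("malformed Basic credential")
    return user, password


def safe_to_send(url, header_value):
    """Client-side guard: attach Basic credentials only to HTTPS URLs."""
    is_basic = header_value.lower().startswith("basic ")
    return (not is_basic) or url.lower().startswith("https://")


if __name__ == "__main__":
    header = basic_auth_header("tribe_user", "tribe_user")
    print(challenge_scheme(CHALLENGE_BODY), header)
    print(recover_credentials(header), safe_to_send("http://localhost:9200", header))
```
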