Installing X-Pack on Elasticsearch 6.0 and configuring LDAP authentication

Elasticsearch concepts are explained here: https://segmentfault.com/a/11...
Elasticsearch installation is covered here: https://segmentfault.com/a/11...

Installing the X-Pack extension

Download the X-Pack plugin package: https://artifacts.elastic.co/...html

Install X-Pack with the elasticsearch-plugin command:
[elasticsearch@elasticsearch elasticsearch-6.0.0]$ ./bin/elasticsearch-plugin install file:///home/elasticsearch/software/x-pack-6.0.0.zip --batch
-> Downloading file:///home/elasticsearch/software/x-pack-6.0.0.zip
[=================================================] 100%   
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@     WARNING: plugin requires additional permissions     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
* java.io.FilePermission \\.\pipe\* read,write
* java.lang.RuntimePermission accessClassInPackage.com.sun.activation.registries
* java.lang.RuntimePermission getClassLoader
* java.lang.RuntimePermission setContextClassLoader
* java.lang.RuntimePermission setFactory
* java.net.SocketPermission * connect,accept,resolve
* java.security.SecurityPermission createPolicy.JavaPolicy
* java.security.SecurityPermission getPolicy
* java.security.SecurityPermission putProviderProperty.BC
* java.security.SecurityPermission setPolicy
* java.util.PropertyPermission * read,write
* java.util.PropertyPermission sun.nio.ch.bugLevel write
See http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html
for descriptions of what these permissions allow and the associated risks.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@        WARNING: plugin forks a native controller        @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
This plugin launches a native controller that is not subject to the Java
security manager nor to system call filters.
Elasticsearch keystore is required by plugin [x-pack], creating...
-> Installed x-pack
[elasticsearch@elasticsearch elasticsearch-6.0.0]$
Configure the Java permissions: the warning printed during the install above is the list of permissions that must be granted.
Add the following entries to the $JAVA_HOME/jre/lib/security/java.policy file (inside its grant block):
permission java.lang.RuntimePermission "accessClassInPackage.com.sun.activation.registries";
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.lang.RuntimePermission "setFactory";
permission java.security.SecurityPermission "createPolicy.JavaPolicy";
permission java.security.SecurityPermission "getPolicy";
permission java.security.SecurityPermission "putProviderProperty.BC";
permission java.security.SecurityPermission "setPolicy";
permission java.util.PropertyPermission "*","read,write";
permission java.util.PropertyPermission "sun.nio.ch.bugLevel","write";
permission javax.net.ssl.SSLPermission "setHostnameVerifier";
[elasticsearch@elasticsearch elasticsearch-6.0.0]$ vim ~/software/jdk1.8.0_121/jre/lib/security/java.policy


Generate the SSL certificates with ES_HOME/bin/x-pack/certgen:
[elasticsearch@elasticsearch elasticsearch-6.0.0]$ ./bin/x-pack/certgen
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL in the Elastic stack. Depending on the command
line option specified, you may be prompted for the following:

* The path to the output file
    * The output file is a zip file containing the signed certificates and
      private keys for each instance. If a Certificate Authority was generated,
      the certificate and private key will also be included in the output file.
* Information about each instance
    * An instance is any piece of the Elastic Stack that requires a SSL certificate.
      Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
      may all require a certificate and private key.
    * The minimum required value for each instance is a name. This can simply be the
      hostname, which will be used as the Common Name of the certificate. A full
      distinguished name may also be used.
    * A filename value may be required for each instance. This is necessary when the
      name would result in an invalid file or directory name. The name provided here
      is used as the directory name (within the zip) and the prefix for the key and
      certificate files. The filename is required if you are prompted and the name
      is not displayed in the prompt.
    * IP addresses and DNS names are optional. Multiple values can be specified as a
      comma separated string. If no IP addresses or DNS names are provided, you may
      disable hostname verification in your SSL configuration.
* Certificate Authority private key password
    * The password may be left empty if desired.

Let's get started...

Please enter the desired output file [certificate-bundle.zip]: 
Enter instance name: elasticsearch
Enter name for directories and files [elasticsearch]: 
Enter IP Addresses for instance (comma-separated if more than one) []: 127.0.0.1,10.59.30.96,10.59.30.97
Enter DNS names for instance (comma-separated if more than one) []: elasticsearch,elasticsearch-1,elasticsearch-2
Would you like to specify another instance? Press 'y' to continue entering instance information: 
Certificates written to /home/elasticsearch/software/elasticsearch-6.0.0/certificate-bundle.zip

This file should be properly secured as it contains the private keys for all
instances and the certificate authority.

After unzipping the file, there will be a directory for each instance containing
the certificate and private key. Copy the certificate, key, and CA certificate
to the configuration directory of the Elastic product that they will be used for
and follow the SSL configuration instructions in the product guide.

For client applications, you may only need to copy the CA certificate and
configure the client to trust this certificate.
[elasticsearch@elasticsearch elasticsearch-6.0.0]$


[elasticsearch@elasticsearch elasticsearch-6.0.0]$ ls
bin  certificate-bundle.zip  config  data  lib  LICENSE.txt  logs  modules  NOTICE.txt  plugins  README.textile
[elasticsearch@elasticsearch elasticsearch-6.0.0]$ unzip certificate-bundle.zip -d config
Archive:  certificate-bundle.zip
   creating: config/ca/
  inflating: config/ca/ca.crt        
  inflating: config/ca/ca.key        
   creating: config/elasticsearch/
  inflating: config/elasticsearch/elasticsearch.crt  
  inflating: config/elasticsearch/elasticsearch.key
[elasticsearch@elasticsearch elasticsearch-6.0.0]$
Add the following settings to ES_HOME/config/elasticsearch.yml to enable SSL support (the paths are resolved relative to the config directory):
xpack.ssl.key: elasticsearch/elasticsearch.key
xpack.ssl.certificate: elasticsearch/elasticsearch.crt
xpack.ssl.certificate_authorities: ca/ca.crt
xpack.security.transport.ssl.enabled: true


Setting passwords for the built-in accounts (elastic, kibana, logstash_system)
The elastic account is the Elasticsearch superuser and holds every privilege.
The kibana account is used by the Kibana component to fetch the information it shows in the web UI.
The logstash_system account is used by the Logstash service to access Elasticsearch monitoring data.
Note: Elasticsearch must already be running before this step.
[elasticsearch@elasticsearch elasticsearch-6.0.0]$ ./bin/x-pack/setup-passwords interactive
Initiating the setup of reserved user elastic,kibana,logstash_system passwords.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y


Enter password for [elastic]: 
Reenter password for [elastic]: 
Enter password for [kibana]: 
Reenter password for [kibana]: 
Enter password for [logstash_system]: 
Reenter password for [logstash_system]: 
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [elastic]
[elasticsearch@elasticsearch elasticsearch-6.0.0]$

Verifying access with the built-in accounts

Without a username and password the request is rejected with 401:

[elasticsearch@elasticsearch elasticsearch-6.0.0]$ curl 'http://10.59.30.96:9200/_cat/indices?pretty'
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "missing authentication token for REST request [/_cat/indices?pretty]",
        "header" : {
          "WWW-Authenticate" : "Basic realm=\"security\" charset=\"UTF-8\""
        }
      }
    ],
    "type" : "security_exception",
    "reason" : "missing authentication token for REST request [/_cat/indices?pretty]",
    "header" : {
      "WWW-Authenticate" : "Basic realm=\"security\" charset=\"UTF-8\""
    }
  },
  "status" : 401
}

With credentials supplied the request is accepted; if the user lacks the required privilege the response is 403.
Accessing as the logstash_system user:

[elasticsearch@elasticsearch elasticsearch-6.0.0]$ curl 'http://10.59.30.96:9200/_cat/indices?pretty' -u logstash_system:logstash_system
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "action [indices:monitor/stats] is unauthorized for user [logstash_system]"
      }
    ],
    "type" : "security_exception",
    "reason" : "action [indices:monitor/stats] is unauthorized for user [logstash_system]"
  },
  "status" : 403
}
[elasticsearch@elasticsearch elasticsearch-6.0.0]$

Accessing as the kibana user:

[elasticsearch@elasticsearch elasticsearch-6.0.0]$ curl 'http://10.59.30.96:9200/_cat/indices?pretty' -u kibana:kibana
yellow open .monitoring-es-6-2018.01.10   nND6-i_rR5iLEYVccBGj8w 1 1    
yellow open .triggered_watches            BtygGZisSDqiL3Y2TaQGqQ 1 1    
green  open .security-6                   QVRL1mcFSAilryHGEhen7Q 1 0    
yellow open .watcher-history-6-2018.01.10 SBGiHDAnTPiXFoHU65VY_g 1 1    
yellow open .watches                      kMzN4j5cQySZQQSDVPww8w 1 1    
yellow open .monitoring-alerts-6          VygY6VN9R3S0PR_jrGy50Q 1 1    
[elasticsearch@elasticsearch elasticsearch-6.0.0]$

Adding a custom role

The role API is POST /_xpack/security/role/<rolename>
The example below creates a superuser-style admin role:
[elasticsearch@elasticsearch elasticsearch-6.0.0]$ curl -XPOST -H 'Content-type: application/json' -u elastic:elastic 'http://10.59.30.96:9200/_xpack/security/role/admin?pretty' -d '{
>   "run_as": [ "elastic" ],
>   "cluster": [ "all" ],
>   "indices": [
>     {
>       "names": [ "*" ],
>       "privileges": [ "all" ]
>     }
>   ]
> }'
{
  "role" : {
    "created" : true
  }
}
[elasticsearch@elasticsearch elasticsearch-6.0.0]$ curl -XGET -H 'Content-type: application/json' -u elastic:elastic 'http://10.59.30.96:9200/_xpack/security/role/admin?pretty'
{
  "admin" : {
    "cluster" : [
      "all"
    ],
    "indices" : [
      {
        "names" : [
          "*"
        ],
        "privileges" : [
          "all"
        ]
      }
    ],
    "run_as" : [
      "elastic"
    ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}
[elasticsearch@elasticsearch elasticsearch-6.0.0]$

Adding a custom user

The user API is POST /_xpack/security/user/<username>
The following creates the rocshen account and assigns it the admin role:
[elasticsearch@elasticsearch elasticsearch-6.0.0]$ curl -XPOST -H 'Content-type: application/json' -u elastic:elastic 'http://10.59.30.96:9200/_xpack/security/user/rocshen?pretty' -d '{
>   "password" : "123456",
>   "full_name" : "Roc Shen",
>   "roles" : ["admin"],
>   "email" : "rocshen@rocshen.com"
> }'
{
  "user" : {
    "created" : true
  }
}
[elasticsearch@elasticsearch elasticsearch-6.0.0]$ curl -XGET -H 'Content-type: application/json' -u elastic:elastic 'http://10.59.30.96:9200/_xpack/security/user/rocshen?pretty'
{
  "rocshen" : {
    "username" : "rocshen",
    "roles" : [
      "admin"
    ],
    "full_name" : "Roc Shen",
    "email" : "rocshen@rocshen.com",
    "metadata" : { },
    "enabled" : true
  }
}
[elasticsearch@elasticsearch elasticsearch-6.0.0]$ curl -XGET -H 'Content-type: application/json' -u rocshen:123456 'http://10.59.30.96:9200/_cat/indices?pretty'
yellow open .monitoring-es-6-2018.01.10   nND6-i_rR5iLEYVccBGj8w 1 1 4883 88   2.5mb   2.5mb
yellow open .triggered_watches            BtygGZisSDqiL3Y2TaQGqQ 1 1    0  0  24.2kb  24.2kb
green  open .security-6                   QVRL1mcFSAilryHGEhen7Q 1 0                        
yellow open .watcher-history-6-2018.01.10 SBGiHDAnTPiXFoHU65VY_g 1 1  630  0 703.3kb 703.3kb
yellow open .watches                      kMzN4j5cQySZQQSDVPww8w 1 1    5  0  33.3kb  33.3kb
yellow open .monitoring-alerts-6          VygY6VN9R3S0PR_jrGy50Q 1 1    1  0   6.5kb   6.5kb
[elasticsearch@elasticsearch elasticsearch-6.0.0]$

Changing an account password

Changing a password requires superuser privileges, i.e. the elastic account; the API is POST _xpack/security/user/<username>/_password
The curl options used are:
-XPOST sends the request with the POST method
-H sets an HTTP request header
-u supplies the credentials for authentication, username and password separated by a colon
-d supplies the request body
[elasticsearch@elasticsearch elasticsearch-6.0.0]$ curl -XPOST -H 'Content-type: application/json' -u elastic:elastic 'http://10.59.30.96:9200/_xpack/security/user/kibana/_password?pretty' -d '{"password": "123456"}'
{ }
After the change, the old password is rejected with 401 and the updated password works normally:
[elasticsearch@elasticsearch elasticsearch-6.0.0]$ curl 'http://10.59.30.96:9200/_cat/indices?pretty' -u kibana:kibana
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "failed to authenticate user [kibana]",
        "header" : {
          "WWW-Authenticate" : "Basic realm=\"security\" charset=\"UTF-8\""
        }
      }
    ],
    "type" : "security_exception",
    "reason" : "failed to authenticate user [kibana]",
    "header" : {
      "WWW-Authenticate" : "Basic realm=\"security\" charset=\"UTF-8\""
    }
  },
  "status" : 401
}
[elasticsearch@elasticsearch elasticsearch-6.0.0]$ curl 'http://10.59.30.96:9200/_cat/indices?pretty' -u kibana:123456
yellow open .monitoring-es-6-2018.01.10   nND6-i_rR5iLEYVccBGj8w 1 1    
yellow open .triggered_watches            BtygGZisSDqiL3Y2TaQGqQ 1 1    
green  open .security-6                   QVRL1mcFSAilryHGEhen7Q 1 0    
yellow open .watcher-history-6-2018.01.10 SBGiHDAnTPiXFoHU65VY_g 1 1    
yellow open .watches                      kMzN4j5cQySZQQSDVPww8w 1 1    
yellow open .monitoring-alerts-6          VygY6VN9R3S0PR_jrGy50Q 1 1    
[elasticsearch@elasticsearch elasticsearch-6.0.0]$

Configuring LDAP account authentication

LDAP server installation is covered here: https://segmentfault.com/a/11...
Add the LDAP realm settings below. bind_dn is the LDAP manager DN and bind_password is that DN's password;
user_search.base_dn is the subtree into which the Linux system accounts were imported in LDAP;
user_search.attribute is the LDAP attribute that identifies an account;
group_search.base_dn is the subtree into which the Linux system groups were imported in LDAP.
[elasticsearch@elasticsearch elasticsearch-6.0.0]$ vim config/elasticsearch.yml 

......

network.host: 10.59.30.96
bootstrap.system_call_filter: false

xpack.ssl.key: elasticsearch/elasticsearch.key
xpack.ssl.certificate: elasticsearch/elasticsearch.crt
xpack.ssl.certificate_authorities: ca/ca.crt
xpack.security.transport.ssl.enabled: true

xpack:
  security:
    authc:
      realms:
        ldap1:
          type: ldap
          order: 0
          url: "ldap://10.59.30.95"
          bind_dn: "cn=Manager, dc=rocshen, dc=com"
          bind_password: 123456
          user_search:
            base_dn: "ou=People,dc=rocshen,dc=com"
            attribute: uid
          group_search:
            base_dn: "ou=Group,dc=rocshen,dc=com"
          unmapped_groups_as_roles: false


Configuring AD domain account authentication

Add the following realm configuration to elasticsearch.yml. Here it is appended to the LDAP configuration above; if only AD authentication is needed, simply remove the LDAP realm settings.
domain_name is the AD domain name
url is the address of the AD domain
bind_dn is any domain account (in user@domain format)
bind_password is that account's password
xpack:
  security:
    authc:
      realms:
        ldap1:
          type: ldap
          order: 0
          url: "ldap://10.59.30.94"
          bind_dn: "cn=Manager, dc=rocshen, dc=com"
          bind_password: 123456
          user_search:
            base_dn: "ou=People,dc=rocshen,dc=com"
            attribute: uid
          group_search:
            base_dn: "ou=Group,dc=rocshen,dc=com"
          unmapped_groups_as_roles: false
        active_directory:
          type: active_directory
          order: 1
          domain_name: rocshen.com
          url: ldap://ad.rocshen.com
          bind_dn: rocshen@rocshen.com
          bind_password: AD.123456


Restart Elasticsearch and log in with the LDAP account user01:
[elasticsearch@elasticsearch elasticsearch-6.0.0]$ killall java
[elasticsearch@elasticsearch elasticsearch-6.0.0]$ ./bin/elasticsearch -d
[elasticsearch@elasticsearch elasticsearch-6.0.0]$ curl -XGET -u user01:user01 'http://10.59.30.96:9200/_cat?pretty'
=^.^=
/_cat/allocation
/_cat/shards
/_cat/shards/{index}
/_cat/master
/_cat/nodes
/_cat/tasks
/_cat/indices
/_cat/indices/{index}
/_cat/segments
/_cat/segments/{index}
/_cat/count
/_cat/count/{index}
/_cat/recovery
/_cat/recovery/{index}
/_cat/health
/_cat/pending_tasks
/_cat/aliases
/_cat/aliases/{alias}
/_cat/thread_pool
/_cat/thread_pool/{thread_pools}
/_cat/plugins
/_cat/fielddata
/_cat/fielddata/{fields}
/_cat/nodeattrs
/_cat/repositories
/_cat/snapshots/{repository}
/_cat/templates
[elasticsearch@elasticsearch elasticsearch-6.0.0]$
Log in with the AD domain account rocshen:
[elasticsearch@elasticsearch elasticsearch-6.0.0]$ curl http://10.59.30.96:9200/_cat?pretty -u rocshen:AD.123456
=^.^=
/_cat/allocation
/_cat/shards
/_cat/shards/{index}
/_cat/master
/_cat/nodes
/_cat/tasks
/_cat/indices
/_cat/indices/{index}
/_cat/segments
/_cat/segments/{index}
/_cat/count
/_cat/count/{index}
/_cat/recovery
/_cat/recovery/{index}
/_cat/health
/_cat/pending_tasks
/_cat/aliases
/_cat/aliases/{alias}
/_cat/thread_pool
/_cat/thread_pool/{thread_pools}
/_cat/plugins
/_cat/fielddata
/_cat/fielddata/{fields}
/_cat/nodeattrs
/_cat/repositories
/_cat/snapshots/{repository}
/_cat/templates
[elasticsearch@elasticsearch elasticsearch-6.0.0]$

Mapping domain accounts to roles

The API is POST /_xpack/security/role_mapping/<name>
The following maps accounts matching user1* to the admin role:
[elasticsearch@elasticsearch elasticsearch-6.0.0]$ curl -XPOST -H 'Content-type: application/json' -u elastic:elastic 'http://10.59.30.96:9200/_xpack/security/role_mapping/ldap_user_admin?pretty' -d '{
>   "roles": [ "admin" ],
>   "enabled": true,
>   "rules": {
>     "any": [
>       {
>         "field": {
>           "username": "/user1*/"
>         }
>       }
>     ]
>   }
> }'
{
  "role_mapping" : {
    "created" : true
  }
}
[elasticsearch@elasticsearch elasticsearch-6.0.0]$ curl -XGET -H 'Content-type: application/json' -u elastic:elastic 'http://10.59.30.96:9200/_xpack/security/role_mapping/ldap_user_admin?pretty'
{
  "ldap_user_admin" : {
    "enabled" : true,
    "roles" : [
      "admin"
    ],
    "rules" : {
      "any" : [
        {
          "field" : {
            "username" : "/user1*/"
          }
        }
      ]
    },
    "metadata" : { }
  }
}
[elasticsearch@elasticsearch elasticsearch-6.0.0]$
Verify the domain account privileges: user01 is denied access to the indices API, while user11 is allowed:
[elasticsearch@elasticsearch elasticsearch-6.0.0]$ curl -XGET -u user01:user01 'http://10.59.30.96:9200/_cat/indices?pretty'
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "action [cluster:monitor/state] is unauthorized for user [user01]"
      }
    ],
    "type" : "security_exception",
    "reason" : "action [cluster:monitor/state] is unauthorized for user [user01]"
  },
  "status" : 403
}
[elasticsearch@elasticsearch elasticsearch-6.0.0]$ curl -XGET -u user11:user11 'http://10.59.30.96:9200/_cat/indices?pretty'
yellow open .monitoring-es-6-2018.01.10   nND6-i_rR5iLEYVccBGj8w 1 1 6178 44  5.9mb  5.9mb
yellow open .triggered_watches            BtygGZisSDqiL3Y2TaQGqQ 1 1    0  0 11.7kb 11.7kb
green  open .security-6                   QVRL1mcFSAilryHGEhen7Q 1 0                      
yellow open .watcher-history-6-2018.01.10 SBGiHDAnTPiXFoHU65VY_g 1 1  777  0  1.1mb  1.1mb
yellow open .watches                      kMzN4j5cQySZQQSDVPww8w 1 1    5  0 40.2kb 40.2kb
yellow open .monitoring-alerts-6          VygY6VN9R3S0PR_jrGy50Q 1 1    1  0 12.8kb 12.8kb
[elasticsearch@elasticsearch elasticsearch-6.0.0]$
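The pattern in that mapping, /user1*/, is a Lucene regex and is matched against the whole username, so it accepts user11 (and user1, user111) but not user01, which is why user01 gets a 403 above. The evaluator below is an added example, not code from the original post or from X-Pack: it re-implements the role-mapping rule DSL (any, all, except, and field with exact, wildcard and /regex/ values) in Python and runs it over two constructed user objects in the shape the realm hands to the mapping. It assumes Python's re agrees with Lucene regex syntax for patterns this simple, and goes a step beyond the page's single username rule by also handling groups and realm.name.

```python
import re

# Constructed user objects in the shape X-Pack hands to role-mapping rules
# (username, dn, groups, realm name); the DNs echo the page's LDAP base DNs.
USER01 = {"username": "user01", "dn": "uid=user01,ou=People,dc=rocshen,dc=com",
          "groups": ["cn=users,ou=Group,dc=rocshen,dc=com"], "realm": {"name": "ldap1"}}
USER11 = {"username": "user11", "dn": "uid=user11,ou=People,dc=rocshen,dc=com",
          "groups": ["cn=admins,ou=Group,dc=rocshen,dc=com"], "realm": {"name": "ldap1"}}
# The mapping created on the page: the admin role for usernames matching /user1*/.
LDAP_USER_ADMIN = {"roles": ["admin"], "enabled": True,
                   "rules": {"any": [{"field": {"username": "/user1*/"}}]}}

def _lookup(user, path):
    """Resolve a dotted field name such as realm.name against the user object."""
    cur = user
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def _value_matches(pattern, actual):
    """/regex/ must match the whole string (Lucene regexes are anchored; Python's re is
    assumed to agree here); a value with '*' is a wildcard; otherwise exact, case-sensitive."""
    actual = str(actual)
    if len(pattern) >= 2 and pattern.startswith("/") and pattern.endswith("/"):
        return re.fullmatch(pattern[1:-1], actual) is not None
    if "*" in pattern:
        return re.fullmatch(".*".join(map(re.escape, pattern.split("*"))), actual) is not None
    return pattern == actual

def _field_matches(user, field, expected):
    """Multi-valued fields (groups) and list-valued patterns match if any pair matches."""
    actual = _lookup(user, field)
    actuals = [a for a in (actual if isinstance(actual, list) else [actual]) if a is not None]
    expecteds = expected if isinstance(expected, list) else [expected]
    return any(_value_matches(str(p), a) for p in expecteds for a in actuals)

def evaluate_rule(rule, user):
    """Recursively evaluate a rule: any (OR), all (AND), except (NOT) or field."""
    if "any" in rule:
        return any(evaluate_rule(r, user) for r in rule["any"])
    if "all" in rule:
        return all(evaluate_rule(r, user) for r in rule["all"])
    if "except" in rule:
        return not evaluate_rule(rule["except"], user)
    if "field" in rule:
        (field, expected), = rule["field"].items()
        return _field_matches(user, field, expected)
    raise ValueError(f"unsupported rule: {rule}")

def mapped_roles(mappings, user):
    """Union of the roles of every enabled mapping whose rules accept the user."""
    roles = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and evaluate_rule(mapping["rules"], user):
            roles.update(mapping["roles"])
    return sorted(roles)
```

Running mapped_roles({"ldap_user_admin": LDAP_USER_ADMIN}, user) for the two users yields [] for user01 and ["admin"] for user11, matching the 403 and the index listing shown above.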

Common errors

No subject alternative names matching IP address
[2018-01-10T19:19:35,483][WARN ][o.e.x.s.t.n.SecurityNetty4Transport] [fzP4t-4] exception caught on transport layer [[id: 0x5d97fe48, L:/0:0:0:0:0:0:0:1:49121 ! R:/0:0:0:0:0:0:0:1:9300]], closing connection
    io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
......
Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 0:0:0:0:0:0:0:1 found

There are two fixes: disable the IPv6 address, or set network.host in ES_HOME/config/elasticsearch.yml to the IP of the host's eth0 interface.

Reference documentation

Official installation steps: https://www.elastic.co/guide/...
Setting built-in account passwords:
https://www.elastic.co/guide/...
Changing account passwords:
https://www.elastic.co/guide/...
User management operations:
https://www.elastic.co/guide/...
Authenticating with LDAP: https://www.elastic.co/guide/...
Mapping users to roles: https://www.elastic.co/guide/...