X-pack結合LDAP進行權限認證

一、生成ssl 證書

經過ES_HOME/bin/x-pack/certgen生成ssl證書
IP:

10.17.90.20,10.17.90.21,10.17.90.22,10.17.90.24,10.17.90.25,10.17.90.26,10.17.90.27,10.17.90.28

hostname:

d1705027.grid.com,d1705028.grid.com,d1705029.grid.com,d1806001.grid.com,d1806002.grid.com,d1806003.grid.com,d1809002.grid.com,d1809003.grid.com

修改salt配置加載ssl配置（完成）
修改配置elasticsearch.yml文件，開啓ssl transport

xpack.ssl.key: /data1/elasticsearch9201/config/elasticsearch/elasticsearch.key
xpack.ssl.certificate: /data1/elasticsearch9201/config/elasticsearch/elasticsearch.crt
xpack.ssl.certificate_authorities: /data1/elasticsearch9201/config/ca/ca.crt
xpack.security.transport.ssl.enabled: true

二、修改es集羣內置帳戶的密碼

./bin/x-pack/setup-passwords interactive
自定義內置帳戶(elastic、kibana、logstash_system)密碼
帳戶elastic爲elasticsearch超級管理員，擁有全部權限
帳戶kibana用於kibana組件獲取相關信息用於web展現
帳戶logstash_system用於logstash服務獲取elasticsearch的監控數據
注意：此步驟需先啓動elasticsearch服務，並開啓x-pack security
./bin/x-pack/setup-passwords interactive
elastic:
kibana:
logstash_system:

三、es開啓ldap驗證

修改elasticsearch.yml配置開啓
注意：
es集羣修改elasticsearch.yml配置添加
http.cors.allow-headers: Authorization,X-Requested-With,Content-Length,Content-Type

四、kibana修改啓動腳本

未修改

五、kibana修改配置文件

須要安裝 x-pack插件 plugin
修改連接es集羣的帳戶和密碼

六、logstash修改配置文件

output elasticsearh
添加
user => elastic
password => password

七、重啓集羣

curl -XPUT -H  'Content-Type: application/json' "http://127.0.0.1:9200/_cluster/settings" -d '{ 
"transient" : { 
"cluster.routing.allocation.enable":"none"
} 
}'
curl -XPUT -u elastic: -H  'Content-Type: application/json' "http://127.0.0.1:9200/_cluster/settings" -d '{ 
"transient" : { 
"cluster.routing.allocation.enable":"all"
} 
}'

八、elasticsearch-head 認證登陸

?auth_user=elastic&auth_password=

九、角色添加

index_name=cron_term_log
role_name=${index_name}_all
echo "{\"cluster\":[],\"indices\":[{\"names\":[\"${index_name}*\"],\"privileges\":[\"all\"]}],\"run_as\":[],\"transient_metadata\":{\"enabled\":true}}" >${index_name}

    curl -XPOST -H "Content-Type: application/json"  -u elastic:  "http://localhost:9201/_xpack/security/role/$role_name" -d@${index_name}

十、用戶綁定角色

十一、配置信息以下

cat elasticsearch.yml

cluster.name: elk_cluster
node.master: true
node.data: true
node.attr.box_type: hot
node.name: 10.20.90.36
path.data: /data1/data/elasticsearch
path.logs: /data1/logs/elasticsearch
network.host: 0.0.0.0
http.port: 9200
transport.tcp.compress: true
http.max_content_length: 200mb
discovery.zen.ping.unicast.hosts: ['10.22.90.36', '10.20.90.37']
discovery.zen.minimum_master_nodes: 2
discovery.zen.ping_timeout: 120s
index.store.type: mmapfs
bootstrap.system_call_filter: false
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,X-Requested-With,Content-Length,Content-Type

# thread_pool config
thread_pool.index.queue_size: 3000
thread_pool.search.min_queue_size: 400
thread_pool.search.max_queue_size: 3000
thread_pool.get.queue_size: 3000
thread_pool.bulk.queue_size: 3000
xpack.ssl.key: /data1/elasticsearch/config/elk_crt/elk.key
xpack.ssl.certificate: /data1/elasticsearch/config/elk_crt/elk.crt
xpack.ssl.certificate_authorities: /data1/elasticsearch/config/elk_crt/ca/ca.crt
xpack.security.transport.ssl.enabled: true
xpack.security.enabled: true
xpack.monitoring.enabled: true
xpack.graph.enabled: true
xpack.watcher.enabled: true
xpack.monitoring.exporters:
  id1:
    type: http
    host: ["http://10.20.90.36:9200"]
    auth.username: elastic
    auth.password: RHjv
action.auto_create_index: true
xpack:
  security:
    authc:
      realms:
        ldap1:
          type: ldap
          order: 0
          url: "ldap://111.151.118.122:389"
          bind_dn: 
          bind_password: admin
          user_search:
            base_dn: ""
            attribute: data
          group_search:
            base_dn: ""
          files:
            role_mapping: "/data1/elasticsearch/config/x-pack/role_mapping.yml"
          unmapped_groups_as_roles: true