Elasticsearch 5.x: adding authentication with the Search Guard plugin

[root@ecs3 elasticsearch-5.3.2]# pwd
/data/search/elasticsearch-5.3.2
[root@ecs3 elasticsearch-5.3.2]#

Look up the Search Guard (sg) version that matches your Elasticsearch version at https://github.com/floragunncom/search-guard/wiki.

My Elasticsearch version is 5.3.2, so the Search Guard version I chose is 5.3.2-12.

[root@ecs3 elasticsearch-5.3.2]# bin/elasticsearch-plugin install -b com.floragunn:search-guard-5:5.3.2-12
-> Downloading com.floragunn:search-guard-5:5.3.2-12 from maven central
[=================================================] 100%
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: plugin requires additional permissions @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
* java.io.FilePermission /proc/sys/net/core/somaxconn read
* java.lang.RuntimePermission accessClassInPackage.sun.misc
* java.lang.RuntimePermission accessClassInPackage.sun.nio.ch
* java.lang.RuntimePermission accessClassInPackage.sun.security.x509
* java.lang.RuntimePermission accessDeclaredMembers
* java.lang.RuntimePermission getClassLoader
* java.lang.RuntimePermission loadLibrary.*
* java.lang.RuntimePermission setContextClassLoader
* java.lang.RuntimePermission shutdownHooks
* java.lang.reflect.ReflectPermission suppressAccessChecks
* java.security.SecurityPermission getProperty.ssl.KeyManagerFactory.algorithm
* java.util.PropertyPermission java.security.debug write
* java.util.PropertyPermission java.security.krb5.conf write
* java.util.PropertyPermission javax.security.auth.useSubjectCredsOnly write
* java.util.PropertyPermission sun.nio.ch.bugLevel write
* java.util.PropertyPermission sun.security.krb5.debug write
* java.util.PropertyPermission sun.security.spnego.debug write
* javax.security.auth.AuthPermission doAs
* javax.security.auth.AuthPermission modifyPrivateCredentials
* javax.security.auth.kerberos.ServicePermission * accept
See http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html
for descriptions of what these permissions allow and the associated risks.
-> Installed search-guard-5
[root@ecs3 elasticsearch-5.3.2]#

Next, download search-guard-ssl, checking the matching version information first.

[root@ecs3 site_plugins]# git clone https://github.com/floragunncom/search-guard-ssl.git
Cloning into 'search-guard-ssl'...
remote: Counting objects: 6117, done.
remote: Compressing objects: 100% (102/102), done.
remote: Total 6117 (delta 32), reused 0 (delta 0), pack-reused 6003
Receiving objects: 100% (6117/6117), 1.31 MiB | 204.00 KiB/s, done.
Resolving deltas: 100% (2928/2928), done.
[root@ecs3 search-guard-ssl]# cd example-pki-scripts/
[root@ecs3 example-pki-scripts]# ll
total 28
-rwxr-xr-x 1 root root 141 May 12 15:55 clean.sh
drwxr-xr-x 2 root root 4096 May 12 15:55 etc
-rwxr-xr-x 1 root root 411 May 12 15:55 example.sh
-rwxr-xr-x 1 root root 2286 May 12 15:55 gen_client_node_cert.sh
-rwxr-xr-x 1 root root 1764 May 12 15:55 gen_node_cert_openssl.sh
-rwxr-xr-x 1 root root 2746 May 12 15:55 gen_node_cert.sh
-rwxr-xr-x 1 root root 1993 May 12 15:55 gen_root_ca.sh

Some notes on example.sh

./gen_root_ca.sh capass changeit

The first argument, capass, is CA_PASS, the CA (root certificate) password; the second argument, changeit, is TS_PASS, the truststore password.

./gen_node_cert.sh 1 changeit capass && ./gen_node_cert.sh 2 changeit capass && ./gen_node_cert.sh 3 changeit capass

This command generates node certificates for three nodes. Taking the first invocation: the first argument, 1, is the node number, and the generated files are named node-1*; the second argument, changeit, is KS_PASS (the keystore password); the third argument, capass, is CA_PASS and must match the CA password set earlier.

./gen_client_node_cert.sh kirk changeit capass

The first argument, kirk, is the client node name, and the generated files are named kirk*; the second argument, changeit, is KS_PASS; the third argument, capass, is CA_PASS and must match the CA password set earlier.

[root@ecs3 example-pki-scripts]# cat example.sh
#!/bin/bash
set -e
./clean.sh
./gen_root_ca.sh capass changeit
./gen_node_cert.sh 0 changeit capass && ./gen_node_cert.sh 1 changeit capass && ./gen_node_cert.sh 2 changeit capass
./gen_client_node_cert.sh kirk changeit capass
rm -f ./*tmp*
[root@ecs3 example-pki-scripts]#

Edit example.sh to set the number of nodes; the passwords for the root key, the node keys and the client keys can be changed here as well.

#!/bin/bash
set -e
./clean.sh
./gen_root_ca.sh capass changeit
./gen_node_cert.sh 1 changeit capass
#./gen_node_cert_openssl.sh "/node-4.example.com/OU=SSL/O=Test/L=Test/C=DE" "node-4.example.com" "node-4" changeit capass
./gen_client_node_cert.sh spock changeit capass
./gen_client_node_cert.sh kirk changeit capass
rm -f ./*tmp*

Run example.sh to generate the key files

[root@ecs3 example-pki-scripts]# ./example.sh
[root@ecs3 example-pki-scripts]# ll
total 176
drwxr-xr-x 4 root root 4096 May 12 16:02 ca
drwxr-xr-x 2 root root 4096 May 12 16:02 certs
-rwxr-xr-x 1 root root 141 May 12 15:55 clean.sh
drwxr-xr-x 2 root root 4096 May 12 16:02 crl
drwxr-xr-x 2 root root 4096 May 12 15:55 etc
-rwxr-xr-x 1 root root 332 May 12 16:00 example.sh
-rwxr-xr-x 1 root root 2286 May 12 15:55 gen_client_node_cert.sh
-rwxr-xr-x 1 root root 1764 May 12 15:55 gen_node_cert_openssl.sh
-rwxr-xr-x 1 root root 2746 May 12 15:55 gen_node_cert.sh
-rwxr-xr-x 1 root root 1993 May 12 15:55 gen_root_ca.sh
-rw-r--r-- 1 root root 7074 May 12 16:03 kirk.all.pem
-rw-r--r-- 1 root root 4559 May 12 16:03 kirk.crtfull.pem
-rw-r--r-- 1 root root 1659 May 12 16:03 kirk.crt.pem
-rw-r--r-- 1 root root 1055 May 12 16:03 kirk.csr
-rw-r--r-- 1 root root 1845 May 12 16:03 kirk.key.pem
-rw-r--r-- 1 root root 4423 May 12 16:03 kirk-keystore.jks
-rw-r--r-- 1 root root 5248 May 12 16:03 kirk-keystore.p12
-rw-r--r-- 1 root root 1395 May 12 16:03 kirk-signed.pem
-rw-r--r-- 1 root root 5329 May 12 16:03 node-1.crt.pem
-rw-r--r-- 1 root root 1143 May 12 16:03 node-1.csr
-rw-r--r-- 1 root root 1847 May 12 16:03 node-1.key.pem
-rw-r--r-- 1 root root 4492 May 12 16:03 node-1-keystore.jks
-rw-r--r-- 1 root root 5324 May 12 16:03 node-1-keystore.p12
-rw-r--r-- 1 root root 1484 May 12 16:03 node-1-signed.pem
-rw-r--r-- 1 root root 1096 May 12 16:02 truststore.jks

Copy the node keystore node-1-keystore.jks and truststore.jks into the config directory of the Elasticsearch installation

[root@ecs3 example-pki-scripts]# cp node-1-keystore.jks truststore.jks /data/search/elasticsearch-5.3.2/config/

Configure Elasticsearch to use the SSL keys by adding the following settings to elasticsearch.yml

vim /data/search/elasticsearch-5.3.2/config/elasticsearch.yml
searchguard.ssl.transport.keystore_filepath: node-1-keystore.jks
searchguard.ssl.transport.keystore_password: changeit
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: changeit
searchguard.ssl.transport.enforce_hostname_verification: false

Copy the client keystore into sgconfig; it is used to write the Search Guard configuration into the running Elasticsearch

[root@ecs3 example-pki-scripts]# cp kirk-keystore.jks /data/search/elasticsearch-5.3.2/plugins/search-guard-5/sgconfig/

Run tools/sgadmin.sh; note that the argument after -ks is the kirk keystore just generated

tools/sgadmin.sh -ts /data/search/elasticsearch-5.3.2/config/truststore.jks -tspass changeit -ks sgconfig/kirk-keystore.jks -kspass changeit -cd sgconfig/ -icl -nhnv -cn jo-es-app

The user configuration lives in the directory below; by default each user's password is the same as its username

[root@ecs3 sgconfig]# pwd
/data/search/elasticsearch-5.3.2/plugins/search-guard-5/sgconfig
[root@ecs3 sgconfig]# vim sg_internal_users.yml

Use the hash tool to generate a password hash that replaces the admin user's password (新密码 stands for the new password):
sh ../tools/hash.sh -p 新密码

$2a$12$.Ghprt5q.pbQspOqi6vaQ.Oc91ilACVC9KM1YWoUInGh8F8BsE1wK

Put the newly generated hash into sg_internal_users.yml in place of the old one; after changing it, run tools/sgadmin.sh again to import the configuration into Elasticsearch
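As an added example (not part of the original post or of Search Guard itself), a small Python helper that checks the entries of sg_internal_users.yml before they are pushed with sgadmin.sh and swaps in a hash produced by tools/hash.sh. The two-level file layout, the logstash and kibana entries and their values are constructed assumptions; the admin hash is the one generated above.

```python
import re

# Constructed sample in the shape of sg_internal_users.yml (assumed layout: each user is a
# top-level key with an indented "hash:" line); the logstash hash is a dummy placeholder.
USERS_YML = f"""\
admin:
  hash: $2a$12$.Ghprt5q.pbQspOqi6vaQ.Oc91ilACVC9KM1YWoUInGh8F8BsE1wK
  roles:
    - admin
logstash:
  hash: $2a$12${'A' * 53}
kibana:
  password: kibana
"""
# bcrypt: $2a$<cost>$ + 22-char salt + 31-char digest over bcrypt's 64-char alphabet
BCRYPT = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")

def parse_users(text):
    """Return {user: {'hash': ..., 'password': ...}} from the two-level layout above."""
    users, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.endswith(":"):
            current = line[:-1]
            users[current] = {}
        elif current and (m := re.match(r"\s+(hash|password):\s*(\S+)", line)):
            users[current][m.group(1)] = m.group(2)
    return users

def audit_users(users, min_cost=12):
    """Flag entries that would still be weak once the file is pushed with sgadmin.sh."""
    findings = []
    for name, u in users.items():
        if "password" in u:
            findings.append(f"{name}: plaintext password key; use a hash from tools/hash.sh")
        if (h := u.get("hash")) is None:
            findings.append(f"{name}: no hash")
        elif not (m := BCRYPT.match(h)):
            findings.append(f"{name}: hash is not a well-formed bcrypt string")
        elif int(m.group(1)) < min_cost:
            findings.append(f"{name}: bcrypt cost {m.group(1)} is below {min_cost}")
    return findings

def set_hash(text, user, new_hash):
    """Replace the hash: line under `user`, as done by hand after running tools/hash.sh."""
    pat = re.compile(rf"(^{re.escape(user)}:\n(?:[ \t]+.*\n)*?[ \t]+hash:[ \t]*)\S+", re.M)
    new_text, n = pat.subn(lambda m: m.group(1) + new_hash, text)
    if n != 1:
        raise KeyError(f"user {user!r} has no hash line")
    return new_text
```

Run audit_users on the real file before every sgadmin.sh import; a user left with the default (username equals password) hash is not detected by shape alone, so rotate every account you keep.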

For sgadmin to be allowed to import its configuration data into Elasticsearch, add the admin DN to elasticsearch.yml; take care not to mistype CN=kirk, whose value is the kirk client certificate just generated

[root@ecs3 sgconfig]# vim /data/search/elasticsearch-5.3.2/config/elasticsearch.yml
searchguard.authcz.admin_dn:
- "CN=kirk, OU=client, O=client, L=Test, C=DE"
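As an added example (not from the original post or the Search Guard project), a Python check that reads the transport SSL and admin_dn settings above and confirms that an admin_dn entry matches the subject of the kirk certificate, which is the string printed by `openssl x509 -in kirk.crt.pem -noout -subject -nameopt RFC2253`. The DN matching rules used here (attribute-type case and padding ignored, RDN order kept, no escaped commas) are an assumption that approximates Search Guard's comparison; the parser only understands the flat subset shown.

```python
# Constructed copy of the elasticsearch.yml keys set in this write-up (assumption: the
# real file may hold more keys, but only this flat "key: value" / list subset is parsed).
ES_YML = """\
searchguard.ssl.transport.keystore_filepath: node-1-keystore.jks
searchguard.ssl.transport.keystore_password: changeit
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: changeit
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.authcz.admin_dn:
- "CN=kirk, OU=client, O=client, L=Test, C=DE"
"""

def parse_flat_yaml(text):
    """Read 'key: value' lines and 'key:' followed by '- item' lists; nothing else."""
    cfg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- ") and current is not None:
            cfg[current].append(line[2:].strip().strip("\"'"))
            continue
        key, _, value = (part.strip() for part in line.partition(":"))
        value = value.strip("\"'")
        cfg[key], current = ([], key) if value == "" else (value, None)
    return cfg

def normalize_dn(dn):
    """Split a DN into (TYPE, value) pairs: attribute-type case and padding are ignored,
    RDN order is kept (assumed significant for admin_dn; escaped commas are not handled)."""
    return [(t.strip().upper(), v.strip())
            for t, _, v in (rdn.partition("=") for rdn in dn.split(","))]

def audit(cfg, sgadmin_cert_subject):
    """Return a list of findings; an empty list means the fragment looks consistent."""
    findings = []
    for key in ("keystore_filepath", "truststore_filepath"):
        if not cfg.get(f"searchguard.ssl.transport.{key}"):
            findings.append(f"missing searchguard.ssl.transport.{key}")
    if cfg.get("searchguard.ssl.transport.enforce_hostname_verification") == "false":
        findings.append("enforce_hostname_verification is false: any certificate issued "
                        "by this CA is accepted as a cluster node, so protect the CA key")
    admins = cfg.get("searchguard.authcz.admin_dn", [])
    if not any(normalize_dn(d) == normalize_dn(sgadmin_cert_subject) for d in admins):
        findings.append("no admin_dn entry matches the sgadmin certificate subject "
                        f"{sgadmin_cert_subject!r}; sgadmin.sh cannot write the config")
    return findings
```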

Change the Logstash output so that its connection uses the Search Guard username and password; see the wiki for the relevant parameters

https://github.com/floragunncom/search-guard-docs/blob/master/logstash.md

[root@ecs3 config]# pwd
/data/search/logstash-5.3.2/config
[root@ecs3 config]# vim import.index1.conf
output {
  elasticsearch {
    hosts => ["127.0.0.1:9200"]
    user => logstash
    password => logstash
    ssl_certificate_verification => true
    truststore => "/data/search/elasticsearch-5.3.2/config/truststore.jks"
    truststore_password => changeit
    index => "index1"
    document_type => "%{type}"
    document_id => "%{id}"
  }
  stdout {
    codec => json_lines
  }
}

To connect elasticsearch-head to an Elasticsearch server that requires authentication, use a URL of the following form

http://admin:admin@110.10.10.10:9200

Do not forget to enable the following in elasticsearch.yml

http.cors.allow-headers: "Authorization"