环境介绍
Jdk 1.7.0_79
Elasticsearch 2.4.1
SearchGuard 2
下载Elasticsearch
wget https://download.elastic.co/elasticsearch/release/org/elasticsearch/distribution/tar/elasticsearch/2.4.1/elasticsearch-2.4.1.tar.gz
or
curl -L -O wget https://download.elastic.co/elasticsearch/release/org/elasticsearch/distribution/tar/elasticsearch/2.4.1/elasticsearch-2.4.1.tar.gzps:通过tar包的方式安装,在某些情况下使用yum安装可能会有一些问题,比如通过yum安装时,开启分词组件jcseg的自动更新词库功能会失效。
解压
tar -zxvf elasticsearch-2.4.1.tar.gz
mv elasticsearch-2.4.1 /usr/local/elasticsearch配置
elasticsearch默认是禁止使用root用户启动的,需要创建其他用户
useradd elasticsearch 创建elasticsearch的相关目录
mkdir -p /data/elasticsearch/data
mkdir -p /data/elasticsearch/logs
mkdir -p /data/elasticsearch/scripts
##指定elasticsearch为以上目录的拥有者
chown -R elasticsearch.elasticsearch /data/elasticsearch
##创建elasticsearch插件存放目录
mkdir -p /usr/local/elasticsearch/plugins配置elasticsearch.yml
#集群名称
cluster.name: searchEngineTest
#节点名称
node.name: seachEngine162
#数据存放目录
path.data: /data/elasticsearch/data
#日志存放目录
path.log: /data/elasticsearch/logs
#脚本存放目录
path.script: /data/elasticsearch/scripts
#指定host
network.host: 0.0.0.0
#端口号
http.port: 9200
#指定节点自动发现,1.x版本貌似会自动发现
discovery.zen.ping.unicast.hosts: ["192.168.1.162", "192.168.1.163"]其他节点也做相应配置
启动elasticsearch
/usr/local/elasticsearch/bin/elasticsearch
or
/usr/local/elasticsearch/bin/elasticsearch -d安装searchguard2
因为elasticsearch提供的安全插件shield只能免费试用一个月,所以使用开源免费的三方插件searchguard2
安装search-guard-ssl、search-guard-2插件
/usr/local/elasticsearch/bin/plugin install -b com.floragunn/search-guard-ssl/2.4.1.16
/usr/local/elasticsearch/bin/plugin install -b com.floragunn/search-guard-2/2.4.1.7下载 searchguard-ssl 的包,里面包含自动创建证书的脚本:
git clone https://github.com/floragunncom/search-guard-ssl.git进入searchguard-sslexample-pki-scripts,修改以下shell脚本:
gen_client_node_cert.sh //创建客户端证书
gen_node_cert.sh // 创建节点证书
gen_root_ca.sh // 创建根证书修改脚本:
vim gen_client_node_cert.sh
找到:-dname "CN=$CLIENT_NAME, OU=client, O=client, L=Test, C=DE"
修改为:-dname "CN=$CLIENT_NAME"
vim gen_node_cert.sh
找到:-dname "CN=$NODE_NAME.example.com, OU=SSL, O=Test, L=Test, C=DE" \
修改为:-dname "CN=$NODE_NAME" \编辑脚本example.sh
#!/bin/bash
set -e
./clean.sh
./gen_root_ca.sh password password
./gen_node_cert.sh node-0 password password
./gen_node_cert.sh node-1 password password
./gen_client_node_cert.sh admin password password
cp truststore.jks node-0-keystore.jks /usr/local/elasticsearch/config/ #ps:根据节点名称拷贝相应文件
cp truststore.jks admin-keystore.jks /usr/local/elasticsearch/plugins/search-guard-2/sgconfig/将 example.sh 里的 kspass, tspass, capass 改为自己的密码,并且对应的配置项 searchguard.ssl.transport.node.keystore_password 和 searchguard.ssl.transport.node.truststore_password 的值改为对应的密码
配置elasticsearch:在elasticsearch.yml中添加以下内容:
#############################################################################################
# SEARCH GUARD #
# Configuration #
#############################################################################################
searchguard.enable: true
searchguard.authcz.admin_dn:
- CN=admin
#############################################################################################
# SEARCH GUARD SSL #
# Configuration #
#############################################################################################
#############################################################################################
# Transport layer SSL #
# #
#############################################################################################
# Enable or disable node-to-node ssl encryption (default: true)
searchguard.ssl.transport.enabled: true
# JKS or PKCS12 (default: JKS)
#searchguard.ssl.transport.keystore_type: PKCS12
# Relative path to the keystore file (mandatory, this stores the server certificates), must be placed under the config/ dir
searchguard.ssl.transport.keystore_filepath: node-0-keystore.jks
# Alias name (default: first alias which could be found)
#searchguard.ssl.transport.keystore_alias: my_alias
# Keystore password (default: changeit)
searchguard.ssl.transport.keystore_password: password
# JKS or PKCS12 (default: JKS)
#searchguard.ssl.transport.truststore_type: PKCS12
# Relative path to the truststore file (mandatory, this stores the client/root certificates), must be placed under the config/ dir
searchguard.ssl.transport.truststore_filepath: truststore.jks
# Alias name (default: first alias which could be found)
#searchguard.ssl.transport.truststore_alias: my_alias
# Truststore password (default: changeit)
searchguard.ssl.transport.truststore_password: password
# Enforce hostname verification (default: true)
searchguard.ssl.transport.enforce_hostname_verification: false
# If hostname verification specify if hostname should be resolved (default: true)
searchguard.ssl.transport.resolve_hostname: false
# Use native Open SSL instead of JDK SSL if available (default: true)
searchguard.ssl.transport.enable_openssl_if_available: false将其中的password修改为searchguard中创建的密码
所有elasticsearch节点做相同配置
启动elasticsearch集群并使相应的search_guard配置生效:
1、启动elasticsearch集群
2、使用search_guard自带的工具使配置信息生效,将用户等信息写入elasticsearch
./plugins/search-guard-2/tools/sgadmin.sh -cn 集群名称 -h hostname -cd plugins/search-guard-2/sgconfig -ks plugins/search-guard-2/sgconfig/admin-keystore.jks -kspass password -ts plugins/search-guard-2/sgconfig/truststore.jks -tspass password -nhnvps:hostname:指的是 network.host 设置的值,password为example.sh重创建的密码
执行完后再访问http//IP:9200/会提示需要相应的用户名密码,超级管理员用户名:admin 密码:admin
修改超级管理员admin密码:
1、使用search_guard自带的hash密码生成脚本生成加密密码
/usr/local/elasticsearch/plugins/search-guard-2/tools/hash.sh -p newpassword编辑/usr/local/elasticsearch/plugins/search-guard-2/sgconfig下的sg_internal_users.yml文件,将生成的hash密码覆盖需要修改的用户名下
使search_guard配置生效,每修改search_guard的配置文件都需自行以下命令使其生效
./plugins/search-guard-2/tools/sgadmin.sh -cn 集群名称 -h hostname -cd plugins/search-guard-2/sgconfig -ks plugins/search-guard-2/sgconfig/admin-keystore.jks -kspass password -ts plugins/search-guard-2/sgconfig/truststore.jks -tspass password -nhnvps:转载请注明文章出处http://blog.csdn.net/dxyblog/article/details/53033553
717
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
