I. Installing Shield
1. Install the ElasticSearch cluster, for example 10 nodes.
2. Install the ES license plugin. Shield is commercial software and depends on it; without it Shield cannot be enabled: bin/plugin install license
3. Install the Shield plugin: bin/plugin install shield
4. Offline install: download the plugin zip first, then: bin/plugin install file:///path/to/file/license-2.3.4.zip
That is the whole installation; simple enough.
II. Configuration file and local authentication, so the whole cluster supports Shield
1. Generate the system key file with bin/shield/syskeygen; the default path is CONFIG_DIR/shield/system_key
2. Copy the system_key file to the same path on every other node. If you change the path, point to it in elasticsearch.yml: shield.system_key.file: /path/system_key
3. Configure the authentication realms as native plus file. Add the following to elasticsearch.yml (both realms sit under the same shield.authc.realms block; a second top-level shield: key would be a duplicate YAML key):
shield:
  authc:
    realms:
      native1:
        type: native
        order: 0
      file1:
        type: file
        order: 0
Shield also supports LDAP, Active Directory, PKI and other realm types; see the manual for details. The author does not recommend them, because authentication costs performance, and the more complex the authentication, the more it costs. This is big data; performance comes first.
4. Enable the audit log: it records every user's operations, which is quite practical, but of course it also costs performance, so enable it with care.
shield.audit.enabled: true
shield.audit.outputs: [index, logfile]
Output types: index writes the events into an index in the cluster named like .shield_audit_log-2016.07.12, one per day, which is ugly :sweat:
logfile: writes an access log file in the ES logs directory; the log format can be customized (see the manual), but the default is usually enough.
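To show what the logfile output buys you on the defensive side, here is an added example that is not part of the original post and not Shield's own code: it parses audit lines written in the key=[value] style of Shield's logfile output and summarises denied and failed events per user and source address. The sample lines are constructed for this example and only approximate the real format, so adjust the regular expressions to the lines your cluster actually writes.

```python
"""Parse Shield-style audit log lines and summarise denied/failed events.

Added example, not from the original post or from Shield. The line layout
(timestamp, node, layer, event, then key=[value] pairs) is modelled on the
logfile output; the sample lines below are constructed, not captured.
"""
import re
from collections import Counter

# "[timestamp] [node] [layer] [event] key=[value], key=[value], ..."
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+\[(?P<node>[^\]]+)\]\s+\[(?P<layer>[^\]]+)\]\s+"
    r"\[(?P<event>[^\]]+)\]\s*(?P<attrs>.*)$"
)
ATTR_RE = re.compile(r"(\w+)=\[([^\]]*)\]")

# Constructed sample input (assumption: format approximates Shield's logfile).
SAMPLE_LOG = """\
[2016-07-12 10:00:01,001] [node-1] [rest] [authentication_failed] origin_address=[10.0.0.5], principal=[es_admin], uri=[/_cluster/health]
[2016-07-12 10:00:02,002] [node-1] [transport] [access_granted] origin_type=[rest], origin_address=[10.0.0.5], principal=[es_admin], action=[cluster:monitor/health]
[2016-07-12 10:00:03,003] [node-2] [transport] [access_denied] origin_type=[rest], origin_address=[10.0.0.9], principal=[report_user], action=[indices:data/write/bulk], indices=[logs-2016.07.12]
[2016-07-12 10:00:04,004] [node-2] [transport] [access_denied] origin_type=[rest], origin_address=[10.0.0.9], principal=[report_user], action=[indices:admin/delete], indices=[logs-2016.07.11]
[2016-07-12 10:00:05,005] [node-2] [transport] [access_granted] origin_type=[rest], origin_address=[10.0.0.9], principal=[report_user], action=[indices:data/read/search], indices=[logs-2016.07.12]
this line is not an audit event and is skipped
"""


def parse_line(line):
    """Return a dict with ts/node/layer/event plus the key=[value] attributes, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event.update(dict(ATTR_RE.findall(event.pop("attrs"))))
    return event


def parse_log(text):
    """Parse every recognisable line of an audit log; unparseable lines are dropped."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def denied_by_principal(events):
    """Count access_denied events per user (a user probing beyond its role)."""
    return Counter(e.get("principal", "<none>") for e in events if e["event"] == "access_denied")


def failed_auth_by_source(events):
    """Count authentication_failed events per source address (password guessing)."""
    return Counter(e.get("origin_address", "<none>") for e in events if e["event"] == "authentication_failed")


def denied_write_or_admin(events):
    """Principals denied on write or admin actions, with the actions involved."""
    out = {}
    for e in events:
        action = e.get("action", "")
        if e["event"] == "access_denied" and ("/write/" in action or ":admin/" in action):
            out.setdefault(e.get("principal", "<none>"), []).append(action)
    return out


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("denied per user:", dict(denied_by_principal(evs)))
    print("failed auth per source:", dict(failed_auth_by_source(evs)))
    print("denied write/admin:", denied_write_or_admin(evs))
```

Point the script at the real access log (for example by reading the file and passing its text to parse_log) and feed the counters into whatever alerting you already have; a single user with many access_denied events on write or admin actions is usually a misconfigured role, and many authentication_failed events from one address is the thing the audit log exists to reveal.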
5. Restart Elasticsearch. Shield is now installed; next, set up its users, roles and privileges.
III. Adding users and roles
1. Add local (file realm) users:
The system provides 3 default roles:
(1) admin
Can perform any cluster or index action.
(2) power_user
Can monitor the cluster and perform any index action.
(3) user
Can perform read actions on any index.
bin/shield/esusers useradd es_admin -r admin
Then access the cluster as that user:
curl -u es_admin -XGET 'http://localhost:9200/'
Add the local user on every node so it can be used for basic authentication.
2. Add cluster-wide (native realm) users and roles:
Add a user:
POST /_shield/user/ironman
{
  "password" : "j@rV1s",
  "roles" : [ "admin", "other_role1" ],
  "full_name" : "Tony Stark",
  "email" : "tony@starkcorp.co",
  "metadata" : {
    "intelligence" : 7
  }
}
View a user:
GET /_shield/user/ironman
GET _shield/authenticate
Delete a user:
DELETE /_shield/user/ironman
Add a role:
POST /_shield/role/my_admin_role
{
  "cluster": ["all"],
  "indices": [
    {
      "names": [ "index1", "index2" ],
      "privileges": ["all"],
      "fields": [ "title", "body" ], // optional
      "query": "{\"match\": {\"title\": \"foo\"}}" // optional
    }
  ],
  "run_as": [ "other_user" ] // optional
}
View roles:
GET /_shield/role
Delete a role:
DELETE /_shield/role/my_admin_role
IV. Privileges explained
Cluster Privileges
all
All cluster operations, like snapshotting, node shutdown/restart, settings update, rerouting, or managing security
monitor
All cluster read-only operations, like cluster health & state, hot threads, node info, node & cluster stats, snapshot/restore status, pending cluster tasks
manage
Builds on monitor and adds cluster operations that change values in the cluster. This includes snapshotting, updating settings, and rerouting. This privilege does not include the ability to manage security.
manage_security
All security related operations such as CRUD operations on users and roles and cache clearing
manage_index_templates
All operations on index templates
transport_client
All privileges necessary for a transport client to connect
Indices Privileges
all
Any action on an index
manage
All monitor privileges plus index administration (aliases, analyze, cache clear, close, delete, exists, flush, mapping, open, force merge, refresh, settings, search shards, templates, validate, warmers)
monitor
All actions, that are required for monitoring and read-only (recovery, segments info, index stats & status)
read
Read only access to actions (count, explain, get, mget, get indexed scripts, more like this, multi percolate/search/termvector, percolate, scroll, clear_scroll, search, suggest, tv)
index
Privilege to index and update documents
create
Privilege to index documents
delete
Privilege to delete documents
write
Privilege to perform all write operations on documents, including the ability to index, update, and delete documents as well as perform bulk operations. If write is granted on the .scripts index, it includes the ability to put and delete indexed scripts.
delete_index
Privilege to delete an index
create_index
Privilege to create an index. A create index request may contain aliases to be added to the index once created. In that case the request requires the manage privilege as well, on both the index and the aliases names.
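The role and user bodies from section III and the privilege catalogue in section IV are easy to get wrong by hand (a misspelled privilege name, or "all" granted where "read" was meant). The following is an added example, not from the original post and not Elastic's code: it assembles bodies in the shape of POST /_shield/role/<name> and POST /_shield/user/<name> and reviews a role against the privilege names listed above before anything is sent to the cluster. The role names, index patterns and users in it are made up for the example; nothing here contacts a cluster.

```python
"""Build Shield native-realm role/user bodies and review them for over-grants.

Added example, not from the original post or from Elastic. The privilege sets
are exactly the names listed in the post's privilege section; "log_reader",
"logs-*" and "report_user" are constructed sample values.
"""
import json

CLUSTER_PRIVILEGES = {"all", "monitor", "manage", "manage_security",
                      "manage_index_templates", "transport_client"}
INDEX_PRIVILEGES = {"all", "manage", "monitor", "read", "index", "create",
                    "delete", "write", "delete_index", "create_index"}


def build_role(cluster, indices, run_as=None):
    """indices: iterable of (names, privileges, fields, query) tuples.

    fields gives field-level security, query document-level security; both
    are optional, matching the role body shown in the post.
    """
    body = {"cluster": list(cluster), "indices": []}
    for names, privileges, fields, query in indices:
        entry = {"names": list(names), "privileges": list(privileges)}
        if fields:
            entry["fields"] = list(fields)
        if query:
            entry["query"] = json.dumps(query)  # sent as a JSON string, as in the post
        body["indices"].append(entry)
    if run_as:
        body["run_as"] = list(run_as)
    return body


def build_user(name, password, roles, full_name=None, email=None, metadata=None):
    """User body for POST /_shield/user/<name>; optional keys are omitted when unset."""
    body = {"password": password, "roles": list(roles)}
    for key, value in (("full_name", full_name), ("email", email), ("metadata", metadata)):
        if value is not None:
            body[key] = value
    return body


def review_role(role):
    """Return findings: unknown privilege names and grants that equal the admin role."""
    findings = []
    for priv in role.get("cluster", []):
        if priv not in CLUSTER_PRIVILEGES:
            findings.append(f"unknown cluster privilege '{priv}'")
        elif priv in ("all", "manage_security"):
            findings.append(f"cluster privilege '{priv}' allows managing users and roles")
    for entry in role.get("indices", []):
        names = entry.get("names", [])
        for priv in entry.get("privileges", []):
            if priv not in INDEX_PRIVILEGES:
                findings.append(f"unknown index privilege '{priv}' on {names}")
            elif priv == "all" and any(n in ("*", "_all") for n in names):
                findings.append("index privilege 'all' on every index equals the built-in admin role")
    if role.get("run_as"):
        findings.append(f"run_as lets this role act as {role['run_as']}")
    return findings


def to_curl(method, path, body, user, host="http://localhost:9200"):
    """Render the request as the curl -u form used in the post (password prompted)."""
    return f"curl -u {user} -X{method} '{host}{path}' -d '{json.dumps(body)}'"


# Constructed sample roles: one least-privilege, one that should be rejected.
LOG_READER = build_role(
    cluster=["monitor"],
    indices=[(["logs-*"], ["read"], ["@timestamp", "message"], {"match": {"level": "ERROR"}})],
)
OVERBROAD = build_role(
    cluster=["all", "admin"],
    indices=[(["*"], ["all", "wirte"], None, None)],
    run_as=["es_admin"],
)

if __name__ == "__main__":
    print(to_curl("POST", "/_shield/role/log_reader", LOG_READER, "es_admin"))
    print("log_reader findings:", review_role(LOG_READER))
    print("overbroad findings:", review_role(OVERBROAD))
```

The review is deliberately strict about cluster "all" and "manage_security" because either one lets the holder create further users and roles, which makes the role equivalent to admin regardless of what its index section says; "monitor" covers the health and stats calls most service accounts actually need.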
V. Cracking the license limit
Shield is a commercial product, reportedly USD 1600 per cluster per year. Expensive, though for the rich it doesn't matter.
If the license expires, the only effect is this: "Cluster health, cluster stats and indices stats operations are blocked on shield license expiration."
Fortunately the code is simple and not obfuscated. Looking at it, removing the expiry check not only cracks it but also greatly improves performance.
The class to modify: org.elasticsearch.shield.action.ShieldActionFilter
The method to modify:
public void apply(Task task, String action, ActionRequest request, ActionListener listener,
ActionFilterChain chain)
// if ((!(this.licenseState.statsAndHealthEnabled())) && (LICENSE_EXPIRATION_ACTION_MATCHER.apply(action))) {
// this.logger.error(
// "blocking [{}] operation due to expired license. Cluster health, cluster stats and indices stats \noperations are blocked on shield license expiration. All data operations (read and write) continue to work. \nIf you have a new license, please update it. Otherwise, please reach out to your support contact.",
// new Object[] { action });
//
// throw LicenseUtils.newComplianceException("shield");
// }
Comment out the code above.
If that still isn't fast enough and you want no verification during bulk requests, you can also add the following statements so that bulk requests skip the check for better performance:
try {
if (this.licenseState.securityEnabled()) {
if (action.indexOf("bulk")>=0){
chain.proceed(task, action, request, new SigningListener(this, listener));
return;
}