基于Search Guard的Elasticsearch安全认证和授权配置

最新推荐文章于 2024-05-23 16:38:24 发布
最新推荐文章于 2024-05-23 16:38:24 发布
阅读量1.1w 收藏 20
点赞数 2
分类专栏: elastic 文章标签: Elasticsearch search guard TLS SSL ES
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/wangkai_123456/article/details/95938714
版权

文章目录

Install the Search Guard Plugin for your Elasticsearch version

Disable shard allocation

curl -XPUT 'http://es1:9200/_cluster/settings?pretty' -H 'Content-Type: application/json' -d'
{
  "persistent": {
    "cluster.routing.allocation.enable": "none"
  }
}
'

检查设置是否生效,运行如下命令

curl -XGET 'http://es1:9200/_cluster/settings?pretty'

若输出如下结果,则说明配置成功

{
  "persistent" : {
    "cluster" : {
      "routing" : {
        "allocation" : {
          "enable" : "none"
        }
      }
    }
  },
  "transient" : { }
}

Stop all nodes

采用如下命令查询出ES服务的进程号(占用9200端口和9300端口的进程)

netstat -tnlp
kill -9 进程号

Download

关于Search Guard Plugin版本和Elasticsearch版本之间的对应关系,请参考:https://docs.search-guard.com/latest/search-guard-versions

这里以elasticsearch-6.6.1为例进行说明,因为生产服务器不能联网,这里采用离线方式安装,下载Search Guard Plugin

下载地址:https://oss.sonatype.org/service/local/repositories/releases/content/com/floragunn/search-guard-6/6.6.1-24.3/search-guard-6-6.6.1-24.3.zip

Install

将search-guard-6-6.6.1-24.3.zip拷贝到es所在服务器节点,进入<ES_HOME>/bin目录,执行如下命令进行安装

./elasticsearch-plugin install -b file:///usr/local/hadoop/elasticsearch/search-guard-6-6.6.1-24.3.zip

具体的安装步骤可参考官网:https://docs.search-guard.com/6.x-24/search-guard-installation#adding-the-tls-configuration

Generate all required TLS certificates

参考:https://docs.search-guard.com/6.x-24/offline-tls-tool

下载offline TLS tool

下载地址:https://search.maven.org/#search|ga|1|a%3A"search-guard-tlstool"

这里下载的是search-guard-tlstool-1.7.tar.gz

tar -zxvf search-guard-tlstool-1.7.tar.gz -C search-guard-tlstool //解压

Config node- and certificate configuration settings

进入/config目录

cp example.yml tlsconfig.yml
vi  tlsconfig.yml

Generate Root and Intermediate CA

修改后的Self-generated certificate authority部分配置如下

ca:
   root:
      # The distinguished name of this CA. You must specify a distinguished name.   
      dn: CN=root.ca.tomas.com,OU=CA,O=tomas,DC=tomas,DC=com

      # The size of the generated key in bits
      keysize: 2048

      # The validity of the generated certificate in days from now
      validityDays: 3650
      
      # Password for private key
      #   Possible values: 
      #   - auto: automatically generated password, returned in config output; 
      #   - none: unencrypted private key; 
      #   - other values: other values are used directly as password   
      pkPassword: root-ca-password
      
      # The name of the generated files can be changed here
      file: root-ca.pem
      
   # If you want to use an intermediate certificate as signing certificate,
   # please specify its parameters here. This is optional. If you remove this section,
   # the root certificate will be used for signing.         
   intermediate:
      # The distinguished name of this CA. You must specify a distinguished name.
      dn: CN=signing.ca.tomas.com,OU=CA,O=tomas,DC=tomas,DC=com
   
      # The size of the generated key in bits   
      keysize: 2048
      
      # The validity of the generated certificate in days from now      
      validityDays: 3650
  
      pkPassword: intermediate-ca-password

      file: intermediate-ca.pem

      # If you have a certificate revocation list, you can specify its distribution points here      
      # crlDistributionPoints: URI:https://raw.githubusercontent.com/floragunncom/unittest-assets/master/revoked.crl

进入/tools目录,运行如下命令生成Root和Intermediate证书

./sgtlstool.sh -c ../config/tlsconfig.yml -ca

若提示如下信息,表示生成Root和intermediate证书成功

Root certificate and signing certificate have been sucessfully created.

生成的证书默认存放在/tools/out目录下

Generate Node and Client CA

修改后的Default values and global settings部分配置如下

defaults:

      # The validity of the generated certificate in days from now
      validityDays: 3650 
      
      # Password for private key
      #   Possible values: 
      #   - auto: automatically generated password, returned in config output; 
      #   - none: unencrypted private key; 
      #   - other values: other values are used directly as password   
      pkPassword: auto      
      
      # Specifies to recognize legitimate nodes by the distinguished names
      # of the certificates. This can be a list of DNs, which can contain wildcards.
      # Furthermore, it is possible to specify regular expressions by
      # enclosing the DN in //. 
      # Specification of this is optional. The tool will always include
      # the DNs of the nodes specified in the nodes section.            
      nodesDn:
       - "CN=*.tomas.com,OU=Ops,O=tomas,DC=tomas,DC=com"
      # - 'CN=node.other.com,OU=SSL,O=Test,L=Test,C=DE'
      # - 'CN=*.example.com,OU=SSL,O=Test,L=Test,C=DE'
      # - 'CN=elk-devcluster*'
      # - '/CN=.*regex/' 

      # If you want to use OIDs to mark legitimate node certificates, 
      # the OID can be included in the certificates by specifying the following
      # attribute
      
      nodeOid: "1.2.3.4.5.5"

      # The length of auto generated passwords            
      generatedPasswordLength: 12
      
      # Set this to true in order to generate config and certificates for 
      # the HTTP interface of nodes
      httpsEnabled: true
      
      # Set this to true in order to re-use the node transport certificates
      # for the HTTP interfaces. Only recognized if httpsEnabled is true
      
      reuseTransportCertificatesForHttp: false
      
      # Set this to true to enable hostname verification
      #verifyHostnames: false
      
      # Set this to true to resolve hostnames
      #resolveHostnames: false

修改后的Nodes部分配置如下

nodes:
  - name: es1
    dn: CN=es1.tomas.com,OU=Ops,O=tomas,DC=tomas,DC=com
    dns: es1
  - name: es2
    dn: CN=es2.tomas.com,OU=Ops,O=tomas,DC=tomas,DC=com
    dns: es2
  - name: es3
    dn: CN=es3.tomas.com,OU=Ops,O=tomas,DC=tomas,DC=com
    dns: es3
  - name: es4
    dn: CN=es4.tomas.com,OU=Ops,O=tomas,DC=tomas,DC=com
    dns: es4

修改后的Clients部分配置如下

clients:
  - name: spock
    dn: CN=spock.tomas.com,OU=Ops,O=tomas,DC=tomas,DC=com
  - name: kirk
    dn: CN=kirk.tomas.com,OU=Ops,O=tomas,DC=tomas,DC=com
    admin: true

进入/tools目录,运行如下命令生成node和client证书

./sgtlstool.sh -c ../config/tlsconfig.yml -crt

若看到如下提示信息,证明生成node和client证书成功

Using signing certificate: /usr/local/hadoop/elasticsearch/search-guard-tlstool/tools/out/intermediate-ca.pem
Created 4 node certificates.
Passwords for the private keys of the node certificates have been auto-generated. The passwords are stored in the config snippet files.
Created 2 client certificates.
Passwords for the private keys of the client certificates have been auto-generated. The passwords are stored in the file "client-certificates.readme"

Config SSL

由于ElasticSearch节点之间通讯默值非加密,造成数据不安全,Search Guard强制ElasticSearch节点之间通讯为加密方式。

distribute cetificates

将上述生成的相关证书拷贝到相应ES节点的<ES_HOME>/config目录
例如将如下文件拷贝到hostname为es1的节点

root-ca.pem
root-ca.key
intermediate-ca.pem
intermediate-ca.key
es1.pem
es1.key
es1_http.pem
es1_http.key
es1_elasticsearch_config_snippet.yml
kirk.pem
kirk.key
spock.pem
spock.key

并采用如下命令将上述文件的权限更改为0600

chmod 600 root* intermediate* kirk* spock* es1*

将如下文件拷贝到hostname为es2的节点

root-ca.pem
root-ca.key
intermediate-ca.pem
intermediate-ca.key
es2.pem
es2.key
es2_http.pem
es2_http.key
es2_elasticsearch_config_snippet.yml
kirk.pem
kirk.key
spock.pem
spock.key

并采用如下命令将上述文件的权限更改为0600,同上,其他节点操作同上。

chmod 600 root-ca.* intermediate-ca.* es1* spock.* kirk.*

Change the permission on directory of <ES_HOME>/config

采用如下命令将ES集群各节点的<ES_HOME>/config目录的权限改为0700

chmod 700 <ES_HOME>/config

Disable X-Pack security

从6.3.0版本开始,Elasticsearch 和 Kibana绑定了X-Pack和OSS,如果Elasticsearch使用的是6.3.0以上的版本,需要关闭X-Pack security,即在ES集群各节点的<ES_HOME>/config/elasticsearch.yml文件中新增如下配置

xpack.security.enabled: false

Adding the TLS configuration

将es1_elasticsearch_config_snippet.yml文件中内容新增配置到hostname为es1的节点<ES_HOME>/config/elasticsearch.yml文件中

# This is a configuration snippet for the node es1
# This snippet needs to be inserted into the file config/elasticsearch.yml of the respective node.
# If the config file already contains SearchGuard configuration, this needs to be replaced.
# Furthermore, you need to copy the files referenced below into the same directory.
# Please refer to http://docs.search-guard.com/latest/configuring-tls for further configuration of your installation.

searchguard.ssl.transport.pemcert_filepath: es1.pem
searchguard.ssl.transport.pemkey_filepath: es1.key
searchguard.ssl.transport.pemkey_password: lZoD27XLoBry
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false

searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: es1_http.pem
searchguard.ssl.http.pemkey_filepath: es1_http.key
searchguard.ssl.http.pemkey_password: sualxs42muY1
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem

searchguard.authcz.admin_dn:
- CN=kirk.tomas.com,OU=Ops,O=tomas,DC=tomas,DC=com

searchguard.cert.oid: 1.2.3.4.5.5

将es2_elasticsearch_config_snippet.yml文件中内容新增配置到hostname为es2的节点<ES_HOME>/config/elasticsearch.yml文件中

# This is a configuration snippet for the node es2
# This snippet needs to be inserted into the file config/elasticsearch.yml of the respective node.
# If the config file already contains SearchGuard configuration, this needs to be replaced.
# Furthermore, you need to copy the files referenced below into the same directory.
# Please refer to http://docs.search-guard.com/latest/configuring-tls for further configuration of your installation.

searchguard.ssl.transport.pemcert_filepath: es2.pem
searchguard.ssl.transport.pemkey_filepath: es2.key
searchguard.ssl.transport.pemkey_password: d0aVkFO9ZW0W
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false

searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: es2_http.pem
searchguard.ssl.http.pemkey_filepath: es2_http.key
searchguard.ssl.http.pemkey_password: 153IQlKc2bul
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem

searchguard.authcz.admin_dn:
- CN=kirk.tomas.com,OU=Ops,O=tomas,DC=tomas,DC=com

searchguard.cert.oid: 1.2.3.4.5.5

Enable the REST management API

在ES集群各节点的<ES_HOME>/config/elasticsearch.yml文件中新增如下配置

searchguard.restapi.roles_enabled: ["sg_all_access"]

ES集群所有节点都配置好后,重启ES集群

Restart Elasticsearch

采用如下命令启动ES集群所有节点

cd /usr/local/hadoop/elasticsearch/
./bin/elasticsearch -d

Re-enable shard allocation by using sgadmin

使用admin证书、root证书,并结合sgadmin工具或curl来使能shard allocation,这里使用sgadmin,具体命令如下

cd /usr/local/hadoop/elasticsearch/plugins/search-guard-6/tools
chmod u+x sgadmin.sh //使sgadmin.sh有可执行权限
./sgadmin.sh -icl -nhnv -h es1 --enable-shard-allocation -cacert ../../../config/root-ca.pem -cert ../../../config/kirk.pem -key ../../../config/kirk.key -keypass zNbkgrtwctow

其中,zNbkgrtwctow为admin证书的私钥的密码,可以在client-certificates.readme文件中找到

Initializing Search Guard

具体参考:https://docs.search-guard.com/latest/sgadmin

Search Guard的配置(包括users、roles和permissions)都是存储在ES集群里的一个index中,这样就可以实现修改配置后立即生效,不用重启集群。Search Guard的配置信息需要通过sgadmin工具来加载到ES的一个index中(默认这个index是不存在的),所以sgadmin主要用来初始化index和配置认证和授权方式。

Change the permissions on that script and give it execution rights

chmod +x plugins/search-guard-7/tools/sgadmin.sh

提示,可以通过运行如下命令查看sgadmin.sh工具所有的命令行选项

./sgadmin.sh

Using sgadmin with PEM certificates

在ES集群的任一节点(以es1节点为例)执行如下命令

./sgadmin.sh -h es1 -cd ../sgconfig/ -icl -nhnv -cacert ../../../config/root-ca.pem -cert ../../../config/kirk.pem -key ../../../config/kirk.key -keypass zNbkgrtwctow

若看到如下提示信息,证明初始化集群成功

Search Guard Admin v6
Will connect to hadoopSvr3:9300 ... done
Elasticsearch Version: 6.6.1
Search Guard Version: 6.6.1-24.3
Connected as CN=kirk.wxtomas.com,OU=Ops,O=wxtomas Com\, Inc.,DC=wxtomas,DC=com
Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
Clustername: ES-cluster
Clusterstate: GREEN
Number of nodes: 2
Number of data nodes: 2
searchguard index does not exists, attempt to create it ... done (0-all replicas)
Populate config from /usr/local/elasticsearch-6.6.1/plugins/search-guard-6/sgconfig
Will update 'sg/config' with ../sgconfig/sg_config.yml 
   SUCC: Configuration for 'config' created or updated
Will update 'sg/roles' with ../sgconfig/sg_roles.yml 
   SUCC: Configuration for 'roles' created or updated
Will update 'sg/rolesmapping' with ../sgconfig/sg_roles_mapping.yml 
   SUCC: Configuration for 'rolesmapping' created or updated
Will update 'sg/internalusers' with ../sgconfig/sg_internal_users.yml 
   SUCC: Configuration for 'internalusers' created or updated
Will update 'sg/actiongroups' with ../sgconfig/sg_action_groups.yml 
   SUCC: Configuration for 'actiongroups' created or updated
Done with success

Test the installation

visiting https://es1:9200

如果提示需要输入用户名和密码,输入admin/admin

Display information about the currently logged in user

visiting https://es1:9200/_searchguard/authinfo?pretty

Search Guard Health Check

为了检查Search Guard是否已经正确安装,并且已经在正常运行,检查Search Guard的健康状态,在浏览器地址栏输入如下地址
https://:9200/_searchguard/health
若输出结果如下

{"message":null,"mode":"strict","status":"UP"}

则说明Search Guard运行正常。

Accessing data Check

curl -u admin:admin -k -XGET 'https://<hostname>:9200/_cat?pretty'

至此,Search Guard 认证基本已经完成了,接下来关于账号权限的创建与管理,可以在 Kibana 直接操作。

Config Kibana

具体参考:https://docs.search-guard.com/6.x-24/kibana-plugin-installation

Installing the Search Guard Plugin

1、下载与Kibana版本匹配的Search Guard Kibana Plugin
具体下载地址:https://oss.sonatype.org/service/local/repositories/releases/content/com/floragunn/search-guard-kibana-plugin/6.6.1-18.4/search-guard-kibana-plugin-6.6.1-18.4.zip

2、关闭Kibana

3、将下载的插件search-guard-kibana-plugin-6.6.1-18.4.zip上传到Kibana的安装目录,并执行如下命令安装插件

bin/kibana-plugin install file:usr/local/kibana-6.6.1-linux-x86_64/search-guard-kibana-plugin-6.6.1-18.4.zip

若提示如下信息,则表示安装成功

Attempting to transfer from file:usr/local/kibana-6.6.1-linux-x86_64/search-guard-kibana-plugin-6.6.1-18.4.zip
Transferring 1046761 bytes....................
Transfer complete
Retrieving metadata from plugin archive
Extracting plugin archive
Extraction complete
Optimizing and caching browser bundles...
Plugin installation complete

Disable X-Pack Security

在kibana安装目录下的config/kibana.yml文件中修改配置如下

xpack.security.enabled: false

Configuring the Kibana server user

在kibana安装目录下的config/kibana.yml文件中修改配置如下

elasticsearch.username: "kibanaserver"
elasticsearch.password: "kibanaserver"

Setting up SSL/TLS

因为在Elasticsearch REST layer开启了TLS,所以kibana访问Elasticsearch的协议需要从http改为https,在config/kibana.yml文件中修改配置如下

elasticsearch.hosts: ["https://ip:9200"]

Configuring the Root CA

有两种配置:
一是关闭 证书验证,在config/kibana.yml文件中修改配置如下

elasticsearch.ssl.verificationMode: none

二是提供root CA,在config/kibana.yml文件中修改配置如下

elasticsearch.ssl.certificateAuthorities: "/path/to/your/root-ca.pem"
elasticsearch.ssl.verificationMode: certificate

然后启动kibana。

Config logstash

具体参考:https://docs.search-guard.com/6.x-24/elasticsearch-logstash-search-guard

Check permissions for the logstash user

在Search Guard secured cluster中默认配置一个logstash user,因为Search Guard中已经包含了一个logstash用户,此处不再单独配置,在<ES_HOME>/plugins/search-guard-6/sgconfig/sg_roles.yml文件中查看sg_logstash用户的权限如下

# For logstash and beats
sg_logstash:  
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
    - indices:admin/template/get
    - indices:admin/template/put
  indices:
    'logstash-*':
      '*':
        - CRUD
        - CREATE_INDEX
    '*beat*':
      '*':
        - CRUD
        - CREATE_INDEX

也可以在用admin账号登录kibana,进入Search Guard菜单,在Permissions and Roles部分的Search Guard Roles查看。

set up a logstash user

将logstash用户配置到logstash的配置文件logstash.conf中elasticsearch输出部分,具体如下

output {
    elasticsearch {
       user => logstash
       password => logstash
       ...
    }
}

Setting up TLS/SSL

因为前面在ES中配置启动了REST层的TLS,所以需要配置logstash使用https来与elasticsearch通信,将root证书拷贝到logstash-6.4.2/config目录下,并在logstash的配置文件logstash.conf中elasticsearch输出部分配置如下

    ssl => true
    ssl_certificate_verification => false
    cacert => "/usr/local/logstash-6.4.2/config/root-ca.pem"
    index => "logstash-rs1_26_mongodlog"

注意:如果是自定义索引名,索引名必须匹配’logstash-*‘开头或’beat’,否则logstash用户无权限。
然后重启logstash。

逝水-无痕
关注
  • 2
    点赞
  • 20
    收藏
    觉得还不错? 一键收藏
  • 1
    评论
专栏目录
一、安装elasticsearch8.2 集群安装-master-无安全认证
qq_35013224的博客
06-12 758
centos8安装elasticsearch8.2 集群安装-无安全认证
2019年最新版elasticSearch+kibana+logstash+search guard安装教程
03-01
2019年elaticsearch6.6.0,kibana6.6.0,logstash6.6.0不再使用x-pack,替换为search guard安装教程。
ELK之elasticsearch6安装认证模块search guard
abtmh02622的专栏
03-22 688
  参考:https://www.cnblogs.com/marility/p/9392645.html   1,安装环境及软件版本 程序   版本 安装方式 elasticsearch  6.3.1 rpm kibana 6.3.1  rpm java 1.8.0 tar   2,search ...
Elasticsearch集群部署以及认证配置
最新发布
xjxy52o的博客
05-23 682
在其中一台机器上执行,我这里在 192.168.95.174 node-01节点机器操作,我这里密码全部设置为(123456)去到cd /path/elasticsearch-7.10.1/bin。配置systemd服务启动es
linux安装elasticsearch8.1.0教程
xingluner的博客
03-18 6504
1.下载地址 :Get Started with Elasticsearch, Kibana, and the Elastic Stack | ElasticNew to Elasticsearch? A few steps to download and you'll be searching & analyzing with Elasticsearch, visualizing with Kibana, and securing with the Elastic Stack.https://ww
Elasticsearch增加访问权限:使用用户名和密码访问
weixin_45760485的博客
03-20 1027
【代码】Elasticsearch增加访问权限:使用用户名和密码访问。
elasticsearch集群安全加密插件之search-guard
11-04
Search Guard是一款强大的安全解决方案,专为Elasticsearch设计,提供全面的数据保护、访问控制和安全监控功能。它可以帮助企业满足合规性要求,确保数据在传输和存储过程中的安全性。下面我们将深入探讨Search ...
ik Search Guard elasticsearch
01-18
**ik Search Guard for Elasticsearch** **一、Search Guard 简介** Search Guard 是一款功能强大的安全解决方案,专为 Elastic...正确地配置和使用 Search Guard,是构建安全、可靠的数据存储和检索平台的关键。
elasticsearch head guard 5.5.2
01-17
- **审计**:Search Guard 记录所有尝试的访问操作,便于合规性和安全审查。 5. **可视化工具:Elasticsearch-Head** Elasticsearch-Head 是一个基于浏览器的 Elasticsearch 管理界面,可以帮助用户直观地查看和...
search-guard-7-7.5.1-37.1.0.zip
03-18
基于Search GuardElasticsearch安全认证授权配置组件资源,在官网是能够下载,不一定要下载我的,图方便的话可以下载这个,然后这个是我自己安装过程中一些步骤,也许对你有帮助...
es searchguard
05-15
**Elasticsearch SearchGuard**是Elasticsearch的一个第三方安全插件,它提供了全面的安全认证授权功能,确保了数据在存储和检索过程中的安全性。SearchGuard适用于那些对数据隐私和安全有高度要求的企业和组织,...
Elasticsearch 管集群身份认证与用户鉴权
爱死亡机器人
03-10 914
文章目录1. 数据泄露2. 原因分析3. 数据安全性的基本需求4. 一些免费的方案5. Anthentication - 身份认证6. RBAC - 用户鉴权7. Privilege8. 创建内置的用户和角色9. 使用 Security API 创建用户10. 开启并配置 X-Pack 的认证与鉴权配置 Kibana 1. 数据泄露 5700 万用户数据泄漏 1.08 亿条投注信息泄漏 2. 原因分析 ES 在默认安装后,不提供任何形式的安全防护 错误的配置信息导致公网可以访问 ES 集群 在 ela
Search Guard 1.3 测试配置
Choleen的博客
07-03 937
测试配置 在上面三个小节Search Guard 1.0、 1.1、1.2中,我们配置了用户和角色。现在来测试一下这些配置是否成功。 本文: 检查配置的用户 访问Elasticsearch 在检查之前,我们看下需要的配置: 在sg_internal_users.yml中创建用户 在sg_roles.yml中创建角色 在sg_roles_mapping.yml创建一个映射去连接用户和Search Guard的角色对应 检查配置的用户 作为第一步,我们想去检查我们配置的的用户是否在
使用开源权限控制组件search-guard来操作Elasticsearch
争当鲲鹏飞万里 不做燕雀恋子巢
03-26 2896
一、集群级别权限 1、原来自定义角色sg_zyl_role,只有对所有索引有all操作权限,对集群级别权限没有 # zyl脚本可以监控集群,只能对customer索引有操作权限 sg_zyl_role: indices: '*': '*': - '*' 2、建立zyl用户,并将zyl用户赋予sg_zyl_role角色,使用zyl用户去查询集群节点列表...
ElasticSearch配置SearchGuard
hq.zheng的博客
04-11 808
复制es目录/config/key下的root-ca.pem,client-certificates/CN=sgadmin.crtfull.pem,client-certificates/CN=sgadmin.key.pem 到/usr/local/elasticsearch-6.4.3/plugins/search-guard-6/tools下。3、 修改/usr/local/elasticsearch-6.4.3/config/elasticsearch.yml。
search-guard
qq_18746961的博客
03-23 3551
search-guard elasticsearch
SearchGuard证书配置
刘军的博客
09-05 2710
参考: https://www.jianshu.com/p/cc71e7793f6f TLS工具安装 下载TLS工具 https://repo1.maven.org/maven2/com/floragunn/search-guard-tlstool/1.5/ 解压unzip search-guard-tlstool-1.6.zip tlstool-1.6 TLS生成证书配置 复制&l...
Search Guard整合ES安全验证
weixin_44094720的博客
11-26 1471
Search Guard整合ES安全验证 概述 安装程序 安装包及版本 elasticsearch-6.6.2.tar.gz kibana-6.6.2.tar.gz logstash-6.6.2.tar.gz search-guard-6-6.6.2-25.5.zip search-guard-kibana-plugin-6-6.6.2-19.0.zip 下载地址(Search Guard & kibana plugin) https://docs.search-guard.com/latest
ElasticSearch7.10配置Search-Guard
Choleen的博客
06-27 1156
ElasticSearch7.10配置Search-Guard 1.下载elasticsearch7.10 2. 修改系统属性 $ vim /etc/security/limits.conf * soft nofile 655360 * hard nofile 655360 * soft nproc 65536 * hard nproc 65536 $ vim /etc/sysctl.conf vm.max_map_count=262144 3. 增加es组和es用户 3.1 创建 $ grou
Elasticsearch XPACK安全认证
01-11
Elasticsearch XPACK安全认证提供了一种保护和加密Elasticsearch集群的方式。它包括以下几个方面的功能: 1. 用户认证授权:可以创建和管理多个用户,并为每个用户分配不同的角色和权限。可以使用`./bin/elasticsearch-users`命令来创建和管理用户。 2. 传输层安全性:可以通过配置传输层安全性(TLS/SSL)来加密Elasticsearch节点之间的通信。可以使用`./bin/elasticsearch-certutil`命令来生成和管理证书。 3. HTTP层安全性:可以通过配置HTTP层安全性(TLS/SSL)来加密Elasticsearch与客户端之间的通信。可以使用`./bin/elasticsearch-certutil`命令来生成和管理证书。 4. 安全审计:可以启用安全审计功能,记录用户的操作和集群的状态变化。可以使用`./bin/elasticsearch-setup-passwords`命令来设置和重置密码。 下面是一些示例命令: 1. 重置用户密码(随机密码): ```shell ./bin/elasticsearch-reset-password -u elastic ``` 2. 添加安全证书密码: ```shell ./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password ./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password ./bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password ./bin/elasticsearch-keystore add xpack.security.http.ssl.truststore.secure_password ``` 请注意,以上命令只是示例,实际使用时需要根据具体情况进行调整。

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值