How Elasticsearch authenticates against LDAP from Java: installing X-Pack on Elasticsearch 6.0 and configuring LDAP authentication

For an explanation of Elasticsearch concepts, see:

https://segmentfault.com/a/11...

For installing Elasticsearch, see:

https://segmentfault.com/a/11...

Installing the X-Pack extension

Download the X-Pack plugin package: https://artifacts.elastic.co/...

Install X-Pack with the elasticsearch-plugin command:

[[email protected] elasticsearch-6.0.0]$ ./bin/elasticsearch-plugin install file:///home/elasticsearch/software/x-pack-6.0.0.zip --batch
-> Downloading file:///home/elasticsearch/software/x-pack-6.0.0.zip
[=================================================] 100%
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@     WARNING: plugin requires additional permissions     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
* java.io.FilePermission \\.\pipe\* read,write
* java.lang.RuntimePermission accessClassInPackage.com.sun.activation.registries
* java.lang.RuntimePermission getClassLoader
* java.lang.RuntimePermission setContextClassLoader
* java.lang.RuntimePermission setFactory
* java.net.SocketPermission * connect,accept,resolve
* java.security.SecurityPermission createPolicy.JavaPolicy
* java.security.SecurityPermission getPolicy
* java.security.SecurityPermission putProviderProperty.BC
* java.security.SecurityPermission setPolicy
* java.util.PropertyPermission * read,write
* java.util.PropertyPermission sun.nio.ch.bugLevel write
See http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html
for descriptions of what these permissions allow and the associated risks.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@        WARNING: plugin forks a native controller        @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
This plugin launches a native controller that is not subject to the Java
security manager nor to system call filters.
Elasticsearch keystore is required by plugin [x-pack], creating...
-> Installed x-pack
[[email protected] elasticsearch-6.0.0]$

Configuring the Java permissions: the warning printed by the install above lists the permissions that have to be granted.

Add the following entries to the $JAVA_HOME/jre/lib/security/java.policy file (inside the existing grant block):

permission java.lang.RuntimePermission "accessClassInPackage.com.sun.activation.registries";
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.lang.RuntimePermission "setFactory";
permission java.security.SecurityPermission "createPolicy.JavaPolicy";
permission java.security.SecurityPermission "getPolicy";
permission java.security.SecurityPermission "putProviderProperty.BC";
permission java.security.SecurityPermission "setPolicy";
permission java.util.PropertyPermission "*","read,write";
permission java.util.PropertyPermission "sun.nio.ch.bugLevel","write";
permission javax.net.ssl.SSLPermission "setHostnameVerifier";

[[email protected] elasticsearch-6.0.0]$ vim ~/software/jdk1.8.0_121/jre/lib/security/java.policy


Restart the Elasticsearch service and log in with the LDAP domain account user01:

[[email protected] elasticsearch-6.0.0]$ killall java
[[email protected] elasticsearch-6.0.0]$ ./bin/elasticsearch -d
[[email protected] elasticsearch-6.0.0]$ curl -XGET -u user01:user01 'http://10.59.30.96:9200/_cat?pretty'
=^.^=
/_cat/allocation
/_cat/shards
/_cat/shards/{index}
/_cat/master
/_cat/nodes
/_cat/tasks
/_cat/indices
/_cat/indices/{index}
/_cat/segments
/_cat/segments/{index}
/_cat/count
/_cat/count/{index}
/_cat/recovery
/_cat/recovery/{index}
/_cat/health
/_cat/pending_tasks
/_cat/aliases
/_cat/aliases/{alias}
/_cat/thread_pool
/_cat/thread_pool/{thread_pools}
/_cat/plugins
/_cat/fielddata
/_cat/fielddata/{fields}
/_cat/nodeattrs
/_cat/repositories
/_cat/snapshots/{repository}
/_cat/templates
[[email protected] elasticsearch-6.0.0]$

Log in with the AD domain account rocshen:

[[email protected] elasticsearch-6.0.0]$ curl http://10.59.30.96:9200/_cat?pretty -u rocshen:AD.123456
=^.^=
/_cat/allocation
/_cat/shards
/_cat/shards/{index}
/_cat/master
/_cat/nodes
/_cat/tasks
/_cat/indices
/_cat/indices/{index}
/_cat/segments
/_cat/segments/{index}
/_cat/count
/_cat/count/{index}
/_cat/recovery
/_cat/recovery/{index}
/_cat/health
/_cat/pending_tasks
/_cat/aliases
/_cat/aliases/{alias}
/_cat/thread_pool
/_cat/thread_pool/{thread_pools}
/_cat/plugins
/_cat/fielddata
/_cat/fielddata/{fields}
/_cat/nodeattrs
/_cat/repositories
/_cat/snapshots/{repository}
/_cat/templates
[[email protected] elasticsearch-6.0.0]$

Mapping domain account information to roles

The API endpoint is:

POST /_xpack/security/role_mapping/

The following steps map accounts whose username matches user1* to the admin role:

[[email protected] elasticsearch-6.0.0]$ curl -XPOST -H 'Content-type: application/json' -u elastic:elastic 'http://10.59.30.96:9200/_xpack/security/role_mapping/ldap_user_admin?pretty' -d '{
>   "roles": [ "admin" ],
>   "enabled": true,
>   "rules": {
>     "any": [
>       {
>         "field": {
>           "username": "/user1*/"
>         }
>       }
>     ]
>   }
> }'
{
  "role_mapping" : {
    "created" : true
  }
}
[[email protected] elasticsearch-6.0.0]$ curl -XGET -H 'Content-type: application/json' -u elastic:elastic 'http://10.59.30.96:9200/_xpack/security/role_mapping/ldap_user_admin?pretty'
{
  "ldap_user_admin" : {
    "enabled" : true,
    "roles" : [
      "admin"
    ],
    "rules" : {
      "any" : [
        {
          "field" : {
            "username" : "/user1*/"
          }
        }
      ]
    },
    "metadata" : { }
  }
}
[[email protected] elasticsearch-6.0.0]$

Verify the domain accounts' permissions: user01 is denied access to the indices endpoint, while user11 can access it.

[[email protected] elasticsearch-6.0.0]$ curl -XGET -u user01:user01 'http://10.59.30.96:9200/_cat/indices?pretty'
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "action [cluster:monitor/state] is unauthorized for user [user01]"
      }
    ],
    "type" : "security_exception",
    "reason" : "action [cluster:monitor/state] is unauthorized for user [user01]"
  },
  "status" : 403
}
[[email protected] elasticsearch-6.0.0]$ curl -XGET -u user11:user11 'http://10.59.30.96:9200/_cat/indices?pretty'
yellow open .monitoring-es-6-2018.01.10   nND6-i_rR5iLEYVccBGj8w 1 1 6178 44 5.9mb  5.9mb
yellow open .triggered_watches            BtygGZisSDqiL3Y2TaQGqQ 1 1    0  0 11.7kb 11.7kb
green  open .security-6                   QVRL1mcFSAilryHGEhen7Q 1 0
yellow open .watcher-history-6-2018.01.10 SBGiHDAnTPiXFoHU65VY_g 1 1  777  0 1.1mb  1.1mb
yellow open .watches                      kMzN4j5cQySZQQSDVPww8w 1 1    5  0 40.2kb 40.2kb
yellow open .monitoring-alerts-6          VygY6VN9R3S0PR_jrGy50Q 1 1    1  0 12.8kb 12.8kb
[[email protected] elasticsearch-6.0.0]$
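The role-mapping rule created above, and the two curl results that follow from it, modelled offline as an added example (not code from the post or from Elastic): a value wrapped in slashes is a regular expression matched against the whole username, so `/user1*/` grants admin to user11 (and to a bare `user`) but to neither user01 nor user12, which is the difference between the 403 and the index listing. Python's re.fullmatch stands in for Lucene's regexp syntax, an assumption that holds for patterns this simple.

```python
import re
# Added example (not from the post or Elastic): offline model of the X-Pack
# role-mapping rule DSL. re.fullmatch stands in for Lucene regexp syntax;
# for a simple pattern like user1* the two dialects agree (assumption).

def _value_matches(pattern, value):
    # /.../ is a regex matched against the whole value; anything else is literal.
    if len(pattern) > 1 and pattern[0] == pattern[-1] == "/":
        return re.fullmatch(pattern[1:-1], value) is not None
    return pattern == value

def _field_matches(field, user):
    # Every listed field must match; a list of patterns means "any of", and a
    # multi-valued user attribute (e.g. groups) matches on any element.
    for name, expected in field.items():
        actual = user.get(name)
        if actual is None:
            return False
        actuals = actual if isinstance(actual, list) else [actual]
        patterns = expected if isinstance(expected, list) else [expected]
        if not any(_value_matches(str(p), str(a)) for p in patterns for a in actuals):
            return False
    return True

def rule_matches(rule, user):
    """Recursively evaluate one any / all / except / field rule node."""
    if "any" in rule:
        return any(rule_matches(r, user) for r in rule["any"])
    if "all" in rule:
        return all(rule_matches(r, user) for r in rule["all"])
    if "except" in rule:
        return not rule_matches(rule["except"], user)
    if "field" in rule:
        return _field_matches(rule["field"], user)
    raise ValueError("unknown rule type: %s" % list(rule))

def resolve_roles(mappings, user):
    """Union of roles from every enabled mapping whose rules match the user."""
    roles = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and rule_matches(mapping["rules"], user):
            roles.update(mapping["roles"])
    return sorted(roles)

# The mapping created in the post, as returned by GET _xpack/security/role_mapping.
LDAP_USER_ADMIN = {"ldap_user_admin": {"enabled": True, "roles": ["admin"],
                   "rules": {"any": [{"field": {"username": "/user1*/"}}]}}}
```

If a glob over user1x accounts was intended, the pattern should be written as a regex such as `/user1.*/`; checking a mapping against a handful of known usernames this way before pushing it to the cluster avoids granting a privileged role to the wrong set of accounts.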

Common errors

No subject alternative names matching IP address

[2018-01-10T19:19:35,483][WARN ][o.e.x.s.t.n.SecurityNetty4Transport] [fzP4t-4] exception caught on transport layer [[id: 0x5d97fe48, L:/0:0:0:0:0:0:0:1:49121 ! R:/0:0:0:0:0:0:0:1:9300]], closing connection
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
......
Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 0:0:0:0:0:0:0:1 found

There are two fixes: either disable the IPv6 address, or set network.host in ES_HOME/config/elasticsearch.yml to the IP address of the host's eth0 interface (the certificate's subject alternative names must cover the address the node actually binds to).

References

Official installation steps:

https://www.elastic.co/guide/...

Setting the built-in users' passwords:

https://www.elastic.co/guide/...

Changing a user's password:

https://www.elastic.co/guide/...

User management operations:

https://www.elastic.co/guide/...

Authenticating with LDAP:

https://www.elastic.co/guide/...

User role mapping:

https://www.elastic.co/guide/...
