Reference for Elasticsearch concepts:
https://segmentfault.com/a/11...
Reference for installing Elasticsearch:
https://segmentfault.com/a/11...
Installing the X-Pack extension
Download the X-Pack plugin package: https://artifacts.elastic.co/...
Install X-Pack with the elasticsearch-plugin command:
[[email protected] elasticsearch-6.0.0]$ ./bin/elasticsearch-plugin install file:///home/elasticsearch/software/x-pack-6.0.0.zip --batch
-> Downloading file:///home/elasticsearch/software/x-pack-6.0.0.zip
[=================================================] 100%
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: plugin requires additional permissions @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
* java.io.FilePermission \\.\pipe\* read,write
* java.lang.RuntimePermission accessClassInPackage.com.sun.activation.registries
* java.lang.RuntimePermission getClassLoader
* java.lang.RuntimePermission setContextClassLoader
* java.lang.RuntimePermission setFactory
* java.net.SocketPermission * connect,accept,resolve
* java.security.SecurityPermission createPolicy.JavaPolicy
* java.security.SecurityPermission getPolicy
* java.security.SecurityPermission putProviderProperty.BC
* java.security.SecurityPermission setPolicy
* java.util.PropertyPermission * read,write
* java.util.PropertyPermission sun.nio.ch.bugLevel write
See http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html
for descriptions of what these permissions allow and the associated risks.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: plugin forks a native controller @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
This plugin launches a native controller that is not subject to the Java
security manager nor to system call filters.
Elasticsearch keystore is required by plugin [x-pack], creating...
-> Installed x-pack
[[email protected] elasticsearch-6.0.0]$
Configuring Java permissions. The "plugin requires additional permissions" warning printed by the install step lists what has to be granted. Add the following entries to $JAVA_HOME/jre/lib/security/java.policy, inside the existing grant { ... }; block (this file is read by every Java program that runs on this JDK, so the grants apply JVM-wide):
permission java.lang.RuntimePermission "accessClassInPackage.com.sun.activation.registries";
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.lang.RuntimePermission "setFactory";
permission java.security.SecurityPermission "createPolicy.JavaPolicy";
permission java.security.SecurityPermission "getPolicy";
permission java.security.SecurityPermission "putProviderProperty.BC";
permission java.security.SecurityPermission "setPolicy";
permission java.util.PropertyPermission "*","read,write";
permission java.util.PropertyPermission "sun.nio.ch.bugLevel","write";
permission javax.net.ssl.SSLPermission "setHostnameVerifier";
[[email protected] elasticsearch-6.0.0]$ vim ~/software/jdk1.8.0_121/jre/lib/security/java.policy
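The install warning and the java.policy entries above are the same permissions written in two notations. As an added example (not part of the original post), here is a small Python helper that turns the warning lines into java.policy syntax and flags the grants a reviewer should look at twice: wildcard targets (any socket, any system property) and the SecurityPermissions that let code replace the JVM security policy itself. The sample warning text is constructed from the banner above, the plugin path is hypothetical, and the codeBase form is standard java.policy syntax for limiting a grant to one location instead of every Java program that uses the JDK.

```python
import re

# Constructed sample input: permission lines from the elasticsearch-plugin
# warning banner shown above (abbreviated; the list varies by plugin version).
PLUGIN_WARNING = r"""
@ WARNING: plugin requires additional permissions @
* java.lang.RuntimePermission accessClassInPackage.com.sun.activation.registries
* java.lang.RuntimePermission getClassLoader
* java.net.SocketPermission * connect,accept,resolve
* java.security.SecurityPermission createPolicy.JavaPolicy
* java.security.SecurityPermission setPolicy
* java.util.PropertyPermission * read,write
* java.util.PropertyPermission sun.nio.ch.bugLevel write
See http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html
"""

# A warning line has the shape "* <permission class> <target> [<actions>]".
PERM_LINE = re.compile(r"^\*\s+(\S+)\s+(.+?)\s*$")


def parse_permissions(text):
    """Return (class, target, actions) tuples; actions is None when absent."""
    perms = []
    for line in text.splitlines():
        m = PERM_LINE.match(line)
        if not m:
            continue
        cls, rest = m.group(1), m.group(2)
        # The trailing token is the action list for classes that take one
        # (SocketPermission, PropertyPermission, ...); the targets in this
        # banner never contain spaces, so a single rsplit is enough.
        if " " in rest:
            target, actions = rest.rsplit(" ", 1)
        else:
            target, actions = rest, None
        perms.append((cls, target, actions))
    return perms


def to_policy_entries(perms):
    """Render each tuple as: permission <class> "<target>"[, "<actions>"];"""
    entries = []
    for cls, target, actions in perms:
        if actions is None:
            entries.append(f'permission {cls} "{target}";')
        else:
            entries.append(f'permission {cls} "{target}", "{actions}";')
    return entries


def render_grant(perms, codebase=None):
    """Wrap the entries in a grant block. Without a codebase the grant applies
    to all code (as in the JVM-wide java.policy edit above); with one, it is
    limited to that location ("-" at the end means recursively)."""
    header = "grant {" if codebase is None else f'grant codeBase "{codebase}" {{'
    body = ["    " + e for e in to_policy_entries(perms)]
    return "\n".join([header] + body + ["};"])


def broad_grants(perms):
    """Entries worth a second look: wildcard targets, and the permissions that
    allow code to install a new security policy for the whole JVM."""
    policy_control = {"setPolicy", "createPolicy.JavaPolicy"}
    return [
        p for p in perms
        if p[1] == "*"
        or (p[0] == "java.security.SecurityPermission" and p[1] in policy_control)
    ]


if __name__ == "__main__":
    perms = parse_permissions(PLUGIN_WARNING)
    # Hypothetical plugin directory, used only to show a scoped grant.
    print(render_grant(perms, codebase="file:/home/elasticsearch/elasticsearch-6.0.0/plugins/x-pack/-"))
    for cls, target, actions in broad_grants(perms):
        print("review:", cls, target, actions or "")
```

Running it prints a codeBase-scoped grant block followed by the four entries that need review. Whether you keep the grant global or scope it, the policy-control permissions are the ones to justify explicitly, because code holding them can widen its own permissions afterwards.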
Restart the Elasticsearch service and log in with the LDAP domain account user01:
[[email protected] elasticsearch-6.0.0]$ killall java
[[email protected] elasticsearch-6.0.0]$ ./bin/elasticsearch -d
[[email protected] elasticsearch-6.0.0]$ curl -XGET -u user01:user01 'http://10.59.30.96:9200/_cat?pretty'
=^.^=
/_cat/allocation
/_cat/shards
/_cat/shards/{index}
/_cat/master
/_cat/nodes
/_cat/tasks
/_cat/indices
/_cat/indices/{index}
/_cat/segments
/_cat/segments/{index}
/_cat/count
/_cat/count/{index}
/_cat/recovery
/_cat/recovery/{index}
/_cat/health
/_cat/pending_tasks
/_cat/aliases
/_cat/aliases/{alias}
/_cat/thread_pool
/_cat/thread_pool/{thread_pools}
/_cat/plugins
/_cat/fielddata
/_cat/fielddata/{fields}
/_cat/nodeattrs
/_cat/repositories
/_cat/snapshots/{repository}
/_cat/templates
[[email protected] elasticsearch-6.0.0]$
Log in with the AD domain account rocshen:
[[email protected] elasticsearch-6.0.0]$ curl http://10.59.30.96:9200/_cat?pretty -u rocshen:AD.123456
=^.^=
/_cat/allocation
/_cat/shards
/_cat/shards/{index}
/_cat/master
/_cat/nodes
/_cat/tasks
/_cat/indices
/_cat/indices/{index}
/_cat/segments
/_cat/segments/{index}
/_cat/count
/_cat/count/{index}
/_cat/recovery
/_cat/recovery/{index}
/_cat/health
/_cat/pending_tasks
/_cat/aliases
/_cat/aliases/{alias}
/_cat/thread_pool
/_cat/thread_pool/{thread_pools}
/_cat/plugins
/_cat/fielddata
/_cat/fielddata/{fields}
/_cat/nodeattrs
/_cat/repositories
/_cat/snapshots/{repository}
/_cat/templates
[[email protected] elasticsearch-6.0.0]$
Mapping domain accounts to roles
The API endpoint is:
POST /_xpack/security/role_mapping/<mapping name>
The steps below map accounts matching user1* to the admin role:
[[email protected] elasticsearch-6.0.0]$ curl -XPOST -H 'Content-type: application/json' -u elastic:elastic 'http://10.59.30.96:9200/_xpack/security/role_mapping/ldap_user_admin?pretty' -d '{
> "roles": [ "admin" ],
> "enabled": true,
> "rules": {
> "any": [
> {
> "field": {
> "username": "/user1*/"
> }
> }
> ]
> }
> }'
{
"role_mapping" : {
"created" : true
}
}
[[email protected] elasticsearch-6.0.0]$ curl -XGET -H 'Content-type: application/json' -u elastic:elastic 'http://10.59.30.96:9200/_xpack/security/role_mapping/ldap_user_admin?pretty'
{
"ldap_user_admin" : {
"enabled" : true,
"roles" : [
"admin"
],
"rules" : {
"any" : [
{
"field" : {
"username" : "/user1*/"
}
}
]
},
"metadata" : { }
}
}
[[email protected] elasticsearch-6.0.0]$
Verify the domain accounts' permissions: user01 is denied access to the indices endpoint, while user11 is allowed:
[[email protected] elasticsearch-6.0.0]$ curl -XGET -u user01:user01 'http://10.59.30.96:9200/_cat/indices?pretty'
{
"error" : {
"root_cause" : [
{
"type" : "security_exception",
"reason" : "action [cluster:monitor/state] is unauthorized for user [user01]"
}
],
"type" : "security_exception",
"reason" : "action [cluster:monitor/state] is unauthorized for user [user01]"
},
"status" : 403
}
[[email protected] elasticsearch-6.0.0]$ curl -XGET -u user11:user11 'http://10.59.30.96:9200/_cat/indices?pretty'
yellow open .monitoring-es-6-2018.01.10 nND6-i_rR5iLEYVccBGj8w 1 1 6178 44 5.9mb 5.9mb
yellow open .triggered_watches BtygGZisSDqiL3Y2TaQGqQ 1 1 0 0 11.7kb 11.7kb
green open .security-6 QVRL1mcFSAilryHGEhen7Q 1 0
yellow open .watcher-history-6-2018.01.10 SBGiHDAnTPiXFoHU65VY_g 1 1 777 0 1.1mb 1.1mb
yellow open .watches kMzN4j5cQySZQQSDVPww8w 1 1 5 0 40.2kb 40.2kb
yellow open .monitoring-alerts-6 VygY6VN9R3S0PR_jrGy50Q 1 1 1 0 12.8kb 12.8kb
[[email protected] elasticsearch-6.0.0]$
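The mapping above uses "/user1*/", and the verification shows user11 getting in while user01 is refused. As an added illustration (not from the original post), here is a small Python evaluator for role-mapping rule trees that makes the reason visible: inside "/.../" the value is a Lucene regular expression matched against the whole username, so user1* means "user" followed by any number of 1s, which accepts user, user1, user11 and user111 but not user01 or user12. A second, constructed mapping using the bare wildcard form user1* (which the role-mapping docs describe as glob-style matching) is included for comparison. The user documents and role names are constructed, and Python's re only approximates Lucene regex syntax, so the comparison holds for simple patterns like these.

```python
import re

# Constructed: the mapping created above, in the shape GET /_xpack/security/role_mapping
# returns it, plus a second mapping using the '*' wildcard form (not on the page).
MAPPINGS = {
    "ldap_user_admin": {
        "enabled": True,
        "roles": ["admin"],
        "rules": {"any": [{"field": {"username": "/user1*/"}}]},
    },
    "ldap_user_monitor_glob": {
        "enabled": True,
        "roles": ["monitoring_user"],
        "rules": {"field": {"username": "user1*"}},
    },
}


def _lookup(user, name):
    """Resolve a dotted field name such as 'realm.name' or 'metadata.dept'."""
    node = user
    for part in name.split("."):
        if not isinstance(node, dict):
            return None
        node = node.get(part)
    return node


def _value_matches(pattern, value):
    if isinstance(pattern, list):                      # list: any listed value matches
        return any(_value_matches(p, value) for p in pattern)
    if pattern is None:
        return value is None
    if isinstance(pattern, str) and len(pattern) >= 2 and pattern[0] == pattern[-1] == "/":
        # "/.../" is a Lucene regular expression, implicitly anchored to the whole value.
        # Approximated with re.fullmatch; Lucene-only syntax (~, &, <n-m>) is not translated.
        return isinstance(value, str) and re.fullmatch(pattern[1:-1], value) is not None
    if isinstance(pattern, str) and "*" in pattern:
        # A bare string containing '*' is a wildcard pattern, also matched against the whole value.
        regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
        return isinstance(value, str) and re.fullmatch(regex, value) is not None
    return pattern == value                            # anything else: exact, case-sensitive


def _field_rule(spec, user):
    # Every field named in the rule must match (real rules normally name just one).
    # A multi-valued user attribute such as groups matches if any of its values matches.
    for name, pattern in spec.items():
        actual = _lookup(user, name)
        values = actual if isinstance(actual, list) else [actual]
        if not any(_value_matches(pattern, v) for v in values):
            return False
    return True


def evaluate(rule, user):
    """Evaluate an any/all/except/field rule tree against a user document."""
    if "any" in rule:
        return any(evaluate(r, user) for r in rule["any"])
    if "all" in rule:
        return all(evaluate(r, user) for r in rule["all"])
    if "except" in rule:
        return not evaluate(rule["except"], user)
    if "field" in rule:
        return _field_rule(rule["field"], user)
    raise ValueError(f"unknown rule type in {rule!r}")


def roles_for(user, mappings=MAPPINGS):
    """Union of roles from every enabled mapping whose rules accept the user."""
    granted = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and evaluate(mapping["rules"], user):
            granted.update(mapping["roles"])
    return sorted(granted)


def ldap_user(name, groups=()):
    # Constructed user document in the shape a realm hands to role mapping.
    return {"username": name, "dn": f"uid={name},ou=people,dc=example,dc=com",
            "groups": list(groups), "realm": {"name": "ldap1"}, "metadata": {}}


if __name__ == "__main__":
    for name in ["user01", "user11", "user", "user111", "user12", "user1abc"]:
        print(f"{name:9} -> {roles_for(ldap_user(name))}")
```

The output shows the two forms diverging: the regex mapping hands admin to the plain account "user" and withholds it from user12, while the wildcard mapping does the opposite. When a mapping is meant to cover a naming prefix, say so with an anchored regex such as "/user1.*/" or the wildcard form, and read the mapping back with GET as the page does to confirm what was stored.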
Common errors
No subject alternative names matching IP address
[2018-01-10T19:19:35,483][WARN ][o.e.x.s.t.n.SecurityNetty4Transport] [fzP4t-4] exception caught on transport layer [[id: 0x5d97fe48, L:/0:0:0:0:0:0:0:1:49121 ! R:/0:0:0:0:0:0:0:1:9300]], closing connection
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
......
Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 0:0:0:0:0:0:0:1 found
The transport TLS certificate has no subject alternative name for the IPv6 loopback address the node connected to. There are two fixes: either disable the IPv6 address, or set network.host in ES_HOME/config/elasticsearch.yml to the IP address of the host's eth0 interface.
References
Official installation steps:
https://www.elastic.co/guide/...
Setting built-in account passwords:
https://www.elastic.co/guide/...
Changing account passwords:
https://www.elastic.co/guide/...
User management operations:
https://www.elastic.co/guide/...
Authenticating with LDAP:
https://www.elastic.co/guide/...
User role mapping:
https://www.elastic.co/guide/...