Elasticsearch
管理Elasticsearch 集群
集群身份认证与用户鉴权
原因分析
- Elasticsearch在默认安装后,不提供任何形式的安全防护
- 错 误的配置信息导致公网可以访问ES集群
- 在 elasticsearch. yml文件中,server. host被错误的配置为0. 0.0.0.
数据安全性的基本需求
一些免费的方案
- 设置Nginx反向代理
- 安装免费的Security 插件
- Search Guard - https://search- guard. com/
- Read0nly REST - https://gi thub. com/ sscarduz io/elas ticsearch-readonlyrest-plugin
- Search Guard - https://search- guard. com/
- X-Pack 的Basic 版
- 从 ES 6.8& ES 7.0开始,Security纳入x-pack 的Basic 版本中,免费使用一些基本的功能
- https://www. elastic. co/what-is/elastic-s tack- security
Authentication -身份认证
- 认证体 系的几种类型
- 提供用户名和密码
- 提供秘钥或Kerberos 票据
- Realms: X-Pack 中的认证服务
- 内置Realms (免费)
- File / Native (用户名密码保存在Elasticsearch )
- 外部 Realms (收费)
- LDAP / Active Directory / PKI / SAML / Kerberos
- 内置Realms (免费)
RBAC -用户鉴权
- 什么是RBAC: Role Based Access Control,定 义一个角色,并分配- -组权限。权限包括索引
级,字段级,集群级的不同的操作。然后通过将角色分配给用户,使得用户拥有这些权限- User: The authenticated User
- Role: A named set of permiss ions
- Permission - A set of one or more privileges against a secured resource
- Privilege - A named group of 1 or more actions that user may execute against a secured
resource
Privilege
- Cluster Privileges
- all / monitor / manager / manage_ index / manage_ index_ template / manage_ _rollup
- Indices Privileges
- all / create / create_ index / delete / delete_ index / index / manage / read /write / view_ index_metadata
创建内置的用户和角色
- 内置的角色与用户
| 用户 | 角色 |
|---|---|
| elastic | Supper User |
| kibana | The user that is used by Kibana to connect and communicate with Elasticsearch. |
| logstash_ system | The user that is used by Logstash when storing monitoring information in Elasticsearch. |
| beats_ system | The user that the different Beats use when storing monitoring information in Elastics earch. |
| apm_ system | The user that the APM server uses when storing monitoring information in Elasticsearch. . |
| Remote_ moni toring _user | The user that is used by Metricbeat when collecting and storing monitoring information in Elasticsearch. |
使用Security API创建用户
开启并配置X-Pack的认证与鉴权
-
修改配置文件, 打开认证与授权
- bin/elasticsearch -E node. name=node0 -E cluster. name=geektime -E path. data=node0_ _data -E http. port=9200 -E xpack. security. enab led=true
-
创建默认的用户和分组.
- bin/elasticsearch-password interactive
-
当集群开启身份认证之后,配置Kibana .
-
Demo
- 创建-一个Role, 配置为对某个索引只读权限/创建-一个用户,把用户加入Role
配置Kibana
-
修改kibana. yml
- elasticsearch.username : "kibana”
- elasticsearch. password: "changeme’
创建Role
创建用户
删除索引失败
demoAPI
#启动单节点
bin/elasticsearch -E node.name=node0 -E cluster.name=geektime -E path.data=node0_data -E http.port=9200 -E xpack.security.enabled=true
#使用Curl访问ES,或者浏览器访问 “localhost:9200/_cat/nodes?pretty”。返回401错误
curl 'localhost:9200/_cat/nodes?pretty'
#运行密码设定的命令,设置ES内置用户及其初始密码。
bin/elasticsearch-setup-passwords interactive
curl -u elastic 'localhost:9200/_cat/nodes?pretty'
# 修改 kibana.yml
elasticsearch.username: "kibana"
elasticsearch.password: "changeme"
#启动。使用用户名,elastic,密码elastic
./bin/kibana
POST orders/_bulk
{"index":{}}
{"product" : "1","price" : 18,"payment" : "master","card" : "9876543210123456","name" : "jack"}
{"index":{}}
{"product" : "2","price" : 99,"payment" : "visa","card" : "1234567890123456","name" : "bob"}
#create a new role named read_only_orders, that satisfies the following criteria:
#The role has no cluster privileges
#The role only has access to indices that match the pattern sales_record
#The index privileges are read, and view_index_metadata
#create sales_user that satisfies the following criteria:
# Use your own email address
# Assign the user to two roles: read_only_orders and kibana_user
#验证读权限,可以执行
POST orders/_search
{}
#验证写权限,报错
POST orders/_bulk
{"index":{}}
{"product" : "1","price" : 18,"payment" : "master","card" : "9876543210123456","name" : "jack"}
{"index":{}}
{"product" : "2","price" : 99,"payment" : "visa","card" : "1234567890123456","name" : "bob"}
相关配置链接
https://www.elastic.co/guide/en/elasticsearch/reference/7.1/configuring-security.html
本节知识点
-
为什么 需要保护ES中的数据.
-
如何使用 X-Pack Security保护你的数据
-
Elasticsearch中RBAC的机制和默认创建的用户和角色
-
配置Elasticsearch 和Kibana 开启身份认证和用户鉴权
-
使用Native Realm,通过API和Kibana管理用户分组和权限
集群内部安全通信
为什么要加密通讯
为节点创建证书
-
TLS
- TLS协议要求Trusted Certificate Authority (CA) 签发的X. 509的证书.
-
证书认证的不同级别
-
Certificate -节点加入需要使用相同CA签发的证书
-
Full Verification -节点加入集群需要相同CA签发的证书,还需要验证Host name或IP 地址
-
No Verification -任何节点都可以加入,开发环境中用于诊断目的
-
生成节点证书
- bin/elasticsearch-certutil ca
- bin/elasti csearch-certutil cert --ca elastic-stack-ca. p12
- https://www. elastic. co/ guide/en/elasticsearch/reference/7.1/configuring-tls. html
配置节点间通讯
xpack. security. transport.ssl.enabled: true
xpack. security. transport.ssl.verification mode: certificate
xpack. security. transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack. security. transport.ssl. truststore.path: certs/elastic-certificates.p12
demoAPI
# 生成证书
# 为您的Elasticearch集群创建一个证书颁发机构。例如,使用elasticsearch-certutil ca命令:
bin/elasticsearch-certutil ca
#为群集中的每个节点生成证书和私钥。例如,使用elasticsearch-certutil cert 命令:
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
#将证书拷贝到 config/certs目录下
elastic-certificates.p12
bin/elasticsearch -E node.name=node0 -E cluster.name=geektime -E path.data=node0_data -E http.port=9200 -E xpack.security.enabled=true -E xpack.security.transport.ssl.enabled=true -E xpack.security.transport.ssl.verification_mode=certificate -E xpack.security.transport.ssl.keystore.path=certs/elastic-certificates.p12 -E xpack.security.transport.ssl.truststore.path=certs/elastic-certificates.p12
bin/elasticsearch -E node.name=node1 -E cluster.name=geektime -E path.data=node1_data -E http.port=9201 -E xpack.security.enabled=true -E xpack.security.transport.ssl.enabled=true -E xpack.security.transport.ssl.verification_mode=certificate -E xpack.security.transport.ssl.keystore.path=certs/elastic-certificates.p12 -E xpack.security.transport.ssl.truststore.path=certs/elastic-certificates.p12
#不提供证书的节点,无法加入
bin/elasticsearch -E node.name=node2 -E cluster.name=geektime -E path.data=node2_data -E http.port=9202 -E xpack.security.enabled=true -E xpack.security.transport.ssl.enabled=true -E xpack.security.transport.ssl.verification_mode=certificate
## elasticsearch.yml 配置
#xpack.security.transport.ssl.enabled: true
#xpack.security.transport.ssl.verification_mode: certificate
#xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
#xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
本节知识点
- 为什么内部通信需要加密
- 创建Certificate Authority (CA) 和节点的Certificates
- 配置Elasticsearch节点间通信加密
集群与外部间的安全通信
本节知识点
- 使用HTTPS 的重要性
- 配置Elasticsearch
- 配置Kibana
- Kibana to Elasticsearch
- Browser to Kibana .
为什么需要HTTPS
配置Elasticsearch for HTTPS
xpack. security.http.ssl.enabled: true
xpack. security.http.ssl.keystore.path: certs/elastic-certificates.p12
xpack. security.http .ss1.truststore.path: certs/elastic-certificates.p12
# ES 启用 https
bin/elasticsearch -E node.name=node0 -E cluster.name=geektime -E path.data=node0_data -E http.port=9200 -E xpack.security.enabled=true -E xpack.security.transport.ssl.enabled=true -E xpack.security.transport.ssl.verification_mode=certificate -E xpack.security.transport.ssl.keystore.path=certs/elastic-certificates.p12 -E xpack.security.http.ssl.enabled=true -E xpack.security.http.ssl.keystore.path=certs/elastic-certificates.p12 -E xpack.security.http.ssl.truststore.path=certs/elastic-certificates.p12
配置Kibana 连接ES HTTPS
elasticsearch.hosts: ["https://<your_ elasticsearch host>:9200"]
elasticsearch. ssl . certificateAuthorities: /path/to/your/ca.crt
配置使用HTTPS 访问Kibana
bin/elasticsearch-certutil cert --ca /path/to/your/ca --pem
server.ssl.enabled: true
server.ssl.key: /path/to/your/key
server .ssl.certificate: /path/to/your/crt
#Kibana 连接 ES https
# 为kibana生成pem
openssl pkcs12 -in elastic-certificates.p12 -cacerts -nokeys -out elastic-ca.pem
elasticsearch.hosts: ["https://localhost:9200"]
elasticsearch.ssl.certificateAuthorities: [ "/Users/yiruan/geektime/kibana-7.1.0/config/certs/elastic-ca.pem" ]
elasticsearch.ssl.verificationMode: certificate
# 为 Kibna 配置 HTTPS
# 生成后解压,包含了instance.crt 和 instance.key
bin/elasticsearch-certutil ca --pem
server.ssl.enabled: true
server.ssl.certificate: config/certs/instance.crt
server.ssl.key: config/certs/instance.key
647
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
