    Elasticsearch security authentication: Search Guard configuration

    Other articles in the big-data security series

    https://www.cnblogs.com/bainianminguo/p/12548076.html ----------- Installing Kerberos

    https://www.cnblogs.com/bainianminguo/p/12548334.html ----------- Kerberos authentication for Hadoop

    https://www.cnblogs.com/bainianminguo/p/12548175.html ----------- Kerberos authentication for ZooKeeper

    https://www.cnblogs.com/bainianminguo/p/12584732.html ----------- Kerberos authentication for Hive

    https://www.cnblogs.com/bainianminguo/p/12584880.html ----------- Search Guard authentication for Elasticsearch

    https://www.cnblogs.com/bainianminguo/p/12639821.html ----------- Kerberos authentication for Flink

    https://www.cnblogs.com/bainianminguo/p/12639887.html ----------- Kerberos authentication for Spark

    I. Install Elasticsearch

    1. Unpack and rename the installation package

    tar -zxvf elasticsearch-6.4.3.tar.gz -C /usr/local/
    mv elasticsearch-6.4.3/ elasticsearch
    

      

    2. Create the es group and the es user

    [root@cluster1_host1 elasticsearch]# groupadd es
    [root@cluster1_host1 elasticsearch]# useradd es -g es
    [root@cluster1_host1 elasticsearch]# passwd es
    

      

    3. Change the owner and group of the Elasticsearch directory

    chown -R es:es /usr/local/elasticsearch/
    

      

    4. Distribute the installation to the other nodes

    scp -r /usr/local/elasticsearch/ root@10.87.18.33:/usr/local/
    

      

    5. Edit /etc/security/limits.conf

    * soft nofile 65536
    * hard nofile 65536
    * soft nproc 65536
    * hard nproc 65536
    

      

    6. Edit /etc/sysctl.conf

    vm.max_map_count=262144
    

      

    7. Start Elasticsearch and check that the nodes have joined

    [root@cluster1_host1 ~]# curl '10.87.18.31:9200/_cat/nodes?v'
    ip          heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
    10.87.18.32           27          12   6    0.59    0.25     0.10 mdi       *      cluster1_host2
    10.87.18.33           24          13   7    0.31    0.16     0.07 mdi       -      cluster1_host1
    10.87.18.31           28          13   6    0.41    0.24     0.11 mdi       -      cluster1_host1
    

      

    II. Configure the Search Guard plugin for Elasticsearch

    1. Download the Search Guard plugin

    https://repo1.maven.org/maven2/com/floragunn/search-guard-6/6.4.3-25.5/search-guard-6-6.4.3-25.5.zip
    

      

    2. Download the TLS tool, which is used to generate the certificates

    https://repo1.maven.org/maven2/com/floragunn/search-guard-tlstool/1.7/search-guard-tlstool-1.7.tar.gz
    

      

    3. Run the following command on each node; the hostname (cluster1_host3 here, highlighted in red in the original) is replaced by that node's own hostname

    curl -Ss -XPUT 'http://cluster1_host3:9200/_cluster/settings?pretty' \
    -H 'Content-Type: application/json' -d'
    {
      "persistent": {
        "cluster.routing.allocation.enable": "none"
      }
    }
    '
    

      

    Then shut down Elasticsearch.

    4. Install the Search Guard plugin (this must be done on every node)

    [es@cluster1_host1 bin]$ ./elasticsearch-plugin install -b file:///es/search-guard-6-6.4.3-25.5.zip 
    -> Downloading file:///es/search-guard-6-6.4.3-25.5.zip
    

      

    5. Generate the certificates with the TLS tool: first unpack its archive

    tar -zxvf search-guard-tlstool-1.7.tar.gz -C /usr/local/search-guard-tlstool/
    

      

    6. Copy the template configuration file

    [es@cluster1_host1 config]$ cp example.yml tlsconfig.yml
    [es@cluster1_host1 config]$ ll
    total 24
    -rw-r--r--. 1 es es 4731 Jun  5  2019 example.yml
    -rw-r--r--. 1 es es 5634 Jun  5  2019 template.yml
    -rw-r--r--. 1 es es 4731 Feb 29 02:43 tlsconfig.yml
    [es@cluster1_host1 config]$ pwd
    /usr/local/search-guard-tlstool/config
    [es@cluster1_host1 config]$ 
    

      

    7. Edit the configuration file

    [es@cluster1_host1 config]$ cat tlsconfig.yml 
    ###
    ### Self-generated certificate authority
    ### 
    # 
    # If you want to create a new certificate authority, you must specify its parameters here. 
    # You can skip this section if you only want to create CSRs
    #
    ca:
       root:
          # The distinguished name of this CA. You must specify a distinguished name.   
          dn: CN=root.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
    
          # The size of the generated key in bits
          keysize: 2048
    
          # The validity of the generated certificate in days from now
          validityDays: 3650
          
          # Password for private key
          #   Possible values: 
          #   - auto: automatically generated password, returned in config output; 
          #   - none: unencrypted private key; 
          #   - other values: other values are used directly as password   
          pkPassword: teststt 
          
          # The name of the generated files can be changed here
          file: root-ca.pem
          
       # If you want to use an intermediate certificate as signing certificate,
       # please specify its parameters here. This is optional. If you remove this section,
       # the root certificate will be used for signing.         
       intermediate:
          # The distinguished name of this CA. You must specify a distinguished name.
          dn: CN=signing.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
       
          # The size of the generated key in bits   
          keysize: 2048
          
          # The validity of the generated certificate in days from now      
          validityDays: 3650
      
          pkPassword: teststt
                
          # If you have a certificate revocation list, you can specify its distribution points here      
          crlDistributionPoints: URI:https://raw.githubusercontent.com/floragunncom/unittest-assets/master/revoked.crl
    
    ### 
    ### Default values and global settings
    ###
    defaults:
    
          # The validity of the generated certificate in days from now
          validityDays: 3650 
          
          # Password for private key
          #   Possible values: 
          #   - auto: automatically generated password, returned in config output; 
          #   - none: unencrypted private key; 
          #   - other values: other values are used directly as password   
          pkPassword: teststt      
          
          # Specifies to recognize legitimate nodes by the distinguished names
          # of the certificates. This can be a list of DNs, which can contain wildcards.
          # Furthermore, it is possible to specify regular expressions by
          # enclosing the DN in //. 
          # Specification of this is optional. The tool will always include
          # the DNs of the nodes specified in the nodes section.            
          #nodesDn:
          #- "CN=*.example.com,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com"
          # - 'CN=node.other.com,OU=SSL,O=Test,L=Test,C=DE'
          # - 'CN=*.example.com,OU=SSL,O=Test,L=Test,C=DE'
          # - 'CN=elk-devcluster*'
          # - '/CN=.*regex/' 
    
          # If you want to use OIDs to mark legitimate node certificates, 
          # the OID can be included in the certificates by specifying the following
          # attribute
          
          # nodeOid: "1.2.3.4.5.5"
    
          # The length of auto generated passwords            
          generatedPasswordLength: 12
          
          # Set this to true in order to generate config and certificates for 
          # the HTTP interface of nodes
          httpsEnabled: true
          
          # Set this to true in order to re-use the node transport certificates
          # for the HTTP interfaces. Only recognized if httpsEnabled is true
          
          # reuseTransportCertificatesForHttp: false
          
          # Set this to true to enable hostname verification
          #verifyHostnames: false
          
          # Set this to true to resolve hostnames
          #resolveHostnames: false
          
          
    ###
    ### Nodes
    ###
    #
    # Specify the nodes of your ES cluster here
    #      
    nodes:
      - name: cluster1_host1 
        dn: CN=cluster1_host1,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
        dns: cluster1_host1
        ip: 10.87.18.31
      - name: cluster1_host2
        dn: CN=cluster1_host2,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
        dns: cluster1_host2 
        ip: 10.87.18.32 
      - name: cluster1_host3 
        dn: CN=cluster1_host3,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
        dns: cluster1_host3
        ip: 10.87.18.33
    ###
    ### Clients
    ###
    #
    # Specify the clients that shall access your ES cluster with certificate authentication here
    #
    # At least one client must be an admin user (i.e., a super-user). Admin users can
    # be specified with the attribute admin: true    
    #        
    clients:
      - name: spock
        dn: CN=spock.example.com,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
      - name: kirk
        dn: CN=kirk.example.com,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
        admin: true
    

      

    8. Copy the tool directory to the other nodes and change its owner and group to es

    [root@cluster1_host1 data]# scp -r /usr/local/search-guard-tlstool/ root@10.87.18.33:/usr/local/
    

      

    9. Generate the certificate files

    Create the output directory for the certificates

    [es@cluster1_host1 config]$ cd /usr/local/elasticsearch/config
    [es@cluster1_host1 config]$ mkdir out
    

      

    10. The certificate generation command

    [es@cluster1_host1 tools]$ ./sgtlstool.sh -c /usr/local/search-guard-tlstool/config/tlsconfig.yml -ca -crt -t /usr/local/elasticsearch/config/out/
    Root certificate and signing certificate have been sucessfully created.
    
    Created 6 node certificates.
    Created 2 client certificates.
    

      

    11. The generated certificate files

    [es@cluster1_host1 out]$ cd /usr/local/elasticsearch/config/out/
    [es@cluster1_host1 out]$ ll
    total 96
    -rw-rw-r--. 1 es es  294 Feb 29 02:59 client-certificates.readme
    -rw-rw-r--. 1 es es 1388 Feb 29 02:59 cluster1_host1_elasticsearch_config_snippet.yml
    -rw-rw-r--. 1 es es 1801 Feb 29 02:59 cluster1_host1_http.key
    -rw-rw-r--. 1 es es 3201 Feb 29 02:59 cluster1_host1_http.pem
    -rw-rw-r--. 1 es es 1801 Feb 29 02:59 cluster1_host1.key
    -rw-rw-r--. 1 es es 3201 Feb 29 02:59 cluster1_host1.pem
    -rw-rw-r--. 1 es es 1388 Feb 29 02:59 cluster1_host2_elasticsearch_config_snippet.yml
    -rw-rw-r--. 1 es es 1789 Feb 29 02:59 cluster1_host2_http.key
    -rw-rw-r--. 1 es es 3201 Feb 29 02:59 cluster1_host2_http.pem
    -rw-rw-r--. 1 es es 1801 Feb 29 02:59 cluster1_host2.key
    -rw-rw-r--. 1 es es 3201 Feb 29 02:59 cluster1_host2.pem
    -rw-rw-r--. 1 es es 1388 Feb 29 02:59 cluster1_host3_elasticsearch_config_snippet.yml
    -rw-rw-r--. 1 es es 1801 Feb 29 02:59 cluster1_host3_http.key
    -rw-rw-r--. 1 es es 3201 Feb 29 02:59 cluster1_host3_http.pem
    -rw-rw-r--. 1 es es 1801 Feb 29 02:59 cluster1_host3.key
    -rw-rw-r--. 1 es es 3201 Feb 29 02:59 cluster1_host3.pem
    -rw-rw-r--. 1 es es 1801 Feb 29 02:59 kirk.key
    -rw-rw-r--. 1 es es 3144 Feb 29 02:59 kirk.pem
    -rw-rw-r--. 1 es es 1801 Feb 29 02:59 root-ca.key
    -rw-rw-r--. 1 es es 1371 Feb 29 02:59 root-ca.pem
    -rw-rw-r--. 1 es es 1801 Feb 29 02:59 signing-ca.key
    -rw-rw-r--. 1 es es 1558 Feb 29 02:59 signing-ca.pem
    -rw-rw-r--. 1 es es 1801 Feb 29 02:59 spock.key
    -rw-rw-r--. 1 es es 3144 Feb 29 02:59 spock.pem
    

      

    12. Verify the certificates

    [es@cluster1_host1 out]$ /usr/local/search-guard-tlstool/tools/sgtlsdiag.sh -ca /usr/local/elasticsearch/config/out/root-ca.pem -crt /usr/local/elasticsearch/config/out/cluster1_host1.pem 
    
    ========================================================================
    /usr/local/elasticsearch/config/out/cluster1_host1.pem
    ------------------------------------------------------------------------
    Certificate 1
    ------------------------------------------------------------------------
                SHA1 FPR: 70b8e292357beec0e55b1b98c257aa5d2a391f05
                 MD5 FPR: 1565fb2741046769feb128d2e98e3923
    Subject DN [RFC2253]: CN=cluster1_host1,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
           Serial Number: 1582963131135
     Issuer DN [RFC2253]: CN=signing.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
              Not Before: Sat Feb 29 02:58:53 EST 2020
               Not After: Tue Feb 26 02:58:53 EST 2030
               Key Usage: digitalSignature nonRepudiation keyEncipherment
     Signature Algorithm: SHA256WITHRSA
                 Version: 3
      Extended Key Usage: id_kp_serverAuth id_kp_clientAuth
      Basic Constraints: -1
                    SAN: 
                      dNSName: cluster1_host1
                      iPAddress: 10.87.18.31
    
    ------------------------------------------------------------------------
    Certificate 2
    ------------------------------------------------------------------------
                SHA1 FPR: 450118f5bce0ddbb0210550620da4323c15c697b
                 MD5 FPR: 091f69596ca7e6b3c74f3ac200e87307
    Subject DN [RFC2253]: CN=signing.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
           Serial Number: 2
     Issuer DN [RFC2253]: CN=root.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
              Not Before: Sat Feb 29 02:58:53 EST 2020
               Not After: Tue Feb 26 02:58:53 EST 2030
               Key Usage: digitalSignature keyCertSign cRLSign
     Signature Algorithm: SHA256WITHRSA
                 Version: 3
      Extended Key Usage: null
      Basic Constraints: 0
                    SAN: (none)
    ------------------------------------------------------------------------
    Trust anchor:
    DC=com,DC=example,O=Example Com\, Inc.,OU=CA,CN=root.ca.example.com
    

      

    13. Edit the Elasticsearch configuration file

    Go to the certificate directory

    [es@cluster1_host1 out]$ pwd
    /usr/local/elasticsearch/config/out
    [es@cluster1_host1 out]$ ll
    total 96
    -rwxrwxr-x. 1 es es  294 Feb 29 02:59 client-certificates.readme
    -rwxrwxr-x. 1 es es 1388 Feb 29 03:30 cluster1_host1_elasticsearch_config_snippet.yml
    -rwxrwxr-x. 1 es es 1801 Feb 29 02:59 cluster1_host1_http.key
    -rwxrwxr-x. 1 es es 3201 Feb 29 02:59 cluster1_host1_http.pem
    -rwxrwxr-x. 1 es es 1801 Feb 29 02:59 cluster1_host1.key
    -rwxrwxr-x. 1 es es 3201 Feb 29 02:59 cluster1_host1.pem
    -rwxrwxr-x. 1 es es 1388 Feb 29 02:59 cluster1_host2_elasticsearch_config_snippet.yml
    -rwxrwxr-x. 1 es es 1789 Feb 29 02:59 cluster1_host2_http.key
    -rwxrwxr-x. 1 es es 3201 Feb 29 02:59 cluster1_host2_http.pem
    -rwxrwxr-x. 1 es es 1801 Feb 29 02:59 cluster1_host2.key
    -rwxrwxr-x. 1 es es 3201 Feb 29 02:59 cluster1_host2.pem
    -rwxrwxr-x. 1 es es 1388 Feb 29 03:26 cluster1_host3_elasticsearch_config_snippet.yml
    -rwxrwxr-x. 1 es es 1801 Feb 29 02:59 cluster1_host3_http.key
    -rwxrwxr-x. 1 es es 3201 Feb 29 02:59 cluster1_host3_http.pem
    -rwxrwxr-x. 1 es es 1801 Feb 29 02:59 cluster1_host3.key
    -rwxrwxr-x. 1 es es 3201 Feb 29 02:59 cluster1_host3.pem
    -rwxrwxr-x. 1 es es 1801 Feb 29 02:59 kirk.key
    -rwxrwxr-x. 1 es es 3144 Feb 29 02:59 kirk.pem
    -rwxrwxr-x. 1 es es 1801 Feb 29 02:59 root-ca.key
    -rwxrwxr-x. 1 es es 1371 Feb 29 02:59 root-ca.pem
    -rwxrwxr-x. 1 es es 1801 Feb 29 02:59 signing-ca.key
    -rwxrwxr-x. 1 es es 1558 Feb 29 02:59 signing-ca.pem
    -rwxrwxr-x. 1 es es 1801 Feb 29 02:59 spock.key
    -rwxrwxr-x. 1 es es 3144 Feb 29 02:59 spock.pem
    

      

    Append the contents of cluster1_host1_elasticsearch_config_snippet.yml to the node's Elasticsearch configuration file

    [es@cluster1_host1 config]$ ll
    total 36
    -rw-rw----. 1 es es  207 Feb 28 01:15 elasticsearch.keystore
    -rw-rw----. 1 es es 3895 Feb 29 03:33 elasticsearch.yml
    -rw-rw----. 1 es es 2937 Feb 28 03:33 elasticsearch.yml.bak
    -rw-rw----. 1 es es 2937 Feb 28 01:10 jvm.options
    -rw-rw----. 1 es es 6380 Oct 30  2018 log4j2.properties
    drwxrwxr-x. 2 es es 4096 Feb 29 03:30 out
    -rw-rw----. 1 es es  473 Oct 30  2018 role_mapping.yml
    -rw-rw----. 1 es es  197 Oct 30  2018 roles.yml
    -rw-rw----. 1 es es    0 Oct 30  2018 users
    -rw-rw----. 1 es es    0 Oct 30  2018 users_roles
    [es@cluster1_host1 config]$ pwd
    /usr/local/elasticsearch/config
    

      

    The added settings are shown below; the main point is that the certificate file paths are given relative to the config directory

    searchguard.ssl.transport.pemcert_filepath: out/cluster1_host1.pem
    searchguard.ssl.transport.pemkey_filepath: out/cluster1_host1.key
    searchguard.ssl.transport.pemkey_password: teststt
    searchguard.ssl.transport.pemtrustedcas_filepath: out/root-ca.pem
    searchguard.ssl.transport.enforce_hostname_verification: false
    searchguard.ssl.transport.resolve_hostname: false
    searchguard.ssl.http.enabled: false
    searchguard.ssl.http.pemcert_filepath: out/cluster1_host1_http.pem
    searchguard.ssl.http.pemkey_filepath: out/cluster1_host1_http.key
    searchguard.ssl.http.pemkey_password: teststt
    searchguard.ssl.http.pemtrustedcas_filepath: out/root-ca.pem
    searchguard.nodes_dn:
    - CN=cluster1_host1,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
    - CN=cluster1_host2,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
    - CN=cluster1_host3,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
    searchguard.authcz.admin_dn:
    - CN=kirk.example.com,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
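
Before the snippet is copied to the other nodes, it is worth linting the resulting elasticsearch.yml. The shell script below is an added example and is not code from the original post or from Search Guard's own tooling: it reads the searchguard.* settings shown above, flags searchguard.ssl.http.enabled: false (the REST API, and with it the admin:admin basic-auth credentials used later on this page, then travels in cleartext) and enforce_hostname_verification: false, notes the cleartext private-key passwords, and checks that every *_filepath resolves relative to the config directory, which is what breaks when the wrong node's snippet is pasted. The directory layout and file contents it creates are constructed for the example; it compares the configuration as posted with a hardened variant.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or from Search Guard): lint the
# searchguard.* settings in elasticsearch.yml and check the referenced files.
# The keys are the ones shown in the post; the sample configs are constructed.
set -u

# sg_lint CONFIG_DIR : one line per finding on stdout, exit status = number of findings
sg_lint() {
  local dir="$1" cfg="$1/elasticsearch.yml" findings=0 line key val
  [ -f "$cfg" ] || { echo "MISSING $cfg"; return 1; }
  while IFS= read -r line; do
    # skip blank lines, comments, YAML list items ("- CN=...") and indented lines
    case "$line" in ''|'#'*|'-'*|' '*) continue ;; esac
    key=${line%%:*}
    val=${line#*:}; val=${val# }; val=${val%% *}
    case "$key" in
      searchguard.ssl.http.enabled)
        [ "$val" = true ] || { echo "WEAK    $key=$val: REST traffic, basic-auth credentials included, is cleartext"; findings=$((findings+1)); } ;;
      searchguard.ssl.transport.enforce_hostname_verification)
        [ "$val" = true ] || { echo "WEAK    $key=$val: a node cert is accepted regardless of the peer's hostname"; findings=$((findings+1)); } ;;
      searchguard.ssl.*.pemkey_password)
        echo "NOTE    $key: private-key password stored in cleartext, keep $cfg at mode 0600"; findings=$((findings+1)) ;;
      searchguard.ssl.*_filepath)
        # paths are relative to the config directory, as the post notes
        [ -f "$dir/$val" ] || { echo "MISSING $key -> $dir/$val"; findings=$((findings+1)); } ;;
    esac
  done < "$cfg"
  return "$findings"
}

# sg_lint_count CONFIG_DIR : number of findings on stdout, always exits 0
sg_lint_count() { sg_lint "$1" | grep -c . || true; }

# make_sample DIR HTTP_ENABLED ENFORCE_HOSTNAME_VERIFICATION
# Constructed sample: the cluster1_host1 settings from the post, with the transport
# certificate and root CA present in out/ and the http certificates deliberately absent.
make_sample() {
  mkdir -p "$1/out"
  for f in cluster1_host1.pem cluster1_host1.key root-ca.pem; do
    echo "placeholder, not a real certificate" > "$1/out/$f"
  done
  cat > "$1/elasticsearch.yml" <<EOF
cluster.name: my-application
node.name: cluster1_host1
searchguard.ssl.transport.pemcert_filepath: out/cluster1_host1.pem
searchguard.ssl.transport.pemkey_filepath: out/cluster1_host1.key
searchguard.ssl.transport.pemkey_password: teststt
searchguard.ssl.transport.pemtrustedcas_filepath: out/root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: $3
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: $2
searchguard.ssl.http.pemcert_filepath: out/cluster1_host1_http.pem
searchguard.ssl.http.pemkey_filepath: out/cluster1_host1_http.key
searchguard.ssl.http.pemkey_password: teststt
searchguard.ssl.http.pemtrustedcas_filepath: out/root-ca.pem
searchguard.nodes_dn:
- CN=cluster1_host1,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
searchguard.authcz.admin_dn:
- CN=kirk.example.com,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
EOF
}

posted=$(mktemp -d);   make_sample "$posted" false false      # the configuration as posted
hardened=$(mktemp -d); make_sample "$hardened" true true      # HTTPS on, hostname verification on
for f in cluster1_host1_http.pem cluster1_host1_http.key; do   # and the http certs copied over
  echo "placeholder, not a real certificate" > "$hardened/out/$f"
done
echo "== as posted =="; sg_lint "$posted"   || echo "-> $? finding(s)"
echo "== hardened  =="; sg_lint "$hardened" || echo "-> $? finding(s)"
rm -rf "$posted" "$hardened"
```

sg_lint returns the number of findings, so it can gate a deployment step; the hardened variant still reports the two password NOTE lines, because a key password in elasticsearch.yml is only as protected as that file's mode. The script inspects only the keys shown on this page.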
    

      

    Validate the configuration file

    [es@cluster1_host1 tools]$ ./sgtlsdiag.sh -es /usr/local/elasticsearch/config/elasticsearch.yml
    Reading node config file /usr/local/elasticsearch/config/elasticsearch.yml
    
    ========================================================================
    /usr/local/elasticsearch/config/out/cluster1_host1.pem
    ------------------------------------------------------------------------
    Certificate 1
    ------------------------------------------------------------------------
                SHA1 FPR: 70b8e292357beec0e55b1b98c257aa5d2a391f05
                 MD5 FPR: 1565fb2741046769feb128d2e98e3923
    Subject DN [RFC2253]: CN=cluster1_host1,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
           Serial Number: 1582963131135
     Issuer DN [RFC2253]: CN=signing.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
              Not Before: Sat Feb 29 02:58:53 EST 2020
               Not After: Tue Feb 26 02:58:53 EST 2030
               Key Usage: digitalSignature nonRepudiation keyEncipherment
     Signature Algorithm: SHA256WITHRSA
                 Version: 3
      Extended Key Usage: id_kp_serverAuth id_kp_clientAuth
      Basic Constraints: -1
                    SAN: 
                      dNSName: cluster1_host1
                      iPAddress: 10.87.18.31
    
    ------------------------------------------------------------------------
    Certificate 2
    ------------------------------------------------------------------------
                SHA1 FPR: 450118f5bce0ddbb0210550620da4323c15c697b
                 MD5 FPR: 091f69596ca7e6b3c74f3ac200e87307
    Subject DN [RFC2253]: CN=signing.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
           Serial Number: 2
     Issuer DN [RFC2253]: CN=root.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
              Not Before: Sat Feb 29 02:58:53 EST 2020
               Not After: Tue Feb 26 02:58:53 EST 2030
               Key Usage: digitalSignature keyCertSign cRLSign
     Signature Algorithm: SHA256WITHRSA
                 Version: 3
      Extended Key Usage: null
      Basic Constraints: 0
                    SAN: (none)
    ------------------------------------------------------------------------
    Trust anchor:
    DC=com,DC=example,O=Example Com\, Inc.,OU=CA,CN=root.ca.example.com
    
    ========================================================================
    /usr/local/elasticsearch/config/out/cluster1_host1_http.pem
    ------------------------------------------------------------------------
    Certificate 1
    ------------------------------------------------------------------------
                SHA1 FPR: 998fdf16628aeb9da3d9ef741f8d87318f44bf87
                 MD5 FPR: bfb40c178312f63af1bf5d83cd7a1021
    Subject DN [RFC2253]: CN=cluster1_host1,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
           Serial Number: 1582963131136
     Issuer DN [RFC2253]: CN=signing.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
              Not Before: Sat Feb 29 02:58:55 EST 2020
               Not After: Tue Feb 26 02:58:55 EST 2030
               Key Usage: digitalSignature nonRepudiation keyEncipherment
     Signature Algorithm: SHA256WITHRSA
                 Version: 3
      Extended Key Usage: id_kp_serverAuth id_kp_clientAuth
      Basic Constraints: -1
                    SAN: 
                      dNSName: cluster1_host1
                      iPAddress: 10.87.18.31
    
    ------------------------------------------------------------------------
    Certificate 2
    ------------------------------------------------------------------------
                SHA1 FPR: 450118f5bce0ddbb0210550620da4323c15c697b
                 MD5 FPR: 091f69596ca7e6b3c74f3ac200e87307
    Subject DN [RFC2253]: CN=signing.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
           Serial Number: 2
     Issuer DN [RFC2253]: CN=root.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
              Not Before: Sat Feb 29 02:58:53 EST 2020
               Not After: Tue Feb 26 02:58:53 EST 2030
               Key Usage: digitalSignature keyCertSign cRLSign
     Signature Algorithm: SHA256WITHRSA
                 Version: 3
      Extended Key Usage: null
      Basic Constraints: 0
                    SAN: (none)
    ------------------------------------------------------------------------
    Trust anchor:
    DC=com,DC=example,O=Example Com\, Inc.,OU=CA,CN=root.ca.example.com
    
    ========================================================================
    /usr/local/elasticsearch/config/out/root-ca.pem
    ------------------------------------------------------------------------
    Certificate 1
    ------------------------------------------------------------------------
                SHA1 FPR: b66494fa2c05423e64ada2403e09ca6c76ae3936
                 MD5 FPR: 5f0834f0acf6dc8f7fa061eb7be0675a
    Subject DN [RFC2253]: CN=root.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
           Serial Number: 1
     Issuer DN [RFC2253]: CN=root.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
              Not Before: Sat Feb 29 02:58:52 EST 2020
               Not After: Tue Feb 26 02:58:52 EST 2030
               Key Usage: digitalSignature keyCertSign cRLSign
     Signature Algorithm: SHA256WITHRSA
                 Version: 3
      Extended Key Usage: null
      Basic Constraints: 2147483647
                    SAN: (none)
    

      

    14. Edit the configuration files of the other nodes

    Copy the out directory to the same location on the other nodes

    [root@cluster1_host1 data]# scp -r /usr/local/elasticsearch/config/out/ root@10.87.18.33:/usr/local/elasticsearch/config/
    

      

    15. The following must be run on every Elasticsearch node

    [es@cluster1_host1 search-guard-6]$ pwd
    /usr/local/elasticsearch/plugins/search-guard-6
    [es@cluster1_host1 search-guard-6]$ 
    [es@cluster1_host1 search-guard-6]$ 
    [es@cluster1_host1 search-guard-6]$ ./tools/sgadmin.sh -esa -icl -nhnv -cert ../../config/out/kirk.pem -key ../../config/out/kirk.key -cacert ../../config/out/root-ca.pem -h cluster1_host1 -keypass teststt
    Search Guard Admin v6
    Will connect to cluster1_host1:9300 ... done
    Elasticsearch Version: 6.4.3
    Search Guard Version: 6.4.3-25.5
    Connected as CN=kirk.example.com,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
    Persistent and transient shard allocation enabled
    

      

    16. Run an Elasticsearch command (without credentials it is now answered with Unauthorized)

    Unauthorized[root@cluster1_host1 ~]# curl '10.87.18.31:9200/_cat/nodes?v'
    
    Unauthorized[root@cluster1_host1 ~]# 
    

      

    17. Open the following URL in a browser

    http://10.87.18.31:9200/_searchguard/health
    

      

    {"message":null,"mode":"strict","status":"UP"}

    18. Access Elasticsearch with a username and password

    [root@cluster1_host1 ~]# curl -u admin:admin '10.87.18.31:9200/_cat/indices?v'
    health status index       uuid                   pri rep docs.count docs.deleted store.size pri.store.size
    green  open   searchguard XOWOuXN0SJi_69Yz3BPtmw   1   2          0            6     88.6kb         38.4kb
    [root@cluster1_host1 ~]# 
    

      

    The Search Guard plugin configuration for Elasticsearch is complete.

    III. Problems

     

    1. If Elasticsearch reports the following error on startup

    [2020-02-29T03:54:12,266][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [cluster1_host1] uncaught exception in thread [main]
    org.elasticsearch.bootstrap.StartupException: java.lang.IllegalArgumentException: Cannot have additional setting [http.type] in plugin [search-guard-6], already added in plugin [x-pack-security]
    

      

    then add the following to the Elasticsearch configuration file

    xpack.security.enabled: false
    

      

    2. If Elasticsearch logs the following warnings on startup

    [2020-02-29T03:49:24,286][WARN ][c.f.s.SearchGuardPlugin  ] Directory /usr/local/elasticsearch/config has insecure file permissions (should be 0700)
    [2020-02-29T03:49:24,286][WARN ][c.f.s.SearchGuardPlugin  ] Directory /usr/local/elasticsearch/config/out has insecure file permissions (should be 0700)
    [2020-02-29T03:49:24,286][WARN ][c.f.s.SearchGuardPlugin  ] File /usr/local/elasticsearch/config/out/root-ca.pem has insecure file permissions (should be 0600)
    [2020-02-29T03:49:24,286][WARN ][c.f.s.SearchGuardPlugin  ] File /usr/local/elasticsearch/config/out/root-ca.key has insecure file permissions (should be 0600)
    [2020-02-29T03:49:24,286][WARN ][c.f.s.SearchGuardPlugin  ] File /usr/local/elasticsearch/config/out/signing-ca.pem has insecure file permissions (should be 0600)
    

      

    then fix the permissions

    chmod 0600 /usr/local/elasticsearch/config/out/*
    chmod 0700 /usr/local/elasticsearch/config/
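
The warnings name a target mode for each path: 0700 for the config directory and for out/, 0600 for every file in out/. The shell script below is an added example, not code from the original post or from Search Guard: it audits those modes before Elasticsearch is started, reporting every entry that still has group or other permission bits set, and applies the same fix as the chmod lines above to the config directory, to the out/ directory itself and to the files inside it. The directory tree it checks is constructed inside the script with the 775 modes visible in the earlier listing.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or from Search Guard): audit the file
# modes the startup warnings complain about, then apply the fix. Expected modes are
# the ones quoted in the warnings: 0700 for directories, 0600 for files in out/.
# The directory tree below is constructed for this example.
set -u

# mode_of PATH : permission bits in octal (GNU stat first, BSD stat as fallback)
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# sg_perm_audit CONFIG_DIR : prints one INSECURE line per offending entry,
# exit status = number of findings (0 means every mode is acceptable)
sg_perm_audit() {
  local root="$1" findings=0 p m want
  for p in "$root" "$root/out" "$root"/out/*; do
    [ -e "$p" ] || continue
    m=$(mode_of "$p")
    if [ -d "$p" ]; then want=0700; else want=0600; fi
    # any group/other bit set lets another local account read the key material
    if [ $(( 0$m & 077 )) -ne 0 ]; then
      echo "INSECURE $p mode $m (want $want)"
      findings=$((findings+1))
    fi
  done
  return "$findings"
}

# sg_perm_audit_count CONFIG_DIR : number of findings on stdout, always exits 0
sg_perm_audit_count() { sg_perm_audit "$1" | grep -c . || true; }

# sg_perm_fix CONFIG_DIR : the modes from the warnings, applied to the config
# directory, to out/ itself and to every file in out/
sg_perm_fix() {
  chmod 0700 "$1" "$1/out"
  chmod 0600 "$1"/out/*
}

# constructed sample: files from the post's listing, with the 775 modes it showed
sample=$(mktemp -d)
mkdir -p "$sample/out"
for f in root-ca.pem root-ca.key signing-ca.pem signing-ca.key cluster1_host1.pem cluster1_host1.key; do
  echo "placeholder, not a real certificate" > "$sample/out/$f"
done
chmod 0775 "$sample" "$sample/out" "$sample"/out/*

echo "== before =="; sg_perm_audit "$sample" || echo "-> $? finding(s)"
sg_perm_fix "$sample"
echo "== after  =="; sg_perm_audit "$sample" && echo "-> clean"
rm -rf "$sample"
```

Point sg_perm_audit at the real config directory (for this page, /usr/local/elasticsearch/config) to get the same list the plugin prints at startup, and run it again after the chmod lines to confirm nothing was skipped; note that the audit also covers the out/ directory itself, which the warnings list.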
    

      

    3. If running an Elasticsearch command produces the following error

    [root@cluster1_host1 config]# curl '10.87.18.31:9200/_cat/nodes?v'
    Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin[root@cluster1_host1 config]
    

      

    Go to the following directory

    [es@cluster1_host1 search-guard-6]$ pwd
    /usr/local/elasticsearch/plugins/search-guard-6
    

      

    Run the following command; if it reports that a file does not exist, restart Elasticsearch and try again. It only needs to be run on one node.

    [es@cluster1_host1 search-guard-6]$ ./tools/sgadmin.sh -cd ./sgconfig/ -icl -nhnv -cert ../../config/out/kirk.pem -key ../../config/out/kirk.key -cacert ../../config/out/root-ca.pem -h cluster1_host1 -keypass teststt
    Search Guard Admin v6
    Will connect to cluster1_host1:9300 ... done
    Elasticsearch Version: 6.4.3
    Search Guard Version: 6.4.3-25.5
    Connected as CN=kirk.example.com,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
    Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
    Clustername: my-application
    Clusterstate: YELLOW
    Number of nodes: 3
    Number of data nodes: 3
    searchguard index already exists, so we do not need to create one.
    INFO: searchguard index state is YELLOW, it seems you miss some replicas
    Populate config from /usr/local/elasticsearch/plugins/search-guard-6/sgconfig
    Will update 'sg/config' with ./sgconfig/sg_config.yml 
       SUCC: Configuration for 'config' created or updated
    Will update 'sg/roles' with ./sgconfig/sg_roles.yml 
       SUCC: Configuration for 'roles' created or updated
    Will update 'sg/rolesmapping' with ./sgconfig/sg_roles_mapping.yml 
       SUCC: Configuration for 'rolesmapping' created or updated
    Will update 'sg/internalusers' with ./sgconfig/sg_internal_users.yml 
       SUCC: Configuration for 'internalusers' created or updated
    Will update 'sg/actiongroups' with ./sgconfig/sg_action_groups.yml 
       SUCC: Configuration for 'actiongroups' created or updated
    Done with success
    [es@cluster1_host1 search-guard-6]$ pwd
    

      

    Original article: https://www.cnblogs.com/bainianminguo/p/12584880.html