zoukankan      html  css  js  c++  java
  • ES/Kibana支持search-guard认证

    es认证:

    https://blog.51cto.com/passed/2287142 

    https://www.jianshu.com/p/aaf9f035b142

    https://docs.search-guard.com/6.x-25/search-guard-installation

     search-guard: https://www.jianshu.com/p/42e278c3b1bf

    docker安装:https://blog.csdn.net/u012811805/article/details/91348067

    es启动:

    错误:

    [WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [] uncaught exception in thread [main]
    org.elasticsearch.bootstrap.StartupException: java.lang.IllegalArgumentException: Cannot have more than one plugin implementing a REST wrapper
    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:140) ~[elasticsearch-6.4.3.jar:6.4.3]
    at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:127) ~[elasticsearch-6.4.3.jar:6.4.3]
    at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) ~[elasticsearch-6.4.3.jar:6.4.3]
    at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124) ~[elasticsearch-cli-6.4.3.jar:6.4.3]
    at org.elasticsearch.cli.Command.main(Command.java:90) ~[elasticsearch-cli-6.4.3.jar:6.4.3]
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:93) ~[elasticsearch-6.4.3.jar:6.4.3]
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:86) ~[elasticsearch-6.4.3.jar:6.4.3]
    Caused by: java.lang.IllegalArgumentException: Cannot have more than one plugin implementing a REST wrapper
    at org.elasticsearch.action.ActionModule.<init>(ActionModule.java:382) ~[elasticsearch-6.4.3.jar:6.4.3]
    at org.elasticsearch.node.Node.<init>(Node.java:427) ~[elasticsearch-6.4.3.jar:6.4.3]
    at org.elasticsearch.node.Node.<init>(Node.java:256) ~[elasticsearch-6.4.3.jar:6.4.3]
    at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:213) ~[elasticsearch-6.4.3.jar:6.4.3]
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.4.3.jar:6.4.3]
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:326) ~[elasticsearch-6.4.3.jar:6.4.3]
    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:136) ~[elasticsearch-6.4.3.jar:6.4.3]
    ... 6 more

    1.修改目录所属用户:

    chown admin elasticsearch-6.4.3 -R

    2.切换用户:

    su admin

    3.修改配置config/elasticsearch.yml

    xpack.security.enabled = false

    启动

    bin/elasticsearch

    JAVA HIGH LEVEL

    https://www.okcode.net/article/78599

    search-guard

    es

    安装插件

    cd /opt/elasticsearch-6.4.3/

    bin/elasticsearch-plugin install  -b file:///opt/elasticsearch-6.4.3/search-guard-6-6.4.3-25.5.zip

    初始化search-guard配置

    chmod +x plugins/search-guard-6/tools/install_demo_configuration.sh

    vi config/elasticsearch.yml 

    修改searchguard.ssl.http.enabled: false

    [root@localhost elasticsearch-6.4.3]# cat config/elasticsearch.yml 
    # ======================== Elasticsearch Configuration =========================
    #
    # NOTE: Elasticsearch comes with reasonable defaults for most settings.
    #       Before you set out to tweak and tune the configuration, make sure you
    #       understand what are you trying to accomplish and the consequences.
    #
    # The primary way of configuring a node is via this file. This template lists
    # the most important settings you may want to configure for a production cluster.
    #
    # Please consult the documentation for further information on configuration options:
    # https://www.elastic.co/guide/en/elasticsearch/reference/index.html
    #
    # ---------------------------------- Cluster -----------------------------------
    #
    # Use a descriptive name for your cluster:
    #
    #cluster.name: my-application
    #
    # ------------------------------------ Node ------------------------------------
    #
    # Use a descriptive name for the node:
    #
    #node.name: node-1
    #
    # Add custom attributes to the node:
    #
    #node.attr.rack: r1
    #
    # ----------------------------------- Paths ------------------------------------
    #
    # Path to directory where to store the data (separate multiple locations by comma):
    #
    #path.data: /path/to/data
    #
    # Path to log files:
    #
    #path.logs: /path/to/logs
    #
    # ----------------------------------- Memory -----------------------------------
    #
    # Lock the memory on startup:
    #
    #bootstrap.memory_lock: true
    #
    # Make sure that the heap size is set to about half the memory available
    # on the system and that the owner of the process is allowed to use this
    # limit.
    #
    # Elasticsearch performs poorly when the system is swapping the memory.
    #
    # ---------------------------------- Network -----------------------------------
    #
    # Set the bind address to a specific IP (IPv4 or IPv6):
    #
    network.host: 192.168.49.130
    #
    # Set a custom port for HTTP:
    #
    http.port: 9200
    #
    # For more information, consult the network module documentation.
    #
    # --------------------------------- Discovery ----------------------------------
    #
    # Pass an initial list of hosts to perform discovery when new node is started:
    # The default list of hosts is ["127.0.0.1", "[::1]"]
    #
    #discovery.zen.ping.unicast.hosts: ["host1", "host2"]
    #
    # Prevent the "split brain" by configuring the majority of nodes (total number of master-eligible nodes / 2 + 1):
    #
    #discovery.zen.minimum_master_nodes: 
    #
    # For more information, consult the zen discovery module documentation.
    #
    # ---------------------------------- Gateway -----------------------------------
    #
    # Block initial recovery after a full cluster restart until N nodes are started:
    #
    #gateway.recover_after_nodes: 3
    #
    # For more information, consult the gateway module documentation.
    #
    # ---------------------------------- Various -----------------------------------
    #
    # Require explicit names when deleting indices:
    #
    #action.destructive_requires_name: true
    
    xpack.security.enabled: false
    
    
    ######## Start Search Guard Demo Configuration ########
    # WARNING: revise all the lines below before you go into production
    searchguard.ssl.transport.pemcert_filepath: esnode.pem
    searchguard.ssl.transport.pemkey_filepath: esnode-key.pem
    searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
    searchguard.ssl.transport.enforce_hostname_verification: false
    searchguard.ssl.http.enabled: false
    searchguard.ssl.http.pemcert_filepath: esnode.pem
    searchguard.ssl.http.pemkey_filepath: esnode-key.pem
    searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
    searchguard.allow_unsafe_democertificates: true
    searchguard.allow_default_init_sgindex: true
    searchguard.authcz.admin_dn:
      - CN=kirk,OU=client,O=client,L=test, C=de
    
    searchguard.audit.type: internal_elasticsearch
    searchguard.enable_snapshot_restore_privilege: true
    searchguard.check_snapshot_restore_write_privileges: true
    searchguard.restapi.roles_enabled: ["sg_all_access"]
    cluster.routing.allocation.disk.threshold_enabled: false
    cluster.name: searchguard_demo
    discovery.zen.minimum_master_nodes: 1
    node.max_local_storage_nodes: 3
    ######## End Search Guard Demo Configuration ########
    

      

    su admin

    bin/elasticsearch

    修改密码方法:

    chmod +x tools/hash.sh 

    生成密码的hash值,将hash值替换sg_internal_users.yml对应的用户原有的hash值

    [root@localhost search-guard-6]# tools/hash.sh admin123
    WARNING: JAVA_HOME not set, will use /usr/bin/java
    [Password:]
    $2y$12$uUXOEr9UhZKGIiLSd88MMunokt2KgGYKzEY/bBMKZsCjW.6rrFtAa

     vi sgconfig/sg_internal_users.yml

    admin:
      readonly: true
      hash: $2y$12$uUXOEr9UhZKGIiLSd88MMunokt2KgGYKzEY/bBMKZsCjW.6rrFtAa
      roles:
        - admin
      attributes:
        #no dots allowed in attribute names
        attribute1: value1
        attribute2: value2
        attribute3: value3
    

      

    重新启动elasticsearch

    kibana

    安装插件

    cd /opt/kibana-6.4.3-linux-x86_64/

    bin/kibana-plugin install file:///opt/kibana-6.4.3-linux-x86_64/search-guard-kibana-plugin-6-6.4.3-19.0.zip 

    等待很长时间,安装后示意如下:

     vi  config/kibana.yml 

    修改  xpack.security.enabled: false

    [root@localhost ~]# cat /opt/kibana-6.4.3-linux-x86_64/config/kibana.yml 
    # Kibana is served by a back end server. This setting specifies the port to use.
    server.port: 5601
    
    # Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
    # The default is 'localhost', which usually means remote machines will not be able to connect.
    # To allow connections from remote users, set this parameter to a non-loopback address.
    server.host: "192.168.49.130"
    
    # Enables you to specify a path to mount Kibana at if you are running behind a proxy.
    # Use the `server.rewriteBasePath` setting to tell Kibana if it should remove the basePath
    # from requests it receives, and to prevent a deprecation warning at startup.
    # This setting cannot end in a slash.
    #server.basePath: ""
    
    # Specifies whether Kibana should rewrite requests that are prefixed with
    # `server.basePath` or require that they are rewritten by your reverse proxy.
    # This setting was effectively always `false` before Kibana 6.3 and will
    # default to `true` starting in Kibana 7.0.
    #server.rewriteBasePath: false
    
    # The maximum payload size in bytes for incoming server requests.
    #server.maxPayloadBytes: 1048576
    
    # The Kibana server's name.  This is used for display purposes.
    #server.name: "your-hostname"
    
    # The URL of the Elasticsearch instance to use for all your queries.
    elasticsearch.url: "http://192.168.49.130:9200"
    
    # When this setting's value is true Kibana uses the hostname specified in the server.host
    # setting. When the value of this setting is false, Kibana uses the hostname of the host
    # that connects to this Kibana instance.
    #elasticsearch.preserveHost: true
    
    # Kibana uses an index in Elasticsearch to store saved searches, visualizations and
    # dashboards. Kibana creates a new index if the index doesn't already exist.
    #kibana.index: ".kibana"
    
    # The default application to load.
    #kibana.defaultAppId: "home"
    
    # If your Elasticsearch is protected with basic authentication, these settings provide
    # the username and password that the Kibana server uses to perform maintenance on the Kibana
    # index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
    # is proxied through the Kibana server.
    elasticsearch.username: "admin"
    elasticsearch.password: "admin"
    
    
    # Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
    # These settings enable SSL for outgoing requests from the Kibana server to the browser.
    #server.ssl.enabled: false
    #server.ssl.certificate: /path/to/your/server.crt
    #server.ssl.key: /path/to/your/server.key
    
    # Optional settings that provide the paths to the PEM-format SSL certificate and key files.
    # These files validate that your Elasticsearch backend uses the same key files.
    #elasticsearch.ssl.certificate: /path/to/your/client.crt
    #elasticsearch.ssl.key: /path/to/your/client.key
    
    # Optional setting that enables you to specify a path to the PEM file for the certificate
    # authority for your Elasticsearch instance.
    #elasticsearch.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ]
    
    # To disregard the validity of SSL certificates, change this setting's value to 'none'.
    #elasticsearch.ssl.verificationMode: full
    
    # Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of
    # the elasticsearch.requestTimeout setting.
    #elasticsearch.pingTimeout: 1500
    
    # Time in milliseconds to wait for responses from the back end or Elasticsearch. This value
    # must be a positive integer.
    #elasticsearch.requestTimeout: 30000
    
    # List of Kibana client-side headers to send to Elasticsearch. To send *no* client-side
    # headers, set this value to [] (an empty list).
    #elasticsearch.requestHeadersWhitelist: [ authorization ]
    
    # Header names and values that are sent to Elasticsearch. Any custom headers cannot be overwritten
    # by client-side headers, regardless of the elasticsearch.requestHeadersWhitelist configuration.
    #elasticsearch.customHeaders: {}
    
    # Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable.
    #elasticsearch.shardTimeout: 30000
    
    # Time in milliseconds to wait for Elasticsearch at Kibana startup before retrying.
    #elasticsearch.startupTimeout: 5000
    
    # Logs queries sent to Elasticsearch. Requires logging.verbose set to true.
    #elasticsearch.logQueries: false
    
    # Specifies the path where Kibana creates the process ID file.
    #pid.file: /var/run/kibana.pid
    
    # Enables you specify a file where Kibana stores log output.
    #logging.dest: stdout
    
    # Set the value of this setting to true to suppress all logging output.
    #logging.silent: false
    
    # Set the value of this setting to true to suppress all logging output other than error messages.
    #logging.quiet: false
    
    # Set the value of this setting to true to log all events, including system usage information
    # and all requests.
    #logging.verbose: false
    
    # Set the interval in milliseconds to sample system and process performance
    # metrics. Minimum is 100ms. Defaults to 5000.
    #ops.interval: 5000
    
    # The default locale. This locale can be used in certain circumstances to substitute any missing
    # translations.
    #i18n.defaultLocale: "en"
    
    xpack.security.enabled: false
    timelion.enabled: false
    

      

      

     bin/kibana 等待优化时间,时间很长,约10分钟

  • 相关阅读:
    2020牛客暑期多校第三场B-Classical String Problem(字符串移动思维)
    2020牛客暑期多校第四场B-Basic Gcd Problem(思维+数论)
    2020牛客暑期多校第三场E-Two Matchings(规律DP)
    2020牛客暑期多校第三场C-Operation Love(计算几何-顺逆时针的判断)
    odoo高级物流应用:跨厂区生产
    Odoo车辆管理
    安装odoo 9实录
    Odoo 养猪
    【转】结转本年利润的有关分录
    Odoo POS
  • 原文地址:https://www.cnblogs.com/beilong/p/12119141.html
Copyright © 2011-2022 走看看