  • How does TransportClient connect after Shield is added to Elasticsearch?

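    Shield is a security plugin for Elasticsearch that provides access control and audit logging. It integrates easily with LDAP or Active Directory, so an organisation can reuse its existing authentication system.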

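    Once Shield is in use, Elasticsearch can only be accessed with credentials, so clients connect a little differently from the default. The following briefly covers the two connection methods, HTTP and TCP.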

    I won't go into installing and configuring Shield here. I created a user whose username and password are both tribe_user, with admin privileges.

    1. HTTP

    Accessing the ES HTTP interface directly now returns an error:

    curl http://localhost:9200
    {"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication token for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"shield\""}}],"type":"security_exception","reason":"missing authentication token for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"shield\""}},"status":401}

    Shield supports HTTP Basic authentication, so the correct way to make the request is:

    curl -u tribe_user:tribe_user http://localhost:9200
    {
      "name" : "Melter",
      "cluster_name" : "elasticsearch",
      "version" : {
        "number" : "2.1.1",
        "build_hash" : "805c528f3167980046f224310f9147fa745e5371",
        "build_timestamp" : "2015-12-09T20:23:16Z",
        "build_snapshot" : false,
        "lucene_version" : "5.3.1"
      },
      "tagline" : "You Know, for Search"
    }

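    In a browser, the first visit pops up an authentication dialog; after that, access keeps working as long as the browser stays open and holds the session. Note that HTTP Basic is not a secure authentication method and is for development and debugging only; in production it must be combined with an HTTPS encrypted channel.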
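
    The HTTPS caveat above, as an added example that is not part of the original post: a small Java client that sends the same Basic header as curl -u and refuses to send it over plain HTTP to anything but a loopback address. The class name and the ES_URL, ES_USER and ES_PASS environment variable names are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.InetAddress;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Scanner;

public class ShieldBasicAuthGet {   // hypothetical class name

    // Same value curl -u sends: "Basic " + base64("user:password").
    static String basicHeader(String user, String password) {
        byte[] raw = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    // Base64 is reversible, so the header exposes the password to anyone on the path.
    // Plain http is accepted only for a loopback host; everything else must be https.
    static void requireSafeTransport(URI uri) throws IOException {
        String scheme = uri.getScheme();
        if ("https".equalsIgnoreCase(scheme)) return;
        boolean loopback = "http".equalsIgnoreCase(scheme) && uri.getHost() != null
                && InetAddress.getByName(uri.getHost()).isLoopbackAddress();
        if (!loopback) throw new IOException("refusing Basic auth without TLS to " + uri.getHost());
    }

    static String get(URI uri, String user, String password) throws IOException {
        requireSafeTransport(uri);
        HttpURLConnection conn = (HttpURLConnection) uri.toURL().openConnection();
        conn.setInstanceFollowRedirects(false);   // never carry credentials to a redirect target
        conn.setRequestProperty("Authorization", basicHeader(user, password));
        if (conn.getResponseCode() == 401) throw new IOException("401: credentials missing or rejected");
        try (InputStream in = conn.getInputStream();
             Scanner s = new Scanner(in, "UTF-8").useDelimiter("\\A")) {
            return s.hasNext() ? s.next() : "";
        }
    }

    public static void main(String[] args) throws IOException {
        // Credentials come from the environment (assumed variable names), not from source code.
        String url = System.getenv().getOrDefault("ES_URL", "http://localhost:9200");
        String user = System.getenv("ES_USER"), pass = System.getenv("ES_PASS");
        if (user == null || pass == null) throw new IllegalStateException("set ES_USER and ES_PASS");
        System.out.println(get(URI.create(url), user, pass));
    }
}
```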

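    2. TransportClient

    Accessing a Shield-protected Elasticsearch through TransportClient is slightly more involved, because it depends on the Shield package. The steps are as follows:

    2.1 If your project is managed with Maven, add the Elasticsearch Maven repository to pom.xml, as follows: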

    <repositories>
       <repository>
          <id>elasticsearch-releases</id>
          <url>https://maven.elasticsearch.org/releases</url>
          <releases>
             <enabled>true</enabled>
          </releases>
          <snapshots>
             <enabled>false</enabled>
          </snapshots>
        </repository>
    </repositories>

    2.2 Add the dependency

    <dependency>
       <groupId>org.elasticsearch.plugin</groupId>
       <artifactId>shield</artifactId>
       <version>2.1.1</version>
    </dependency>

    2.3 Add the user's credentials where the TransportClient is built

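    import java.net.InetAddress;
    import java.net.UnknownHostException;

    import org.elasticsearch.client.transport.TransportClient;
    import org.elasticsearch.common.settings.Settings;
    import org.elasticsearch.common.transport.InetSocketTransportAddress;
    import org.elasticsearch.shield.ShieldPlugin;
    import org.elasticsearch.shield.authc.support.SecuredString;

    import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;

    // client and logger are assumed to be fields declared in the enclosing class.
    String clusterName = "elasticsearch";
    String ip = "127.0.0.1";

    // shield.user holds the "username:password" the client authenticates with.
    Settings settings = Settings.settingsBuilder()
            .put("cluster.name", clusterName)
            .put("shield.user", "tribe_user:tribe_user")
            .build();
    try {
        // Register the Shield plugin and connect to the transport port (9300).
        client = TransportClient.builder()
                .addPlugin(ShieldPlugin.class)
                .settings(settings).build()
                .addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName(ip), 9300));

        // Credentials can also be sent on a single request as a Basic Authorization header.
        String token = basicAuthHeaderValue("tribe_user",
                new SecuredString("tribe_user".toCharArray()));

        client.prepareSearch().putHeader("Authorization", token).get();

    } catch (UnknownHostException e) {
        logger.error("es", e);
    }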
  • Original article: https://www.cnblogs.com/bmaker/p/5731320.html