zoukankan      html  css  js  c++  java
  • X-pack结合LDAP进行权限认证

    1、生成ssl 证书

    通过ES_HOME/bin/x-pack/certgen生成ssl证书
    IP:

    10.17.90.20,10.17.90.21,10.17.90.22,10.17.90.24,10.17.90.25,10.17.90.26,10.17.90.27,10.17.90.28

    hostname:

    d1705027.grid.com,d1705028.grid.com,d1705029.grid.com,d1806001.grid.com,d1806002.grid.com,d1806003.grid.com,d1809002.grid.com,d1809003.grid.com

    修改salt配置加载ssl配置(完成)
    修改配置elasticsearch.yml文件,开启ssl transport

    xpack.ssl.key: /data1/elasticsearch9201/config/elasticsearch/elasticsearch.key
    xpack.ssl.certificate: /data1/elasticsearch9201/config/elasticsearch/elasticsearch.crt
    xpack.ssl.certificate_authorities: /data1/elasticsearch9201/config/ca/ca.crt
    xpack.security.transport.ssl.enabled: true

    2、修改es集群内置账户的密码

    ./bin/x-pack/setup-passwords interactive
    自定义内置账户(elastic、kibana、logstash_system)密码
    账户elastic为elasticsearch超级管理员,拥有所有权限
    账户kibana用于kibana组件获取相关信息用于web展示
    账户logstash_system用于logstash服务获取elasticsearch的监控数据
    注意:此步骤需先启动elasticsearch服务,并开启x-pack security
    ./bin/x-pack/setup-passwords interactive
    elastic:
    kibana:
    logstash_system:

    3、es开启ldap验证

    修改elasticsearch.yml配置开启
    注意:
    es集群修改elasticsearch.yml配置添加
    http.cors.allow-headers: Authorization,X-Requested-With,Content-Length,Content-Type

    4、kibana修改启动脚本

    未修改

    5、kibana修改配置文件

    需要安装 x-pack插件 plugin
    修改链接es集群的账户和密码

    6、logstash修改配置文件

    output elasticsearh
    添加
    user => elastic
    password => password

    7、重启集群

    curl -XPUT -H  'Content-Type: application/json' "http://127.0.0.1:9200/_cluster/settings" -d '{ 
    "transient" : { 
    "cluster.routing.allocation.enable":"none"
    } 
    }'
    curl -XPUT -u elastic: -H  'Content-Type: application/json' "http://127.0.0.1:9200/_cluster/settings" -d '{ 
    "transient" : { 
    "cluster.routing.allocation.enable":"all"
    } 
    }'
    

    8、elasticsearch-head 认证登录

    ?auth_user=elastic&auth_password=

    9、角色添加

    index_name=cron_term_log
    role_name=${index_name}_all
    echo "{"cluster":[],"indices":[{"names":["${index_name}*"],"privileges":["all"]}],"run_as":[],"transient_metadata":{"enabled":true}}" >${index_name}
    
        curl -XPOST -H "Content-Type: application/json"  -u elastic:  "http://localhost:9201/_xpack/security/role/$role_name" -d@${index_name}
    

    10、用户绑定角色

    11、配置信息如下

    cat elasticsearch.yml

    cluster.name: elk_cluster
    node.master: true
    node.data: true
    node.attr.box_type: hot
    node.name: 10.20.90.36
    path.data: /data1/data/elasticsearch
    path.logs: /data1/logs/elasticsearch
    network.host: 0.0.0.0
    http.port: 9200
    transport.tcp.compress: true
    http.max_content_length: 200mb
    discovery.zen.ping.unicast.hosts: ['10.22.90.36', '10.20.90.37']
    discovery.zen.minimum_master_nodes: 2
    discovery.zen.ping_timeout: 120s
    index.store.type: mmapfs
    bootstrap.system_call_filter: false
    http.cors.enabled: true
    http.cors.allow-origin: "*"
    http.cors.allow-headers: Authorization,X-Requested-With,Content-Length,Content-Type
    
    # thread_pool config
    thread_pool.index.queue_size: 3000
    thread_pool.search.min_queue_size: 400
    thread_pool.search.max_queue_size: 3000
    thread_pool.get.queue_size: 3000
    thread_pool.bulk.queue_size: 3000
    xpack.ssl.key: /data1/elasticsearch/config/elk_crt/elk.key
    xpack.ssl.certificate: /data1/elasticsearch/config/elk_crt/elk.crt
    xpack.ssl.certificate_authorities: /data1/elasticsearch/config/elk_crt/ca/ca.crt
    xpack.security.transport.ssl.enabled: true
    xpack.security.enabled: true
    xpack.monitoring.enabled: true
    xpack.graph.enabled: true
    xpack.watcher.enabled: true
    xpack.monitoring.exporters:
      id1:
        type: http
        host: ["http://10.20.90.36:9200"]
        auth.username: elastic
        auth.password: RHjv
    action.auto_create_index: true
    xpack:
      security:
        authc:
          realms:
            ldap1:
              type: ldap
              order: 0
              url: "ldap://111.151.118.122:389"
              bind_dn: 
              bind_password: admin
              user_search:
                base_dn: ""
                attribute: data
              group_search:
                base_dn: ""
              files:
                role_mapping: "/data1/elasticsearch/config/x-pack/role_mapping.yml"
              unmapped_groups_as_roles: true
  • 相关阅读:
    Java编程练习(四)——集合框架应用
    89. Gray Code (Java)
    加解密算法
    Cookie、Session和Token
    87. Scramble String (Java)
    51. N-Queens (JAVA)
    85. Maximal Rectangle (JAVA)
    84. Largest Rectangle in Histogram (JAVA)
    81. Search in Rotated Sorted Array II (JAVA)
    77. Combinations (JAVA)
  • 原文地址:https://www.cnblogs.com/stone1989/p/11357797.html
Copyright © 2011-2022 走看看