X-Pack with LDAP for authentication and access control

    1. Generate SSL certificates

    Generate the SSL certificates with ES_HOME/bin/x-pack/certgen
    IP:

    10.17.90.20,10.17.90.21,10.17.90.22,10.17.90.24,10.17.90.25,10.17.90.26,10.17.90.27,10.17.90.28

    hostname:

    d1705027.grid.com,d1705028.grid.com,d1705029.grid.com,d1806001.grid.com,d1806002.grid.com,d1806003.grid.com,d1809002.grid.com,d1809003.grid.com

    Update the Salt configuration so that it loads the SSL configuration (done)
    Edit elasticsearch.yml to enable SSL on the transport layer:

    xpack.ssl.key: /data1/elasticsearch9201/config/elasticsearch/elasticsearch.key
    xpack.ssl.certificate: /data1/elasticsearch9201/config/elasticsearch/elasticsearch.crt
    xpack.ssl.certificate_authorities: /data1/elasticsearch9201/config/ca/ca.crt
    xpack.security.transport.ssl.enabled: true

    2. Change the passwords of the cluster's built-in accounts

    ./bin/x-pack/setup-passwords interactive
    Set your own passwords for the built-in accounts (elastic, kibana, logstash_system):
    elastic is the Elasticsearch superuser and holds all privileges
    kibana is used by the Kibana component to fetch what it needs for the web UI
    logstash_system is used by the Logstash service for the Elasticsearch monitoring data
    Note: the Elasticsearch service must already be running with X-Pack security enabled before this step
    ./bin/x-pack/setup-passwords interactive
    elastic:
    kibana:
    logstash_system:

    3. Enable LDAP authentication in Elasticsearch

    Edit elasticsearch.yml to enable it (the LDAP realm settings are shown in the full configuration under step 11)
    Note:
    Add the following to elasticsearch.yml on the cluster nodes:
    http.cors.allow-headers: Authorization,X-Requested-With,Content-Length,Content-Type

    4. Kibana: modify the startup script

    Not modified

    5. Kibana: modify the configuration file

    The x-pack plugin must be installed
    Change the account and password used to connect to the ES cluster

    6. Logstash: modify the configuration file

    In the elasticsearch output section, add:
    user => elastic
    password => password

    7. Restart the cluster

    # Disable shard allocation before the rolling restart
    curl -XPUT -H 'Content-Type: application/json' "http://127.0.0.1:9200/_cluster/settings" -d '{
      "transient" : {
        "cluster.routing.allocation.enable":"none"
      }
    }'
    # After the restart, re-enable allocation (the password after elastic: is omitted in the post)
    curl -XPUT -u elastic: -H 'Content-Type: application/json' "http://127.0.0.1:9200/_cluster/settings" -d '{
      "transient" : {
        "cluster.routing.allocation.enable":"all"
      }
    }'
    

    8. elasticsearch-head authenticated login

    Pass the credentials as URL parameters: ?auth_user=elastic&auth_password=

    9. Add a role

    index_name=cron_term_log
    role_name=${index_name}_all
    # Write the role body with printf: the nested double quotes inside echo "..." are consumed by the shell and leave invalid JSON
    printf '{"cluster":[],"indices":[{"names":["%s*"],"privileges":["all"]}],"run_as":[],"transient_metadata":{"enabled":true}}\n' "${index_name}" > "${index_name}"
    # Create the role (the password after elastic: is omitted in the post)
    curl -XPOST -H "Content-Type: application/json" -u elastic: "http://localhost:9201/_xpack/security/role/$role_name" -d @"${index_name}"

    10. Bind users to roles
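
    The shell script below is an added example, not code from the original post: it covers steps 9 and 10 together by building the per-index role with correctly quoted JSON and emitting the matching entry for the file-based role mapping (role_mapping.yml) that the LDAP realm configuration points at. ES_HOST, ES_PASSWORD, DRY_RUN and the sample group DN are assumptions of this script.

```shell
#!/bin/sh
# Added example, not code from the original post: creates the per-index role of
# step 9 with correctly quoted JSON and emits the matching entry for the
# file-based role mapping (role_mapping.yml) referenced in the LDAP realm config.
# ES_HOST, ES_PASSWORD, DRY_RUN and the group DN are assumptions of this script.
set -eu

ES_HOST="${ES_HOST:-http://localhost:9201}"

# Role name convention used in the post: <index>_all
role_name_for() {
  printf '%s_all' "$1"
}

# Role body: "all" privileges on every index whose name starts with $1.
# printf with a single-quoted format keeps the embedded double quotes intact;
# the nested quotes in a plain echo "..." would be eaten by the shell.
role_body() {
  printf '{"cluster":[],"indices":[{"names":["%s*"],"privileges":["all"]}],"run_as":[],"transient_metadata":{"enabled":true}}\n' "$1"
}

# Entry for role_mapping.yml (the file named by files.role_mapping in
# elasticsearch.yml): the role name, then the LDAP group DNs that receive it.
# Members of that group get the role without any per-user step.
role_mapping_entry() {
  printf '%s:\n  - "%s"\n' "$(role_name_for "$1")" "$2"
}

# Create the role over the REST API. The password is read from ES_PASSWORD
# instead of being typed after -u elastic: on the command line, where it
# would end up in shell history and in `ps` output. DRY_RUN=1 prints the
# request instead of sending it.
put_role() {
  name="$(role_name_for "$1")"
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'POST %s/_xpack/security/role/%s\n' "$ES_HOST" "$name"
    role_body "$1"
    return 0
  fi
  role_body "$1" | curl -sS -XPOST -H 'Content-Type: application/json' \
    -u "elastic:${ES_PASSWORD:?set ES_PASSWORD}" \
    "$ES_HOST/_xpack/security/role/$name" --data-binary @-
}

# Usage (source this file, then; the group DN is a constructed sample value):
#   DRY_RUN=1 put_role cron_term_log
#   role_mapping_entry cron_term_log "cn=log-admins,ou=groups,dc=grid,dc=com" >> role_mapping.yml
```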

    11. The configuration is as follows

    cat elasticsearch.yml

    cluster.name: elk_cluster
    node.master: true
    node.data: true
    node.attr.box_type: hot
    node.name: 10.20.90.36
    path.data: /data1/data/elasticsearch
    path.logs: /data1/logs/elasticsearch
    network.host: 0.0.0.0
    http.port: 9200
    transport.tcp.compress: true
    http.max_content_length: 200mb
    discovery.zen.ping.unicast.hosts: ['10.22.90.36', '10.20.90.37']
    discovery.zen.minimum_master_nodes: 2
    discovery.zen.ping_timeout: 120s
    index.store.type: mmapfs
    bootstrap.system_call_filter: false
    http.cors.enabled: true
    http.cors.allow-origin: "*"
    http.cors.allow-headers: Authorization,X-Requested-With,Content-Length,Content-Type
    
    # thread_pool config
    thread_pool.index.queue_size: 3000
    thread_pool.search.min_queue_size: 400
    thread_pool.search.max_queue_size: 3000
    thread_pool.get.queue_size: 3000
    thread_pool.bulk.queue_size: 3000
    xpack.ssl.key: /data1/elasticsearch/config/elk_crt/elk.key
    xpack.ssl.certificate: /data1/elasticsearch/config/elk_crt/elk.crt
    xpack.ssl.certificate_authorities: /data1/elasticsearch/config/elk_crt/ca/ca.crt
    xpack.security.transport.ssl.enabled: true
    xpack.security.enabled: true
    xpack.monitoring.enabled: true
    xpack.graph.enabled: true
    xpack.watcher.enabled: true
    xpack.monitoring.exporters:
      id1:
        type: http
        host: ["http://10.20.90.36:9200"]
        auth.username: elastic
        auth.password: RHjv
    action.auto_create_index: true
    xpack:
      security:
        authc:
          realms:
            ldap1:
              type: ldap
              order: 0
              url: "ldap://111.151.118.122:389"
              bind_dn: 
              bind_password: admin
              user_search:
                base_dn: ""
                attribute: data
              group_search:
                base_dn: ""
              files:
                role_mapping: "/data1/elasticsearch/config/x-pack/role_mapping.yml"
              unmapped_groups_as_roles: true
Original article: https://www.cnblogs.com/stone1989/p/11357797.html