大数据安全系列的其它文章

https://www.cnblogs.com/bainianminguo/p/12548076.html-----------安装kerberos

https://www.cnblogs.com/bainianminguo/p/12548334.html-----------hadoop的kerberos认证

https://www.cnblogs.com/bainianminguo/p/12548175.html-----------zookeeper的kerberos认证

https://www.cnblogs.com/bainianminguo/p/12584732.html-----------hive的kerberos认证

https://www.cnblogs.com/bainianminguo/p/12584880.html-----------es的search-guard认证

https://www.cnblogs.com/bainianminguo/p/12639821.html-----------flink的kerberos认证

https://www.cnblogs.com/bainianminguo/p/12639887.html-----------spark的kerberos认证

一、安装es

1、解压重命名安装包

tar -zxvf elasticsearch-6.4.3.tar.gz -C /usr/local/

mv elasticsearch-6.4.3/ elasticsearch

  

2、创建es组和es用户

[root@cluster1_host1 elasticsearch]# groupadd es

[root@cluster1_host1 elasticsearch]# useradd es -g es

[root@cluster1_host1 elasticsearch]# passwd es

  

3、修改es目录的属组

chown -R es:es /usr/local/elasticsearch/

  

4、分发配置到其他节点

scp -r /usr/local/elasticsearch/ root@10.87.18.33:/usr/local/

  

5、修改 /etc/security/limits.conf

* soft nofile 65536

* hard nofile 65536

* soft nproc 65536

* hard nproc 65536

  

6、修改/etc/sysctl.conf

vm.max_map_count=262144

  

7、启动es

[root@cluster1_host1 ~]# curl '10.87.18.31:9200/_cat/nodes?v'

ip          heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name

10.87.18.32           27          12   6    0.59    0.25     0.10 mdi       *      cluster1_host2

10.87.18.33           24          13   7    0.31    0.16     0.07 mdi       -      cluster1_host1

10.87.18.31           28          13   6    0.41    0.24     0.11 mdi       -      cluster1_host1

  

二、配置er的search-guard插件

1、下载 search-guard插件

https://repo1.maven.org/maven2/com/floragunn/search-guard-6/6.4.3-25.5/search-guard-6-6.4.3-25.5.zip

  

2、下载tsltools插件,生成证书

https://repo1.maven.org/maven2/com/floragunn/search-guard-tlstool/1.7/search-guard-tlstool-1.7.tar.gz

  

3、每个节点执行如下命令,标红的设置为每个节点的hostname

curl -Ss -XPUT 'http://cluster1_host3:9200/_cluster/settings?pretty' \

-H 'Content-Type: application/json' -d'

{

  "persistent": {

    "cluster.routing.allocation.enable": "none"

  }

}

'

  

然后关闭es

4、安装search-guard插件,每个节点都需要安装

[es@cluster1_host1 bin]$ ./elasticsearch-plugin install -b file:///es/search-guard-6-6.4.3-25.5.zip

-> Downloading file:///es/search-guard-6-6.4.3-25.5.zip

  

5、tsltools生成证书,解压安装包

tar -zxvf search-guard-tlstool-1.7.tar.gz -C /usr/local/search-guard-tlstool/

  

6、复制模板的配置文件

[es@cluster1_host1 config]$ cp example.yml tlsconfig.yml

[es@cluster1_host1 config]$ ll

total 24

-rw-r--r--. 1 es es 4731 Jun  5  2019 example.yml

-rw-r--r--. 1 es es 5634 Jun  5  2019 template.yml

-rw-r--r--. 1 es es 4731 Feb 29 02:43 tlsconfig.yml

[es@cluster1_host1 config]$ pwd

/usr/local/search-guard-tlstool/config

[es@cluster1_host1 config]$

  

7、修改配置文件

[es@cluster1_host1 config]$ cat tlsconfig.yml

###

### Self-generated certificate authority

###

#

# If you want to create a new certificate authority, you must specify its parameters here.

# You can skip this section if you only want to create CSRs

#

ca:

   root:

      # The distinguished name of this CA. You must specify a distinguished name.

      dn: CN=root.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com

      # The size of the generated key in bits

      keysize: 2048

      # The validity of the generated certificate in days from now

      validityDays: 3650

      # Password for private key

      #   Possible values:

      #   - auto: automatically generated password, returned in config output;

      #   - none: unencrypted private key;

      #   - other values: other values are used directly as password

      pkPassword: teststt 

      # The name of the generated files can be changed here

      file: root-ca.pem

   # If you want to use an intermediate certificate as signing certificate,

   # please specify its parameters here. This is optional. If you remove this section,

   # the root certificate will be used for signing.

   intermediate:

      # The distinguished name of this CA. You must specify a distinguished name.

      dn: CN=signing.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com

      # The size of the generated key in bits

      keysize: 2048

      # The validity of the generated certificate in days from now

      validityDays: 3650

      pkPassword: teststt

      # If you have a certificate revocation list, you can specify its distribution points here

      crlDistributionPoints: URI:https://raw.githubusercontent.com/floragunncom/unittest-assets/master/revoked.crl

###

### Default values and global settings

###

defaults:

      # The validity of the generated certificate in days from now

      validityDays: 3650 

      # Password for private key

      #   Possible values:

      #   - auto: automatically generated password, returned in config output;

      #   - none: unencrypted private key;

      #   - other values: other values are used directly as password

      pkPassword: teststt      

      # Specifies to recognize legitimate nodes by the distinguished names

      # of the certificates. This can be a list of DNs, which can contain wildcards.

      # Furthermore, it is possible to specify regular expressions by

      # enclosing the DN in //.

      # Specification of this is optional. The tool will always include

      # the DNs of the nodes specified in the nodes section.

      #nodesDn:

      #- "CN=*.example.com,OU=Ops,O=Example Com\\, Inc.,DC=example,DC=com"

      # - 'CN=node.other.com,OU=SSL,O=Test,L=Test,C=DE'

      # - 'CN=*.example.com,OU=SSL,O=Test,L=Test,C=DE'

      # - 'CN=elk-devcluster*'

      # - '/CN=.*regex/' 

      # If you want to use OIDs to mark legitimate node certificates,

      # the OID can be included in the certificates by specifying the following

      # attribute

      # nodeOid: "1.2.3.4.5.5"

      # The length of auto generated passwords

      generatedPasswordLength: 12

      # Set this to true in order to generate config and certificates for

      # the HTTP interface of nodes

      httpsEnabled: true

      # Set this to true in order to re-use the node transport certificates

      # for the HTTP interfaces. Only recognized if httpsEnabled is true

      # reuseTransportCertificatesForHttp: false

      # Set this to true to enable hostname verification

      #verifyHostnames: false

      # Set this to true to resolve hostnames

      #resolveHostnames: false

###

### Nodes

###

#

# Specify the nodes of your ES cluster here

#

nodes:

  - name: cluster1_host1

    dn: CN=cluster1_host1,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com

    dns: cluster1_host1

    ip: 10.87.18.31

  - name: cluster1_host2

    dn: CN=cluster1_host2,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com

    dns: cluster1_host2

    ip: 10.87.18.32

  - name: cluster1_host3

    dn: CN=cluster1_host3,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com

    dns: cluster1_host3

    ip: 10.87.18.33

###

### Clients

###

#

# Specify the clients that shall access your ES cluster with certificate authentication here

#

# At least one client must be an admin user (i.e., a super-user). Admin users can

# be specified with the attribute admin: true

#

clients:

  - name: spock

    dn: CN=spock.example.com,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com

  - name: kirk

    dn: CN=kirk.example.com,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com

    admin: true

  

8、将安装目录拷贝到节点,并修改属组为es

[root@cluster1_host1 data]# scp -r /usr/local/search-guard-tlstool/ root@10.87.18.33:/usr/local/

  

9、生成证书文件

创建证书文件生成目录

[es@cluster1_host1 config]$ cd /usr/local/elasticsearch/config

[es@cluster1_host1 config]$ mkdir out

  

10、生成证书的命令

[es@cluster1_host1 tools]$ ./sgtlstool.sh -c /usr/local/search-guard-tlstool/config/tlsconfig.yml -ca -crt -t /usr/local/elasticsearch/config/out/

Root certificate and signing certificate have been sucessfully created.

Created 6 node certificates.

Created 2 client certificates.

  

11、生成的证书文件如下

[es@cluster1_host1 out]$ cd /usr/local/elasticsearch/config/out/

[es@cluster1_host1 out]$ ll

total 96

-rw-rw-r--. 1 es es  294 Feb 29 02:59 client-certificates.readme

-rw-rw-r--. 1 es es 1388 Feb 29 02:59 cluster1_host1_elasticsearch_config_snippet.yml

-rw-rw-r--. 1 es es 1801 Feb 29 02:59 cluster1_host1_http.key

-rw-rw-r--. 1 es es 3201 Feb 29 02:59 cluster1_host1_http.pem

-rw-rw-r--. 1 es es 1801 Feb 29 02:59 cluster1_host1.key

-rw-rw-r--. 1 es es 3201 Feb 29 02:59 cluster1_host1.pem

-rw-rw-r--. 1 es es 1388 Feb 29 02:59 cluster1_host2_elasticsearch_config_snippet.yml

-rw-rw-r--. 1 es es 1789 Feb 29 02:59 cluster1_host2_http.key

-rw-rw-r--. 1 es es 3201 Feb 29 02:59 cluster1_host2_http.pem

-rw-rw-r--. 1 es es 1801 Feb 29 02:59 cluster1_host2.key

-rw-rw-r--. 1 es es 3201 Feb 29 02:59 cluster1_host2.pem

-rw-rw-r--. 1 es es 1388 Feb 29 02:59 cluster1_host3_elasticsearch_config_snippet.yml

-rw-rw-r--. 1 es es 1801 Feb 29 02:59 cluster1_host3_http.key

-rw-rw-r--. 1 es es 3201 Feb 29 02:59 cluster1_host3_http.pem

-rw-rw-r--. 1 es es 1801 Feb 29 02:59 cluster1_host3.key

-rw-rw-r--. 1 es es 3201 Feb 29 02:59 cluster1_host3.pem

-rw-rw-r--. 1 es es 1801 Feb 29 02:59 kirk.key

-rw-rw-r--. 1 es es 3144 Feb 29 02:59 kirk.pem

-rw-rw-r--. 1 es es 1801 Feb 29 02:59 root-ca.key

-rw-rw-r--. 1 es es 1371 Feb 29 02:59 root-ca.pem

-rw-rw-r--. 1 es es 1801 Feb 29 02:59 signing-ca.key

-rw-rw-r--. 1 es es 1558 Feb 29 02:59 signing-ca.pem

-rw-rw-r--. 1 es es 1801 Feb 29 02:59 spock.key

-rw-rw-r--. 1 es es 3144 Feb 29 02:59 spock.pem

  

12、验证证书

[es@cluster1_host1 out]$ /usr/local/search-guard-tlstool/tools/sgtlsdiag.sh -ca /usr/local/elasticsearch/config/out/root-ca.pem -crt /usr/local/elasticsearch/config/out/cluster1_host1.pem 

========================================================================

/usr/local/elasticsearch/config/out/cluster1_host1.pem

------------------------------------------------------------------------

Certificate 1

------------------------------------------------------------------------

            SHA1 FPR: 70b8e292357beec0e55b1b98c257aa5d2a391f05

             MD5 FPR: 1565fb2741046769feb128d2e98e3923

Subject DN [RFC2253]: CN=cluster1_host1,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com

       Serial Number: 1582963131135

 Issuer DN [RFC2253]: CN=signing.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com

          Not Before: Sat Feb 29 02:58:53 EST 2020

           Not After: Tue Feb 26 02:58:53 EST 2030

           Key Usage: digitalSignature nonRepudiation keyEncipherment

 Signature Algorithm: SHA256WITHRSA

             Version: 3

  Extended Key Usage: id_kp_serverAuth id_kp_clientAuth

  Basic Constraints: -1

                SAN:

                  dNSName: cluster1_host1

                  iPAddress: 10.87.18.31

------------------------------------------------------------------------

Certificate 2

------------------------------------------------------------------------

            SHA1 FPR: 450118f5bce0ddbb0210550620da4323c15c697b

             MD5 FPR: 091f69596ca7e6b3c74f3ac200e87307

Subject DN [RFC2253]: CN=signing.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com

       Serial Number: 2

 Issuer DN [RFC2253]: CN=root.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com

          Not Before: Sat Feb 29 02:58:53 EST 2020

           Not After: Tue Feb 26 02:58:53 EST 2030

           Key Usage: digitalSignature keyCertSign cRLSign

 Signature Algorithm: SHA256WITHRSA

             Version: 3

  Extended Key Usage: null

  Basic Constraints: 0

                SAN: (none)

------------------------------------------------------------------------

Trust anchor:

DC=com,DC=example,O=Example Com\, Inc.,OU=CA,CN=root.ca.example.com

  

13、修改es的配置文件

进入证书文件目录

[es@cluster1_host1 out]$ pwd

/usr/local/elasticsearch/config/out

[es@cluster1_host1 out]$ ll

total 96

-rwxrwxr-x. 1 es es  294 Feb 29 02:59 client-certificates.readme

-rwxrwxr-x. 1 es es 1388 Feb 29 03:30 cluster1_host1_elasticsearch_config_snippet.yml

-rwxrwxr-x. 1 es es 1801 Feb 29 02:59 cluster1_host1_http.key

-rwxrwxr-x. 1 es es 3201 Feb 29 02:59 cluster1_host1_http.pem

-rwxrwxr-x. 1 es es 1801 Feb 29 02:59 cluster1_host1.key

-rwxrwxr-x. 1 es es 3201 Feb 29 02:59 cluster1_host1.pem

-rwxrwxr-x. 1 es es 1388 Feb 29 02:59 cluster1_host2_elasticsearch_config_snippet.yml

-rwxrwxr-x. 1 es es 1789 Feb 29 02:59 cluster1_host2_http.key

-rwxrwxr-x. 1 es es 3201 Feb 29 02:59 cluster1_host2_http.pem

-rwxrwxr-x. 1 es es 1801 Feb 29 02:59 cluster1_host2.key

-rwxrwxr-x. 1 es es 3201 Feb 29 02:59 cluster1_host2.pem

-rwxrwxr-x. 1 es es 1388 Feb 29 03:26 cluster1_host3_elasticsearch_config_snippet.yml

-rwxrwxr-x. 1 es es 1801 Feb 29 02:59 cluster1_host3_http.key

-rwxrwxr-x. 1 es es 3201 Feb 29 02:59 cluster1_host3_http.pem

-rwxrwxr-x. 1 es es 1801 Feb 29 02:59 cluster1_host3.key

-rwxrwxr-x. 1 es es 3201 Feb 29 02:59 cluster1_host3.pem

-rwxrwxr-x. 1 es es 1801 Feb 29 02:59 kirk.key

-rwxrwxr-x. 1 es es 3144 Feb 29 02:59 kirk.pem

-rwxrwxr-x. 1 es es 1801 Feb 29 02:59 root-ca.key

-rwxrwxr-x. 1 es es 1371 Feb 29 02:59 root-ca.pem

-rwxrwxr-x. 1 es es 1801 Feb 29 02:59 signing-ca.key

-rwxrwxr-x. 1 es es 1558 Feb 29 02:59 signing-ca.pem

-rwxrwxr-x. 1 es es 1801 Feb 29 02:59 spock.key

-rwxrwxr-x. 1 es es 3144 Feb 29 02:59 spock.pem

  

将cluster1_host1_elasticsearch_config_snippet.yml中的内容追加到节点的es配置文件中

[es@cluster1_host1 config]$ ll

total 36

-rw-rw----. 1 es es  207 Feb 28 01:15 elasticsearch.keystore

-rw-rw----. 1 es es 3895 Feb 29 03:33 elasticsearch.yml

-rw-rw----. 1 es es 2937 Feb 28 03:33 elasticsearch.yml.bak

-rw-rw----. 1 es es 2937 Feb 28 01:10 jvm.options

-rw-rw----. 1 es es 6380 Oct 30  2018 log4j2.properties

drwxrwxr-x. 2 es es 4096 Feb 29 03:30 out

-rw-rw----. 1 es es  473 Oct 30  2018 role_mapping.yml

-rw-rw----. 1 es es  197 Oct 30  2018 roles.yml

-rw-rw----. 1 es es    0 Oct 30  2018 users

-rw-rw----. 1 es es    0 Oct 30  2018 users_roles

[es@cluster1_host1 config]$ pwd

/usr/local/elasticsearch/config

  

修改内容如下,主要里要指定证书文件的相对路径

searchguard.ssl.transport.pemcert_filepath: out/cluster1_host1.pem

searchguard.ssl.transport.pemkey_filepath: out/cluster1_host1.key

searchguard.ssl.transport.pemkey_password: teststt

searchguard.ssl.transport.pemtrustedcas_filepath: out/root-ca.pem

searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.transport.resolve_hostname: false

searchguard.ssl.http.enabled: false

searchguard.ssl.http.pemcert_filepath: out/cluster1_host1_http.pem

searchguard.ssl.http.pemkey_filepath: out/cluster1_host1_http.key

searchguard.ssl.http.pemkey_password: teststt

searchguard.ssl.http.pemtrustedcas_filepath: out/root-ca.pem

searchguard.nodes_dn:

- CN=cluster1_host1,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com

- CN=cluster1_host2,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com

- CN=cluster1_host3,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com

searchguard.authcz.admin_dn:

- CN=kirk.example.com,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com

  

校验一下配置文件

[es@cluster1_host1 tools]$ ./sgtlsdiag.sh -es /usr/local/elasticsearch/config/elasticsearch.yml

Reading node config file /usr/local/elasticsearch/config/elasticsearch.yml

========================================================================

/usr/local/elasticsearch/config/out/cluster1_host1.pem

------------------------------------------------------------------------

Certificate 1

------------------------------------------------------------------------

            SHA1 FPR: 70b8e292357beec0e55b1b98c257aa5d2a391f05

             MD5 FPR: 1565fb2741046769feb128d2e98e3923

Subject DN [RFC2253]: CN=cluster1_host1,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com

       Serial Number: 1582963131135

 Issuer DN [RFC2253]: CN=signing.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com

          Not Before: Sat Feb 29 02:58:53 EST 2020

           Not After: Tue Feb 26 02:58:53 EST 2030

           Key Usage: digitalSignature nonRepudiation keyEncipherment

 Signature Algorithm: SHA256WITHRSA

             Version: 3

  Extended Key Usage: id_kp_serverAuth id_kp_clientAuth

  Basic Constraints: -1

                SAN:

                  dNSName: cluster1_host1

                  iPAddress: 10.87.18.31

------------------------------------------------------------------------

Certificate 2

------------------------------------------------------------------------

            SHA1 FPR: 450118f5bce0ddbb0210550620da4323c15c697b

             MD5 FPR: 091f69596ca7e6b3c74f3ac200e87307

Subject DN [RFC2253]: CN=signing.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com

       Serial Number: 2

 Issuer DN [RFC2253]: CN=root.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com

          Not Before: Sat Feb 29 02:58:53 EST 2020

           Not After: Tue Feb 26 02:58:53 EST 2030

           Key Usage: digitalSignature keyCertSign cRLSign

 Signature Algorithm: SHA256WITHRSA

             Version: 3

  Extended Key Usage: null

  Basic Constraints: 0

                SAN: (none)

------------------------------------------------------------------------

Trust anchor:

DC=com,DC=example,O=Example Com\, Inc.,OU=CA,CN=root.ca.example.com

========================================================================

/usr/local/elasticsearch/config/out/cluster1_host1_http.pem

------------------------------------------------------------------------

Certificate 1

------------------------------------------------------------------------

            SHA1 FPR: 998fdf16628aeb9da3d9ef741f8d87318f44bf87

             MD5 FPR: bfb40c178312f63af1bf5d83cd7a1021

Subject DN [RFC2253]: CN=cluster1_host1,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com

       Serial Number: 1582963131136

 Issuer DN [RFC2253]: CN=signing.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com

          Not Before: Sat Feb 29 02:58:55 EST 2020

           Not After: Tue Feb 26 02:58:55 EST 2030

           Key Usage: digitalSignature nonRepudiation keyEncipherment

 Signature Algorithm: SHA256WITHRSA

             Version: 3

  Extended Key Usage: id_kp_serverAuth id_kp_clientAuth

  Basic Constraints: -1

                SAN:

                  dNSName: cluster1_host1

                  iPAddress: 10.87.18.31

------------------------------------------------------------------------

Certificate 2

------------------------------------------------------------------------

            SHA1 FPR: 450118f5bce0ddbb0210550620da4323c15c697b

             MD5 FPR: 091f69596ca7e6b3c74f3ac200e87307

Subject DN [RFC2253]: CN=signing.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com

       Serial Number: 2

 Issuer DN [RFC2253]: CN=root.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com

          Not Before: Sat Feb 29 02:58:53 EST 2020

           Not After: Tue Feb 26 02:58:53 EST 2030

           Key Usage: digitalSignature keyCertSign cRLSign

 Signature Algorithm: SHA256WITHRSA

             Version: 3

  Extended Key Usage: null

  Basic Constraints: 0

                SAN: (none)

------------------------------------------------------------------------

Trust anchor:

DC=com,DC=example,O=Example Com\, Inc.,OU=CA,CN=root.ca.example.com

========================================================================

/usr/local/elasticsearch/config/out/root-ca.pem

------------------------------------------------------------------------

Certificate 1

------------------------------------------------------------------------

            SHA1 FPR: b66494fa2c05423e64ada2403e09ca6c76ae3936

             MD5 FPR: 5f0834f0acf6dc8f7fa061eb7be0675a

Subject DN [RFC2253]: CN=root.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com

       Serial Number: 1

 Issuer DN [RFC2253]: CN=root.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com

          Not Before: Sat Feb 29 02:58:52 EST 2020

           Not After: Tue Feb 26 02:58:52 EST 2030

           Key Usage: digitalSignature keyCertSign cRLSign

 Signature Algorithm: SHA256WITHRSA

             Version: 3

  Extended Key Usage: null

  Basic Constraints: 2147483647

                SAN: (none)

  

14、修改其他节点配置文件

拷贝out目录到其他节点的相同目录

[root@cluster1_host1 data]# scp -r /usr/local/elasticsearch/config/out/ root@10.87.18.33:/usr/local/elasticsearch/config/

  

15、下面的需要在es的所有节点执行

[es@cluster1_host1 search-guard-6]$ pwd

/usr/local/elasticsearch/plugins/search-guard-6

[es@cluster1_host1 search-guard-6]$

[es@cluster1_host1 search-guard-6]$

[es@cluster1_host1 search-guard-6]$ ./tools/sgadmin.sh -esa -icl -nhnv -cert ../../config/out/kirk.pem -key ../../config/out/kirk.key -cacert ../../config/out/root-ca.pem -h cluster1_host1 -keypass teststt

Search Guard Admin v6

Will connect to cluster1_host1:9300 ... done

Elasticsearch Version: 6.4.3

Search Guard Version: 6.4.3-25.5

Connected as CN=kirk.example.com,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com

Persistent and transient shard allocation enabled

  

16、执行es命令

Unauthorized[root@cluster1_host1 ~]# curl '10.87.18.31:9200/_cat/nodes?v'

Unauthorized[root@cluster1_host1 ~]#

  

17、打开浏览器访问如下url

http://10.87.18.31:9200/_searchguard/health

  

{"message":null,"mode":"strict","status":"UP"}

18、携带用户名和密码访问es

[root@cluster1_host1 ~]# curl -u admin:admin '10.87.18.31:9200/_cat/indices?v'

health status index       uuid                   pri rep docs.count docs.deleted store.size pri.store.size

green  open   searchguard XOWOuXN0SJi_69Yz3BPtmw   1   2          0            6     88.6kb         38.4kb

[root@cluster1_host1 ~]#

  

es的search-guard插件配置完成

三、问题

1、如果启动es报错

[2020-02-29T03:54:12,266][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [cluster1_host1] uncaught exception in thread [main]

org.elasticsearch.bootstrap.StartupException: java.lang.IllegalArgumentException: Cannot have additional setting [http.type] in plugin [search-guard-6], already added in plugin [x-pack-security]

  

则需要修改es的配置文件

xpack.security.enabled: false

  

2、如果启动es有告警

[2020-02-29T03:49:24,286][WARN ][c.f.s.SearchGuardPlugin  ] Directory /usr/local/elasticsearch/config has insecure file permissions (should be 0700)

[2020-02-29T03:49:24,286][WARN ][c.f.s.SearchGuardPlugin  ] Directory /usr/local/elasticsearch/config/out has insecure file permissions (should be 0700)

[2020-02-29T03:49:24,286][WARN ][c.f.s.SearchGuardPlugin  ] File /usr/local/elasticsearch/config/out/root-ca.pem has insecure file permissions (should be 0600)

[2020-02-29T03:49:24,286][WARN ][c.f.s.SearchGuardPlugin  ] File /usr/local/elasticsearch/config/out/root-ca.key has insecure file permissions (should be 0600)

[2020-02-29T03:49:24,286][WARN ][c.f.s.SearchGuardPlugin  ] File /usr/local/elasticsearch/config/out/signing-ca.pem has insecure file permissions (should be 0600)

  

则修改权限

chmod 0600 /usr/local/elasticsearch/config/out/*

chmod 0700 /usr/local/elasticsearch/config/

  

3、如果执行es命令有如下报错

[root@cluster1_host1 config]# curl '10.87.18.31:9200/_cat/nodes?v'

Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin[root@cluster1_host1 config]

  

进入如下目录

[es@cluster1_host1 search-guard-6]$ pwd

/usr/local/elasticsearch/plugins/search-guard-6

  

做如下修改,如果报文件不存在,则重启es在试一次,只需要在一个节点执行即可

[es@cluster1_host1 search-guard-6]$ ./tools/sgadmin.sh -cd ./sgconfig/ -icl -nhnv -cert ../../config/out/kirk.pem -key ../../config/out/kirk.key -cacert ../../config/out/root-ca.pem -h cluster1_host1 -keypass teststt

Search Guard Admin v6

Will connect to cluster1_host1:9300 ... done

Elasticsearch Version: 6.4.3

Search Guard Version: 6.4.3-25.5

Connected as CN=kirk.example.com,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com

Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...

Clustername: my-application

Clusterstate: YELLOW

Number of nodes: 3

Number of data nodes: 3

searchguard index already exists, so we do not need to create one.

INFO: searchguard index state is YELLOW, it seems you miss some replicas

Populate config from /usr/local/elasticsearch/plugins/search-guard-6/sgconfig

Will update 'sg/config' with ./sgconfig/sg_config.yml

   SUCC: Configuration for 'config' created or updated

Will update 'sg/roles' with ./sgconfig/sg_roles.yml

   SUCC: Configuration for 'roles' created or updated

Will update 'sg/rolesmapping' with ./sgconfig/sg_roles_mapping.yml

   SUCC: Configuration for 'rolesmapping' created or updated

Will update 'sg/internalusers' with ./sgconfig/sg_internal_users.yml

   SUCC: Configuration for 'internalusers' created or updated

Will update 'sg/actiongroups' with ./sgconfig/sg_action_groups.yml

   SUCC: Configuration for 'actiongroups' created or updated

Done with success

[es@cluster1_host1 search-guard-6]$ pwd

  

es安全认证search-guard配置的更多相关文章

  1. elasticsearch安装与使用(5)-- search guard安装与配置

    一.安装search guard插件必须要安装两部分: ①search-guard-xx ②search-guard-ssl (XX指的是与elasticsearch引擎对应的版本) github地址 ...

  2. ELK之elasticsearch6安装认证模块search guard

    参考:https://www.cnblogs.com/marility/p/9392645.html 1,安装环境及软件版本 程序 版本 安装方式  elasticsearch  6.3.1  rpm ...

  3. ELK之安装了search guard认证后安装elasticsearch-head

    安装searc guard参考https://www.cnblogs.com/minseo/p/10576126.html 安装elasticsearch-head参考 https://www.cnb ...

  4. Elasticsearch 5.0 安装 Search Guard 5 插件 (五)

    一.Search Guard 简介 Search Guard  是 Elasticsearch 的安全插件.它为后端系统(如LDAP或Kerberos)提供身份验证和授权,并向Elasticsearc ...

  5. Elasticsearch 5.0 安装 Search Guard 5 插件

    一.Search Guard 简介 Search Guard  是 Elasticsearch 的安全插件.它为后端系统(如LDAP或Kerberos)提供身份验证和授权,并向Elasticsearc ...

  6. (转) Elasticsearch 5.0 安装 Search Guard 5 插件

    一.Search Guard 简介 Search Guard  是 Elasticsearch 的安全插件.它为后端系统(如LDAP或Kerberos)提供身份验证和授权,并向Elasticsearc ...

  7. [ElasticSearch]#解决问题#修改Search Guard密码时 报错:ERR: Seems there is no Elasticsearch running on localhost:9300 - Will exit

    问题复现 [root@es2 tools]# ps -ef | grep elasticsearch 9200 22693 1 1 09:31 ? 00:04:54 /usr/bin/java -Xm ...

  8. [ElasticSearch]#Search Guard#sgadmin参数说明

    sgadmin.sh/sgadmin.bat是Elastic Search的开源安全组件Search Guard内的可执行脚本. 在修改SG组件的用户角色.权限.密码时,需使用到此脚本. 在修改完Se ...

  9. elasticsearch 6.x 安装search guard

    前言 es之前版本一直无用户验证功能,不过官方有提供一x-pack,但是问题是付费.在es的6.3.2版本中,已经集成了x-pack,虽然es团队已经对x-pack开源,但是在该版本中如果需要使用到安 ...

  10. 8021x 获取IP信息失败,请检查锐捷认证客户端当前配置是否符合所在网络的要求,检查完毕后尝试重新认证

    早上一起床,登陆锐捷客户端上网,谁知道错问题了.不能联网了,锐捷登陆成功,但是一会儿就提示失败,获取IP信息失败了.下面我描述一下问题原因: 锐捷登陆后有认证提示,和往常正常情况一样的,不过有个小感叹 ...

随机推荐

  1. 高级工程师面试大全- spring篇

    1.spring是什么 Spring是一个轻量级的IoC和AOP容器框架.是为Java应用程序提供基础性服务的一套框架,目的是用于简化企业应用程序的开发,它使得开发者只需要关心业务需求.主要包括以下七 ...

  2. shell脚本中exit命令

    shell脚本中exit命令使用千次阅读 2020-09-30 10:19:54 exit命令用于退出当前shell,在shell脚本中可以终止当前脚本执行. $ exit --help exit: ...

  3. 2023 CCPC 哈尔滨游记

    board zsy 11.3 下了高代课跟教练聊了会,以为差点赶不上飞机了,结果还好.飞机上一直在看<笑傲江湖> 晚上本来想写作业的,还是摆了 拉 zsy 打雀魂,三人麻将到第二天了 11 ...

  4. 从0实现基于Linux socket聊天室-多线程服务器模型-1

    前言 Socket在实际系统程序开发当中,应用非常广泛,也非常重要.实际应用中服务器经常需要支持多个客户端连接,实现高并发服务器模型显得尤为重要.高并发服务器从简单的循环服务器模型处理少量网络并发请求 ...

  5. sublime text _正则表达式01

    概述 sublime 常用正则表达式 预备工作:打开sublime之后,ctrl+h,点选使用正则表达式. (\S+) :匹配所有符号外的字符 用到的地方: 小明 小黄 小红 (构造批量插入sql语句 ...

  6. 解密华为问界M7 Pro:智能出行的全新里程碑与技术亮点

    解读华为问界M7 Pro的智能里程碑 引言 2024年8月,智能出行领域迎来了一个激动人心的时刻--问界M7 Pro的重磅发布.这款智能SUV,不仅是华为在汽车领域的又一次大胆尝试,更是鸿蒙智行系统的 ...

  7. 【YashanDB知识库】开源调度框架Quartz写入Boolean值到YashanDB报错

    问题现象 Quartz 是一个广泛应用于企业级应用中的开源作业调度框架,它主要用于在Java环境中管理和执行任务. 为了任务调度,Quartz的数据模型中使用了大量的布尔值记录任务.流程的各种状态,如 ...

  8. 6.23 Web日志分析&php&自动化工具

    应急响应的目的:保护阶段.分析.复现.修复.建议 分析出攻击时间,攻击操作,攻击结果,安全修复等给出合理方案: 知识点 熟悉常见web安全攻击技术 熟悉日志启用及存储查看 熟悉日志中记录数据库分类及分 ...

  9. react 中获取子组件

    wrappedComponentRef={(form) => this.table = form}

  10. 【解题报告】P8478 「GLR-R3」清明

    P8478 「GLR-R3」清明 参考了出题人题解和 xcyyyyyy 大神的题解,强推前两篇. 拿到题完全没思路怎么办??? 人类智慧的巅峰,思维量的登峰造极. 换句话说就是非人题目,不过不得不说 ...