@adol001
Created May 14, 2016 02:29
# Search Guard 2 installation guide

SG2 is a rewrite of SG1 with substantial changes: the project is split into two parts, Search Guard and Search Guard SSL, and from version 2 onward communication between nodes must use SSL.

Project repositories:

- https://github.com/floragunncom/search-guard/tree/2.2
- https://github.com/floragunncom/search-guard-ssl

I have talked with the SG authors: the key features remain free in the version 2 era, so everyone can use it with confidence.

SG2 improves on version 1 by providing the sgadmin tool for adding users and changing permissions; in the version 1 era this required a cluster restart.

### Installation steps

```bash
bin/plugin install com.floragunn/search-guard-ssl/2.2.0.6
bin/plugin install com.floragunn/search-guard-2/2.2.0.0-alpha2
```

The SG SSL plugin needs the external netty-tcnative component (native OpenSSL support); run:

```bash
ES_BIN_DIR=/home/adol/elasticsearch-2.2.0/bin
ES_PLUGIN_DIR=/home/adol/elasticsearch-2.2.0/plugins

NETTY_NATIVE_VERSION=1.1.33.Fork12
NETTY_NATIVE_CLASSIFIER=linux-x86_64
# Download the netty-tcnative jar matching the version and platform classifier above
wget -O "netty-tcnative-$NETTY_NATIVE_VERSION-$NETTY_NATIVE_CLASSIFIER.jar" \
  "https://search.maven.org/remotecontent?filepath=io/netty/netty-tcnative/$NETTY_NATIVE_VERSION/netty-tcnative-$NETTY_NATIVE_VERSION-$NETTY_NATIVE_CLASSIFIER.jar" > /dev/null 2>&1

echo "Install netty-tcnative for native Openssl support"
cp "netty-tcnative-$NETTY_NATIVE_VERSION-$NETTY_NATIVE_CLASSIFIER.jar" "$ES_PLUGIN_DIR/search-guard-ssl/"
```

Add the following configuration to elasticsearch.yml:

```yaml
security.manager.enabled: false
searchguard.authcz.admin_dn:
  - "CN=kirk,OU=client,O=client,l=Test, C=De"
searchguard.authcz.impersonation_dn:
  "CN=l2,OU=SSL,O=Test,L=Test,C=DE":
    - deal

searchguard.ssl.transport.enabled: true
searchguard.ssl.transport.keystore_type: JKS
searchguard.ssl.transport.keystore_filepath: /home/adol/search-guard-ssl/example-pki-scripts/gt70-keystore.jks
searchguard.ssl.transport.keystore_password: kspass
#searchguard.ssl.transport.enforce_clientauth: true
searchguard.ssl.transport.truststore_type: JKS
searchguard.ssl.transport.truststore_filepath: /home/adol/search-guard-ssl/example-pki-scripts/truststore.jks
searchguard.ssl.transport.truststore_password: tspass
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
```

Compared with version 1 there are some new settings: `searchguard.authcz.admin_dn` declares the certificate DN used by the sgadmin tool, and `searchguard.authcz.impersonation_dn` declares the certificate DN used by the ES Java client (here `l2`) together with the internal users it may impersonate (here `deal`).
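The fragment above turns off several checks for the sake of a lab setup. As an added example (not part of the gist), this small linter reads the flat `key: value` lines of such an elasticsearch.yml and reports the transport-SSL settings a reviewer would want to revisit before production; the sample fragment is constructed from the one above with shortened paths.

```python
"""Lint the transport-SSL settings of a Search Guard 2 elasticsearch.yml.
Added example, not from the gist: flags the lab-convenience settings in the
fragment above. Only flat 'key: value' lines are parsed (the admin_dn and
impersonation_dn blocks are skipped); a commented-out key counts as unset."""
import re

# Constructed sample mirroring the gist's fragment (paths shortened).
SAMPLE_YML = """\
security.manager.enabled: false
searchguard.authcz.admin_dn:
  - "CN=kirk,OU=client,O=client,l=Test, C=De"
searchguard.ssl.transport.enabled: true
searchguard.ssl.transport.keystore_filepath: /etc/es/gt70-keystore.jks
#searchguard.ssl.transport.enforce_clientauth: true
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
"""

FLAT_LINE = re.compile(r"^([A-Za-z0-9_.]+):\s*(\S.*)$")


def parse_flat_yaml(text):
    """Return {key: value} for top-level 'key: value' lines; lists and comments are ignored."""
    settings = {}
    for line in text.splitlines():
        m = FLAT_LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip("\"'").lower()
    return settings


def lint_transport_ssl(settings):
    """Return (key, finding) pairs, in a fixed order, for weak or unset settings."""
    sg = "searchguard.ssl.transport."
    findings = []
    if settings.get(sg + "enabled") != "true":
        findings.append((sg + "enabled", "off: node-to-node traffic is cleartext"))
    if settings.get(sg + "enforce_clientauth") != "true":
        findings.append((sg + "enforce_clientauth",
                         "not set explicitly (commented out); confirm peers must present a certificate"))
    if settings.get(sg + "enforce_hostname_verification") == "false":
        findings.append((sg + "enforce_hostname_verification",
                         "off: any certificate chaining to the truststore is accepted for any host"))
    if settings.get("security.manager.enabled") == "false":
        findings.append(("security.manager.enabled", "Java security manager disabled for the whole node"))
    return findings
```

Running `lint_transport_ssl(parse_flat_yaml(SAMPLE_YML))` on the sample yields three findings; an empty list means every checked setting is explicitly in its strict state.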

Edit example.sh in search-guard-ssl/example-pki-scripts; the complete example.sh is as follows:

```bash
#!/bin/bash
set -e
./clean.sh
./gen_root_ca.sh capass tspass
./gen_node_cert.sh gt70 kspass capass 127.0.0.1
./gen_node_cert.sh l2 kspass capass 127.0.0.1
./gen_client_node_cert.sh kirk kspass capass
./gen_client_node_cert.sh right kspass capass
```

Compared with version 1, generating the SSL files gains one step: gen_client_node_cert.sh, which produces the certificate for the sgadmin tool. Also modify gen_node_cert.sh so that the CN and the IP are configurable:

```bash
         -dname "CN=$NODE_NAME, OU=SSL, O=Test, L=Test, C=DE" \
         -ext san=dns:$NODE_NAME,ip:$IP,oid:1.2.3.4.5.5
```

Run the configured example.sh to generate the SSL files needed by the nodes and by sgadmin, then fill the relevant file paths into the ES configuration file. The SSL files used by the ES Java client and those used by the nodes are both generated by gen_node_cert.sh.

In version 2 the configuration is spread across several files:

- sg_internal_users.yml: user registration
- sg_roles.yml: permission (role) declarations
- sg_roles_mapping.yml: mapping of users to roles
- sg_config.yml: configuration of the security components
- sg_action_groups.yml: aliases for groups of access paths

Creating users:

In version 2, users are configured in sg_internal_users.yml, and the password must be hashed with the hashing tool shipped in the plugin: `hasher.sh -p ok`. After generating the hash, enter it into sg_internal_users.yml in the following format:

```yaml
master:
  hash: $2a$12$mkiUz00LuwvL57Uv5VsyNuwgAcBSBrDOdy3ItuDY.aWfkfpKl1UcO
  #password is: ok
```

Permission (role) declarations:

```yaml
sg_all_access:
  cluster:
    - '*'
  indices:
    '*':
      '*':
        - ALL


sg_error_access:
  cluster:
    - '*'
  indices:
    'index*':
      '*':
        - ALL
```

sg_all_access can reach every accessible path, while sg_error_access can only reach indices whose names start with `index`.

User-to-role mapping:

```yaml
sg_all_access:
  users:
    - master
```

sg_all_access is the role; the entries under users are the users who hold it.
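To see what the two YAML files above grant in combination, here is an added example (not from the gist) that resolves a user's roles through the mapping and glob-matches index names against the role's index patterns, the way sg_roles.yml patterns such as `index*` behave. The roles and the `master` mapping are the page's; the `auditor` user mapped to sg_error_access is a constructed assumption so the restricted case can be exercised, and action groups such as `ALL` are reported by name rather than expanded.

```python
"""Resolve which indices a Search Guard 2 user may reach from sg_roles.yml plus
sg_roles_mapping.yml. Added example, not from the gist: the two roles and the
'master' mapping are the page's; the 'auditor' user mapped to sg_error_access is
a constructed assumption showing the restricted case. Index patterns are
shell-style globs, so fnmatch models them; action groups are not expanded."""
from fnmatch import fnmatchcase

# Constructed data mirroring the gist's YAML: role -> index pattern -> type -> actions.
ROLES = {
    "sg_all_access": {"cluster": ["*"], "indices": {"*": {"*": ["ALL"]}}},
    "sg_error_access": {"cluster": ["*"], "indices": {"index*": {"*": ["ALL"]}}},
}
ROLE_MAPPINGS = {
    "sg_all_access": {"users": ["master"]},
    "sg_error_access": {"users": ["auditor"]},  # assumption, not in the gist
}


def roles_for_user(user, mappings=ROLE_MAPPINGS):
    """Roles whose 'users' list names the user, as sg_roles_mapping.yml does."""
    return sorted(role for role, m in mappings.items() if user in m.get("users", []))


def index_permissions(user, index, roles=ROLES, mappings=ROLE_MAPPINGS):
    """Union of the action groups the user's roles grant on `index` (any type)."""
    granted = set()
    for role in roles_for_user(user, mappings):
        for pattern, types in roles[role].get("indices", {}).items():
            if fnmatchcase(index, pattern):  # glob match, as in sg_roles.yml
                for actions in types.values():
                    granted.update(actions)
    return granted


def reachable_indices(user, index_names, **kw):
    """Least-privilege review: which of the cluster's indices can this user touch?"""
    return sorted(i for i in index_names if index_permissions(user, i, **kw))
```

`reachable_indices("auditor", ["index_2016", "device_mapping"])` returns only `["index_2016"]`, while `master` reaches both; a user absent from every mapping reaches nothing.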

We only need the most basic security component configuration (sg_config.yml):

```yaml
searchguard:
  dynamic:
    http:
      xff:
        enabled: false
    authcz:
      authentication_domain_basic_internal:
        enabled: true
        order: 0
        #roles_only: false
        authentication_backend:
          type: com.floragunn.searchguard.auth.internal.InternalAuthenticationBackend
        authorization_backend:
          type: com.floragunn.searchguard.auth.internal.NoOpAuthorizationBackend
        http_authenticator:
          type: com.floragunn.searchguard.http.HTTPBasicAuthenticator
```

Once everything is configured, write the configuration into the ES cluster (using the kirk keystore, whose DN is listed under `searchguard.authcz.admin_dn`):

```bash
./sgadmin.sh -cd /home/adol/elasticsearch-2.2.0/plugins/search-guard-2/sgconfig \
  -ks /home/adol/search-guard-ssl/example-pki-scripts/kirk-keystore.jks \
  -ts /home/adol/search-guard-ssl/example-pki-scripts/truststore.jks \
  -nhnv -tspass tspass -kspass kspass
```

Done.

Access from the ES Java client

```scala
import java.io.File
import java.net.InetAddress

import com.floragunn.searchguard.ssl.SearchGuardSSLPlugin
import org.apache.log4j.{ConsoleAppender, Level, Logger, PatternLayout}
import org.elasticsearch.client.transport.TransportClient
import org.elasticsearch.common.settings.Settings
import org.elasticsearch.common.transport.InetSocketTransportAddress

/**
 * Created by adol on 15-12-31.
 */
object Try37 {
  def main(args: Array[String]): Unit = {
    // Log the Elasticsearch client at DEBUG so SSL handshake problems are visible
    val console = new ConsoleAppender()
    val pattern = "%d [%p|%c|%C{1}] %m%n"
    console.setLayout(new PatternLayout(pattern))
    console.setThreshold(Level.DEBUG)
    console.activateOptions()

    val log = Logger.getLogger("org.elasticsearch")
    log.addAppender(console)

    // l2 keystore: the client certificate whose DN is listed under
    // searchguard.authcz.impersonation_dn in elasticsearch.yml
    val kf = new File("/home/adol/search-guard-ssl/example-pki-scripts/l2-keystore.jks")
    val tf = new File("/home/adol/search-guard-ssl/example-pki-scripts/truststore.jks")

    val tsettings = Settings
      .settingsBuilder()
      .put("client.transport.sniff", true)
      .put("path.conf", "/home/adol/elasticsearch-2.2.0/plugins/search-guard-2/sgconfig")
      .put("path.home", ".")
      .put("searchguard.ssl.transport.enabled", true)
      .put("searchguard.ssl.transport.keystore_password", "kspass")
      .put("searchguard.ssl.transport.keystore_type", "JKS")
      .put("searchguard.ssl.transport.keystore_filepath", kf.getAbsolutePath)
      .put("searchguard.ssl.transport.truststore_type", "JKS")
      .put("searchguard.ssl.transport.truststore_password", "tspass")
      .put("searchguard.ssl.transport.truststore_filepath", tf.getAbsolutePath)
      .put("searchguard.ssl.transport.enforce_hostname_verification", false)
      .put("searchguard.ssl.transport.resolve_hostname", false)
      .build()

    // The transport client must load the SG SSL plugin to speak TLS on port 9300
    val client = TransportClient.builder()
      .settings(tsettings)
      .addPlugin(classOf[SearchGuardSSLPlugin])
      .build()
    client.addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName("127.0.0.1"), 9300))

    // Act as the internal user "deal": allowed because l2's DN maps to deal in impersonation_dn
    val gr = client.prepareGet("device_mapping", "base", "38cad569cb9b967548eeb75966428830")
    gr.putHeader("sg.impersonate.as", "deal")

    println(gr.get().getSource)
    client.close()
  }
}
```

Access from es-hadoop: set the HTTP basic-auth user and password in the es-hadoop settings:

```scala
    settings.put(ConfigurationOptions.ES_NET_HTTP_AUTH_USER, user)
    settings.put(ConfigurationOptions.ES_NET_HTTP_AUTH_PASS, password)
```

Access from Marvel: add the following to elasticsearch.yml:

```yaml
marvel.agent.exporters:
  id1:
    type: http
    host: ["http://localhost:9200"]
    auth:
      username: master
      password: ok
```

Add the following to kibana.yml:

```yaml
elasticsearch.username: "master"
elasticsearch.password: "ok"
```