Search Guard 2 (sg2) is a rewrite of Search Guard 1 with substantial changes: the project is split into two parts, search-guard and search-guard-ssl, and from version 2 on the transport layer (node-to-node traffic) must use SSL/TLS.
Project addresses:
https://github.com/floragunncom/search-guard/tree/2.2
https://github.com/floragunncom/search-guard-ssl
I have talked with the sg author: the key features remain free in the 2.x era, so everyone can use it with confidence.
Compared with 1, sg2 is a step forward: it ships the sgadmin tool for adding users and changing permissions, whereas in the 1.x era that required a cluster restart.
### Installation steps ###
bin/plugin install com.floragunn/search-guard-ssl/2.2.0.6
bin/plugin install com.floragunn/search-guard-2/2.2.0.0-alpha2
The sg ssl plugin needs the external netty-tcnative component for native OpenSSL support. Run the following (note that the wget line discards all of its output, so a failed download goes unnoticed; check that the jar actually exists before the cp step):
ES_BIN_DIR=/home/adol/elasticsearch-2.2.0/bin
ES_PLUGIN_DIR=/home/adol/elasticsearch-2.2.0/plugins
NETTY_NATIVE_VERSION=1.1.33.Fork12
NETTY_NATIVE_CLASSIFIER=linux-x86_64
wget -O netty-tcnative-$NETTY_NATIVE_VERSION-$NETTY_NATIVE_CLASSIFIER.jar https://search.maven.org/remotecontent?filepath=io/netty/netty-tcnative/$NETTY_NATIVE_VERSION/netty-tcnative-$NETTY_NATIVE_VERSION-$NETTY_NATIVE_CLASSIFIER.jar > /dev/null 2>&1
echo "Install netty-tcnative for native Openssl support"
cp netty-tcnative-$NETTY_NATIVE_VERSION-$NETTY_NATIVE_CLASSIFIER.jar $ES_PLUGIN_DIR/search-guard-ssl/
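The wget line above hides every error, and nothing checks that the native library dropped into the plugin directory is the artifact that Maven Central actually serves. As an added example (not code from the post or from the Search Guard project), the Python script below fetches the same jar and refuses to install it unless it matches the .sha1 file that Maven Central publishes next to every artifact; the repo1.maven.org URL form and the plugin path are assumptions carried over from the page.

```python
# Added example, not from the original post or the Search Guard project: download
# netty-tcnative and verify it against the .sha1 Maven Central publishes next to
# every artifact before copying it into the plugin directory.  The repo1 URL form
# and the plugin path are assumptions taken from the page.
import hashlib
import os
import shutil
import urllib.request

NETTY_NATIVE_VERSION = "1.1.33.Fork12"
NETTY_NATIVE_CLASSIFIER = "linux-x86_64"
ES_PLUGIN_DIR = "/home/adol/elasticsearch-2.2.0/plugins"   # path used on the page (assumed)
JAR = "netty-tcnative-%s-%s.jar" % (NETTY_NATIVE_VERSION, NETTY_NATIVE_CLASSIFIER)
BASE = "https://repo1.maven.org/maven2/io/netty/netty-tcnative/%s/" % NETTY_NATIVE_VERSION


def sha1_of_file(path):
    """Hex SHA-1 of a file, read in chunks so a large jar never sits in memory at once."""
    digest = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_maven_sha1(text):
    """A Maven .sha1 file holds the hex digest, sometimes followed by a file name."""
    parts = text.strip().split()
    return parts[0].lower() if parts else ""


def verify_sha1(path, expected_text):
    """True only when the file's digest equals the digest given in expected_text."""
    return sha1_of_file(path) == parse_maven_sha1(expected_text)


def fetch(url, dest):
    """urlopen raises HTTPError on 4xx/5xx, so an error page can never be saved as the jar."""
    with urllib.request.urlopen(url, timeout=30) as resp, open(dest, "wb") as out:
        shutil.copyfileobj(resp, out)


def install_tcnative(plugin_dir=ES_PLUGIN_DIR):
    """Fetch jar and digest, fail closed on a mismatch, copy into search-guard-ssl/ on success."""
    fetch(BASE + JAR, JAR)
    fetch(BASE + JAR + ".sha1", JAR + ".sha1")
    with open(JAR + ".sha1") as f:
        expected = f.read()
    if not verify_sha1(JAR, expected):
        os.remove(JAR)
        raise SystemExit("SHA-1 mismatch for %s, refusing to install" % JAR)
    shutil.copy(JAR, os.path.join(plugin_dir, "search-guard-ssl", JAR))
    return True


if __name__ == "__main__":
    install_tcnative()
```

A digest fetched from the same server as the jar only catches truncated or corrupted downloads, not a compromised repository or mirror; for that, pin the expected digest in the script itself and compare against the pinned value instead of the downloaded .sha1.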
Add the following to elasticsearch.yml:
security.manager.enabled: false
searchguard.authcz.admin_dn:
  - "CN=kirk,OU=client,O=client,l=Test, C=De"
searchguard.authcz.impersonation_dn:
  "CN=l2,OU=SSL,O=Test,L=Test,C=DE":
    - deal
searchguard.ssl.transport.enabled: true
searchguard.ssl.transport.keystore_type: JKS
searchguard.ssl.transport.keystore_filepath: /home/adol/search-guard-ssl/example-pki-scripts/gt70-keystore.jks
searchguard.ssl.transport.keystore_password: kspass
#searchguard.ssl.transport.enforce_clientauth: true
searchguard.ssl.transport.truststore_type: JKS
searchguard.ssl.transport.truststore_filepath: /home/adol/search-guard-ssl/example-pki-scripts/truststore.jks
searchguard.ssl.transport.truststore_password: tspass
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
Compared with 1 there are some new items. searchguard.authcz.admin_dn lists the certificate DNs that the sgadmin tool may use; whoever holds a keystore with a matching DN (kirk-keystore.jks here) can rewrite the whole security configuration, so protect that file like a root credential. searchguard.authcz.impersonation_dn maps the certificate DN used by the es java client to the internal users it may impersonate; with the entry above, anyone holding the l2 keystore can act as deal without knowing deal's password. Note also that this lab configuration sets enforce_hostname_verification: false (any certificate signed by the CA in the truststore is accepted, whatever name or IP is in its SAN) and security.manager.enabled: false (the Java security manager sandbox is switched off); both are acceptable for a test cluster but should be reconsidered before production.
Edit example.sh in search-guard-ssl/example-pki-scripts; the complete example.sh is as follows:
#!/bin/bash
set -e
./clean.sh
./gen_root_ca.sh capass tspass
./gen_node_cert.sh gt70 kspass capass 127.0.0.1
./gen_node_cert.sh l2 kspass capass 127.0.0.1
./gen_client_node_cert.sh kirk kspass capass
./gen_client_node_cert.sh right kspass capass
Compared with generation 1, the certificate generation gains one step, gen_client_node_cert.sh, which produces the client certificate the sgadmin tool uses. Also modify gen_node_cert.sh so that the CN and the IP in the SAN are configurable (the fourth argument above):
-dname "CN=$NODE_NAME, OU=SSL, O=Test, L=Test, C=DE" \
-ext san=dns:$NODE_NAME,ip:$IP,oid:1.2.3.4.5.5
Run the configured example.sh to generate the keystores for the nodes and for sgadmin, then put the resulting file paths into the es configuration. The keystore used by the es java client (l2) is produced by gen_node_cert.sh, just like the node keystore (gt70).
The generation-2 configuration is spread over several files:
sg_internal_users.yml: user accounts (name and password hash)
sg_roles.yml: permission declarations (roles)
sg_roles_mapping.yml: mapping of users to roles
sg_config.yml: configuration of the security components (authenticators and backends)
sg_action_groups.yml: named groups of actions that roles can reference instead of listing raw action names
User creation:
In generation 2, users are configured in sg_internal_users.yml, and the password must first be hashed with the plugin's hashing tool: hasher.sh -p ok. Put the generated hash into sg_internal_users.yml in the following format (the plaintext is kept in a comment here only because this is a lab setup; do not do that in a real deployment):
master:
  hash: $2a$12$mkiUz00LuwvL57Uv5VsyNuwgAcBSBrDOdy3ItuDY.aWfkfpKl1UcO
  #password is: ok
Permission declarations:
sg_all_access:
  cluster:
    - '*'
  indices:
    '*':
      '*':
        - ALL
sg_error_access:
  cluster:
    - '*'
  indices:
    'index*':
      '*':
        - ALL
sg_all_access may perform every cluster action and every index action (the ALL group) on every index and type, while sg_error_access has the same cluster rights but its index permissions only cover indices whose names start with index. The second-level '*' is the document type pattern (ES 2.x types), and ALL is an action group.
User-to-role mapping:
sg_all_access:
  users:
    - master
sg_all_access is the role; the users listed under users hold it.
We only need the most basic security component configuration:
searchguard:
  dynamic:
    http:
      xff:
        enabled: false
    authcz:
      authentication_domain_basic_internal:
        enabled: true
        order: 0
        #roles_only: false
        authentication_backend:
          type: com.floragunn.searchguard.auth.internal.InternalAuthenticationBackend
        authorization_backend:
          type: com.floragunn.searchguard.auth.internal.NoOpAuthorizationBackend
        http_authenticator:
          type: com.floragunn.searchguard.http.HTTPBasicAuthenticator
With the configuration in place, write it into the es cluster (-cd is the sgconfig directory, -ks/-ts are the kirk keystore and the truststore, and -nhnv disables hostname verification for sgadmin's own TLS connection, matching the node setting above). Only a certificate whose DN appears in searchguard.authcz.admin_dn is accepted here:
./sgadmin.sh -cd /home/adol/elasticsearch-2.2.0/plugins/search-guard-2/sgconfig -ks /home/adol/search-guard-ssl/example-pki-scripts/kirk-keystore.jks -ts /home/adol/search-guard-ssl/example-pki-scripts/truststore.jks -nhnv -tspass tspass -kspass kspass
Done.
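As an added example (not code from the post or from Search Guard itself), the following Python models the decision chain that the files above set up: sg_internal_users.yml, sg_roles.yml and sg_roles_mapping.yml as pushed by sgadmin, the searchguard.authcz.impersonation_dn entry from elasticsearch.yml that decides which certificate DN may send the sg.impersonate.as header, and the role's index patterns that decide what the effective user may touch. It also lints the files the way you would want to before running sgadmin.sh, since a mapping to a missing user, or a plaintext where a hash should be, is otherwise only discovered at request time. The user deal, its hash (reused from the page) and its sg_error_access mapping are assumptions added so that the impersonation path resolves to something; everything else mirrors the page's YAML.

```python
# Added example, not part of the original post or of Search Guard: a small model of
# the authorization chain the sgconfig files above set up, plus a pre-flight lint to
# run before sgadmin.sh uploads them.  The dictionaries mirror the page's YAML; the
# user "deal" (hash reused from the page) and its sg_error_access mapping are
# assumptions added so the impersonation path can be exercised.
import base64
import fnmatch
import re

# sg_internal_users.yml: user -> bcrypt hash produced by hasher.sh
INTERNAL_USERS = {
    "master": {"hash": "$2a$12$mkiUz00LuwvL57Uv5VsyNuwgAcBSBrDOdy3ItuDY.aWfkfpKl1UcO"},
    "deal": {"hash": "$2a$12$mkiUz00LuwvL57Uv5VsyNuwgAcBSBrDOdy3ItuDY.aWfkfpKl1UcO"},  # assumed
}
# sg_roles.yml: role -> cluster actions, and index pattern -> type pattern -> actions
ROLES = {
    "sg_all_access": {"cluster": ["*"], "indices": {"*": {"*": ["ALL"]}}},
    "sg_error_access": {"cluster": ["*"], "indices": {"index*": {"*": ["ALL"]}}},
}
# sg_roles_mapping.yml: role -> users holding it
ROLES_MAPPING = {
    "sg_all_access": {"users": ["master"]},
    "sg_error_access": {"users": ["deal"]},  # assumed
}
# elasticsearch.yml searchguard.authcz.impersonation_dn: certificate DN -> users it may become
IMPERSONATION_DN = {"CN=l2,OU=SSL,O=Test,L=Test,C=DE": ["deal"]}

BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")


def is_bcrypt_hash(value):
    """True if value has the shape hasher.sh emits; catches a plaintext password pasted by mistake."""
    return bool(BCRYPT_RE.match(value or ""))


def lint_config():
    """Names that dangle between the files, and hashes that are not bcrypt; an empty list means clean."""
    problems = []
    for user, entry in INTERNAL_USERS.items():
        if not is_bcrypt_hash(entry.get("hash")):
            problems.append("user %s: hash is not a bcrypt string" % user)
    for role, mapping in ROLES_MAPPING.items():
        if role not in ROLES:
            problems.append("mapping %s: role not declared in sg_roles.yml" % role)
        for user in mapping.get("users", []):
            if user not in INTERNAL_USERS:
                problems.append("mapping %s: unknown user %s" % (role, user))
    for dn, users in IMPERSONATION_DN.items():
        for user in users:
            if user not in INTERNAL_USERS:
                problems.append("impersonation_dn %s: unknown user %s" % (dn, user))
    return problems


def parse_basic_auth(header):
    """(user, password) from an 'Authorization: Basic ...' value; the credential is base64, not encrypted."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, password


def effective_user(peer_dn=None, impersonate_as=None, auth_user=None):
    """User a request acts as.  A transport client is identified by its certificate DN and may send
    sg.impersonate.as; the switch is honoured only if impersonation_dn lists that user for that DN."""
    if impersonate_as is None:
        return auth_user
    if impersonate_as in IMPERSONATION_DN.get(peer_dn, []):
        return impersonate_as
    return None  # header sent by a DN that is not entitled: reject, do not fall back


def roles_for(user):
    return sorted(r for r, m in ROLES_MAPPING.items() if user in m.get("users", []))


def is_allowed(user, index, doc_type="_all", action="indices:data/read/get"):
    """Index-level decision: some role of the user must match index and type and grant ALL or the action.
    Simplified: only the ALL group is expanded; other action groups are treated as literal names."""
    for role in roles_for(user):
        for index_pattern, types in ROLES[role].get("indices", {}).items():
            if not fnmatch.fnmatchcase(index, index_pattern):
                continue
            for type_pattern, actions in types.items():
                if fnmatch.fnmatchcase(doc_type, type_pattern) and ("ALL" in actions or action in actions):
                    return True
    return False


if __name__ == "__main__":
    print(lint_config() or "sgconfig consistent")
    l2 = "CN=l2,OU=SSL,O=Test,L=Test,C=DE"
    kirk = "CN=kirk,OU=client,O=client,l=Test, C=De"
    print(effective_user(l2, "deal"), effective_user(kirk, "deal"))
    print(is_allowed("master", "device_mapping"), is_allowed("deal", "device_mapping"), is_allowed("deal", "index-1"))
```

The kirk certificate is an admin_dn, not an impersonation_dn, so effective_user rejects its impersonation request rather than silently letting it run as the certificate's own identity; that fail-closed choice is the behaviour you want from anything in front of the cluster.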
es java client access
import java.io.File
import java.net.InetAddress
import com.floragunn.searchguard.ssl.SearchGuardSSLPlugin
import org.apache.log4j.{ConsoleAppender, Level, Logger, PatternLayout}
import org.elasticsearch.client.transport.TransportClient
import org.elasticsearch.common.settings.Settings
import org.elasticsearch.common.transport.InetSocketTransportAddress
/**
 * Created by adol on 15-12-31.
 */
object Try37 {
  def main(args: Array[String]): Unit = {
    // Send org.elasticsearch DEBUG logging to the console so TLS handshake failures are visible
    val console = new ConsoleAppender()
    val pattern = "%d [%p|%c|%C{1}] %m%n"
    console.setLayout(new PatternLayout(pattern))
    console.setThreshold(Level.DEBUG)
    console.activateOptions()
    val log = Logger.getLogger("org.elasticsearch")
    log.addAppender(console)
    // l2-keystore.jks comes from gen_node_cert.sh; its DN is the one listed under
    // searchguard.authcz.impersonation_dn, which is what entitles this client to act as "deal"
    val kf = new File("/home/adol/search-guard-ssl/example-pki-scripts/l2-keystore.jks")
    val tf = new File("/home/adol/search-guard-ssl/example-pki-scripts/truststore.jks")
    //println(kf.canRead)
    //println(tf.canRead)
    // Same searchguard.ssl.transport.* keys as in elasticsearch.yml, pointed at the client's own keystore
    val tsettings = Settings
      .settingsBuilder()
      .put("client.transport.sniff", true)
      .put("path.conf", "/home/adol/elasticsearch-2.2.0/plugins/search-guard-2/sgconfig")
      .put("path.home", ".")
      .put("searchguard.ssl.transport.enabled", true)
      .put("searchguard.ssl.transport.keystore_password", "kspass")
      .put("searchguard.ssl.transport.keystore_type", "JKS")
      .put("searchguard.ssl.transport.keystore_filepath", kf)
      .put("searchguard.ssl.transport.truststore_type", "JKS")
      .put("searchguard.ssl.transport.truststore_password", "tspass")
      .put("searchguard.ssl.transport.truststore_filepath", tf)
      .put("searchguard.ssl.transport.enforce_hostname_verification", false)
      .put("searchguard.ssl.transport.resolve_hostname", false)
      .build()
    // The SSL plugin has to be registered on the client as well; port 9300 only speaks TLS now
    val client = TransportClient.builder().settings(tsettings).addPlugin(classOf[SearchGuardSSLPlugin]).build()
    client.addTransportAddress(new InetSocketTransportAddress(InetAddress.getByAddress(Array(127, 0, 0, 1).map(_.toByte)), 9300))
    val gr = client.prepareGet("device_mapping", "base", "38cad569cb9b967548eeb75966428830")
    // Act as the internal user "deal"; honoured only because the certificate DN is mapped to it
    gr.putHeader("sg.impersonate.as", "deal")
    println(gr.get().getSource)
    client.close()
  }
}
es-hadoop access (es-hadoop goes through the HTTP port, so it authenticates with a basic-auth user from sg_internal_users.yml):
settings.put(ConfigurationOptions.ES_NET_HTTP_AUTH_USER, user)
settings.put(ConfigurationOptions.ES_NET_HTTP_AUTH_PASS, password)
Marvel access: add to elasticsearch.yml
marvel.agent.exporters:
  id1:
    type: http
    host: ["http://localhost:9200"]
    auth:
      username: master
      password: ok
Add to kibana.yml (note that these credentials travel over plain HTTP to localhost:9200, because the elasticsearch.yml above only enables SSL on the transport layer; enable searchguard.ssl.http.* as well before exposing the HTTP port beyond localhost):
elasticsearch.username: "master"
elasticsearch.password: "ok"