This guide uses elasticsearch-2.3.5.
Search Guard author's GitHub: https://github.com/floragunncom
Features: fine-grained access control by group, by user, by index, by type and by field. Very powerful, comparable to Shield!
Install the ES plugins:
bin/plugin install -b com.floragunn/search-guard-ssl/2.3.5.15
bin/plugin install -b com.floragunn/search-guard-2/2.3.5.5
After a successful installation the directory looks like this:
/usr/local/elk/elasticsearch-2.3.5
.
├── bin
├── config
│   └── scripts
├── data
│   └── elasticsearch
├── lib
├── logs
├── modules
│   ├── lang-expression
│   ├── lang-groovy
│   └── reindex
└── plugins
    ├── head
    ├── ik
    ├── kopf
    ├── search-guard-2
    └── search-guard-ssl
Download the searchguard-ssl source package, which contains the scripts that generate the certificates automatically:
wget https://github.com/floragunncom/search-guard-ssl/archive/v2.3.5.15.zip
unzip v2.3.5.15.zip
cd search-guard-ssl-2.3.5.15/example-pki-scripts/
There are three scripts:
gen_client_node_cert.sh creates client certificates
gen_node_cert.sh creates node certificates
gen_root_ca.sh creates the root CA certificate
Modify the scripts:
vim gen_client_node_cert.sh
Find this line: -dname "CN=$CLIENT_NAME, OU=client, O=client, L=Test, C=DE"
Change it to: -dname "CN=$CLIENT_NAME"
vim gen_node_cert.sh
Find this line: -dname "CN=$NODE_NAME.example.com, OU=SSL, O=Test, L=Test, C=DE" \
Change it to: -dname "CN=$NODE_NAME" \
Edit the script example.sh (vim example.sh) so it reads:
#!/bin/bash
set -e
./clean.sh
./gen_root_ca.sh password password
./gen_node_cert.sh node-0 password password
./gen_node_cert.sh node-1 password password
./gen_client_node_cert.sh admin password password
cp truststore.jks node-0-keystore.jks /usr/local/elk/elasticsearch-2.3.5/config/
cp truststore.jks admin-keystore.jks /usr/local/elk/elasticsearch-2.3.5/plugins/search-guard-2/sgconfig/
At this point the following files are generated in the current directory:
node-0-keystore.jks
node-1-keystore.jks
admin-keystore.jks
truststore.jks
The script above only copies the files needed by the node-0 node; the node-1 node needs the same treatment.
Next, configure ES's config/elasticsearch.yml:
#############################################################################################
# SEARCH GUARD #
# Configuration #
#############################################################################################
searchguard.enable: true
searchguard.authcz.admin_dn:
- CN=admin
#############################################################################################
# SEARCH GUARD SSL #
# Configuration #
#############################################################################################
#############################################################################################
# Transport layer SSL #
# #
#############################################################################################
# Enable or disable node-to-node ssl encryption (default: true)
searchguard.ssl.transport.enabled: true
# JKS or PKCS12 (default: JKS)
#searchguard.ssl.transport.keystore_type: PKCS12
# Relative path to the keystore file (mandatory, this stores the server certificates), must be placed under the config/ dir
searchguard.ssl.transport.keystore_filepath: node-0-keystore.jks
# Alias name (default: first alias which could be found)
#searchguard.ssl.transport.keystore_alias: my_alias
# Keystore password (default: changeit)
searchguard.ssl.transport.keystore_password: password
# JKS or PKCS12 (default: JKS)
#searchguard.ssl.transport.truststore_type: PKCS12
# Relative path to the truststore file (mandatory, this stores the client/root certificates), must be placed under the config/ dir
searchguard.ssl.transport.truststore_filepath: truststore.jks
# Alias name (default: first alias which could be found)
#searchguard.ssl.transport.truststore_alias: my_alias
# Truststore password (default: changeit)
searchguard.ssl.transport.truststore_password: password
# Enforce hostname verification (default: true)
searchguard.ssl.transport.enforce_hostname_verification: false
# If hostname verification specify if hostname should be resolved (default: true)
searchguard.ssl.transport.resolve_hostname: false
# Use native Open SSL instead of JDK SSL if available (default: true)
searchguard.ssl.transport.enable_openssl_if_available: false
Start the ES cluster and run sgadmin:
./plugins/search-guard-2/tools/sgadmin.sh -cn <cluster-name> -h hostname -cd plugins/search-guard-2/sgconfig -ks plugins/search-guard-2/sgconfig/admin-keystore.jks -kspass password -ts plugins/search-guard-2/sgconfig/truststore.jks -tspass password -nhnv
hostname: the value set for network.host
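Before running sgadmin it is worth checking that elasticsearch.yml is consistent with the certificates generated above: admin_dn must match the CN-only DN that the modified gen_client_node_cert.sh produces, and the example keystore password and the disabled hostname verification in the config above are settings a reviewer would flag. The checker below is an added example, not code from the post or from Search Guard; it understands only the flat key: value lines and the admin_dn list shown above, not general YAML, and the sample text inside it is constructed from the configuration above.

```python
# Added example (not from the original post or Search Guard): pre-flight check of the
# Search Guard settings in elasticsearch.yml, limited to the flat subset used in the post.

# Constructed sample: the elasticsearch.yml fragment from the post, comments removed.
SAMPLE_YML = """\
searchguard.enable: true
searchguard.authcz.admin_dn:
  - CN=admin
searchguard.ssl.transport.enabled: true
searchguard.ssl.transport.keystore_filepath: node-0-keystore.jks
searchguard.ssl.transport.keystore_password: password
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: password
searchguard.ssl.transport.enforce_hostname_verification: false
"""

def parse_settings(text):
    """Return (scalars, lists): scalar settings and list-valued ones such as admin_dn."""
    scalars, lists, current = {}, {}, None
    for raw in text.splitlines():
        stripped = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not stripped:
            continue
        if stripped.startswith("- "):               # item of the list opened by `key:`
            if current is not None:
                lists.setdefault(current, []).append(stripped[2:].strip())
            continue
        key, _, val = (s.strip() for s in stripped.partition(":"))
        if val:
            scalars[key] = val
            current = None
        else:
            current = key                           # `key:` with no value opens a list
    return scalars, lists

def audit(text, admin_cert_dn="CN=admin", example_passwords=("changeit", "password")):
    """Return a list of findings; an empty list means every check passed."""
    scalars, lists = parse_settings(text)
    p, findings = "searchguard.ssl.transport.", []
    if scalars.get(p + "enabled") != "true":
        findings.append("transport SSL disabled: node-to-node traffic is unencrypted")
    # sgadmin authenticates with admin-keystore.jks; its DN must match admin_dn exactly.
    if admin_cert_dn not in lists.get("searchguard.authcz.admin_dn", []):
        findings.append("admin_dn does not contain the admin certificate DN %r" % admin_cert_dn)
    for store in ("keystore", "truststore"):
        if scalars.get(p + store + "_password", "changeit") in example_passwords:
            findings.append(store + "_password is the default or the example value")
    if scalars.get(p + "enforce_hostname_verification") == "false":
        findings.append("hostname verification disabled: any CA-signed node cert is accepted for any host")
    return findings
```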
The script's output is as follows:
Will connect to YourIP:9300 ... done
Contacting elasticsearch cluster 'YourCluster' and wait for YELLOW clusterstate ...
Clustername: YourCluster
Clusterstate: GREEN
Number of nodes: 4
Number of data nodes: 4
Search Guard index already exists, so we do not need to create one.
Populate config from /usr/local/elk/elasticsearch-2.3.5/plugins/search-guard-2/sgconfig
Will update 'config' with plugins/search-guard-2/sgconfig/sg_config.yml
SUCC: Configuration for 'config' created or updated
Will update 'roles' with plugins/search-guard-2/sgconfig/sg_roles.yml
SUCC: Configuration for 'roles' created or updated
Will update 'rolesmapping' with plugins/search-guard-2/sgconfig/sg_roles_mapping.yml
SUCC: Configuration for 'rolesmapping' created or updated
Will update 'internalusers' with plugins/search-guard-2/sgconfig/sg_internal_users.yml
SUCC: Configuration for 'internalusers' created or updated
Will update 'actiongroups' with plugins/search-guard-2/sgconfig/sg_action_groups.yml
SUCC: Configuration for 'actiongroups' created or updated
Done with success
After that, when accessing ES, just enter the username and password.