I spent a long time wrestling with X-Pack security authentication on Elasticsearch 7.2 and ran into all kinds of errors, most of which I never wrote down. New features come with plenty of pitfalls, and only after getting it all working did I see how the pieces fit together. What follows is just my own study notes; without further ado, on to the main text.

#### Overview

**Why authenticate an ES cluster**

A default Elasticsearch installation provides no security protection of any kind. In production, a misconfigured `network.host` can make the cluster reachable from the public internet, leaving ES running completely exposed. So, of course, all of this is done for security's sake.

**Some free options found online**

- Put an Nginx reverse proxy in front; see my [previous post](https://erica.kkwen.cn/admin/write-post.php?cid=231 "previous post"). Personally, though, I don't think this approach suits a multi-node ES cluster.
- Install a free security plugin. I have not actually tried these myself, so I won't say much; a few links for reference:
  Search Guard: https://search-guard.com/
  ReadOnly REST: https://github.com/sscarduzio/elasticsearch-readonlyrest-plugin and https://deepmind.t-salon.cc/article/1780
- The Basic tier of X-Pack, which is today's topic. Since 21 May 2019, starting with ES 7.x, some basic security features such as Security have been free. For a comparison of the tiers see:
  https://www.elastic.co/cn/subscriptions
  https://www.elastic.co/cn/what-is/elastic-stack-security

**Authentication**

Common authentication methods include supplying a username and password, or supplying a key. X-Pack authenticates through realms: the built-in realms are free and store usernames and passwords inside ES itself, while the external realms are paid features.

**RBAC: Role-based access control**

**RBAC** means role-based access control: define roles, assign privileges to them, and assign roles to users, building a "user - role - privilege" authorization model through which users obtain their privileges.

```
User        The authenticated User
Role        A named set of permissions
Group       One or more groups to which a user belongs
Permission  A set of one or more privileges against a secured resource
Privilege   A named group of 1 or more actions that a user may execute against a secured resource

Cluster privileges (https://www.elastic.co/guide/en/elastic-stack-overview/7.2/security-privileges.html#privileges-list-cluster)
    all / monitor / manage / manage_index / manage_index_template / manage_rollup
Indices privileges (https://www.elastic.co/guide/en/elastic-stack-overview/7.2/security-privileges.html#privileges-list-indices)
    all / create / create_index / delete / delete_index / index / manage / read / write / view_index_metadata
```

**Built-in users and roles**

| User | Role |
| ---------------------- | ------------------------------------------------------------ |
| elastic | Super user |
| kibana | The user that is used by Kibana to connect and communicate with Elasticsearch. |
| logstash_system | The user that is used by Logstash when storing monitoring information in Elasticsearch. |
| beats_system | The user that the different Beats use when storing monitoring information in Elasticsearch. |
| apm_system | The user that the APM server uses when storing monitoring information in Elasticsearch. |
| remote_monitoring_user | The user that is used by Metricbeat when collecting and storing monitoring information in Elasticsearch |

**Security API**

Security API documentation: https://www.elastic.co/guide/en/elasticsearch/reference/7.2/security-api-put-user.html

- **Create a user**

```
POST /_security/user/jacknich
{
  "password" : "j@rV1s",
  "roles" : [ "admin", "other_role1" ],
  "full_name" : "Jack Nicholson",
  "email" : "jacknich@example.com",
  "metadata" : {
    "intelligence" : 7
  }
}
```

#### Configuring X-Pack TLS and authentication

**Official documentation**: https://www.elastic.co/cn/blog/getting-started-with-elasticsearch-security

#### **Environment**

```
docker version: 18.09.7
docker-compose version: 1.24.1
CentOS: 7.6.1810
Elasticsearch cluster IPs:
    master 192.168.0.3
    slave  192.168.0.4
```

**master node 192.168.0.3**

Because every node needs the same certificate, one approach is to first build a base image A with the certificate already generated, and then carry out the remaining steps on top of image A. I chose instead to mount the certificate out of the container and upload it to the slave node, which is a bit clumsy; if you have a better way, please share it with me.

- Create the `certs` directory with 777 permissions; it will be mounted into the container

```
[root@7a /data/elk/es7-master]# mkdir certs && chmod -R 777 certs
```

- Create the data volume directories and give them 777 permissions

```
[root@7a /data/elk/es7-master]# mkdir -p /data/els/{data,logs}
[root@7a /data/elk/es7-master]# chmod -R 777 /data/els
```

- Directory layout

```
├── certs
│   └── elastic-certificates.p12
├── config
│   └── elasticsearch.yml
└── docker-compose.yml
```

- elasticsearch.yml

```
cluster.name: myels
node.name: master
node.master: true
node.data: true
network.host: 0.0.0.0
network.publish_host: 192.168.0.3
http.port: 9200
transport.tcp.port: 9300
discovery.seed_hosts:
  - 192.168.0.4:9301
cluster.initial_master_nodes:
  - master
path.data: /usr/share/elasticsearch/data
path.logs: /usr/share/elasticsearch/logs
http.cors.enabled: true
http.cors.allow-origin: "*"
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
```

- docker-compose.yml

```
version: '3'
services:
  es:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.2.0
    container_name: master
    environment:
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    user: elasticsearch
    command:
      - /bin/sh
      - -c
      - |
        /usr/share/elasticsearch/bin/elasticsearch-certutil cert -out /usr/share/elasticsearch/config/certs/elastic-certificates.p12 -pass ""
        elasticsearch
    volumes:
      - /data/els/data:/usr/share/elasticsearch/data
      - /data/els/logs:/usr/share/elasticsearch/logs
      - ./config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - /etc/localtime:/etc/localtime
      - ./certs/:/usr/share/elasticsearch/config/certs/
    ports:
      - 9200:9200
      - 9300:9300
```

- Start

```
[root@7a /data/elk/es7-master]# docker-compose up -d
```

- Upload elastic-certificates.p12 from the certs directory to the 192.168.0.4 machine

```
[root@7a /data/elk/es7-master]# scp certs/elastic-certificates.p12 root@192.168.0.4:/data/elk/es7-slave
```

- Create the cluster passwords: enter the container and run

```
[root@7a /data/elk/es7-master]# docker exec -it master /bin/bash
$ bin/elasticsearch-setup-passwords auto         # generate the passwords automatically
or
$ bin/elasticsearch-setup-passwords interactive  # set the passwords by hand
```

**slave node 192.168.0.4**

- Directory layout

```
├── certs
│   └── elastic-certificates.p12
├── config
│   └── elasticsearch.yml
└── docker-compose.yml
```

- Create the `certs` directory with 777 permissions; it will be mounted into the container

```
[root@7b /data/elk/es7-master]# mkdir certs
[root@7b /data/elk/es7-master]# mv elastic-certificates.p12 certs
[root@7b /data/elk/es7-master]# chmod -R 777 certs
```

- Create the data volume directories and give them 777 permissions

```
[root@7b /data/elk/es7-master]# mkdir -p /data/els/{data,logs}
[root@7b /data/elk/es7-master]# chmod -R 777 /data/els
```

- elasticsearch.yml

```
cluster.name: "myels"
node.name: "slave"
node.master: false
node.data: true
network.host: 0.0.0.0
http.port: 9201
transport.tcp.port: 9301
network.publish_host: 192.168.0.4
path.data: /usr/share/elasticsearch/data
path.logs: /usr/share/elasticsearch/logs
# Note: this file uses 9301 as the transport port, so when listing the
# 192.168.0.3 machine in discovery.seed_hosts below, port 9300 must be given
# explicitly; otherwise 9301 is assumed and the master node cannot be discovered
discovery.seed_hosts: ["192.168.0.3:9300"]
cluster.initial_master_nodes:
  - master
http.cors.enabled: true
http.cors.allow-origin: "*"
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
```

- docker-compose.yml

```
version: '3'
services:
  es:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.2.0
    container_name: slave
    environment:
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    volumes:
      - /data/els/data:/usr/share/elasticsearch/data
      - /data/els/logs:/usr/share/elasticsearch/logs
      - ./config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./certs/:/usr/share/elasticsearch/config/certs/
    ports:
      - 9201:9201
      - 9301:9301
```

- Start it

```
[root@7b /data/elk/es7-master]# docker-compose up -d
```

#### Appendix: Dockerfile

The setup above adds no ES plugins (analyzers and the like). To add plugins, either mount them in or use a Dockerfile. Below is a Dockerfile that enables X-Pack directly; adjust it as needed.

```
FROM elasticsearch:7.2.0
LABEL maintainer="Erica"
ENV LANG C.UTF-8
ENV TIMEZONE Asia/Shanghai
ADD ./config/elasticsearch.yml /usr/share/elasticsearch/config/elasticsearch.yml
ADD plugins /usr/share/elasticsearch/plugins
RUN ln -snf /usr/share/zoneinfo/$TIMEZONE /etc/localtime && echo $TIMEZONE > /etc/timezone
USER elasticsearch
RUN mkdir /usr/share/elasticsearch/config/certs/ && /usr/share/elasticsearch/bin/elasticsearch-certutil cert -out /usr/share/elasticsearch/config/certs/elastic-certificates.p12 -pass ""
EXPOSE 9100 9200 9300
CMD ["elasticsearch"]
```

#### References

```
https://www.elastic.co/cn/blog/getting-started-with-elasticsearch-security
https://www.elastic.co/guide/en/elasticsearch/reference/7.2/security-api-put-user.html
https://www.elastic.co/guide/en/elastic-stack-overview/7.2/authorization.html
https://www.elastic.co/guide/en/elasticsearch/reference/7.2/security-api.html
https://github.com/sscarduzio/elasticsearch-readonlyrest-plugin
https://deepmind.t-salon.cc/article/1780
https://www.elastic.co/cn/subscriptions
https://www.elastic.co/cn/what-is/elastic-stack-security
```

Last modified: 6 September 2019, 02:27 PM. © Copyright belongs to the author.
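The "user - role - privilege" model from the RBAC section and the Security API request shapes, worked through as an added Python example; this is not code from the original post or from Elastic. The role names (`logs_reader`, `logs_writer`), the index pattern `logs-*`, the user names and the password are constructed for illustration, and `check_access()` is a simplified local model of how index privileges are evaluated, not the Elasticsearch implementation.

```python
"""Added example: a local model of X-Pack RBAC (user -> roles -> index privileges)
plus the Security API bodies for creating a least-privilege role and user.
Names, patterns and passwords below are constructed for illustration."""
import fnmatch
import json

# Simplified approximation of which index privileges imply which others
# ("all" grants everything; "write" covers indexing, creating and deleting documents).
INDEX_PRIVILEGE_IMPLIES = {
    "all": {"create", "create_index", "delete", "delete_index", "index",
            "manage", "read", "write", "view_index_metadata"},
    "write": {"create", "delete", "index"},
}


def expand_privileges(privs):
    """Return the full set of index privileges implied by the given names."""
    out = set()
    for p in privs:
        out.add(p)
        out |= INDEX_PRIVILEGE_IMPLIES.get(p, set())
    return out


# Role definitions in the shape PUT /_security/role/<name> accepts (constructed).
ROLES = {
    "logs_reader": {
        "cluster": ["monitor"],
        "indices": [{"names": ["logs-*"], "privileges": ["read", "view_index_metadata"]}],
    },
    "logs_writer": {
        "cluster": [],
        "indices": [{"names": ["logs-*"], "privileges": ["create_index", "write"]}],
    },
}

# Users in the shape POST /_security/user/<name> accepts (constructed; passwords
# are left out of the model because they matter for authentication, not authorization).
USERS = {
    "app_reader": {"roles": ["logs_reader"]},
    "ingest": {"roles": ["logs_writer"]},
    "ops": {"roles": ["logs_reader", "logs_writer"]},
}


def check_access(user, index, privilege, roles=ROLES, users=USERS):
    """True if any role assigned to `user` grants `privilege` on `index`.
    Index name patterns are matched with shell-style wildcards, as in ES."""
    for role_name in users.get(user, {}).get("roles", []):
        role = roles.get(role_name)
        if role is None:
            continue  # a role referenced by a user but never defined grants nothing
        for grant in role["indices"]:
            if any(fnmatch.fnmatchcase(index, pat) for pat in grant["names"]):
                if privilege in expand_privileges(grant["privileges"]):
                    return True
    return False


def security_api_requests(role_name, user_name, password):
    """Build (method, path, JSON body) triples for the Security API calls that
    create the role first and then a user bound to that role only."""
    role_req = ("PUT", f"/_security/role/{role_name}", json.dumps(ROLES[role_name]))
    user_req = ("POST", f"/_security/user/{user_name}",
                json.dumps({"password": password, "roles": [role_name]}))
    return [role_req, user_req]


if __name__ == "__main__":
    for u, idx, p in [("app_reader", "logs-2019.09", "read"),
                      ("app_reader", "logs-2019.09", "index"),
                      ("ingest", "logs-2019.09", "index"),
                      ("ingest", "users", "read")]:
        print(f"{u:10} {p:6} on {idx:13} -> {'allowed' if check_access(u, idx, p) else 'denied'}")
    for method, path, body in security_api_requests("logs_reader", "app_reader", "changeme"):
        print(method, path, body)
```

The point of separating `logs_reader` from `logs_writer` is that the application account never receives `all` or the `elastic` superuser; each account gets exactly the index pattern and privileges it needs, which is what the built-in users table above models for Kibana, Logstash and the Beats.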
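A configuration audit for the elasticsearch.yml files shown above, added here as an example that is not part of the original post. It parses the flat `key: value` subset of YAML that elasticsearch.yml uses and flags what a reviewer would look at: security and transport TLS switched on, certificate stores present, the verification mode, a plain-HTTP REST API while security is enabled, wildcard CORS and binding on all interfaces. `PAGE_MASTER_CONFIG` copies the security-relevant lines of the master node's file from the post; `HARDENED_CONFIG` is a constructed variant for comparison, and the severity labels are my own.

```python
"""Added example: audit an elasticsearch.yml for the X-Pack security settings
discussed on the page. Not part of the original post."""

# Security-relevant lines of the master node's elasticsearch.yml from the post.
PAGE_MASTER_CONFIG = """\
cluster.name: myels
node.name: master
network.host: 0.0.0.0
network.publish_host: 192.168.0.3
http.port: 9200
transport.tcp.port: 9300
discovery.seed_hosts:
  - 192.168.0.4:9301
cluster.initial_master_nodes:
  - master
http.cors.enabled: true
http.cors.allow-origin: "*"
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
"""

# Constructed hardened variant (not from the post): bound to one address,
# CORS off, hostname verification on, and TLS on the REST API as well.
HARDENED_CONFIG = """\
cluster.name: myels
node.name: master
network.host: 192.168.0.3
http.cors.enabled: false
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: full
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
"""


def _unquote(value):
    """Strip surrounding quotes; turn a flow list like ["a", "b"] into a Python list."""
    value = value.strip()
    if value.startswith("[") and value.endswith("]"):
        return [_unquote(v) for v in value[1:-1].split(",") if v.strip()]
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def parse_es_yaml(text):
    """Minimal parser for the flat subset of YAML elasticsearch.yml uses:
    `key: value`, `key: [a, b]` and `key:` followed by `- item` lines.
    Comments are dropped; nested mappings are not supported."""
    settings, list_key = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("- ") and list_key is not None:
            settings[list_key].append(_unquote(line[2:]))
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if value == "":
            settings[key], list_key = [], key
        else:
            settings[key], list_key = _unquote(value), None
    return settings


def audit(s):
    """Return (severity, setting, message) findings for a parsed config."""
    truthy = lambda key: str(s.get(key, "false")).lower() == "true"
    findings = []
    if not truthy("xpack.security.enabled"):
        findings.append(("HIGH", "xpack.security.enabled", "security is off: no authentication at all"))
    if not truthy("xpack.security.transport.ssl.enabled"):
        findings.append(("HIGH", "xpack.security.transport.ssl.enabled",
                         "node-to-node traffic is unencrypted and nodes are not authenticated"))
    else:
        for k in ("xpack.security.transport.ssl.keystore.path",
                  "xpack.security.transport.ssl.truststore.path"):
            if not s.get(k):
                findings.append(("HIGH", k, "transport TLS is on but no certificate store is configured"))
        mode = str(s.get("xpack.security.transport.ssl.verification_mode", "full")).lower()  # ES default is full
        if mode == "none":
            findings.append(("HIGH", "xpack.security.transport.ssl.verification_mode", "peer certificates are not validated"))
        elif mode == "certificate":
            findings.append(("INFO", "xpack.security.transport.ssl.verification_mode",
                             "certificate is validated but the hostname is not; acceptable when every node shares one certificate, as here"))
    if not truthy("xpack.security.http.ssl.enabled"):
        findings.append(("MEDIUM", "xpack.security.http.ssl.enabled",
                         "REST API is plain HTTP, so Basic-auth credentials cross the network unencrypted"))
    if truthy("http.cors.enabled") and s.get("http.cors.allow-origin") in ("*", "/.*/"):
        findings.append(("MEDIUM", "http.cors.allow-origin", "any web origin may make browser requests to the API"))
    if s.get("network.host") in ("0.0.0.0", "::", "_global_"):
        findings.append(("INFO", "network.host", "bound on all interfaces; keep 9200/9300 firewalled to trusted networks"))
    return findings


if __name__ == "__main__":
    for name, text in (("post", PAGE_MASTER_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}")
        for severity, key, message in audit(parse_es_yaml(text)) or [("OK", "-", "no findings")]:
            print(f"[{severity}] {key}: {message}")
```

Run against the post's master config it reports the wildcard CORS origin, the all-interfaces bind, the plain-HTTP REST API and the `certificate` verification mode; the hardened variant produces no findings. The `http.ssl` finding is the one worth acting on first, since `elasticsearch-setup-passwords` and every client afterwards send the `elastic` credentials over that listener.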