
Other articles in the big data security series

https://www.cnblogs.com/bainianminguo/p/12548076.html-----------Install Kerberos

https://www.cnblogs.com/bainianminguo/p/12548334.html-----------Kerberos authentication for Hadoop

https://www.cnblogs.com/bainianminguo/p/12548175.html-----------Kerberos authentication for ZooKeeper

https://www.cnblogs.com/bainianminguo/p/12584732.html-----------Kerberos authentication for Hive

https://www.cnblogs.com/bainianminguo/p/12584880.html-----------Search Guard authentication for ES

https://www.cnblogs.com/bainianminguo/p/12639821.html-----------Kerberos authentication for Flink

https://www.cnblogs.com/bainianminguo/p/12639887.html-----------Kerberos authentication for Spark

 

I. Install ES

1. Extract the package and rename the directory

tar -zxvf elasticsearch-6.4.3.tar.gz -C /usr/local/
mv elasticsearch-6.4.3/ elasticsearch

  

2. Create the es group and the es user

[root@cluster1_host1 elasticsearch]# groupadd es
[root@cluster1_host1 elasticsearch]# useradd es -g es
[root@cluster1_host1 elasticsearch]# passwd es

  

3. Change the owner and group of the ES directory to es

chown -R es:es /usr/local/elasticsearch/

  

4. Distribute the installation to the other nodes

scp -r /usr/local/elasticsearch/ root@10.87.18.33:/usr/local/

  

5. Edit /etc/security/limits.conf

* soft nofile 65536
* hard nofile 65536
* soft nproc 65536
* hard nproc 65536

  

6. Edit /etc/sysctl.conf

vm.max_map_count=262144

  

7. Start ES and check that the nodes have joined

[root@cluster1_host1 ~]# curl '10.87.18.31:9200/_cat/nodes?v'
ip          heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
10.87.18.32           27          12   6    0.59    0.25     0.10 mdi       *      cluster1_host2
10.87.18.33           24          13   7    0.31    0.16     0.07 mdi       -      cluster1_host1
10.87.18.31           28          13   6    0.41    0.24     0.11 mdi       -      cluster1_host1

  

 

 

II. Configure the Search Guard plugin for ES

1. Download the Search Guard plugin

https://repo1.maven.org/maven2/com/floragunn/search-guard-6/6.4.3-25.5/search-guard-6-6.4.3-25.5.zip

 

  

2. Download the TLS tool (tlstool), which is used to generate the certificates

https://repo1.maven.org/maven2/com/floragunn/search-guard-tlstool/1.7/search-guard-tlstool-1.7.tar.gz

  

3. Run the following command on every node, replacing the hostname in the URL (marked in red in the original post) with that node's own hostname

curl -Ss -XPUT 'http://cluster1_host3:9200/_cluster/settings?pretty' \
-H 'Content-Type: application/json' -d'
{
  "persistent": {
    "cluster.routing.allocation.enable": "none"
  }
}
'

  

Then stop ES.

4. Install the Search Guard plugin; it must be installed on every node

[es@cluster1_host1 bin]$ ./elasticsearch-plugin install -b file:///es/search-guard-6-6.4.3-25.5.zip
-> Downloading file:///es/search-guard-6-6.4.3-25.5.zip

 

  

5. Generate certificates with tlstool: first extract the package

tar -zxvf search-guard-tlstool-1.7.tar.gz -C /usr/local/search-guard-tlstool/

 

  

6. Copy the template configuration file

[es@cluster1_host1 config]$ cp example.yml tlsconfig.yml
[es@cluster1_host1 config]$ ll
total 24
-rw-r--r--. 1 es es 4731 Jun  5  2019 example.yml
-rw-r--r--. 1 es es 5634 Jun  5  2019 template.yml
-rw-r--r--. 1 es es 4731 Feb 29 02:43 tlsconfig.yml
[es@cluster1_host1 config]$ pwd
/usr/local/search-guard-tlstool/config
[es@cluster1_host1 config]$

  

7. Edit the configuration file (CA parameters, node DNs/DNS names/IPs, and the client certificates, one of which must be the admin)

[es@cluster1_host1 config]$ cat tlsconfig.yml
###
### Self-generated certificate authority
###
#
# If you want to create a new certificate authority, you must specify its parameters here.
# You can skip this section if you only want to create CSRs
#
ca:
   root:
      # The distinguished name of this CA. You must specify a distinguished name.  
      dn: CN=root.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
 
      # The size of the generated key in bits
      keysize: 2048
 
      # The validity of the generated certificate in days from now
      validityDays: 3650
       
      # Password for private key
      #   Possible values:
      #   - auto: automatically generated password, returned in config output;
      #   - none: unencrypted private key;
      #   - other values: other values are used directly as password  
      pkPassword: teststt
       
      # The name of the generated files can be changed here
      file: root-ca.pem
       
   # If you want to use an intermediate certificate as signing certificate,
   # please specify its parameters here. This is optional. If you remove this section,
   # the root certificate will be used for signing.        
   intermediate:
      # The distinguished name of this CA. You must specify a distinguished name.
      dn: CN=signing.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
    
      # The size of the generated key in bits  
      keysize: 2048
       
      # The validity of the generated certificate in days from now     
      validityDays: 3650
   
      pkPassword: teststt
             
      # If you have a certificate revocation list, you can specify its distribution points here     
      crlDistributionPoints: URI:https://raw.githubusercontent.com/floragunncom/unittest-assets/master/revoked.crl
 
###
### Default values and global settings
###
defaults:
 
      # The validity of the generated certificate in days from now
      validityDays: 3650
       
      # Password for private key
      #   Possible values:
      #   - auto: automatically generated password, returned in config output;
      #   - none: unencrypted private key;
      #   - other values: other values are used directly as password  
      pkPassword: teststt     
       
      # Specifies to recognize legitimate nodes by the distinguished names
      # of the certificates. This can be a list of DNs, which can contain wildcards.
      # Furthermore, it is possible to specify regular expressions by
      # enclosing the DN in //.
      # Specification of this is optional. The tool will always include
      # the DNs of the nodes specified in the nodes section.           
      #nodesDn:
      #- "CN=*.example.com,OU=Ops,O=Example Com\\, Inc.,DC=example,DC=com"
      # - 'CN=node.other.com,OU=SSL,O=Test,L=Test,C=DE'
      # - 'CN=*.example.com,OU=SSL,O=Test,L=Test,C=DE'
      # - 'CN=elk-devcluster*'
      # - '/CN=.*regex/'
 
      # If you want to use OIDs to mark legitimate node certificates,
      # the OID can be included in the certificates by specifying the following
      # attribute
       
      # nodeOid: "1.2.3.4.5.5"
 
      # The length of auto generated passwords           
      generatedPasswordLength: 12
       
      # Set this to true in order to generate config and certificates for
      # the HTTP interface of nodes
      httpsEnabled: true
       
      # Set this to true in order to re-use the node transport certificates
      # for the HTTP interfaces. Only recognized if httpsEnabled is true
       
      # reuseTransportCertificatesForHttp: false
       
      # Set this to true to enable hostname verification
      #verifyHostnames: false
       
      # Set this to true to resolve hostnames
      #resolveHostnames: false
       
       
###
### Nodes
###
#
# Specify the nodes of your ES cluster here
#     
nodes:
  - name: cluster1_host1
    dn: CN=cluster1_host1,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
    dns: cluster1_host1
    ip: 10.87.18.31
  - name: cluster1_host2
    dn: CN=cluster1_host2,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
    dns: cluster1_host2
    ip: 10.87.18.32
  - name: cluster1_host3
    dn: CN=cluster1_host3,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
    dns: cluster1_host3
    ip: 10.87.18.33
###
### Clients
###
#
# Specify the clients that shall access your ES cluster with certificate authentication here
#
# At least one client must be an admin user (i.e., a super-user). Admin users can
# be specified with the attribute admin: true   
#       
clients:
  - name: spock
    dn: CN=spock.example.com,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
  - name: kirk
    dn: CN=kirk.example.com,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
    admin: true

  

8. Copy the tool directory to the other nodes and change its owner and group to es

[root@cluster1_host1 data]# scp -r /usr/local/search-guard-tlstool/ root@10.87.18.33:/usr/local/

  

9. Generate the certificate files

Create the output directory for the certificates

[es@cluster1_host1 config]$ cd /usr/local/elasticsearch/config
[es@cluster1_host1 config]$ mkdir out

  

10. The certificate generation command

[es@cluster1_host1 tools]$ ./sgtlstool.sh -c /usr/local/search-guard-tlstool/config/tlsconfig.yml -ca -crt -t /usr/local/elasticsearch/config/out/
Root certificate and signing certificate have been sucessfully created.
 
Created 6 node certificates.
Created 2 client certificates.

  

11. The generated certificate files are as follows

[es@cluster1_host1 out]$ cd /usr/local/elasticsearch/config/out/
[es@cluster1_host1 out]$ ll
total 96
-rw-rw-r--. 1 es es  294 Feb 29 02:59 client-certificates.readme
-rw-rw-r--. 1 es es 1388 Feb 29 02:59 cluster1_host1_elasticsearch_config_snippet.yml
-rw-rw-r--. 1 es es 1801 Feb 29 02:59 cluster1_host1_http.key
-rw-rw-r--. 1 es es 3201 Feb 29 02:59 cluster1_host1_http.pem
-rw-rw-r--. 1 es es 1801 Feb 29 02:59 cluster1_host1.key
-rw-rw-r--. 1 es es 3201 Feb 29 02:59 cluster1_host1.pem
-rw-rw-r--. 1 es es 1388 Feb 29 02:59 cluster1_host2_elasticsearch_config_snippet.yml
-rw-rw-r--. 1 es es 1789 Feb 29 02:59 cluster1_host2_http.key
-rw-rw-r--. 1 es es 3201 Feb 29 02:59 cluster1_host2_http.pem
-rw-rw-r--. 1 es es 1801 Feb 29 02:59 cluster1_host2.key
-rw-rw-r--. 1 es es 3201 Feb 29 02:59 cluster1_host2.pem
-rw-rw-r--. 1 es es 1388 Feb 29 02:59 cluster1_host3_elasticsearch_config_snippet.yml
-rw-rw-r--. 1 es es 1801 Feb 29 02:59 cluster1_host3_http.key
-rw-rw-r--. 1 es es 3201 Feb 29 02:59 cluster1_host3_http.pem
-rw-rw-r--. 1 es es 1801 Feb 29 02:59 cluster1_host3.key
-rw-rw-r--. 1 es es 3201 Feb 29 02:59 cluster1_host3.pem
-rw-rw-r--. 1 es es 1801 Feb 29 02:59 kirk.key
-rw-rw-r--. 1 es es 3144 Feb 29 02:59 kirk.pem
-rw-rw-r--. 1 es es 1801 Feb 29 02:59 root-ca.key
-rw-rw-r--. 1 es es 1371 Feb 29 02:59 root-ca.pem
-rw-rw-r--. 1 es es 1801 Feb 29 02:59 signing-ca.key
-rw-rw-r--. 1 es es 1558 Feb 29 02:59 signing-ca.pem
-rw-rw-r--. 1 es es 1801 Feb 29 02:59 spock.key
-rw-rw-r--. 1 es es 3144 Feb 29 02:59 spock.pem

  

12. Verify the certificates

[es@cluster1_host1 out]$ /usr/local/search-guard-tlstool/tools/sgtlsdiag.sh -ca /usr/local/elasticsearch/config/out/root-ca.pem -crt /usr/local/elasticsearch/config/out/cluster1_host1.pem
 
========================================================================
/usr/local/elasticsearch/config/out/cluster1_host1.pem
------------------------------------------------------------------------
Certificate 1
------------------------------------------------------------------------
            SHA1 FPR: 70b8e292357beec0e55b1b98c257aa5d2a391f05
             MD5 FPR: 1565fb2741046769feb128d2e98e3923
Subject DN [RFC2253]: CN=cluster1_host1,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
       Serial Number: 1582963131135
 Issuer DN [RFC2253]: CN=signing.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
          Not Before: Sat Feb 29 02:58:53 EST 2020
           Not After: Tue Feb 26 02:58:53 EST 2030
           Key Usage: digitalSignature nonRepudiation keyEncipherment
 Signature Algorithm: SHA256WITHRSA
             Version: 3
  Extended Key Usage: id_kp_serverAuth id_kp_clientAuth
  Basic Constraints: -1
                SAN:
                  dNSName: cluster1_host1
                  iPAddress: 10.87.18.31
 
------------------------------------------------------------------------
Certificate 2
------------------------------------------------------------------------
            SHA1 FPR: 450118f5bce0ddbb0210550620da4323c15c697b
             MD5 FPR: 091f69596ca7e6b3c74f3ac200e87307
Subject DN [RFC2253]: CN=signing.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
       Serial Number: 2
 Issuer DN [RFC2253]: CN=root.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
          Not Before: Sat Feb 29 02:58:53 EST 2020
           Not After: Tue Feb 26 02:58:53 EST 2030
           Key Usage: digitalSignature keyCertSign cRLSign
 Signature Algorithm: SHA256WITHRSA
             Version: 3
  Extended Key Usage: null
  Basic Constraints: 0
                SAN: (none)
------------------------------------------------------------------------
Trust anchor:
DC=com,DC=example,O=Example Com\, Inc.,OU=CA,CN=root.ca.example.com

  

13. Edit the ES configuration file

Change into the certificate directory

[es@cluster1_host1 out]$ pwd
/usr/local/elasticsearch/config/out
[es@cluster1_host1 out]$ ll
total 96
-rwxrwxr-x. 1 es es  294 Feb 29 02:59 client-certificates.readme
-rwxrwxr-x. 1 es es 1388 Feb 29 03:30 cluster1_host1_elasticsearch_config_snippet.yml
-rwxrwxr-x. 1 es es 1801 Feb 29 02:59 cluster1_host1_http.key
-rwxrwxr-x. 1 es es 3201 Feb 29 02:59 cluster1_host1_http.pem
-rwxrwxr-x. 1 es es 1801 Feb 29 02:59 cluster1_host1.key
-rwxrwxr-x. 1 es es 3201 Feb 29 02:59 cluster1_host1.pem
-rwxrwxr-x. 1 es es 1388 Feb 29 02:59 cluster1_host2_elasticsearch_config_snippet.yml
-rwxrwxr-x. 1 es es 1789 Feb 29 02:59 cluster1_host2_http.key
-rwxrwxr-x. 1 es es 3201 Feb 29 02:59 cluster1_host2_http.pem
-rwxrwxr-x. 1 es es 1801 Feb 29 02:59 cluster1_host2.key
-rwxrwxr-x. 1 es es 3201 Feb 29 02:59 cluster1_host2.pem
-rwxrwxr-x. 1 es es 1388 Feb 29 03:26 cluster1_host3_elasticsearch_config_snippet.yml
-rwxrwxr-x. 1 es es 1801 Feb 29 02:59 cluster1_host3_http.key
-rwxrwxr-x. 1 es es 3201 Feb 29 02:59 cluster1_host3_http.pem
-rwxrwxr-x. 1 es es 1801 Feb 29 02:59 cluster1_host3.key
-rwxrwxr-x. 1 es es 3201 Feb 29 02:59 cluster1_host3.pem
-rwxrwxr-x. 1 es es 1801 Feb 29 02:59 kirk.key
-rwxrwxr-x. 1 es es 3144 Feb 29 02:59 kirk.pem
-rwxrwxr-x. 1 es es 1801 Feb 29 02:59 root-ca.key
-rwxrwxr-x. 1 es es 1371 Feb 29 02:59 root-ca.pem
-rwxrwxr-x. 1 es es 1801 Feb 29 02:59 signing-ca.key
-rwxrwxr-x. 1 es es 1558 Feb 29 02:59 signing-ca.pem
-rwxrwxr-x. 1 es es 1801 Feb 29 02:59 spock.key
-rwxrwxr-x. 1 es es 3144 Feb 29 02:59 spock.pem

  

 

Append the contents of cluster1_host1_elasticsearch_config_snippet.yml to the node's ES configuration file
[es@cluster1_host1 config]$ ll
total 36
-rw-rw----. 1 es es  207 Feb 28 01:15 elasticsearch.keystore
-rw-rw----. 1 es es 3895 Feb 29 03:33 elasticsearch.yml
-rw-rw----. 1 es es 2937 Feb 28 03:33 elasticsearch.yml.bak
-rw-rw----. 1 es es 2937 Feb 28 01:10 jvm.options
-rw-rw----. 1 es es 6380 Oct 30  2018 log4j2.properties
drwxrwxr-x. 2 es es 4096 Feb 29 03:30 out
-rw-rw----. 1 es es  473 Oct 30  2018 role_mapping.yml
-rw-rw----. 1 es es  197 Oct 30  2018 roles.yml
-rw-rw----. 1 es es    0 Oct 30  2018 users
-rw-rw----. 1 es es    0 Oct 30  2018 users_roles
[es@cluster1_host1 config]$ pwd
/usr/local/elasticsearch/config

 

  

The modified content is as follows; the main point is to specify the certificate file paths relative to the config directory
searchguard.ssl.transport.pemcert_filepath: out/cluster1_host1.pem
searchguard.ssl.transport.pemkey_filepath: out/cluster1_host1.key
searchguard.ssl.transport.pemkey_password: teststt
searchguard.ssl.transport.pemtrustedcas_filepath: out/root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: false
searchguard.ssl.http.pemcert_filepath: out/cluster1_host1_http.pem
searchguard.ssl.http.pemkey_filepath: out/cluster1_host1_http.key
searchguard.ssl.http.pemkey_password: teststt
searchguard.ssl.http.pemtrustedcas_filepath: out/root-ca.pem
searchguard.nodes_dn:
- CN=cluster1_host1,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
- CN=cluster1_host2,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
- CN=cluster1_host3,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
searchguard.authcz.admin_dn:
- CN=kirk.example.com,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com

  

Validate the configuration file

[es@cluster1_host1 tools]$ ./sgtlsdiag.sh -es /usr/local/elasticsearch/config/elasticsearch.yml
Reading node config file /usr/local/elasticsearch/config/elasticsearch.yml
 
========================================================================
/usr/local/elasticsearch/config/out/cluster1_host1.pem
------------------------------------------------------------------------
Certificate 1
------------------------------------------------------------------------
            SHA1 FPR: 70b8e292357beec0e55b1b98c257aa5d2a391f05
             MD5 FPR: 1565fb2741046769feb128d2e98e3923
Subject DN [RFC2253]: CN=cluster1_host1,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
       Serial Number: 1582963131135
 Issuer DN [RFC2253]: CN=signing.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
          Not Before: Sat Feb 29 02:58:53 EST 2020
           Not After: Tue Feb 26 02:58:53 EST 2030
           Key Usage: digitalSignature nonRepudiation keyEncipherment
 Signature Algorithm: SHA256WITHRSA
             Version: 3
  Extended Key Usage: id_kp_serverAuth id_kp_clientAuth
  Basic Constraints: -1
                SAN:
                  dNSName: cluster1_host1
                  iPAddress: 10.87.18.31
 
------------------------------------------------------------------------
Certificate 2
------------------------------------------------------------------------
            SHA1 FPR: 450118f5bce0ddbb0210550620da4323c15c697b
             MD5 FPR: 091f69596ca7e6b3c74f3ac200e87307
Subject DN [RFC2253]: CN=signing.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
       Serial Number: 2
 Issuer DN [RFC2253]: CN=root.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
          Not Before: Sat Feb 29 02:58:53 EST 2020
           Not After: Tue Feb 26 02:58:53 EST 2030
           Key Usage: digitalSignature keyCertSign cRLSign
 Signature Algorithm: SHA256WITHRSA
             Version: 3
  Extended Key Usage: null
  Basic Constraints: 0
                SAN: (none)
------------------------------------------------------------------------
Trust anchor:
DC=com,DC=example,O=Example Com\, Inc.,OU=CA,CN=root.ca.example.com
 
========================================================================
/usr/local/elasticsearch/config/out/cluster1_host1_http.pem
------------------------------------------------------------------------
Certificate 1
------------------------------------------------------------------------
            SHA1 FPR: 998fdf16628aeb9da3d9ef741f8d87318f44bf87
             MD5 FPR: bfb40c178312f63af1bf5d83cd7a1021
Subject DN [RFC2253]: CN=cluster1_host1,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
       Serial Number: 1582963131136
 Issuer DN [RFC2253]: CN=signing.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
          Not Before: Sat Feb 29 02:58:55 EST 2020
           Not After: Tue Feb 26 02:58:55 EST 2030
           Key Usage: digitalSignature nonRepudiation keyEncipherment
 Signature Algorithm: SHA256WITHRSA
             Version: 3
  Extended Key Usage: id_kp_serverAuth id_kp_clientAuth
  Basic Constraints: -1
                SAN:
                  dNSName: cluster1_host1
                  iPAddress: 10.87.18.31
 
------------------------------------------------------------------------
Certificate 2
------------------------------------------------------------------------
            SHA1 FPR: 450118f5bce0ddbb0210550620da4323c15c697b
             MD5 FPR: 091f69596ca7e6b3c74f3ac200e87307
Subject DN [RFC2253]: CN=signing.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
       Serial Number: 2
 Issuer DN [RFC2253]: CN=root.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
          Not Before: Sat Feb 29 02:58:53 EST 2020
           Not After: Tue Feb 26 02:58:53 EST 2030
           Key Usage: digitalSignature keyCertSign cRLSign
 Signature Algorithm: SHA256WITHRSA
             Version: 3
  Extended Key Usage: null
  Basic Constraints: 0
                SAN: (none)
------------------------------------------------------------------------
Trust anchor:
DC=com,DC=example,O=Example Com\, Inc.,OU=CA,CN=root.ca.example.com
 
========================================================================
/usr/local/elasticsearch/config/out/root-ca.pem
------------------------------------------------------------------------
Certificate 1
------------------------------------------------------------------------
            SHA1 FPR: b66494fa2c05423e64ada2403e09ca6c76ae3936
             MD5 FPR: 5f0834f0acf6dc8f7fa061eb7be0675a
Subject DN [RFC2253]: CN=root.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
       Serial Number: 1
 Issuer DN [RFC2253]: CN=root.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
          Not Before: Sat Feb 29 02:58:52 EST 2020
           Not After: Tue Feb 26 02:58:52 EST 2030
           Key Usage: digitalSignature keyCertSign cRLSign
 Signature Algorithm: SHA256WITHRSA
             Version: 3
  Extended Key Usage: null
  Basic Constraints: 2147483647
                SAN: (none)

  

14. Edit the configuration files on the other nodes

Copy the out directory to the same path on the other nodes

[root@cluster1_host1 data]# scp -r /usr/local/elasticsearch/config/out/ root@10.87.18.33:/usr/local/elasticsearch/config/

  

15. The following must be run on every ES node
[es@cluster1_host1 search-guard-6]$ pwd
/usr/local/elasticsearch/plugins/search-guard-6
[es@cluster1_host1 search-guard-6]$
[es@cluster1_host1 search-guard-6]$
[es@cluster1_host1 search-guard-6]$ ./tools/sgadmin.sh -esa -icl -nhnv -cert ../../config/out/kirk.pem -key ../../config/out/kirk.key -cacert ../../config/out/root-ca.pem -h cluster1_host1 -keypass teststt
Search Guard Admin v6
Will connect to cluster1_host1:9300 ... done
Elasticsearch Version: 6.4.3
Search Guard Version: 6.4.3-25.5
Connected as CN=kirk.example.com,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
Persistent and transient shard allocation enabled

  

16. Run an ES command (unauthenticated requests are now rejected)
Unauthorized[root@cluster1_host1 ~]# curl '10.87.18.31:9200/_cat/nodes?v'
 
Unauthorized[root@cluster1_host1 ~]#

  

17. Open the following URL in a browser

http://10.87.18.31:9200/_searchguard/health

  

{"message":null,"mode":"strict","status":"UP"}

 

18. Access ES with a username and password
[root@cluster1_host1 ~]# curl -u admin:admin '10.87.18.31:9200/_cat/indices?v'
health status index       uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   searchguard XOWOuXN0SJi_69Yz3BPtmw   1   2          0            6     88.6kb         38.4kb
[root@cluster1_host1 ~]#

  

The Search Guard plugin configuration for ES is complete.

III. Problems

1. If ES reports the following error on startup
[2020-02-29T03:54:12,266][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [cluster1_host1] uncaught exception in thread [main]
org.elasticsearch.bootstrap.StartupException: java.lang.IllegalArgumentException: Cannot have additional setting [http.type] in plugin [search-guard-6], already added in plugin [x-pack-security]

 

  

then edit the ES configuration file and set
xpack.security.enabled: false

  

2. If ES logs the following warnings on startup
[2020-02-29T03:49:24,286][WARN ][c.f.s.SearchGuardPlugin  ] Directory /usr/local/elasticsearch/config has insecure file permissions (should be 0700)
[2020-02-29T03:49:24,286][WARN ][c.f.s.SearchGuardPlugin  ] Directory /usr/local/elasticsearch/config/out has insecure file permissions (should be 0700)
[2020-02-29T03:49:24,286][WARN ][c.f.s.SearchGuardPlugin  ] File /usr/local/elasticsearch/config/out/root-ca.pem has insecure file permissions (should be 0600)
[2020-02-29T03:49:24,286][WARN ][c.f.s.SearchGuardPlugin  ] File /usr/local/elasticsearch/config/out/root-ca.key has insecure file permissions (should be 0600)
[2020-02-29T03:49:24,286][WARN ][c.f.s.SearchGuardPlugin  ] File /usr/local/elasticsearch/config/out/signing-ca.pem has insecure file permissions (should be 0600)

  

then fix the permissions

chmod 0600 /usr/local/elasticsearch/config/out/*
chmod 0700 /usr/local/elasticsearch/config/
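As an added example (not from this post or from Search Guard), this script applies the rule from the warnings above (directories 0700, files 0600) to the whole config tree, including the out/ directory itself, which the two chmod commands above leave at its original mode. The demo builds a constructed temporary layout rather than touching a real installation.

```python
"""Audit and tighten permissions on the Search Guard certificate directory.

Added example, not part of the original post or of Search Guard. It applies the
rule from the plugin warnings (directories 0700, files 0600) to a config
directory and everything below it, so the out/ directory itself is covered too.
"""
import os
import shutil
import stat
import tempfile

DIR_MODE, FILE_MODE = 0o700, 0o600


def insecure_entries(config_dir):
    """Return (path, actual_mode, required_mode) for each entry granting more than allowed."""
    problems = []
    for root, _dirs, files in os.walk(config_dir):
        mode = stat.S_IMODE(os.stat(root).st_mode)
        if mode & ~DIR_MODE:                      # any group/other bit set on a directory
            problems.append((root, mode, DIR_MODE))
        for name in files:
            path = os.path.join(root, name)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & ~FILE_MODE:                 # execute, group or other bits on a key/cert
                problems.append((path, mode, FILE_MODE))
    return problems


def tighten(config_dir):
    """chmod every insecure entry to the required mode; returns how many were changed."""
    problems = insecure_entries(config_dir)
    for path, _actual, required in problems:
        os.chmod(path, required)
    return len(problems)


def demo():
    """Build a constructed copy of the post's layout (config/ with out/ below it,
    modes as the warnings reported them), then audit, tighten, and audit again."""
    base = tempfile.mkdtemp()
    out = os.path.join(base, "out")
    os.mkdir(out)
    for name in ("root-ca.pem", "root-ca.key", "signing-ca.pem", "cluster1_host1.key"):
        with open(os.path.join(out, name), "w") as fh:
            fh.write("constructed placeholder, not a real key or certificate\n")
        os.chmod(os.path.join(out, name), 0o664)
    os.chmod(out, 0o775)
    os.chmod(base, 0o755)
    try:
        before = len(insecure_entries(base))   # 2 directories + 4 files flagged
        fixed = tighten(base)
        after = len(insecure_entries(base))    # nothing left to report
    finally:
        shutil.rmtree(base)
    return before, fixed, after
```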

  

3. If running an ES command gives the following error
[root@cluster1_host1 config]# curl '10.87.18.31:9200/_cat/nodes?v'
Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin[root@cluster1_host1 config]

 

  

change into the following directory
[es@cluster1_host1 search-guard-6]$ pwd
/usr/local/elasticsearch/plugins/search-guard-6

  

and run the following. If it reports that a file does not exist, restart ES and try again. This only needs to be run on one node.
[es@cluster1_host1 search-guard-6]$ ./tools/sgadmin.sh -cd ./sgconfig/ -icl -nhnv -cert ../../config/out/kirk.pem -key ../../config/out/kirk.key -cacert ../../config/out/root-ca.pem -h cluster1_host1 -keypass teststt
Search Guard Admin v6
Will connect to cluster1_host1:9300 ... done
Elasticsearch Version: 6.4.3
Search Guard Version: 6.4.3-25.5
Connected as CN=kirk.example.com,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
Clustername: my-application
Clusterstate: YELLOW
Number of nodes: 3
Number of data nodes: 3
searchguard index already exists, so we do not need to create one.
INFO: searchguard index state is YELLOW, it seems you miss some replicas
Populate config from /usr/local/elasticsearch/plugins/search-guard-6/sgconfig
Will update 'sg/config' with ./sgconfig/sg_config.yml
   SUCC: Configuration for 'config' created or updated
Will update 'sg/roles' with ./sgconfig/sg_roles.yml
   SUCC: Configuration for 'roles' created or updated
Will update 'sg/rolesmapping' with ./sgconfig/sg_roles_mapping.yml
   SUCC: Configuration for 'rolesmapping' created or updated
Will update 'sg/internalusers' with ./sgconfig/sg_internal_users.yml
   SUCC: Configuration for 'internalusers' created or updated
Will update 'sg/actiongroups' with ./sgconfig/sg_action_groups.yml
   SUCC: Configuration for 'actiongroups' created or updated
Done with success
[es@cluster1_host1 search-guard-6]$ pwd

 

  

 
