大数据安全系列的其它文章
https://www.cnblogs.com/bainianminguo/p/12548076.html-----------安装kerberos
https://www.cnblogs.com/bainianminguo/p/12548334.html-----------hadoop的kerberos认证
https://www.cnblogs.com/bainianminguo/p/12548175.html-----------zookeeper的kerberos认证
https://www.cnblogs.com/bainianminguo/p/12584732.html-----------hive的kerberos认证
https://www.cnblogs.com/bainianminguo/p/12584880.html-----------es的search-guard认证
https://www.cnblogs.com/bainianminguo/p/12639821.html-----------flink的kerberos认证
https://www.cnblogs.com/bainianminguo/p/12639887.html-----------spark的kerberos认证
一、安装es
1、解压重命名安装包
tar -zxvf elasticsearch-6.4.3.tar.gz -C /usr/local/ mv elasticsearch-6.4.3/ elasticsearch
2、创建es组和es用户
[root@cluster1_host1 elasticsearch]# groupadd es [root@cluster1_host1 elasticsearch]# useradd es -g es [root@cluster1_host1 elasticsearch]# passwd es
3、修改es目录的属组
chown -R es:es /usr/local/elasticsearch/
4、分发配置到其他节点
scp -r /usr/local/elasticsearch/ root@10.87.18.33:/usr/local/
5、修改 /etc/security/limits.conf
* soft nofile 65536 * hard nofile 65536 * soft nproc 65536 * hard nproc 65536
6、修改/etc/sysctl.conf
vm.max_map_count=262144
7、启动es
[root@cluster1_host1 ~]# curl '10.87.18.31:9200/_cat/nodes?v' ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name 10.87.18.32 27 12 6 0.59 0.25 0.10 mdi * cluster1_host2 10.87.18.33 24 13 7 0.31 0.16 0.07 mdi - cluster1_host1 10.87.18.31 28 13 6 0.41 0.24 0.11 mdi - cluster1_host1
二、配置er的search-guard插件
1、下载 search-guard插件
https://repo1.maven.org/maven2/com/floragunn/search-guard-6/6.4.3-25.5/search-guard-6-6.4.3-25.5.zip
2、下载tsltools插件,生成证书
https://repo1.maven.org/maven2/com/floragunn/search-guard-tlstool/1.7/search-guard-tlstool-1.7.tar.gz
3、每个节点执行如下命令,标红的设置为每个节点的hostname
curl -Ss -XPUT 'http://cluster1_host3:9200/_cluster/settings?pretty' \
-H 'Content-Type: application/json' -d'
{
"persistent": {
"cluster.routing.allocation.enable": "none"
}
}
'
然后关闭es
4、安装search-guard插件,每个节点都需要安装
[es@cluster1_host1 bin]$ ./elasticsearch-plugin install -b file:///es/search-guard-6-6.4.3-25.5.zip -> Downloading file:///es/search-guard-6-6.4.3-25.5.zip
5、tsltools生成证书,解压安装包
tar -zxvf search-guard-tlstool-1.7.tar.gz -C /usr/local/search-guard-tlstool/
6、复制模板的配置文件
[es@cluster1_host1 config]$ cp example.yml tlsconfig.yml [es@cluster1_host1 config]$ ll total 24 -rw-r--r--. 1 es es 4731 Jun 5 2019 example.yml -rw-r--r--. 1 es es 5634 Jun 5 2019 template.yml -rw-r--r--. 1 es es 4731 Feb 29 02:43 tlsconfig.yml [es@cluster1_host1 config]$ pwd /usr/local/search-guard-tlstool/config [es@cluster1_host1 config]$
7、修改配置文件
[es@cluster1_host1 config]$ cat tlsconfig.yml
###
### Self-generated certificate authority
###
#
# If you want to create a new certificate authority, you must specify its parameters here.
# You can skip this section if you only want to create CSRs
#
ca:
root:
# The distinguished name of this CA. You must specify a distinguished name.
dn: CN=root.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
# The size of the generated key in bits
keysize: 2048
# The validity of the generated certificate in days from now
validityDays: 3650
# Password for private key
# Possible values:
# - auto: automatically generated password, returned in config output;
# - none: unencrypted private key;
# - other values: other values are used directly as password
pkPassword: teststt
# The name of the generated files can be changed here
file: root-ca.pem
# If you want to use an intermediate certificate as signing certificate,
# please specify its parameters here. This is optional. If you remove this section,
# the root certificate will be used for signing.
intermediate:
# The distinguished name of this CA. You must specify a distinguished name.
dn: CN=signing.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
# The size of the generated key in bits
keysize: 2048
# The validity of the generated certificate in days from now
validityDays: 3650
pkPassword: teststt
# If you have a certificate revocation list, you can specify its distribution points here
crlDistributionPoints: URI:https://raw.githubusercontent.com/floragunncom/unittest-assets/master/revoked.crl
###
### Default values and global settings
###
defaults:
# The validity of the generated certificate in days from now
validityDays: 3650
# Password for private key
# Possible values:
# - auto: automatically generated password, returned in config output;
# - none: unencrypted private key;
# - other values: other values are used directly as password
pkPassword: teststt
# Specifies to recognize legitimate nodes by the distinguished names
# of the certificates. This can be a list of DNs, which can contain wildcards.
# Furthermore, it is possible to specify regular expressions by
# enclosing the DN in //.
# Specification of this is optional. The tool will always include
# the DNs of the nodes specified in the nodes section.
#nodesDn:
#- "CN=*.example.com,OU=Ops,O=Example Com\\, Inc.,DC=example,DC=com"
# - 'CN=node.other.com,OU=SSL,O=Test,L=Test,C=DE'
# - 'CN=*.example.com,OU=SSL,O=Test,L=Test,C=DE'
# - 'CN=elk-devcluster*'
# - '/CN=.*regex/'
# If you want to use OIDs to mark legitimate node certificates,
# the OID can be included in the certificates by specifying the following
# attribute
# nodeOid: "1.2.3.4.5.5"
# The length of auto generated passwords
generatedPasswordLength: 12
# Set this to true in order to generate config and certificates for
# the HTTP interface of nodes
httpsEnabled: true
# Set this to true in order to re-use the node transport certificates
# for the HTTP interfaces. Only recognized if httpsEnabled is true
# reuseTransportCertificatesForHttp: false
# Set this to true to enable hostname verification
#verifyHostnames: false
# Set this to true to resolve hostnames
#resolveHostnames: false
###
### Nodes
###
#
# Specify the nodes of your ES cluster here
#
nodes:
- name: cluster1_host1
dn: CN=cluster1_host1,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
dns: cluster1_host1
ip: 10.87.18.31
- name: cluster1_host2
dn: CN=cluster1_host2,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
dns: cluster1_host2
ip: 10.87.18.32
- name: cluster1_host3
dn: CN=cluster1_host3,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
dns: cluster1_host3
ip: 10.87.18.33
###
### Clients
###
#
# Specify the clients that shall access your ES cluster with certificate authentication here
#
# At least one client must be an admin user (i.e., a super-user). Admin users can
# be specified with the attribute admin: true
#
clients:
- name: spock
dn: CN=spock.example.com,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
- name: kirk
dn: CN=kirk.example.com,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
admin: true
8、将安装目录拷贝到节点,并修改属组为es
[root@cluster1_host1 data]# scp -r /usr/local/search-guard-tlstool/ root@10.87.18.33:/usr/local/
9、生成证书文件
创建证书文件生成目录
[es@cluster1_host1 config]$ cd /usr/local/elasticsearch/config [es@cluster1_host1 config]$ mkdir out
10、生成证书的命令
[es@cluster1_host1 tools]$ ./sgtlstool.sh -c /usr/local/search-guard-tlstool/config/tlsconfig.yml -ca -crt -t /usr/local/elasticsearch/config/out/ Root certificate and signing certificate have been sucessfully created. Created 6 node certificates. Created 2 client certificates.
11、生成的证书文件如下
[es@cluster1_host1 out]$ cd /usr/local/elasticsearch/config/out/ [es@cluster1_host1 out]$ ll total 96 -rw-rw-r--. 1 es es 294 Feb 29 02:59 client-certificates.readme -rw-rw-r--. 1 es es 1388 Feb 29 02:59 cluster1_host1_elasticsearch_config_snippet.yml -rw-rw-r--. 1 es es 1801 Feb 29 02:59 cluster1_host1_http.key -rw-rw-r--. 1 es es 3201 Feb 29 02:59 cluster1_host1_http.pem -rw-rw-r--. 1 es es 1801 Feb 29 02:59 cluster1_host1.key -rw-rw-r--. 1 es es 3201 Feb 29 02:59 cluster1_host1.pem -rw-rw-r--. 1 es es 1388 Feb 29 02:59 cluster1_host2_elasticsearch_config_snippet.yml -rw-rw-r--. 1 es es 1789 Feb 29 02:59 cluster1_host2_http.key -rw-rw-r--. 1 es es 3201 Feb 29 02:59 cluster1_host2_http.pem -rw-rw-r--. 1 es es 1801 Feb 29 02:59 cluster1_host2.key -rw-rw-r--. 1 es es 3201 Feb 29 02:59 cluster1_host2.pem -rw-rw-r--. 1 es es 1388 Feb 29 02:59 cluster1_host3_elasticsearch_config_snippet.yml -rw-rw-r--. 1 es es 1801 Feb 29 02:59 cluster1_host3_http.key -rw-rw-r--. 1 es es 3201 Feb 29 02:59 cluster1_host3_http.pem -rw-rw-r--. 1 es es 1801 Feb 29 02:59 cluster1_host3.key -rw-rw-r--. 1 es es 3201 Feb 29 02:59 cluster1_host3.pem -rw-rw-r--. 1 es es 1801 Feb 29 02:59 kirk.key -rw-rw-r--. 1 es es 3144 Feb 29 02:59 kirk.pem -rw-rw-r--. 1 es es 1801 Feb 29 02:59 root-ca.key -rw-rw-r--. 1 es es 1371 Feb 29 02:59 root-ca.pem -rw-rw-r--. 1 es es 1801 Feb 29 02:59 signing-ca.key -rw-rw-r--. 1 es es 1558 Feb 29 02:59 signing-ca.pem -rw-rw-r--. 1 es es 1801 Feb 29 02:59 spock.key -rw-rw-r--. 1 es es 3144 Feb 29 02:59 spock.pem
12、验证证书
[es@cluster1_host1 out]$ /usr/local/search-guard-tlstool/tools/sgtlsdiag.sh -ca /usr/local/elasticsearch/config/out/root-ca.pem -crt /usr/local/elasticsearch/config/out/cluster1_host1.pem
========================================================================
/usr/local/elasticsearch/config/out/cluster1_host1.pem
------------------------------------------------------------------------
Certificate 1
------------------------------------------------------------------------
SHA1 FPR: 70b8e292357beec0e55b1b98c257aa5d2a391f05
MD5 FPR: 1565fb2741046769feb128d2e98e3923
Subject DN [RFC2253]: CN=cluster1_host1,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
Serial Number: 1582963131135
Issuer DN [RFC2253]: CN=signing.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
Not Before: Sat Feb 29 02:58:53 EST 2020
Not After: Tue Feb 26 02:58:53 EST 2030
Key Usage: digitalSignature nonRepudiation keyEncipherment
Signature Algorithm: SHA256WITHRSA
Version: 3
Extended Key Usage: id_kp_serverAuth id_kp_clientAuth
Basic Constraints: -1
SAN:
dNSName: cluster1_host1
iPAddress: 10.87.18.31
------------------------------------------------------------------------
Certificate 2
------------------------------------------------------------------------
SHA1 FPR: 450118f5bce0ddbb0210550620da4323c15c697b
MD5 FPR: 091f69596ca7e6b3c74f3ac200e87307
Subject DN [RFC2253]: CN=signing.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
Serial Number: 2
Issuer DN [RFC2253]: CN=root.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
Not Before: Sat Feb 29 02:58:53 EST 2020
Not After: Tue Feb 26 02:58:53 EST 2030
Key Usage: digitalSignature keyCertSign cRLSign
Signature Algorithm: SHA256WITHRSA
Version: 3
Extended Key Usage: null
Basic Constraints: 0
SAN: (none)
------------------------------------------------------------------------
Trust anchor:
DC=com,DC=example,O=Example Com\, Inc.,OU=CA,CN=root.ca.example.com
13、修改es的配置文件
进入证书文件目录
[es@cluster1_host1 out]$ pwd /usr/local/elasticsearch/config/out [es@cluster1_host1 out]$ ll total 96 -rwxrwxr-x. 1 es es 294 Feb 29 02:59 client-certificates.readme -rwxrwxr-x. 1 es es 1388 Feb 29 03:30 cluster1_host1_elasticsearch_config_snippet.yml -rwxrwxr-x. 1 es es 1801 Feb 29 02:59 cluster1_host1_http.key -rwxrwxr-x. 1 es es 3201 Feb 29 02:59 cluster1_host1_http.pem -rwxrwxr-x. 1 es es 1801 Feb 29 02:59 cluster1_host1.key -rwxrwxr-x. 1 es es 3201 Feb 29 02:59 cluster1_host1.pem -rwxrwxr-x. 1 es es 1388 Feb 29 02:59 cluster1_host2_elasticsearch_config_snippet.yml -rwxrwxr-x. 1 es es 1789 Feb 29 02:59 cluster1_host2_http.key -rwxrwxr-x. 1 es es 3201 Feb 29 02:59 cluster1_host2_http.pem -rwxrwxr-x. 1 es es 1801 Feb 29 02:59 cluster1_host2.key -rwxrwxr-x. 1 es es 3201 Feb 29 02:59 cluster1_host2.pem -rwxrwxr-x. 1 es es 1388 Feb 29 03:26 cluster1_host3_elasticsearch_config_snippet.yml -rwxrwxr-x. 1 es es 1801 Feb 29 02:59 cluster1_host3_http.key -rwxrwxr-x. 1 es es 3201 Feb 29 02:59 cluster1_host3_http.pem -rwxrwxr-x. 1 es es 1801 Feb 29 02:59 cluster1_host3.key -rwxrwxr-x. 1 es es 3201 Feb 29 02:59 cluster1_host3.pem -rwxrwxr-x. 1 es es 1801 Feb 29 02:59 kirk.key -rwxrwxr-x. 1 es es 3144 Feb 29 02:59 kirk.pem -rwxrwxr-x. 1 es es 1801 Feb 29 02:59 root-ca.key -rwxrwxr-x. 1 es es 1371 Feb 29 02:59 root-ca.pem -rwxrwxr-x. 1 es es 1801 Feb 29 02:59 signing-ca.key -rwxrwxr-x. 1 es es 1558 Feb 29 02:59 signing-ca.pem -rwxrwxr-x. 1 es es 1801 Feb 29 02:59 spock.key -rwxrwxr-x. 1 es es 3144 Feb 29 02:59 spock.pem
将cluster1_host1_elasticsearch_config_snippet.yml中的内容追加到节点的es配置文件中
[es@cluster1_host1 config]$ ll total 36 -rw-rw----. 1 es es 207 Feb 28 01:15 elasticsearch.keystore -rw-rw----. 1 es es 3895 Feb 29 03:33 elasticsearch.yml -rw-rw----. 1 es es 2937 Feb 28 03:33 elasticsearch.yml.bak -rw-rw----. 1 es es 2937 Feb 28 01:10 jvm.options -rw-rw----. 1 es es 6380 Oct 30 2018 log4j2.properties drwxrwxr-x. 2 es es 4096 Feb 29 03:30 out -rw-rw----. 1 es es 473 Oct 30 2018 role_mapping.yml -rw-rw----. 1 es es 197 Oct 30 2018 roles.yml -rw-rw----. 1 es es 0 Oct 30 2018 users -rw-rw----. 1 es es 0 Oct 30 2018 users_roles [es@cluster1_host1 config]$ pwd /usr/local/elasticsearch/config
修改内容如下,主要里要指定证书文件的相对路径
searchguard.ssl.transport.pemcert_filepath: out/cluster1_host1.pem searchguard.ssl.transport.pemkey_filepath: out/cluster1_host1.key searchguard.ssl.transport.pemkey_password: teststt searchguard.ssl.transport.pemtrustedcas_filepath: out/root-ca.pem searchguard.ssl.transport.enforce_hostname_verification: false searchguard.ssl.transport.resolve_hostname: false searchguard.ssl.http.enabled: false searchguard.ssl.http.pemcert_filepath: out/cluster1_host1_http.pem searchguard.ssl.http.pemkey_filepath: out/cluster1_host1_http.key searchguard.ssl.http.pemkey_password: teststt searchguard.ssl.http.pemtrustedcas_filepath: out/root-ca.pem searchguard.nodes_dn: - CN=cluster1_host1,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com - CN=cluster1_host2,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com - CN=cluster1_host3,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com searchguard.authcz.admin_dn: - CN=kirk.example.com,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
校验一下配置文件
[es@cluster1_host1 tools]$ ./sgtlsdiag.sh -es /usr/local/elasticsearch/config/elasticsearch.yml
Reading node config file /usr/local/elasticsearch/config/elasticsearch.yml
========================================================================
/usr/local/elasticsearch/config/out/cluster1_host1.pem
------------------------------------------------------------------------
Certificate 1
------------------------------------------------------------------------
SHA1 FPR: 70b8e292357beec0e55b1b98c257aa5d2a391f05
MD5 FPR: 1565fb2741046769feb128d2e98e3923
Subject DN [RFC2253]: CN=cluster1_host1,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
Serial Number: 1582963131135
Issuer DN [RFC2253]: CN=signing.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
Not Before: Sat Feb 29 02:58:53 EST 2020
Not After: Tue Feb 26 02:58:53 EST 2030
Key Usage: digitalSignature nonRepudiation keyEncipherment
Signature Algorithm: SHA256WITHRSA
Version: 3
Extended Key Usage: id_kp_serverAuth id_kp_clientAuth
Basic Constraints: -1
SAN:
dNSName: cluster1_host1
iPAddress: 10.87.18.31
------------------------------------------------------------------------
Certificate 2
------------------------------------------------------------------------
SHA1 FPR: 450118f5bce0ddbb0210550620da4323c15c697b
MD5 FPR: 091f69596ca7e6b3c74f3ac200e87307
Subject DN [RFC2253]: CN=signing.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
Serial Number: 2
Issuer DN [RFC2253]: CN=root.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
Not Before: Sat Feb 29 02:58:53 EST 2020
Not After: Tue Feb 26 02:58:53 EST 2030
Key Usage: digitalSignature keyCertSign cRLSign
Signature Algorithm: SHA256WITHRSA
Version: 3
Extended Key Usage: null
Basic Constraints: 0
SAN: (none)
------------------------------------------------------------------------
Trust anchor:
DC=com,DC=example,O=Example Com\, Inc.,OU=CA,CN=root.ca.example.com
========================================================================
/usr/local/elasticsearch/config/out/cluster1_host1_http.pem
------------------------------------------------------------------------
Certificate 1
------------------------------------------------------------------------
SHA1 FPR: 998fdf16628aeb9da3d9ef741f8d87318f44bf87
MD5 FPR: bfb40c178312f63af1bf5d83cd7a1021
Subject DN [RFC2253]: CN=cluster1_host1,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
Serial Number: 1582963131136
Issuer DN [RFC2253]: CN=signing.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
Not Before: Sat Feb 29 02:58:55 EST 2020
Not After: Tue Feb 26 02:58:55 EST 2030
Key Usage: digitalSignature nonRepudiation keyEncipherment
Signature Algorithm: SHA256WITHRSA
Version: 3
Extended Key Usage: id_kp_serverAuth id_kp_clientAuth
Basic Constraints: -1
SAN:
dNSName: cluster1_host1
iPAddress: 10.87.18.31
------------------------------------------------------------------------
Certificate 2
------------------------------------------------------------------------
SHA1 FPR: 450118f5bce0ddbb0210550620da4323c15c697b
MD5 FPR: 091f69596ca7e6b3c74f3ac200e87307
Subject DN [RFC2253]: CN=signing.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
Serial Number: 2
Issuer DN [RFC2253]: CN=root.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
Not Before: Sat Feb 29 02:58:53 EST 2020
Not After: Tue Feb 26 02:58:53 EST 2030
Key Usage: digitalSignature keyCertSign cRLSign
Signature Algorithm: SHA256WITHRSA
Version: 3
Extended Key Usage: null
Basic Constraints: 0
SAN: (none)
------------------------------------------------------------------------
Trust anchor:
DC=com,DC=example,O=Example Com\, Inc.,OU=CA,CN=root.ca.example.com
========================================================================
/usr/local/elasticsearch/config/out/root-ca.pem
------------------------------------------------------------------------
Certificate 1
------------------------------------------------------------------------
SHA1 FPR: b66494fa2c05423e64ada2403e09ca6c76ae3936
MD5 FPR: 5f0834f0acf6dc8f7fa061eb7be0675a
Subject DN [RFC2253]: CN=root.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
Serial Number: 1
Issuer DN [RFC2253]: CN=root.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
Not Before: Sat Feb 29 02:58:52 EST 2020
Not After: Tue Feb 26 02:58:52 EST 2030
Key Usage: digitalSignature keyCertSign cRLSign
Signature Algorithm: SHA256WITHRSA
Version: 3
Extended Key Usage: null
Basic Constraints: 2147483647
SAN: (none)
14、修改其他节点配置文件
拷贝out目录到其他节点的相同目录
[root@cluster1_host1 data]# scp -r /usr/local/elasticsearch/config/out/ root@10.87.18.33:/usr/local/elasticsearch/config/
15、下面的需要在es的所有节点执行
[es@cluster1_host1 search-guard-6]$ pwd /usr/local/elasticsearch/plugins/search-guard-6 [es@cluster1_host1 search-guard-6]$ [es@cluster1_host1 search-guard-6]$ [es@cluster1_host1 search-guard-6]$ ./tools/sgadmin.sh -esa -icl -nhnv -cert ../../config/out/kirk.pem -key ../../config/out/kirk.key -cacert ../../config/out/root-ca.pem -h cluster1_host1 -keypass teststt Search Guard Admin v6 Will connect to cluster1_host1:9300 ... done Elasticsearch Version: 6.4.3 Search Guard Version: 6.4.3-25.5 Connected as CN=kirk.example.com,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com Persistent and transient shard allocation enabled
16、执行es命令
Unauthorized[root@cluster1_host1 ~]# curl '10.87.18.31:9200/_cat/nodes?v' Unauthorized[root@cluster1_host1 ~]#
17、打开浏览器访问如下url
http://10.87.18.31:9200/_searchguard/health
{"message":null,"mode":"strict","status":"UP"}
18、携带用户名和密码访问es
[root@cluster1_host1 ~]# curl -u admin:admin '10.87.18.31:9200/_cat/indices?v' health status index uuid pri rep docs.count docs.deleted store.size pri.store.size green open searchguard XOWOuXN0SJi_69Yz3BPtmw 1 2 0 6 88.6kb 38.4kb [root@cluster1_host1 ~]#
es的search-guard插件配置完成
三、问题
1、如果启动es报错
[2020-02-29T03:54:12,266][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [cluster1_host1] uncaught exception in thread [main] org.elasticsearch.bootstrap.StartupException: java.lang.IllegalArgumentException: Cannot have additional setting [http.type] in plugin [search-guard-6], already added in plugin [x-pack-security]
则需要修改es的配置文件
xpack.security.enabled: false
2、如果启动es有告警
[2020-02-29T03:49:24,286][WARN ][c.f.s.SearchGuardPlugin ] Directory /usr/local/elasticsearch/config has insecure file permissions (should be 0700) [2020-02-29T03:49:24,286][WARN ][c.f.s.SearchGuardPlugin ] Directory /usr/local/elasticsearch/config/out has insecure file permissions (should be 0700) [2020-02-29T03:49:24,286][WARN ][c.f.s.SearchGuardPlugin ] File /usr/local/elasticsearch/config/out/root-ca.pem has insecure file permissions (should be 0600) [2020-02-29T03:49:24,286][WARN ][c.f.s.SearchGuardPlugin ] File /usr/local/elasticsearch/config/out/root-ca.key has insecure file permissions (should be 0600) [2020-02-29T03:49:24,286][WARN ][c.f.s.SearchGuardPlugin ] File /usr/local/elasticsearch/config/out/signing-ca.pem has insecure file permissions (should be 0600)
则修改权限
chmod 0600 /usr/local/elasticsearch/config/out/* chmod 0700 /usr/local/elasticsearch/config/
3、如果执行es命令有如下报错
[root@cluster1_host1 config]# curl '10.87.18.31:9200/_cat/nodes?v' Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin[root@cluster1_host1 config]
进入如下目录
[es@cluster1_host1 search-guard-6]$ pwd /usr/local/elasticsearch/plugins/search-guard-6
做如下修改,如果报文件不存在,则重启es在试一次,只需要在一个节点执行即可
[es@cluster1_host1 search-guard-6]$ ./tools/sgadmin.sh -cd ./sgconfig/ -icl -nhnv -cert ../../config/out/kirk.pem -key ../../config/out/kirk.key -cacert ../../config/out/root-ca.pem -h cluster1_host1 -keypass teststt Search Guard Admin v6 Will connect to cluster1_host1:9300 ... done Elasticsearch Version: 6.4.3 Search Guard Version: 6.4.3-25.5 Connected as CN=kirk.example.com,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ... Clustername: my-application Clusterstate: YELLOW Number of nodes: 3 Number of data nodes: 3 searchguard index already exists, so we do not need to create one. INFO: searchguard index state is YELLOW, it seems you miss some replicas Populate config from /usr/local/elasticsearch/plugins/search-guard-6/sgconfig Will update 'sg/config' with ./sgconfig/sg_config.yml SUCC: Configuration for 'config' created or updated Will update 'sg/roles' with ./sgconfig/sg_roles.yml SUCC: Configuration for 'roles' created or updated Will update 'sg/rolesmapping' with ./sgconfig/sg_roles_mapping.yml SUCC: Configuration for 'rolesmapping' created or updated Will update 'sg/internalusers' with ./sgconfig/sg_internal_users.yml SUCC: Configuration for 'internalusers' created or updated Will update 'sg/actiongroups' with ./sgconfig/sg_action_groups.yml SUCC: Configuration for 'actiongroups' created or updated Done with success [es@cluster1_host1 search-guard-6]$ pwd
