Docker部署ELK后配置search guard认证模块

　　Docker部署ELK参考

　　https://www.cnblogs.com/minseo/p/12956563.html

　　安装search guard参考

　　https://www.cnblogs.com/minseo/p/10576126.html

　　在线生成证书

　　https://search-guard.com/tls-certificate-generator/

　　在线生成证书本次只输入一个地址192.168.1.227生成证书，使用邮箱接收生成的证书

　　启动elasticsearch

docker run -d --name elasticsearch -p 9200:9200 -p 9300:9300 -e "discovery.type=single-node"

-v /nas/nas/scripts/docker_es_kibana/elasticsearch/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml -v /usr/share/elasticsearch/data:/usr/share/elasticsearch/data docker.elastic.co/elasticsearch/elasticsearch:6.6.2

　　把证书及search guard模块拷贝至容器内

1 2	`docker cp search-guard-6-6.6.2-24.2.zip elasticsearch:/opt/` `docker cp search-guard-certificates elasticsearch:/opt/`

　　登录容器

1	`docker exec -it elasticsearch bash`

　　安装search guard模块

　　模块最好下载成文件使用file安装，否则网络速度较慢安装时间比较长

1	`/usr/share/elasticsearch/bin/elasticsearch-plugin install file:///opt/search-guard-6-6.6.2-24.2.zip`

　　安装输入y确认

　　查看是否安装成功

# /usr/share/elasticsearch/bin/elasticsearch-plugin list                                              
ingest-geoip
ingest-user-agent
search-guard-6

　　创建证书目录，因为容器配置文件在目录/usr/share/elasticsearch/config配置文件使用相对路径所以创建的key目录也在改目录下

1	`mkdir /usr/share/elasticsearch/config/key`

　　把解压后的证书拷贝至此目录

1	`mv /opt/search-guard-certificates/* /usr/share/elasticsearch/config/key/`

　　设置目录权限为elasticsearch，因为使用用户elasticsearch启动，不设置权限会导致启动失败

1	`chown -R elasticsearch:elasticsearch key/`

　　修改配置文件添加search guard配置

# cat /usr/share/elasticsearch/config/elasticsearch.yml 
cluster.name: myes
#node.name: node-1
path.data: /usr/share/elasticsearch/data
#path.logs: /var/log/elasticsearch     
bootstrap.memory_lock: false
network.host: 0.0.0.0          
http.port: 9200
 
#search guard config start
searchguard.ssl.transport.pemcert_filepath: key/node-certificates/CN=IP-192.168.1.227.crtfull.pem
searchguard.ssl.transport.pemkey_filepath: key/node-certificates/CN=IP-192.168.1.227.key.pem
searchguard.ssl.transport.pemkey_password: c7c81d49530b771b415f
searchguard.ssl.transport.pemtrustedcas_filepath: key/chain-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: key/node-certificates/CN=IP-192.168.1.227.crtfull.pem
searchguard.ssl.http.pemkey_filepath: key/node-certificates/CN=IP-192.168.1.227.key.pem
searchguard.ssl.http.pemkey_password: c7c81d49530b771b415f
searchguard.ssl.http.pemtrustedcas_filepath: key/chain-ca.pem
searchguard.authcz.admin_dn:
  - CN=sgadmin
searchguard.audit.type: internal_elasticsearch
searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: true
searchguard.restapi.roles_enabled: ["sg_all_access"]
cluster.routing.allocation.disk.threshold_enabled: false
node.max_local_storage_nodes: 3
xpack.security.enabled: false
#search guard config end

　　退出容器重启容器生效

1	`docker restart elasticsearch`

　　验证安装是否成功，在web页面访问，默认用户名和密码都是admin

1	`https://192.168.1.227:9200/_searchguard/authinfo`

出现以下json格式代表安装正常

　　设置权限因子

　　登录容器操作

　　拷贝证书

1 2	`cd /usr/share/elasticsearch/config/key` `cp root-ca.pem client-certificates/CN\=sgadmin.key.pem client-certificates/CN\=sgadmin.crtfull.pem /usr/share/elasticsearch/plugins/search-guard-6/tools/`

　　设置权限因子，该命令可以在证书的README.txt找到

cd /usr/share/elasticsearch/plugins/search-guard-6/tools/
chmod +x sgadmin.sh 
./sgadmin.sh -cacert root-ca.pem -cert CN=sgadmin.crtfull.pem -key CN=sgadmin.key.pem -keypass e569191697316c8f6711 -nhnv -icl -cd ../sgconfig/

　　初始化搜索保护设置

cd /usr/share/elasticsearch/config/key
cp truststore.jks client-certificates/CN\=sgadmin-keystore.jks /usr/share/elasticsearch/plugins/search-guard-6/tools/
cd /usr/share/elasticsearch/plugins/search-guard-6/tools/
./sgadmin.sh -ts truststore.jks -tspass 4246ab5a580067d6b361 -ks CN=sgadmin-keystore.jks -kspass e569191697316c8f6711 -nhnv -icl -cd ../sgconfig/

　　该命令也在README.txt中

　　配置kibana

　　启动kibana容器

1	`docker run -d --name kibana -p 5601:5601 -v /nas/nas/scripts/docker_es_kibana/kibana/kibana.yml:/usr/share/kibana/config/kibana.yml docker.elastic.co/kibana/kibana:6.6.2`

　　拷贝search guard模块至容器中

1	`docker cp search-guard-kibana-plugin-6.6.2-18.1.zip kibana:/opt/`

　　登录容器安装模块

1	`docker exec -it kibana bash`

1	`/usr/share/kibana/bin/kibana-plugin install file:///opt/search-guard-kibana-plugin-6.6.2-18.1.zip`

　　安装查看

1 2	`$ /usr/share/kibana/bin/kibana-plugin list` `searchguard@6.6.2-18.1`

　　修改挂载的kibana配置文件kibana.yml添加配置

　　注意无法在容器中修改该文件，需要修改挂载的配置文件然后重启容器

# cat kibana.yml 
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.url: "https://192.168.1.227:9200"
kibana.index: ".kibana"
elasticsearch.username: "kibanaserver"
elasticsearch.password: "kibanaserver"
elasticsearch.ssl.verificationMode: none
elasticsearch.requestHeadersWhitelist: [ "Authorization", "sgtenant" ]
xpack.monitoring.enabled: false
xpack.graph.enabled: false
xpack.ml.enabled: false
xpack.watcher.enabled: false
xpack.security.enabled: false                 

　　重启容器

1	`docker restart kibana`

　　登录kibana需要输入用户名和密码admin

　　使用Dockerfile配置

　　以上配置如果重新启动容器又需要重新配置，下面使用Dockerfile一次性配置

　　elasticsearch配置文件

# cat elasticsearch.yml 
cluster.name: myes
#node.name: node-1
path.data: /usr/share/elasticsearch/data
#path.logs: /var/log/elasticsearch     
bootstrap.memory_lock: false
network.host: 0.0.0.0          
http.port: 9200
 
#search guard config start
searchguard.ssl.transport.pemcert_filepath: key/node-certificates/CN=IP-192.168.1.227.crtfull.pem
searchguard.ssl.transport.pemkey_filepath: key/node-certificates/CN=IP-192.168.1.227.key.pem
searchguard.ssl.transport.pemkey_password: c7c81d49530b771b415f
searchguard.ssl.transport.pemtrustedcas_filepath: key/chain-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: key/node-certificates/CN=IP-192.168.1.227.crtfull.pem
searchguard.ssl.http.pemkey_filepath: key/node-certificates/CN=IP-192.168.1.227.key.pem
searchguard.ssl.http.pemkey_password: c7c81d49530b771b415f
searchguard.ssl.http.pemtrustedcas_filepath: key/chain-ca.pem
searchguard.authcz.admin_dn:
  - CN=sgadmin
searchguard.audit.type: internal_elasticsearch
searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: true
searchguard.restapi.roles_enabled: ["sg_all_access"]
cluster.routing.allocation.disk.threshold_enabled: false
node.max_local_storage_nodes: 3
xpack.security.enabled: false
#search guard config end

　　Dockerfile

# cat Dockerfile 
FROM docker.elastic.co/elasticsearch/elasticsearch:6.6.2
MAINTAINER liuym
#添加search模块
ADD search-guard-6-6.6.2-24.2.zip /opt/search-guard-6-6.6.2-24.2.zip
#安装模块,需要交互输入y
RUN sh -c '/bin/echo -e "y"|/usr/share/elasticsearch/bin/elasticsearch-plugin  install -s file:///opt/search-guard-6-6.6.2-24.2.zip'
#创建证书文件夹
RUN mkdir /usr/share/elasticsearch/config/key
#添加生成的证书文件,tar文件会在文件夹自动解压
ADD search-guard-certificates.tar /opt
#把证书复制到对应证书目录
RUN mv /opt/search-guard-certificates/* /usr/share/elasticsearch/config/key
#设置证书权限
RUN chown -R elasticsearch:elasticsearch /usr/share/elasticsearch/config/key
#添加配置文件
ADD elasticsearch.yml /usr/share/elasticsearch/config/elasticsearch.yml

　　文件夹下放置证书以及search guard文件，目录下有以下文件

# tree
.
├── Dockerfile
├── elasticsearch.yml
├── search-guard-6-6.6.2-24.2.zip
└── search-guard-certificates.tar
 
0 directories, 4 files

　　使用Dockerfile生成镜像

# docker build -t elasticsearch:6.6.2 .
Sending build context to Docker daemon     27MB
Step 1/9 : FROM docker.elastic.co/elasticsearch/elasticsearch:6.6.2
 ---> 1bca39c5a102
Step 2/9 : MAINTAINER liuym
 ---> Using cache
 ---> ddf98d53d79f
Step 3/9 : ADD search-guard-6-6.6.2-24.2.zip /opt/search-guard-6-6.6.2-24.2.zip
 ---> Using cache
 ---> ded97929bfae
Step 4/9 : RUN sh -c '/bin/echo -e "y"|/usr/share/elasticsearch/bin/elasticsearch-plugin  install -s file:///opt/search-guard-6-6.6.2-24.2.zip'
 ---> Using cache
 ---> 514b9328f86b
Step 5/9 : RUN mkdir /usr/share/elasticsearch/config/key
 ---> Using cache
 ---> 301d21f14bbd
Step 6/9 : ADD search-guard-certificates.tar /opt
 ---> Using cache
 ---> 321a70d3ca47
Step 7/9 : RUN mv /opt/search-guard-certificates/* /usr/share/elasticsearch/config/key
 ---> Using cache
 ---> d5996471ed8e
Step 8/9 : RUN chown -R elasticsearch:elasticsearch /usr/share/elasticsearch/config/key
 ---> Using cache
 ---> aa1a06cce611
Step 9/9 : ADD elasticsearch.yml /usr/share/elasticsearch/config/elasticsearch.yml
 ---> 7f40dd51a36f
Successfully built 7f40dd51a36f
Successfully tagged elasticsearch:6.6.2

　　查看新镜像

　　使用新镜像启动

1	`docker run -d --name elasticsearch -p 9200:9200 -p 9300:9300 -e` `"discovery.type=single-node"` `-v /usr/share/elasticsearch/data:/usr/share/elasticsearch/data elasticsearch:6.6.2`

　　因为生成镜像已经把配置文件加入所以不需要挂载配置文件，只需要挂载数据文件

　　访问测试，需要输入用户名和密码，出现json格式文件代表正常

1	`https://192.168.1.227:9200/_searchguard/authinfo`

　　kibana配置文件

# cat kibana.yml 
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.url: "https://192.168.1.227:9200"
kibana.index: ".kibana"
elasticsearch.username: "kibanaserver"
elasticsearch.password: "kibanaserver"
elasticsearch.ssl.verificationMode: none
elasticsearch.requestHeadersWhitelist: [ "Authorization", "sgtenant" ]
xpack.monitoring.enabled: false
xpack.graph.enabled: false
xpack.ml.enabled: false
xpack.watcher.enabled: false
xpack.security.enabled: false                 

　　Dockerfile文件

# cat Dockerfile 
FROM docker.elastic.co/kibana/kibana:6.6.2
MAINTAINER liuym
#添加search模块
ADD search-guard-kibana-plugin-6.6.2-18.1.zip /opt/search-guard-kibana-plugin-6.6.2-18.1.zip
#安装模块,需要交互输入y
RUN sh -c '/bin/echo -e "y"|/usr/share/kibana/bin/kibana-plugin  install -s file:///opt/search-guard-kibana-plugin-6.6.2-18.1.zip'
#添加配置文件
ADD kibana.yml /usr/share/kibana/config/kibana.yml

　　生成新镜像