X-Pack with LDAP for authentication and authorization

1. Generate SSL certificates

Generate the SSL certificates with ES_HOME/bin/x-pack/certgen.
IP addresses:

10.17.90.20,10.17.90.21,10.17.90.22,10.17.90.24,10.17.90.25,10.17.90.26,10.17.90.27,10.17.90.28

Hostnames:

d1705027.grid.com,d1705028.grid.com,d1705029.grid.com,d1806001.grid.com,d1806002.grid.com,d1806003.grid.com,d1809002.grid.com,d1809003.grid.com

Update the salt configuration so it loads the SSL configuration (done).
Edit elasticsearch.yml to enable SSL on the transport layer:

xpack.ssl.key: /data1/elasticsearch9201/config/elasticsearch/elasticsearch.key
xpack.ssl.certificate: /data1/elasticsearch9201/config/elasticsearch/elasticsearch.crt
xpack.ssl.certificate_authorities: /data1/elasticsearch9201/config/ca/ca.crt
xpack.security.transport.ssl.enabled: true

2. Change the passwords of the built-in ES cluster accounts

./bin/x-pack/setup-passwords interactive
Set custom passwords for the built-in accounts (elastic, kibana, logstash_system).
The elastic account is the Elasticsearch superuser and holds every privilege.
The kibana account is used by the Kibana component to fetch the data it displays in the web UI.
The logstash_system account is used by the Logstash service to fetch Elasticsearch monitoring data.
Note: the Elasticsearch service must already be running, with X-Pack security enabled, before this step.
./bin/x-pack/setup-passwords interactive
elastic:
kibana:
logstash_system:

3. Enable LDAP authentication in ES

Enable it in the elasticsearch.yml configuration.
Note: on the ES cluster, add the following line to elasticsearch.yml:
http.cors.allow-headers: Authorization,X-Requested-With,Content-Length,Content-Type

4. Kibana: modify the startup script

Not modified.

5. Kibana: modify the configuration file

The x-pack plugin must be installed.
Change the account and password Kibana uses to connect to the ES cluster.

6. Logstash: modify the configuration file

In the elasticsearch output, add:
user => elastic
password => password

7. Restart the cluster

Disable shard allocation before restarting the nodes, and re-enable it once they are back:

curl -XPUT -H 'Content-Type: application/json' "http://127.0.0.1:9200/_cluster/settings" -d '{
  "transient": {
    "cluster.routing.allocation.enable": "none"
  }
}'
curl -XPUT -u elastic: -H 'Content-Type: application/json' "http://127.0.0.1:9200/_cluster/settings" -d '{
  "transient": {
    "cluster.routing.allocation.enable": "all"
  }
}'

8. elasticsearch-head: logging in with authentication

Append the credentials to the head URL as query parameters:
?auth_user=elastic&auth_password=

9. Add a role

index_name=cron_term_log
role_name=${index_name}_all
echo "{\"cluster\":[],\"indices\":[{\"names\":[\"${index_name}*\"],\"privileges\":[\"all\"]}],\"run_as\":[],\"transient_metadata\":{\"enabled\":true}}" >${index_name}

curl -XPOST -H "Content-Type: application/json" -u elastic: "http://localhost:9201/_xpack/security/role/$role_name" -d@${index_name}

10. Bind users to roles
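
The step 9 script builds the role body with hand-escaped JSON and always grants "all"; the step 10 binding goes through the file-based role mapping that the realm config later points at (role_mapping.yml). The following Python is an added example covering both steps, not code from the original post: it generates the role body without manual escaping, refuses an empty index name (whose pattern would collapse to "*" and grant the privileges on every index), adds a read-only variant alongside the full-access one, and renders the role_mapping.yml entries. The group DNs and the "read" suffix are constructed for the example.

```python
import json
import re

# Role names accepted here: letters, digits, underscore, dot and hyphen.
ROLE_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


def build_index_role(index_name, privileges=("all",)):
    """Role body for the pattern `<index_name>*`, as a dict ready for json.dumps.

    An empty index name is refused: the pattern would collapse to "*" and the
    role would grant `privileges` on every index in the cluster.
    """
    if not index_name or not index_name.strip():
        raise ValueError("index_name must not be empty (pattern would become '*')")
    if "*" in index_name or "," in index_name or " " in index_name:
        raise ValueError("index_name must be a literal prefix, not a pattern")
    return {
        "cluster": [],
        "indices": [{"names": [index_name + "*"], "privileges": list(privileges)}],
        "run_as": [],
        "transient_metadata": {"enabled": True},
    }


def role_name_for(index_name, suffix="all"):
    """Same naming scheme as the step 9 script: <index_name>_<suffix>."""
    name = f"{index_name}_{suffix}"
    if not ROLE_NAME_RE.match(name):
        raise ValueError(f"invalid role name: {name!r}")
    return name


def role_mapping_yaml(mappings):
    """Render role_mapping.yml content: one role name per key, each followed by
    the list of LDAP group (or user) DNs that should receive that role."""
    lines = []
    for role, dns in sorted(mappings.items()):
        lines.append(f"{role}:")
        for dn in dns:
            lines.append(f'  - "{dn}"')
    return "\n".join(lines) + "\n"


def curl_command(role_name, body_file, host="http://localhost:9201"):
    """The same API call as step 9; the password after 'elastic:' is left for the operator."""
    return (f'curl -XPOST -H "Content-Type: application/json" -u elastic: '
            f'"{host}/_xpack/security/role/{role_name}" -d@{body_file}')


if __name__ == "__main__":
    index_name = "cron_term_log"
    # Full-access role, exactly what the step 9 script creates.
    full_role = role_name_for(index_name)
    print(json.dumps(build_index_role(index_name)))
    print(curl_command(full_role, index_name))
    # Read-only variant for consumers that only query the index.
    read_role = role_name_for(index_name, suffix="read")
    print(json.dumps(build_index_role(index_name, privileges=("read", "view_index_metadata"))))
    # Hypothetical group DNs, constructed for the example.
    print(role_mapping_yaml({
        full_role: ["cn=cron-admins,ou=groups,dc=example,dc=com"],
        read_role: ["cn=cron-readers,ou=groups,dc=example,dc=com"],
    }))
```

Write the JSON to the file the curl command references, POST it as in step 9, and copy the rendered mapping into the role_mapping.yml named in the realm configuration; the realm then grants each role to users whose LDAP groups match the listed DNs.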

11. Configuration

cat elasticsearch.yml

cluster.name: elk_cluster
node.master: true
node.data: true
node.attr.box_type: hot
node.name: 10.20.90.36
path.data: /data1/data/elasticsearch
path.logs: /data1/logs/elasticsearch
network.host: 0.0.0.0
http.port: 9200
transport.tcp.compress: true
http.max_content_length: 200mb
discovery.zen.ping.unicast.hosts: ['10.22.90.36', '10.20.90.37']
discovery.zen.minimum_master_nodes: 2
discovery.zen.ping_timeout: 120s
index.store.type: mmapfs
bootstrap.system_call_filter: false
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,X-Requested-With,Content-Length,Content-Type

# thread_pool config
thread_pool.index.queue_size: 3000
thread_pool.search.min_queue_size: 400
thread_pool.search.max_queue_size: 3000
thread_pool.get.queue_size: 3000
thread_pool.bulk.queue_size: 3000
xpack.ssl.key: /data1/elasticsearch/config/elk_crt/elk.key
xpack.ssl.certificate: /data1/elasticsearch/config/elk_crt/elk.crt
xpack.ssl.certificate_authorities: /data1/elasticsearch/config/elk_crt/ca/ca.crt
xpack.security.transport.ssl.enabled: true
xpack.security.enabled: true
xpack.monitoring.enabled: true
xpack.graph.enabled: true
xpack.watcher.enabled: true
xpack.monitoring.exporters:
  id1:
    type: http
    host: ["http://10.20.90.36:9200"]
    auth.username: elastic
    auth.password: RHjv
action.auto_create_index: true
xpack:
  security:
    authc:
      realms:
        ldap1:
          type: ldap
          order: 0
          url: "ldap://111.151.118.122:389"
          bind_dn: 
          bind_password: admin
          user_search:
            base_dn: ""
            attribute: data
          group_search:
            base_dn: ""
          files:
            role_mapping: "/data1/elasticsearch/config/x-pack/role_mapping.yml"
          unmapped_groups_as_roles: true
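
The configuration above combines several settings whose security effect is easy to miss: an ldap:// URL (bind and user passwords cross the network in cleartext), passwords stored in elasticsearch.yml rather than the keystore, unmapped_groups_as_roles, and wildcard CORS with the Authorization header allowed. The following Python is an added configuration check, not part of the original post: SAMPLE_SETTINGS is a constructed subset that mirrors the shape of this file with the secrets replaced by placeholders, and the findings describe general X-Pack behaviour, not anything observed on this cluster. The secure_bind_password keystore setting referenced in one finding is the X-Pack LDAP realm's keystore counterpart of bind_password.

```python
# Constructed sample: a subset of the step 11 elasticsearch.yml with the
# secrets replaced by placeholders. Not taken from any live cluster.
SAMPLE_SETTINGS = {
    "network.host": "0.0.0.0",
    "http.cors.enabled": True,
    "http.cors.allow-origin": "*",
    "http.cors.allow-headers": "Authorization,X-Requested-With,Content-Length,Content-Type",
    "xpack.security.enabled": True,
    "xpack.security.transport.ssl.enabled": True,
    "xpack.monitoring.exporters": {
        "id1": {"type": "http", "auth.username": "elastic", "auth.password": "PLACEHOLDER"},
    },
    "xpack": {"security": {"authc": {"realms": {"ldap1": {
        "type": "ldap",
        "order": 0,
        "url": "ldap://ldap.example.internal:389",
        "bind_dn": "cn=svc-es,ou=service,dc=example,dc=com",
        "bind_password": "PLACEHOLDER",
        "unmapped_groups_as_roles": True,
    }}}}},
}


def flatten(settings, prefix=""):
    """Flatten nested YAML-style dicts into dotted keys, so the block form
    (`xpack: security: ...`) and the dotted form compare alike."""
    flat = {}
    for key, value in settings.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, path))
        else:
            flat[path] = value
    return flat


def audit_security_settings(settings):
    """Return (severity, message) findings for an elasticsearch.yml dict."""
    flat = flatten(settings)
    findings = []

    if flat.get("xpack.security.enabled") is not True:
        findings.append(("high", "xpack.security.enabled is not true: no authentication"))
    if flat.get("xpack.security.transport.ssl.enabled") is not True:
        findings.append(("high", "transport SSL disabled: node-to-node traffic is cleartext"))

    # Realms live under xpack.security.authc.realms.<name>.<setting>
    realm_prefix = "xpack.security.authc.realms."
    realms = {k[len(realm_prefix):].split(".")[0] for k in flat if k.startswith(realm_prefix)}
    for realm in sorted(realms):
        r = f"{realm_prefix}{realm}."
        if flat.get(r + "type") != "ldap":
            continue
        if str(flat.get(r + "url", "")).startswith("ldap://"):
            findings.append(("high", f"realm {realm}: ldap:// URL, the bind password and every "
                                     "user's password cross the network in cleartext; use ldaps://"))
        if flat.get(r + "bind_password"):
            findings.append(("medium", f"realm {realm}: bind_password is in elasticsearch.yml; "
                                       "store it in the keystore as secure_bind_password"))
        if flat.get(r + "unmapped_groups_as_roles") is True:
            findings.append(("medium", f"realm {realm}: unmapped_groups_as_roles=true, so any LDAP "
                                       "group whose name equals a role name grants that role"))

    headers = str(flat.get("http.cors.allow-headers", ""))
    if (flat.get("http.cors.enabled") is True and flat.get("http.cors.allow-origin") == "*"
            and "Authorization" in headers):
        findings.append(("medium", "CORS accepts any origin and allows the Authorization header"))
    for key, value in sorted(flat.items()):
        if key.endswith(".auth.password") and value:
            findings.append(("medium", f"{key}: plaintext password in elasticsearch.yml"))
    if flat.get("network.host") == "0.0.0.0":
        findings.append(("low", "network.host 0.0.0.0: HTTP and transport ports listen on every interface"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_security_settings(SAMPLE_SETTINGS):
        print(f"[{severity}] {message}")
```

Run it against a parsed copy of each node's elasticsearch.yml (any YAML loader that yields nested dicts will do) before rolling the change out; the sample above produces six findings, and a file with security and transport SSL enabled and none of the other settings produces none.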
posted @ 2019-08-15 14:36 石Stone头