search-guard 在 Elasticsearch 2.3 上的運用
Author:uni3orns
參考內容:
- http://kibana.logstash.es/content/elasticsearch/auth/searchguard-2.html
- https://groups.google.com/forum/#!forum/search-guard
- https://github.com/floragunncom/search-guard
此文章基於以下軟體版本,不同版本可能略有差異:
- elasticsearch 2.3.3
- search-guard 2.3.3 RC1
0x00 背景
Elasticsearch是一個基於Lucene構建的開源,分散式,RESTful搜尋引擎,大量使用於各種場景,隨著不斷的發展,不可避免的會產生安全問題,一些危害比較大的漏洞比如CVE-2015-3337、CVE-2015-5531。面對這些漏洞(包括0day)的威脅,以及多業務使用使用同一套es叢集的情況,使用一套認證授權系統就顯得尤為必要。
經過es1代到2代產品的過度,目前主流的方案就只有官方的shield以及開源search-guard,然而我廠比較扣。
0x01 search-guard
search-guard 更新到2.x後跟 shield 配置上很相似,相比1.x的版本邏輯上更加鬆散。
searchguard 優點有:
- 節點之間透過 SSL/TLS 傳輸
- 支援 JDK SSL 和 Open SSL
- 支援熱載入,不需要重啟服務
- 支援 kibana4 及 logstash 的配置
- 可以控制不同的使用者訪問不同的許可權
- 配置簡單
0x02 安裝
安裝search-guard-ssl
#!bash
sudo bin/plugin install -b com.floragunn/search-guard-ssl/2.3.3.11
安裝search-guard-2
#!bash
sudo bin/plugin install -b com.floragunn/search-guard-2/2.3.3.0-rc1
0x03 證照
根據自身情況修改官方指令碼生成admin證照、node證照、根證照,將 node 證照和根證照放在 elasticsearch 配置檔案目錄下,同時將admin證照和根證照放到search-guard 配置檔案目錄下
tips:證照需要統一生成
0x04 配置 elasticsearch 支援 ssl
elasticsearch.yml增加以下配置:
#!bash
#############################################################################################
# SEARCH GUARD #
# Configuration #
#############################################################################################
# Add the following properties to your standard elasticsearch.yml
# (alongside with the SG SSL settings)
# This settings must always be the same on all nodes in the cluster
# This defines the DNs (distinguished names) of certificates
# to which admin privileges should be assigned
security.manager.enabled: false
searchguard.authcz.admin_dn:
- "CN=kirk,OU=client,O=client,l=tEst, C=De"
# kirk是administrator,可以自行修改
# This is optional
# Only needed when impersonation is used
# Allow DNs (distinguished names) to impersonate as other users
#searchguard.authcz.impersonation_dn:
# "CN=spock,OU=client,O=client,L=Test,C=DE":
# - worf
# "cn=webuser,ou=IT,ou=IT,dc=company,dc=com":
# - user2
# - user1
# Auditlog configuration:
searchguard.audit.type: internal_elasticsearch
#searchguard.audit.type: external_elasticsearch
#searchguard.audit.config.http_endpoints: ['localhost:9200','localhost:9201','localhost:9202']"
#searchguard.audit.config.index: auditlog # make sure you secure this index properly
#searchguard.audit.config.type: auditlog
#searchguard.audit.config.username: auditloguser
#searchguard.audit.config.password: auditlogpassword
#searchguard.audit.config.enable_ssl: false
#searchguard.audit.config.verify_hostnames: false
#searchguard.audit.config.enable_ssl_client_auth: false
# If Kerberos authentication should be used you have to configure this:
# The absolute path or relative path to config/ directory
# to krb5.conf file
#searchguard.kerberos.krb5_filepath: '/etc/krb5.conf'
# The absolute path or relative path to config/ directory
# to the keytab where the acceptor_principal credentials are stored.
#searchguard.kerberos.acceptor_keytab_filepath: 'eskeytab.tab'
#############################################################################################
# SEARCH GUARD SSL #
# Configuration #
#############################################################################################
#############################################################################################
# Transport layer SSL #
# #
#############################################################################################
# Enable or disable node-to-node ssl encryption (default: true)
searchguard.ssl.transport.enabled: true
# JKS or PKCS12 (default: JKS)
searchguard.ssl.transport.keystore_type: JKS
# Relative path to the keystore file (mandatory, this stores the server certificates), must be placed under the config/ dir
searchguard.ssl.transport.keystore_filepath: node-1-keystore.jks
# 當前節點的證照,根據節點名字生成
# Alias name (default: first alias which could be found)
#searchguard.ssl.transport.keystore_alias: my_alias
# Keystore password (default: changeit)
#searchguard.ssl.transport.keystore_password: changeit
# JKS or PKCS12 (default: JKS)
searchguard.ssl.transport.truststore_type: JKS
# Relative path to the truststore file (mandatory, this stores the client/root certificates), must be placed under the config/ dir
searchguard.ssl.transport.truststore_filepath: truststore.jks
# Alias name (default: first alias which could be found)
#searchguard.ssl.transport.truststore_alias: my_alias
# Truststore password (default: changeit)
searchguard.ssl.transport.truststore_password: changeit
# Enforce hostname verification (default: true)
searchguard.ssl.transport.enforce_hostname_verification: true
# 如果沒有證照伺服器,需要設定為false,否則無法加入叢集
# If hostname verification specify if hostname should be resolved (default: true)
searchguard.ssl.transport.resolve_hostname: true
# Use native Open SSL instead of JDK SSL if available (default: true)
searchguard.ssl.transport.enable_openssl_if_available: false
# Enabled SSL cipher suites for transport protocol (only Java format is supported)
# WARNING: Expert setting, do only use if you know what you are doing
# If you set wrong values here this this could be a security risk
#searchguard.ssl.transport.enabled_ciphers:
# - "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
# - "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256"
# Enabled SSL protocols for transport protocol (only Java format is supported)
# WARNING: Expert setting, do only use if you know what you are doing
# If you set wrong values here this this could be a security risk
#searchguard.ssl.transport.enabled_protocols:
# - "TLSv1.2"
#############################################################################################
# HTTP/REST layer SSL #
# #
#############################################################################################
# Enable or disable rest layer security - https, (default: false)
#searchguard.ssl.http.enabled: true
# JKS or PKCS12 (default: JKS)
#searchguard.ssl.http.keystore_type: PKCS12
# Relative path to the keystore file (this stores the server certificates), must be placed under the config/ dir
#searchguard.ssl.http.keystore_filepath: keystore_https_node1.jks
# Alias name (default: first alias which could be found)
#searchguard.ssl.http.keystore_alias: my_alias
# Keystore password (default: changeit)
#searchguard.ssl.http.keystore_password: changeit
# Do the clients (typically the browser or the proxy) have to authenticate themself to the http server, default is OPTIONAL
# To enforce authentication use REQUIRE, to completely disable client certificates use NONE
#searchguard.ssl.http.clientauth_mode: REQUIRE
# JKS or PKCS12 (default: JKS)
#searchguard.ssl.http.truststore_type: PKCS12
# Relative path to the truststore file (this stores the client certificates), must be placed under the config/ dir
#searchguard.ssl.http.truststore_filepath: truststore_https.jks
# Alias name (default: first alias which could be found)
#searchguard.ssl.http.truststore_alias: my_alias
# Truststore password (default: changeit)
#searchguard.ssl.http.truststore_password: changeit
# Use native Open SSL instead of JDK SSL if available (default: true)
#searchguard.ssl.http.enable_openssl_if_available: false
# Enabled SSL cipher suites for http protocol (only Java format is supported)
# WARNING: Expert setting, do only use if you know what you are doing
# If you set wrong values here this this could be a security risk
#searchguard.ssl.http.enabled_ciphers:
# - "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
# - "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256"
# Enabled SSL protocols for http protocol (only Java format is supported)
# WARNING: Expert setting, do only use if you know what you are doing
# If you set wrong values here this this could be a security risk
#searchguard.ssl.http.enabled_protocols:
# - “TLSv1.2"
重啟 elasticsearch
注意:任何修改elasticsearch.yml的操作都需要重啟elasticsearch才能生效
配置檔案介紹
searchguard 主要有5個配置檔案在 plugins/search-guard-2/sgconfig 下:
sg_config.yml:
- 主配置檔案不需要做改動
sg_internal_users.yml:
本地使用者檔案,定義使用者密碼以及對應的許可權。例如:對於 ELK 我們需要一個 kibana 登入使用者和一個 logstash 使用者:
#!bash kibana4: hash: $2a$12$xZOcnwYPYQ3zIadnlQIJ0eNhX1ngwMkTN.oMwkKxoGvDVPn4/6XtO #password is: kirk roles: - kibana4 logstash: hash: $2a$12$xZOcnwYPYQ3zIadnlQIJ0eNhX1ngwMkTN.oMwkKxoGvDVPn4/6XtO roles: - logstash
密碼可用plugins/search-guard-2/tools/hash.sh生成
sg_roles.yml:
許可權配置檔案,這裡提供 kibana4 和 logstash 的許可權樣例
#!bash #<sg_role_name>: # cluster: # - '<permission>' # indices: # '<indexname or alias>': # '<type>': # - '<permission>' # _dls_: '<querydsl query>' # _fls_: # - '<field>' # - '<field>' sg_kibana4: cluster: - cluster:monitor/nodes/info - cluster:monitor/health indices: '*': '*': - indices:admin/mappings/fields/get - indices:admin/validate/query - indices:data/read/search - indices:data/read/msearch - indices:admin/get - indices:data/read/field_stats '?kibana': '*': - indices:admin/exists - indices:admin/mapping/put - indices:admin/mappings/fields/get - indices:admin/refresh - indices:admin/validate/query - indices:data/read/get sg_logstash: cluster: - indices:admin/template/get - indices:admin/template/put indices: 'logstash-*': '*': - WRITE - indices:data/write/bulk - indices:data/write/delete - indices:data/write/update - indices:data/read/search - indices:data/read/scroll - CREATE_INDEX
sg_roles_mapping.yml:
定義使用者的對映關係,新增 kibana 及 logstash 使用者對應的對映:
#!bash sg_logstash: users: - logstash sg_kibana4: backendroles: - kibana users: - kibana4
sg_action_groups.yml:
- 定義許可權
載入配置並啟用
#!bash
sh plugins/search-guard-2/tools/sgadmin.sh -cn 叢集名稱(預設為elasticsearch,修改名稱必須新增此引數) -h 127.0.0.1 -cd plugins/search-guard-2/sgconfig -ks plugins/search-guard-2/sgconfig/kirk-keystore.jks -kspass kspass -ts plugins/search-guard-2/sgconfig/truststore.jks -tspass tspass -nhnv
如修改了searchguard,則需要重新載入配置執行
注意:search-guard配置的相關改動不需要重啟elasticsearch,相關的配置實際上儲存在searchguard 的indice下了
至此大家就可以安全的使用elasticsearch
關於ldap以及https的配置將在下一篇給出
相關文章
- Elasticsearch深度應用(上)2022-07-08Elasticsearch
- Elasticsearch在物流資料中心的應用2018-11-23Elasticsearch
- Elasticsearch 在業界的大量應用案例2021-07-24Elasticsearch
- 教程:在Ubuntu 18.04.1上安裝Elasticsearch2018-08-24UbuntuElasticsearch
- Elasticsearch在Hdfs上build的實現及優化2018-11-29ElasticsearchUI優化
- JavaScript 2.3 js之||、&&、|、&、三目運算子2020-09-27JavaScriptJS
- 2.3 應用程式容器中的應用程式概述2020-03-16
- Elasticsearch運維指南2024-03-20Elasticsearch運維
- Elasticsearch在華泰證券內部的應用實踐2018-07-25Elasticsearch
- 你的Elasticsearch在“裸奔”嗎?2019-02-21Elasticsearch
- ElasticSearch(八)Elasticsearch-head 連線不上Elasticsearch的原因和解決方案2019-01-07Elasticsearch
- SPI介面在LCD上的應用2021-05-30
- 稀疏映象在OpenHarmony上的應用2023-02-08
- [Elasticsearch] ES 的Mapping 設計在實際場景中應用2021-12-24ElasticsearchAPP
- 半透明色塊在PPT中的運用2018-06-25
- Elasticsearch在Laravel中的實踐2021-02-23ElasticsearchLaravel
- 線上課程|儲存與計算分離,京東在Elasticsearch上的實踐分享2020-03-19Elasticsearch
- 工控機在高鐵上的應用2018-09-27
- Random 函式在批次造資料中的運用2020-12-08random函式
- 在學習中運用類比2018-09-17
- Elasticsearch在資料湖中的地位2018-11-09Elasticsearch
- ElasticSearch7.6.2在windows上如何配置ik分詞器與用法2020-12-22ElasticsearchWindows分詞
- 400+節點的 Elasticsearch 叢集運維2019-03-26Elasticsearch運維
- 400+ 節點的 Elasticsearch 叢集運維2019-04-25Elasticsearch運維
- ElasticSearch 叢集的規劃部署與運維2021-03-03Elasticsearch運維
- GitLab CI構建SpringBoot-2.3應用2020-12-29GitlabSpring Boot
- rgba與opacity的區別以及在遮罩層的運用2018-11-25遮罩
- elasticsearch的開發應用(3)2022-11-27Elasticsearch
- 3.5寸彩屏在料理機上的應用2021-11-01
- AI在春運搶票中是如何應用的?2019-01-07AI
- ~,&,|,^等位運算子在JavaScript中的一些應用2018-10-15JavaScript
- 人工智慧在IT運維中的研究和應用2019-05-13人工智慧運維
- ES6 在日常工作中的運用2018-03-24
- 豬行天下之Python基礎——2.3 變數,常量,運算子2019-04-03Python變數
- 使用ConnectableFlux在elasticsearch上進行後臺批處理 - Jeroen van Wilgenburg2020-01-18UXElasticsearch
- 系統運維 SysOM profiling 在雲上環境的應用觀測實踐 | 龍蜥技術2023-02-02運維
- Spring 對 Junit4,Junit5 的支援上的運用2024-05-20Spring
- 上雲桌面用固態硬碟—IT運維的定海神針2018-06-11硬碟運維