Elasticsearch Permission Control

Posted by 滄南 on 2017-03-01

With the widespread use of ES, its security has also drawn attention. Although an ES cluster is usually deployed on the company's internal network, it is very common for several business units to share one cluster. Sharing data while isolating access, and preventing user mistakes and data leaks, requires a sound permission control mechanism.

1. Option survey

The official security module, Shield, is a paid product, so it is not widely adopted. The following options were surveyed:

1) elasticsearch-http-basic

https://github.com/Asquera/elasticsearch-http-basic
Supported versions: currently up to elasticsearch 1.7.0
Features: simple to deploy; implements account authentication and IP whitelist authentication; limited functionality.

2) kibana-authentication-proxy

https://github.com/fangli/kibana-authentication-proxy
Supported versions: Kibana 3; the code was last updated two years ago.
Features: authentication implemented for Kibana; supports Google OAuth2, Basic Authentication and CAS Auth.

3) Shield

https://www.elastic.co/downloads/shield
Supported versions: up to Elasticsearch 2.x
Features: rich functionality, complete documentation, 30-day trial.

4) search-guard

https://github.com/floragunncom/search-guard


2. Build and package

mvn package -DskipTests

If the following error is reported:

[ERROR][com.floragunn.searchguard.SearchGuardPlugin] Class enhancements for DLS/FLS not successful due to javassist.CannotCompileException: [source error] no such field: context

modify the SearchGuardPlugin class source as follows and rebuild:

// The original insertion offset no longer matches the class being enhanced; move it:
//me.insertAt(559, "if(callback != null) {callback.onCreateContext(context, request);}");
me.insertAt(574, "if(callback != null) {callback.onCreateContext(context, request);}");

pom file:

<build>
    <plugins>
        <plugin>
            <artifactId>maven-assembly-plugin</artifactId>
            <configuration>
                <descriptorRefs>
                    <descriptorRef>jar-with-dependencies</descriptorRef>
                </descriptorRefs>
            </configuration>
            <executions>
                <execution>
                    <id>make-assembly</id>
                    <phase>package</phase>
                    <goals>
                        <goal>single</goal>
                    </goals>
                </execution>
            </executions>
        </plugin>

        <plugin>
            <groupId>org.codehaus.mojo</groupId>
            <artifactId>exec-maven-plugin</artifactId>
            <version>1.2.1</version>
            <executions>
                <execution>
                    <goals>
                        <goal>exec</goal>
                    </goals>
                </execution>
            </executions>
        </plugin>
    </plugins>
</build>

Copy the jar into elasticsearch/plugins/search-guard; note that it is the one under target/releases/:

target/releases/search-guard-0.6-SNAPSHOT.jar

otherwise the following errors are reported:

Caused by: java.lang.ClassNotFoundException: javassist.ClassPool
[2015-11-19 18:37:24,287][INFO ][watcher.trigger.schedule ] [idc] using [ticker] schedule trigger engine
{1.7.1}: Initialization Failed ...
- NoClassDefFoundError[waffle/windows/auth/IWindowsAuthProvider]

3. Manual installation

../bin/plugin -u file:./search-guard-0.6-SNAPSHOT.jar -i search-guard

Log:

-> Installing search-guard...
Trying file:./search-guard-0.6-SNAPSHOT-jar-with-dependencies.jar...
Downloading.........................................................................
DONE
Installed search-guard into /usr/local/webserver/elasticsearch/plugins/search-guard

4. Permission test


{
   "error": "ClassCastException[com.petalmd.armor.http.netty.SessionAwareNettyHttpChannel cannot be cast to org.elasticsearch.http.HttpChannel]",
   "status": 500
}

Modifying permissions

curl -XPUT 'http://***.***.***.***:9200/armor/ac/ac' -d '{
  "acl": [
    {
      "__Comment__": "By default no filters are executed and no filters a by-passed. In such a case an exception is thrown and access will be denied.",
      "hosts": ["*"],
      "indices": ["*"],
      "filters_bypass": [],
      "filters_execute": ["actionrequestfilter.readonly"]
    },
    {
      "__Comment__": "For role *root* all filters are bypassed (so none will be executed). This means unrestricted access.",
      "hosts": ["*"],
      "roles": ["root"],
      "indices": ["*"],
      "filters_bypass": ["*"],
      "filters_execute": []
    }
  ]
}'

The armor index may only be accessed from the machine on which elasticsearch is deployed; otherwise the following error is reported:

[2015-11-30 15:49:39,610][ERROR][com.petalmd.armor.filter.ArmorActionFilter] Forbidden while apply() due to com.petalmd.armor.authorization.ForbiddenException: Only allowed from localhost (loopback) for action indices:data/read/search
com.petalmd.armor.authorization.ForbiddenException: Only allowed from localhost (loopback)

The user1 user only has read-only permission, so creating an index from the head UI reports the following error:

[2015-11-30 15:25:21,565][ERROR][com.petalmd.armor.filter.ArmorActionFilter] Forbidden while apply() due to com.petalmd.armor.authorization.ForbiddenException: Action 'indices:admin/create' is forbidden due to DEFAULT for action indices:admin/create
com.petalmd.armor.authorization.ForbiddenException: Action 'indices:admin/create' is forbidden due to DEFAULT

Creating the test-log index through the admin user succeeds.

After the permissions were added, adding data to the test index gets no response:

curl -XPOST 'http://***.***.***.***:9200/test-log/order' -d '{"date":"2015-11-20 15:39:00","customerID":"user1"}'

The username/password of a user with write permission must be supplied:

curl -v --user admin:admin -XPOST 'http://***.***.***.***:9200/test-log/order' -d '{"date":"2015-11-20 15:39:00","customerID":"user1"}'

* Hostname was NOT found in DNS cache
*   Trying 10.1.***.***...
* Connected to 10.1.***.*** (10.1.***.***) port 9200 (#0)
* Server auth using Basic with user 'admin'
> POST /test-log/order HTTP/1.1
> Authorization: Basic YWRtaW46YWRtaW4=
> User-Agent: curl/7.37.1
> Host: 10.1.***.***:9200
> Accept: */*
> Content-Length: 51
> Content-Type: application/x-www-form-urlencoded
> 
* upload completely sent off: 51 out of 51 bytes
< HTTP/1.1 201 Created
< Content-Type: application/json; charset=UTF-8
< Content-Length: 94
< 
* Connection #0 to host 10.1.***.*** left intact

Returned result:

{"_index":"test-log","_type":"order","_id":"AVFXVBQXMJgnGjM0BUcq","_version":1,"created":true}

Now the newly inserted data can be seen in the head UI.

If user1 tries to delete an index it has no permission on:

curl -v --user user1:123 -XDELETE http://10.1.***.***:9200/armor

it returns:

{"error":"ForbiddenException[Only allowed from localhost (loopback)]","status":403}
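As an added illustration (not code from this post or from the armor project), the following Python models how the two-rule ACL above, plus the loopback-only protection on the armor index, decides the requests tried in this section: user1 creating or deleting an index, admin with the root role writing, and a remote client touching armor. The rule-combination semantics, the set of read-action prefixes and the `decide` function are assumptions made for this model.

```python
"""Simplified model of an armor/search-guard style ACL decision (constructed
for illustration; not armor's own code). Assumed semantics: every rule whose
hosts/roles/indices match contributes its filters; a '*' bypass grants all,
an empty execute set denies, and the readonly filter passes only reads."""
from fnmatch import fnmatch

# The two rules PUT into armor/ac/ac in the post.
ACL = {"acl": [
    {"hosts": ["*"], "indices": ["*"],
     "filters_bypass": [], "filters_execute": ["actionrequestfilter.readonly"]},
    {"hosts": ["*"], "roles": ["root"], "indices": ["*"],
     "filters_bypass": ["*"], "filters_execute": []},
]}

# Action prefixes the readonly filter lets through (assumed for this model).
READ_PREFIXES = ("indices:data/read/", "cluster:monitor/", "indices:monitor/")
LOOPBACK = ("127.0.0.1", "::1")

def _matches(patterns, value):
    return any(fnmatch(value, p) for p in patterns)

def rule_applies(rule, host, roles, index):
    """A rule applies when host, (optional) roles and index all match."""
    if not _matches(rule.get("hosts", ["*"]), host):
        return False
    if "roles" in rule and not any(_matches(rule["roles"], r) for r in roles):
        return False
    return _matches(rule.get("indices", ["*"]), index)

def decide(acl, host, roles, index, action):
    """Return (allowed, reason) for one request, mirroring the post's outcomes."""
    # armor keeps its config in the 'armor' index, reachable only from the ES host.
    if index == "armor" and host not in LOOPBACK:
        return False, "Only allowed from localhost (loopback)"
    bypass, execute = set(), set()
    for rule in acl["acl"]:
        if rule_applies(rule, host, roles, index):
            bypass.update(rule["filters_bypass"])
            execute.update(rule["filters_execute"])
    if "*" in bypass:
        return True, "all filters bypassed (unrestricted access)"
    execute -= bypass
    if not execute:
        return False, "no filter executed: denied by DEFAULT"
    if "actionrequestfilter.readonly" in execute and not action.startswith(READ_PREFIXES):
        return False, f"Action '{action}' is forbidden due to DEFAULT"
    return True, "allowed by the executed filters"
```

Run `decide(ACL, "10.1.0.5", [], "test-log", "indices:admin/create")` to reproduce the user1 denial and `decide(ACL, "10.1.0.5", ["root"], "test-log", "indices:data/write/index")` for the admin write; the host addresses are constructed sample values.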
