This setup uses elasticsearch-2.3.5.
The author's GitHub: https://github.com/floragunncom
Features: fine-grained permission control by group, by user, by index, by type and by field. Very powerful, comparable to Shield!
Install the ES plugins:
bin/plugin install -b com.floragunn/search-guard-ssl/2.3.5.15
bin/plugin install -b com.floragunn/search-guard-2/2.3.5.5
After a successful installation the directory layout is as follows:
/usr/local/elk/elasticsearch-2.3.5
.
├── bin
├── config
│   └── scripts
├── data
│   └── elasticsearch
├── lib
├── logs
├── modules
│   ├── lang-expression
│   ├── lang-groovy
│   └── reindex
└── plugins
    ├── head
    ├── ik
    ├── kopf
    ├── search-guard-2
    └── search-guard-ssl
Download the searchguard-ssl package, which contains scripts that generate the certificates automatically:
wget https://github.com/floragunncom/search-guard-ssl/archive/v2.3.5.15.zip
unzip v2.3.5.15.zip
cd search-guard-ssl-2.3.5.15/example-pki-scripts/
There are three scripts:
gen_client_node_cert.sh  creates a client certificate
gen_node_cert.sh         creates a node certificate
gen_root_ca.sh           creates the root CA certificate
Modify the scripts:
vim gen_client_node_cert.sh
Find this line: -dname "CN=$CLIENT_NAME, OU=client, O=client, L=Test, C=DE"
Change it to: -dname "CN=$CLIENT_NAME"
vim gen_node_cert.sh
Find this line: -dname "CN=$NODE_NAME.example.com, OU=SSL, O=Test, L=Test, C=DE" \
Change it to: -dname "CN=$NODE_NAME" \
Edit the script: vim example.sh
#!/bin/bash
set -e
./clean.sh
./gen_root_ca.sh password password
./gen_node_cert.sh node-0 password password
./gen_node_cert.sh node-1 password password
./gen_client_node_cert.sh admin password password
cp truststore.jks node-0-keystore.jks /usr/local/elk/elasticsearch-2.3.5/config/
cp truststore.jks admin-keystore.jks /usr/local/elk/elasticsearch-2.3.5/plugins/search-guard-2/sgconfig/
At this point the following files are generated in the current directory:
node-0-keystore.jks
node-1-keystore.jks
admin-keystore.jks
truststore.jks
The script above only lists which files to copy for the node-0 node; node-1 needs to be handled in the same way (its own node-1-keystore.jks plus truststore.jks go into that node's config/ directory).
Next, configure ES's config/elasticsearch.yml:
#############################################################################################
# SEARCH GUARD #
# Configuration #
#############################################################################################
searchguard.enable: true
searchguard.authcz.admin_dn:
- CN=admin
#############################################################################################
# SEARCH GUARD SSL #
# Configuration #
#############################################################################################
#############################################################################################
# Transport layer SSL #
# #
#############################################################################################
# Enable or disable node-to-node ssl encryption (default: true)
searchguard.ssl.transport.enabled: true
# JKS or PKCS12 (default: JKS)
#searchguard.ssl.transport.keystore_type: PKCS12
# Relative path to the keystore file (mandatory, this stores the server certificates), must be placed under the config/ dir
searchguard.ssl.transport.keystore_filepath: node-0-keystore.jks
# Alias name (default: first alias which could be found)
#searchguard.ssl.transport.keystore_alias: my_alias
# Keystore password (default: changeit)
searchguard.ssl.transport.keystore_password: password
# JKS or PKCS12 (default: JKS)
#searchguard.ssl.transport.truststore_type: PKCS12
# Relative path to the truststore file (mandatory, this stores the client/root certificates), must be placed under the config/ dir
searchguard.ssl.transport.truststore_filepath: truststore.jks
# Alias name (default: first alias which could be found)
#searchguard.ssl.transport.truststore_alias: my_alias
# Truststore password (default: changeit)
searchguard.ssl.transport.truststore_password: password
# Enforce hostname verification (default: true)
searchguard.ssl.transport.enforce_hostname_verification: false
# If hostname verification specify if hostname should be resolved (default: true)
searchguard.ssl.transport.resolve_hostname: false
# Use native Open SSL instead of JDK SSL if available (default: true)
searchguard.ssl.transport.enable_openssl_if_available: false
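As an added example (not part of the original post), here is a small Python lint for the transport SSL settings just shown. It parses only the flat "key: value" / "- item" subset of elasticsearch.yml used here (no PyYAML needed) and flags what a reviewer would question before going beyond a test cluster: the demo keystore password and the disabled hostname verification. The embedded sample config is constructed from the values above.

```python
# Added example (not from the original post): lint the Search Guard transport
# SSL settings above. Parses only the flat "key: value" / "- item" subset of
# elasticsearch.yml used here, so it needs no PyYAML.
WEAK_PASSWORDS = {"changeit", "password"}   # Search Guard default + the demo value

# Constructed sample: the settings from the post, without the comment lines.
PAGE_CONFIG = """searchguard.enable: true
searchguard.authcz.admin_dn:
- CN=admin
searchguard.ssl.transport.enabled: true
searchguard.ssl.transport.keystore_filepath: node-0-keystore.jks
searchguard.ssl.transport.keystore_password: password
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: password
searchguard.ssl.transport.enforce_hostname_verification: false
"""

def parse_settings(text):
    """Return {key: value}; a key with no value collects the '- item' lines below it."""
    settings, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments and blank lines
        if not line.strip():
            continue
        if line.lstrip().startswith("- ") and isinstance(settings.get(current), list):
            settings[current].append(line.strip()[2:].strip())
        elif ":" in line:
            key, _, value = line.partition(":")
            current = key.strip()
            settings[current] = value.strip() or []   # empty value -> list follows
    return settings

def lint_searchguard(text):
    """Return a list of findings; an empty list means nothing to flag."""
    s, findings = parse_settings(text), []
    if s.get("searchguard.ssl.transport.enabled", "true") != "true":
        findings.append("transport SSL disabled: node-to-node traffic is plaintext")
    if s.get("searchguard.ssl.transport.enforce_hostname_verification", "true") == "false":
        findings.append("hostname verification disabled: a node cert is accepted from any host")
    for store in ("keystore", "truststore"):
        if s.get(f"searchguard.ssl.transport.{store}_password", "changeit") in WEAK_PASSWORDS:
            findings.append(f"{store} password is the default or demo value")
        if s.get(f"searchguard.ssl.transport.{store}_filepath", "").startswith("/"):
            findings.append(f"{store}_filepath must be relative to config/")
    dns = s.get("searchguard.authcz.admin_dn", [])
    if not dns or not all(dn.startswith("CN=") for dn in dns):
        findings.append("admin_dn must list the admin cert DN (CN=admin in this setup)")
    return findings
```

Running lint_searchguard(PAGE_CONFIG) reports three findings for the post's values; changing the two passwords and setting enforce_hostname_verification back to true clears them.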
Start the ES cluster, then load the Search Guard configuration with sgadmin.sh:
./plugins/search-guard-2/tools/sgadmin.sh -cn <cluster name> -h hostname -cd plugins/search-guard-2/sgconfig -ks plugins/search-guard-2/sgconfig/admin-keystore.jks -kspass password -ts plugins/search-guard-2/sgconfig/truststore.jks -tspass password -nhnv
hostname: the value configured for network.host.
The output of running the script looks like this:
Will connect to YourIP:9300 ... done
Contacting elasticsearch cluster 'YourCluster' and wait for YELLOW clusterstate ...
Clustername: YourCluster
Clusterstate: GREEN
Number of nodes: 4
Number of data nodes: 4
Search Guard index already exists, so we do not need to create one.
Populate config from /usr/local/elk/elasticsearch-2.3.5/plugins/search-guard-2/sgconfig
Will update 'config' with plugins/search-guard-2/sgconfig/sg_config.yml
SUCC: Configuration for 'config' created or updated
Will update 'roles' with plugins/search-guard-2/sgconfig/sg_roles.yml
SUCC: Configuration for 'roles' created or updated
Will update 'rolesmapping' with plugins/search-guard-2/sgconfig/sg_roles_mapping.yml
SUCC: Configuration for 'rolesmapping' created or updated
Will update 'internalusers' with plugins/search-guard-2/sgconfig/sg_internal_users.yml
SUCC: Configuration for 'internalusers' created or updated
Will update 'actiongroups' with plugins/search-guard-2/sgconfig/sg_action_groups.yml
SUCC: Configuration for 'actiongroups' created or updated
Done with success
After that, accessing ES only requires entering a username and password.