小强哥博客


Configuring Search Guard 6 on Elasticsearch 6 (Part 1)

We recently brought ES into a project to give the business teams data storage and search. Access control on it is done with Search Guard, which provides user account management, index-level permission management, audit logging and similar restrictions.

Search Guard is a plugin that adds TLS encryption, authentication and authorization to Elasticsearch. Elasticsearch has its own security feature (X-Pack Security), but in the 6.x releases it requires a paid license.

Search Guard is an open-source project (the community edition; some enterprise features are commercial). Project: https://github.com/floragunncom/search-guard ; online documentation: https://docs.search-guard.com/latest/index .

After spending some time on it, here is my record of how to get Search Guard integrated with Elasticsearch quickly (I have to say the official Search Guard documentation is not that good).

On the authorization side, Search Guard mainly provides:

  • user management
  • permission management
  • audit management

First download Elasticsearch. The version used here is Elasticsearch 6.3.2, from https://www.elastic.co/downloads/past-releases/elasticsearch-6-3-2 ; both RPM and TAR packages are available, and I use the RPM.

Install it with rpm -ivh elasticsearch-6.3.2.rpm. If anything about the Elasticsearch installation itself is unclear, look it up on Baidu; I will not cover it here.

After installation, change to /usr/share/elasticsearch/bin and run:

sh elasticsearch-plugin install -b com.floragunn:search-guard-6:6.3.2-23.0

The plugin coordinate com.floragunn:search-guard-6:6.3.2-23.0 must match the Elasticsearch version exactly (the part before the dash is the Elasticsearch version, the part after it is the Search Guard build). The version matrix is at https://docs.search-guard.com/latest/search-guard-version .

The output looks like this:

[root@826650101f41 bin]# sh elasticsearch-plugin install -b com.floragunn:search-guard-6:6.3.2-23.0
-> Downloading com.floragunn:search-guard-6:6.3.2-23.0 from maven central
[=================================================] 100%
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@     WARNING: plugin requires additional permissions     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
* java.io.FilePermission /proc/sys/net/core/somaxconn read
* java.lang.RuntimePermission accessClassInPackage.com.sun.jndi.ldap
* java.lang.RuntimePermission accessClassInPackage.sun.misc
* java.lang.RuntimePermission accessClassInPackage.sun.nio.ch
* java.lang.RuntimePermission accessClassInPackage.sun.security.x509
* java.lang.RuntimePermission accessDeclaredMembers
* java.lang.RuntimePermission accessUserInformation
* java.lang.RuntimePermission getClassLoader
* java.lang.RuntimePermission setContextClassLoader
* java.lang.RuntimePermission shutdownHooks
* java.lang.reflect.ReflectPermission suppressAccessChecks
* java.net.NetPermission getNetworkInformation
* java.net.NetPermission getProxySelector
* java.net.SocketPermission * connect,accept,resolve
* java.security.SecurityPermission getProperty.ssl.KeyManagerFactory.algorithm
* java.security.SecurityPermission insertProvider.BC
* java.security.SecurityPermission org.apache.xml.security.register
* java.security.SecurityPermission putProviderProperty.BC
* java.security.SecurityPermission setProperty.ocsp.enable
* java.util.PropertyPermission * read,write
* java.util.PropertyPermission org.apache.xml.security.ignoreLineBreaks write
* javax.security.auth.AuthPermission doAs
* javax.security.auth.AuthPermission modifyPrivateCredentials
* javax.security.auth.kerberos.ServicePermission * accept
See http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html
for descriptions of what these permissions allow and the associated risks.
-> Installed search-guard-6

The installer prints a permissions warning. With -b (batch mode) the extra permissions are granted without prompting, so nothing needs to be done. The list is worth reading once, though: it is what the plugin is allowed to do under the JVM security manager, for example unrestricted socket connections, which it needs for LDAP and Kerberos back ends.

Next, configure TLS. By default Elasticsearch nodes talk to each other unencrypted, which leaves the data exposed, so Search Guard requires node-to-node (transport) traffic to be encrypted and will not start without it. A certificate bundle can be requested at https://search-guard.com/tls-certificate-generator/ . Email is where the bundle is delivered; Organization Name can be anything; Hostname must list the node name of every node in the cluster, one entry per node, because each node gets its own certificate. Here I have a single node whose node name is esnode1. Keep in mind that this generator creates the CA private keys on a third-party server and sends them by email, so the bundle is demo material: for production, generate your own CA (for example with the offline Search Guard TLS tool) and never let the CA key leave your control.

Unzip the bundle from the email; you get a search-guard-certificates folder with this structure:

[root@826650101f41 search-guard-certificates]# tree -L 2
.
|-- README.txt
|-- chain-ca.pem
|-- client-certificates
|   |-- CN=demouser-keystore.jks
|   |-- CN=demouser-keystore.p12
|   |-- CN=demouser-signed.pem
|   |-- CN=demouser.all.pem
|   |-- CN=demouser.crt.pem
|   |-- CN=demouser.crtfull.pem
|   |-- CN=demouser.csr
|   |-- CN=demouser.key.pem
|   |-- CN=demouser.key.pkcs12
|   |-- CN=sgadmin-keystore.jks
|   |-- CN=sgadmin-keystore.p12
|   |-- CN=sgadmin-signed.pem
|   |-- CN=sgadmin.all.pem
|   |-- CN=sgadmin.crt.pem
|   |-- CN=sgadmin.crtfull.pem
|   |-- CN=sgadmin.csr
|   |-- CN=sgadmin.key.pem
|   `-- CN=sgadmin.key.pkcs12
|-- node-certificates
|   |-- CN=esnode1-keystore.jks
|   |-- CN=esnode1-keystore.p12
|   |-- CN=esnode1-signed.pem
|   |-- CN=esnode1.crtfull.pem
|   |-- CN=esnode1.csr
|   |-- CN=esnode1.key.pem
|   `-- CN=esnode1.key.pkcs12
|-- root-ca
|   |-- root-ca.crt
|   |-- root-ca.key
|   `-- root-ca.pem
|-- root-ca.pem
|-- signing-ca
|   |-- signing-ca.crt
|   |-- signing-ca.key
|   `-- signing-ca.pem
|-- truststore.jks
`-- truststore.p12

4 directories, 36 files

First, the node key files need read permission, otherwise Elasticsearch cannot read them at startup. 644 is used here for simplicity, but it makes the private key world-readable; after copying, chown root:elasticsearch plus chmod 640 is tighter and still lets the elasticsearch service user read it. Apply chmod to the files only, never to /etc/elasticsearch/ itself (644 on a directory removes its execute bit and makes it untraversable):

chmod 644  root-ca.pem chain-ca.pem node-certificates/CN\=esnode1.key.pem node-certificates/CN\=esnode1.crtfull.pem

Then copy the node key and certificate files into the Elasticsearch config directory:

cp root-ca.pem chain-ca.pem node-certificates/CN\=esnode1.key.pem node-certificates/CN\=esnode1.crtfull.pem /etc/elasticsearch/

Next, grant read permission on the sgadmin client key files:

chmod 644  root-ca.pem chain-ca.pem client-certificates/CN\=sgadmin.key.pem client-certificates/CN\=sgadmin.crtfull.pem

and copy the sgadmin client files into the Search Guard tools directory:

cp root-ca.pem chain-ca.pem client-certificates/CN\=sgadmin.key.pem client-certificates/CN\=sgadmin.crtfull.pem  /usr/share/elasticsearch/plugins/search-guard-6/tools 

Open the elasticsearch.yml configuration file:

vim /etc/elasticsearch/elasticsearch.yml

Set node.name to match the node certificate, e.g. node.name: esnode1, and adjust network.host to suit your environment.

The certificates are now in place, but ES still will not start: the Search Guard settings are missing.

Append the following to elasticsearch.yml:

http.compression: true
xpack.security.enabled: false

searchguard.ssl.transport.pemcert_filepath: CN=esnode1.crtfull.pem
searchguard.ssl.transport.pemkey_filepath: CN=esnode1.key.pem
searchguard.ssl.transport.pemkey_password: 3816b97cbd40d1a97402
searchguard.ssl.transport.pemtrustedcas_filepath: chain-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: CN=esnode1.crtfull.pem
searchguard.ssl.http.pemkey_filepath: CN=esnode1.key.pem
searchguard.ssl.http.pemkey_password: 3816b97cbd40d1a97402
searchguard.ssl.http.pemtrustedcas_filepath: chain-ca.pem

searchguard.authcz.admin_dn:
  - CN=sgadmin

searchguard.audit.type: internal_elasticsearch
searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: true
searchguard.restapi.roles_enabled: ["sg_all_access"]
cluster.routing.allocation.disk.threshold_enabled: false

A few notes on these settings. pemkey_password is the node's private key password and can be found in README.txt in the certificate bundle (excerpt below); it sits in elasticsearch.yml in plaintext, so keep that file's permissions tight. xpack.security.enabled: false is required because Elasticsearch 6.3 bundles X-Pack and two security plugins cannot run side by side. enforce_hostname_verification: false is needed because the demo certificate's CN (esnode1) does not match the host name or IP the node is reached on; once nodes have certificates issued for their real host names, set it back to true. searchguard.authcz.admin_dn lists the DNs of client certificates allowed to run sgadmin and change the Search Guard configuration, so the sgadmin private key deserves the same protection as the CA key. searchguard.restapi.roles_enabled lets users in sg_all_access use the management REST API. cluster.routing.allocation.disk.threshold_enabled: false has nothing to do with Search Guard; it only stops the disk watermark checks from relocating shards or blocking writes on a small test box.

The README excerpt:

## Passwords

### Common passwords

Root CA password: 9c5eeb48cee19d1ae6ce0315154f7271ff6f8b8c
Truststore password: 1d6df567841c5e8a7663
Admin keystore and private key password: 83f5fdded6c38208a9ad
Demouser keystore and private key password: e598a7e1684295923d36

## Host/Node specific passwords

Host: esnode1
esnode1 keystore and private key password: 3816b97cbd40d1a97402
esnode1 keystore: node-certificates/CN=esnode1-keystore.jks
esnode1 PEM certificate: node-certificates/CN=esnode1.crtfull.pem
esnode1 PEM private key: node-certificates/CN=esnode1.key.pem
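Before starting ES it pays to check the material these settings point at, because a wrong passphrase, an unreadable key, or a certificate that does not chain to pemtrustedcas_filepath all show up only as a startup failure. The script below is an added example, not code from the original post or from Search Guard. It assumes a POSIX sh and the openssl CLI; the signing CA, the node key and certificate, and the elasticsearch.yml it writes are constructed stand-ins for the generator's bundle, and the function names yml_get, sg_tls_preflight and make_demo_dir are my own.

```shell
#!/bin/sh
# Added example, not code from the original post or from Search Guard: a
# pre-flight check of the TLS material that elasticsearch.yml points at.
# It repeats what Search Guard does at startup (decrypt the key, match it to
# the certificate, chain the certificate to the trusted CAs) and flags the
# settings above that are fine for a test box but weak in production.
# Assumes a POSIX sh and the openssl CLI; all function names are mine.
set -u

# Read the value of a flat "key: value" line from elasticsearch.yml.
yml_get() {  # yml_get FILE KEY
    k=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for sed
    sed -n "s/^$k:[[:space:]]*//p" "$1" | head -n 1
}

# sg_tls_preflight CONFIG_DIR: prints ERROR/WARN lines, returns 0 if no ERROR.
sg_tls_preflight() {
    dir=$1; yml=$dir/elasticsearch.yml; rc=0
    cert=$dir/$(yml_get "$yml" searchguard.ssl.transport.pemcert_filepath)
    key=$dir/$(yml_get "$yml" searchguard.ssl.transport.pemkey_filepath)
    ca=$dir/$(yml_get "$yml" searchguard.ssl.transport.pemtrustedcas_filepath)
    pass=$(yml_get "$yml" searchguard.ssl.transport.pemkey_password)

    for f in "$cert" "$key" "$ca"; do
        [ -r "$f" ] || { echo "ERROR: cannot read $f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return "$rc"

    # 1. pemkey_password must decrypt the private key.
    if openssl pkey -in "$key" -passin "pass:$pass" -noout 2>/dev/null; then
        # 2. The certificate's public key must belong to that private key.
        certpub=$(openssl x509 -in "$cert" -noout -pubkey)
        keypub=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout)
        [ "$certpub" = "$keypub" ] || { echo "ERROR: $cert does not match $key"; rc=1; }
    else
        echo "ERROR: pemkey_password does not decrypt $key"; rc=1
    fi
    # 3. The node certificate must chain to a CA in pemtrustedcas_filepath.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "ERROR: $cert is not issued by a CA in $ca"; rc=1; }
    # 4. chmod 644 leaves the key world-readable; 640 root:elasticsearch is enough.
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    case $mode in *[4567]) echo "WARN: $key is world-readable (mode $mode)" ;; esac
    # 5. Settings to revisit before production.
    [ "$(yml_get "$yml" searchguard.ssl.transport.enforce_hostname_verification)" = false ] \
        && echo "WARN: transport hostname verification is disabled"
    [ "$(yml_get "$yml" searchguard.ssl.http.enabled)" = true ] \
        || { echo "ERROR: searchguard.ssl.http.enabled is not true, REST traffic would be plaintext"; rc=1; }
    return "$rc"
}

# Constructed stand-in for the generator's bundle: a throwaway signing CA, one
# passphrase-protected node key/cert, and the relevant elasticsearch.yml lines.
make_demo_dir() {  # make_demo_dir DIR NODE_KEY_PASSPHRASE
    mkdir -p "$1" && (
        cd "$1" || exit 1
        printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.cnf
        openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout signing-ca.key \
            -out chain-ca.pem -subj "/CN=demo signing CA" -days 1 2>/dev/null
        openssl genrsa -aes256 -passout "pass:$2" -out CN=esnode1.key.pem 2048 2>/dev/null
        openssl req -new -config ca.cnf -key CN=esnode1.key.pem -passin "pass:$2" \
            -subj "/CN=esnode1" -out esnode1.csr 2>/dev/null
        openssl x509 -req -in esnode1.csr -CA chain-ca.pem -CAkey signing-ca.key \
            -CAcreateserial -days 1 -out CN=esnode1.crtfull.pem 2>/dev/null
        chmod 644 CN=esnode1.key.pem   # the permission the post sets; the check flags it
        cat > elasticsearch.yml <<EOF
searchguard.ssl.transport.pemcert_filepath: CN=esnode1.crtfull.pem
searchguard.ssl.transport.pemkey_filepath: CN=esnode1.key.pem
searchguard.ssl.transport.pemkey_password: $2
searchguard.ssl.transport.pemtrustedcas_filepath: chain-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
EOF
    )
}

# Demo run on the constructed material: expect two WARN lines and exit status 0.
demo=$(mktemp -d)
make_demo_dir "$demo/etc-elasticsearch" 3816b97cbd40d1a97402
sg_tls_preflight "$demo/etc-elasticsearch"
echo "preflight exit status: $?"
```

Point sg_tls_preflight at /etc/elasticsearch (or wherever the files were copied) before starting the service; the same openssl checks apply by hand to the sgadmin client certificate and key in the tools directory.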

Then start ES and check its status and the log for errors. If there are none, do the last step: initialize the Search Guard configuration with sgadmin.

Change to the tools directory:
/usr/share/elasticsearch/plugins/search-guard-6/tools
make sgadmin.sh executable:
chmod 744 sgadmin.sh
and run the initialization:
sh sgadmin.sh -cd ../sgconfig/ -icl -nhnv -cacert root-ca.pem -cert CN=sgadmin.crtfull.pem -key CN=sgadmin.key.pem -h 172.17.0.2 -keypass 83f5fdded6c38208a9ad

-keypass is the "Admin keystore and private key password" from README.txt in the bundle. The other flags: -cd is the directory of sg_*.yml files to upload, -icl ignores the cluster name, -nhnv disables hostname verification for this connection (the certificate CN esnode1 does not match 172.17.0.2), -cacert, -cert and -key are the CA and the sgadmin client certificate and key (their DN must be listed in searchguard.authcz.admin_dn), and -h is the node address, reached on transport port 9300. The output:

[root@35ed0ebcb51d tools]# sh sgadmin.sh -cd ../sgconfig/ -icl -nhnv -cacert root-ca.pem -cert CN=sgadmin.crtfull.pem -key CN=sgadmin.key.pem -h 172.17.0.2 -keypass 83f5fdded6c38208a9ad
WARNING: JAVA_HOME not set, will use /usr/bin/java
Search Guard Admin v6
Will connect to 172.17.0.2:9300 ... done
Elasticsearch Version: 6.3.2
Search Guard Version: 6.3.2-23.0
Connected as CN=sgadmin
Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
Clustername: elasticsearch
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
searchguard index does not exists, attempt to create it ... done (0-all replicas)
Populate config from /usr/share/elasticsearch/plugins/search-guard-6/sgconfig
Will update 'sg/config' with ../sgconfig/sg_config.yml 
   SUCC: Configuration for 'config' created or updated
Will update 'sg/roles' with ../sgconfig/sg_roles.yml 
   SUCC: Configuration for 'roles' created or updated
Will update 'sg/rolesmapping' with ../sgconfig/sg_roles_mapping.yml 
   SUCC: Configuration for 'rolesmapping' created or updated
Will update 'sg/internalusers' with ../sgconfig/sg_internal_users.yml 
   SUCC: Configuration for 'internalusers' created or updated
Will update 'sg/actiongroups' with ../sgconfig/sg_action_groups.yml 
   SUCC: Configuration for 'actiongroups' created or updated
Done with success

Finally, point a browser at https://admin:admin@172.17.0.2:9200 (if the browser refuses credentials in the URL it will prompt for them, and it will warn about the certificate because the demo root CA is not trusted; from the command line, curl can verify the endpoint properly by trusting root-ca.pem with --cacert instead of skipping verification with -k). The response:

{
  "name" : "esnode1",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "f0oorXoGSwes-tsZrad-FQ",
  "version" : {
    "number" : "6.3.2",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "053779d",
    "build_date" : "2018-07-20T05:20:23.451332Z",
    "build_snapshot" : false,
    "lucene_version" : "7.3.1",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}

Seeing this response means the account configuration works; admin:admin is the default administrator account from sg_internal_users.yml. That file also ships other demo users with well-known passwords (for example kibanaserver, kibanaro, logstash and readall), so before anyone else can reach the cluster, change these passwords (hash new ones with tools/hash.sh, put the hashes into sg_internal_users.yml and re-run sgadmin) or remove the accounts you do not use.