search-guard 在 Elasticsearch 2.3 上的运用
生活随笔
收集整理的這篇文章主要介紹了
search-guard 在 Elasticsearch 2.3 上的运用
小編覺(jué)得挺不錯(cuò)的,現(xiàn)在分享給大家,幫大家做個(gè)參考.
uni3orns · 2016/06/23 11:09
Author:uni3orns
參考內(nèi)容:
- kibana.logstash.es/content/ela…
- groups.google.com/forum/#!for…
- github.com/floragunnco…
此文章基于以下軟件版本,不同版本可能略有差異:
- elasticsearch 2.3.3
- search-guard 2.3.3 RC1
0x00 背景
Elasticsearch是一個(gè)基于Lucene構(gòu)建的開(kāi)源,分布式,RESTful搜索引擎,大量使用于各種場(chǎng)景,隨著不斷的發(fā)展,不可避免的會(huì)產(chǎn)生安全問(wèn)題,一些危害比較大的漏洞比如CVE-2015-3337、CVE-2015-5531。面對(duì)這些漏洞(包括0day)的威脅,以及多業(yè)務(wù)使用使用同一套es集群的情況,使用一套認(rèn)證授權(quán)系統(tǒng)就顯得尤為必要。
經(jīng)過(guò)es1代到2代產(chǎn)品的過(guò)度,目前主流的方案就只有官方的shield以及開(kāi)源search-guard,然而我廠(chǎng)比較扣。
0x01 search-guard
search-guard 更新到2.x后跟 shield 配置上很相似,相比1.x的版本邏輯上更加松散。
searchguard 優(yōu)點(diǎn)有:
- 節(jié)點(diǎn)之間通過(guò) SSL/TLS 傳輸
- 支持 JDK SSL 和 Open SSL
- 支持熱載入,不需要重啟服務(wù)
- 支持 kibana4 及 logstash 的配置
- 可以控制不同的用戶(hù)訪(fǎng)問(wèn)不同的權(quán)限
- 配置簡(jiǎn)單
0x02 安裝
安裝search-guard-ssl
#!bash sudo bin/plugin install -b com.floragunn/search-guard-ssl/2.3.3.11 復(fù)制代碼安裝search-guard-2
#!bash sudo bin/plugin install -b com.floragunn/search-guard-2/2.3.3.0-rc1 復(fù)制代碼0x03 證書(shū)
根據(jù)自身情況修改官方腳本生成admin證書(shū)、node證書(shū)、根證書(shū),將 node 證書(shū)和根證書(shū)放在 elasticsearch 配置文件目錄下,同時(shí)將admin證書(shū)和根證書(shū)放到search-guard 配置文件目錄下
tips:證書(shū)需要統(tǒng)一生成
0x04 配置 elasticsearch 支持 ssl
elasticsearch.yml增加以下配置:
#!bash ############################################################################################# # SEARCH GUARD # # Configuration # ############################################################################################# # Add the following properties to your standard elasticsearch.yml # (alongside with the SG SSL settings) # This settings must always be the same on all nodes in the cluster# This defines the DNs (distinguished names) of certificates # to which admin privileges should be assigned security.manager.enabled: false searchguard.authcz.admin_dn:- "CN=kirk,OU=client,O=client,l=tEst, C=De" # kirk是administrator,可以自行修改 # This is optional # Only needed when impersonation is used # Allow DNs (distinguished names) to impersonate as other users #searchguard.authcz.impersonation_dn: # "CN=spock,OU=client,O=client,L=Test,C=DE": # - worf # "cn=webuser,ou=IT,ou=IT,dc=company,dc=com": # - user2 # - user1# Auditlog configuration:searchguard.audit.type: internal_elasticsearch #searchguard.audit.type: external_elasticsearch #searchguard.audit.config.http_endpoints: ['localhost:9200','localhost:9201','localhost:9202']" #searchguard.audit.config.index: auditlog # make sure you secure this index properly #searchguard.audit.config.type: auditlog #searchguard.audit.config.username: auditloguser #searchguard.audit.config.password: auditlogpassword #searchguard.audit.config.enable_ssl: false #searchguard.audit.config.verify_hostnames: false #searchguard.audit.config.enable_ssl_client_auth: false# If Kerberos authentication should be used you have to configure this:# The absolute path or relative path to config/ directory # to krb5.conf file #searchguard.kerberos.krb5_filepath: '/etc/krb5.conf'# The absolute path or relative path to config/ directory # to the keytab where the acceptor_principal credentials are stored. #searchguard.kerberos.acceptor_keytab_filepath: 'eskeytab.tab'############################################################################################# # SEARCH GUARD SSL # # Configuration # ########################################################################################################################################################################################## # Transport layer SSL # # # ############################################################################################# # Enable or disable node-to-node ssl encryption (default: true) searchguard.ssl.transport.enabled: true # JKS or PKCS12 (default: JKS) searchguard.ssl.transport.keystore_type: JKS # Relative path to the keystore file (mandatory, this stores the server certificates), must be placed under the config/ dir searchguard.ssl.transport.keystore_filepath: node-1-keystore.jks # 當(dāng)前節(jié)點(diǎn)的證書(shū),根據(jù)節(jié)點(diǎn)名字生成 # Alias name (default: first alias which could be found) #searchguard.ssl.transport.keystore_alias: my_alias # Keystore password (default: changeit) #searchguard.ssl.transport.keystore_password: changeit# JKS or PKCS12 (default: JKS) searchguard.ssl.transport.truststore_type: JKS # Relative path to the truststore file (mandatory, this stores the client/root certificates), must be placed under the config/ dir searchguard.ssl.transport.truststore_filepath: truststore.jks # Alias name (default: first alias which could be found) #searchguard.ssl.transport.truststore_alias: my_alias # Truststore password (default: changeit) searchguard.ssl.transport.truststore_password: changeit # Enforce hostname verification (default: true) searchguard.ssl.transport.enforce_hostname_verification: true # 如果沒(méi)有證書(shū)服務(wù)器,需要設(shè)置為false,否則無(wú)法加入集群 # If hostname verification specify if hostname should be resolved (default: true) searchguard.ssl.transport.resolve_hostname: true # Use native Open SSL instead of JDK SSL if available (default: true) searchguard.ssl.transport.enable_openssl_if_available: false# Enabled SSL cipher suites for transport protocol (only Java format is supported) # WARNING: Expert setting, do only use if you know what you are doing # If you set wrong values here this this could be a security risk #searchguard.ssl.transport.enabled_ciphers: # - "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" # - "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256"# Enabled SSL protocols for transport protocol (only Java format is supported) # WARNING: Expert setting, do only use if you know what you are doing # If you set wrong values here this this could be a security risk #searchguard.ssl.transport.enabled_protocols: # - "TLSv1.2"############################################################################################# # HTTP/REST layer SSL # # # ############################################################################################# # Enable or disable rest layer security - https, (default: false) #searchguard.ssl.http.enabled: true # JKS or PKCS12 (default: JKS) #searchguard.ssl.http.keystore_type: PKCS12 # Relative path to the keystore file (this stores the server certificates), must be placed under the config/ dir #searchguard.ssl.http.keystore_filepath: keystore_https_node1.jks # Alias name (default: first alias which could be found) #searchguard.ssl.http.keystore_alias: my_alias # Keystore password (default: changeit) #searchguard.ssl.http.keystore_password: changeit # Do the clients (typically the browser or the proxy) have to authenticate themself to the http server, default is OPTIONAL # To enforce authentication use REQUIRE, to completely disable client certificates use NONE #searchguard.ssl.http.clientauth_mode: REQUIRE # JKS or PKCS12 (default: JKS) #searchguard.ssl.http.truststore_type: PKCS12 # Relative path to the truststore file (this stores the client certificates), must be placed under the config/ dir #searchguard.ssl.http.truststore_filepath: truststore_https.jks # Alias name (default: first alias which could be found) #searchguard.ssl.http.truststore_alias: my_alias # Truststore password (default: changeit) #searchguard.ssl.http.truststore_password: changeit # Use native Open SSL instead of JDK SSL if available (default: true) #searchguard.ssl.http.enable_openssl_if_available: false# Enabled SSL cipher suites for http protocol (only Java format is supported) # WARNING: Expert setting, do only use if you know what you are doing # If you set wrong values here this this could be a security risk #searchguard.ssl.http.enabled_ciphers: # - "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" # - "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256"# Enabled SSL protocols for http protocol (only Java format is supported) # WARNING: Expert setting, do only use if you know what you are doing # If you set wrong values here this this could be a security risk #searchguard.ssl.http.enabled_protocols: # - “TLSv1.2" 復(fù)制代碼重啟 elasticsearch
注意:任何修改elasticsearch.yml的操作都需要重啟elasticsearch才能生效
配置文件介紹
searchguard 主要有5個(gè)配置文件在 plugins/search-guard-2/sgconfig 下:
sg_config.yml:
- 主配置文件不需要做改動(dòng)
sg_internal_users.yml:
本地用戶(hù)文件,定義用戶(hù)密碼以及對(duì)應(yīng)的權(quán)限。例如:對(duì)于 ELK 我們需要一個(gè) kibana 登錄用戶(hù)和一個(gè) logstash 用戶(hù):
#!bash kibana4:hash: $2a$12$xZOcnwYPYQ3zIadnlQIJ0eNhX1ngwMkTN.oMwkKxoGvDVPn4/6XtO#password is: kirkroles:- kibana4 logstash:hash: $2a$12$xZOcnwYPYQ3zIadnlQIJ0eNhX1ngwMkTN.oMwkKxoGvDVPn4/6XtOroles:- logstash 復(fù)制代碼
密碼可用plugins/search-guard-2/tools/hash.sh生成
sg_roles.yml:
權(quán)限配置文件,這里提供 kibana4 和 logstash 的權(quán)限樣例
#!bash #<sg_role_name>: # cluster: # - '<permission>' # indices: # '<indexname or alias>': # '<type>': # - '<permission>' # _dls_: '<querydsl query>' # _fls_: # - '<field>' # - '<field>' sg_kibana4:cluster:- cluster:monitor/nodes/info- cluster:monitor/healthindices:'*':'*':- indices:admin/mappings/fields/get- indices:admin/validate/query- indices:data/read/search- indices:data/read/msearch- indices:admin/get- indices:data/read/field_stats'?kibana':'*':- indices:admin/exists- indices:admin/mapping/put- indices:admin/mappings/fields/get- indices:admin/refresh- indices:admin/validate/query- indices:data/read/get sg_logstash:cluster:- indices:admin/template/get- indices:admin/template/putindices:'logstash-*':'*':- WRITE- indices:data/write/bulk- indices:data/write/delete- indices:data/write/update- indices:data/read/search- indices:data/read/scroll- CREATE_INDEX 復(fù)制代碼
sg_roles_mapping.yml:
定義用戶(hù)的映射關(guān)系,添加 kibana 及 logstash 用戶(hù)對(duì)應(yīng)的映射:
#!bash sg_logstash:users:- logstash sg_kibana4:backendroles:- kibanausers:- kibana4 復(fù)制代碼
sg_action_groups.yml:
- 定義權(quán)限
加載配置并啟用
#!bash sh plugins/search-guard-2/tools/sgadmin.sh -cn 集群名稱(chēng)(默認(rèn)為elasticsearch,修改名稱(chēng)必須添加此參數(shù)) -h 127.0.0.1 -cd plugins/search-guard-2/sgconfig -ks plugins/search-guard-2/sgconfig/kirk-keystore.jks -kspass kspass -ts plugins/search-guard-2/sgconfig/truststore.jks -tspass tspass -nhnv 復(fù)制代碼如修改了searchguard,則需要重新加載配置執(zhí)行
注意:search-guard配置的相關(guān)改動(dòng)不需要重啟elasticsearch,相關(guān)的配置實(shí)際上存儲(chǔ)在searchguard 的indice下了
至此大家就可以安全的使用elasticsearch
關(guān)于ldap以及https的配置將在下一篇給出
總結(jié)
以上是生活随笔為你收集整理的search-guard 在 Elasticsearch 2.3 上的运用的全部?jī)?nèi)容,希望文章能夠幫你解決所遇到的問(wèn)題。
- 上一篇: python get post请求_使用
- 下一篇: 中间件 东方通TongWeb运维|精选整