ElasticSearch&Search-guard 5 权限配置

ElasricSearch &Search_guard5配置

saber-sky@hotmail.com

-- elasticSearch版本5.6.3

-- search-guard版本5.6.3

一. ElasticSearch安装Search-guard

cd 至elasticsearch 的bin目录：cd /data/elasticsearch-5.6.3/bin

安装search-guard : ./elasticsearch-plugin install -bcom.floragunn:search-guard-5:5.6.3-18

Search-guard 版本要和elasticsearch一致，查询网址：https://oss.sonatype.org/content/repositories/releases/com/floragunn/search-guard-5/

安装成功如下图

二．快速启动：

切换至elasticsearch/plugins 目录看到search-guard已经安装成功

运行:./search-guard-5/tools/install_demo_configuration.sh

运行开发这已经配置好的权限安装至elasticsearch

(这一步已经帮你配置好elasticsearch,http访问已经不可用,要是有https访问)

启动elasticSearch : 切换至elasticseach/bin运行./ elasticseach

浏览器访问 https://admin:admin@localhost:9200/_searchguard/authinfo?pretty

成功则显示

三、权限配置

下载search-guard-ssl这里提供官方下载地址：https://github.com/floragunncom/search-guard-ssl.git

etc目录下的两个文件，就只是修改公司信息，两个一直即可

两个文件要一样，公司信息

下面修改证书生成信息

example.sh

运行后会生成证书

把服务端证书.jks+truststore.jks复制到elasticsearch/config目录下

把客户端证书.jks+ truststore.jks 复制到elasticsearch/ plugins/search-guard-5/sgconfig目录下

修改elasticsearch配置文件

修改用户权限

（1）sg_config.yml

Configure

authenticators and authorization backends。主配置文件不需要做改动。

（2）sg_internal_users.yml

本地用户文件，定义用户密码以及对应的权限。例如：对于我们需要一个 kibana 登录用户和一个 logstash 用户：

kibana4:

hash:$2a$12$xZOcnwYPYQ3zIadnlQIJ0eNhX1ngwMkTN.oMwkKxoGvDVPn4/6XtO

#password is: kirk

roles:

- kibana4

logstash:

hash: $2a$12$xZOcnwYPYQ3zIadnlQIJ0eNhX1ngwMkTN.oMwkKxoGvDVPn4/6XtO

#password is: kirk

roles:

- logstash

密码可用plugins/search-guard-5/tools/hash.sh生成。

（3）sg_roles.yml

权限配置文件，这里提供 kibana4 和 logstash 的权限样例。

sg_kibana4:

cluster:

- cluster:monitor/nodes/info

- cluster:monitor/health

indices:

'*':

- indices:admin/mappings/fields/get

- indices:admin/validate/query

- indices:data/read/search

- indices:data/read/msearch

- indices:admin/get

- indices:data/read/field_stats

'?kibana':

'*':

- indices:admin/exists

- indices:admin/mapping/put

- indices:admin/mappings/fields/get

- indices:admin/refresh

- indices:admin/validate/query

- indices:data/read/get

sg_logstash:

cluster:

- indices:admin/template/get

- indices:admin/template/put

indices:

'logstash-*':

'*':

- WRITE

- indices:data/write/bulk

- indices:data/write/delete

- indices:data/write/update

- indices:data/read/search

- indices:data/read/scroll

- CREATE_INDEX

（4）sg_roles_mapping.yml

定义用户的映射关系，添加 kibana 及 logstash 用户对应的映射：

sg_logstash:

users:

- logstash

sg_kibana4:

backendroles:

- kibana

users:

- kibana4

（5）sg_action_groups.yml

定义权限

3、启动

（1）到Elasticsearch的bin目录下，重启Elasticsearch。

（2）通过下面命令启动search-guard。

新增用户配置成功显示

四．Java SSL连接

public static void main(String[] args) throws UnknownHostException{

Settings settings = Settings.builder()

.put("searchguard.ssl.transport.enabled", true)

.put("searchguard.ssl.transport.keystore_filepath", "D:\\William\\Projects\\searchGuardTest\\src\\main\\resources\\test-keystore.jks")

.put("searchguard.ssl.transport.truststore_filepath",

"D:\\William\\Projects\\searchGuardTest\\src\\main\\resources\\truststore.jks")

.put("searchguard.ssl.transport.keystore_password", "12345678")

.put("searchguard.ssl.transport.truststore_password", "12345678")

.put("searchguard.ssl.transport.enforce_hostname_verification", false)

.put("client.transport.ignore_cluster_name", true)

.build();

TransportClient client =new PreBuiltTransportClient(settings,SearchGuardSSLPlugin.class)

.addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName("127.0.0.1"),9300));

client.admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet();

//搜索数据

GetResponse response = client.prepareGet("agin", "log_bet_rcd_agin_live", "171212226218993").execute().actionGet();

//输出结果

System.out.println(response.getSourceAsString());

//关闭client

client.close();

}