Deploying, Installing and Configuring Policies for Search-guard, a Free Authentication Plugin for Elasticsearch


Source: http://blog.csdn.net//jiao_fuyou/article/details/48435459


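Background:

Elasticsearch (ES) is now heavily used by major internet companies, but there is still no really mature security solution for it. Most deployments either have no authentication at all or rely on something developed in-house for their own scenario, and there has been no good open-source option.
The ES vendor released Shield for authentication. I tried it out: it is convenient, powerful and fairly well documented, but its biggest problem is that it is a paid product. I believe many companies in China are unwilling to pay for it, so I then found the search-guard project on GitHub.
Let's get to know this project and deploy it into our ES environment.

At present the project only supports ES up to 1.6; 1.7 is not yet supported, so we deploy it on ES 1.6.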

Software versions:
ES 1.6.0
kibana 4.0.2
CentOS 6.3

Official site:

http://floragunn.com/searchguard

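Features:
User- and role-based access control
SSL/TLS support for secure authentication
LDAP authentication support
Support for the latest Kibana 4
See the official site for more features

Goal:
Require users to log in and be authorized before accessing logs in ES. Different users access different indices, indices a user is not authorized for cannot be viewed, and group-based control lets each R&D team see only the logs of its own service.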

Deployment
#download maven:

axel -n 10 http://mirror.bit.edu.cn/apache/maven/maven-3/3.3.3/binaries/apache-maven-3.3.3-bin.tar.gz
tar zxvf apache-maven-3.3.3-bin.tar.gz
cd apache-maven-3.3.3/

#clone search-guard and build
git clone -b es1.6 https://github.com/floragunncom/search-guard.git
cd search-guard; /home/work/app/maven/bin/mvn package -DskipTests

#Put the built package at a download URL (convenient for installing across an ES cluster; not needed for a single-node test):

http://www.elain.org/dl/search-guard-16-0.6-SNAPSHOT.zip

#Install the built package on ES as a plugin

cd /home/work/app/elasticsearch/plugins/
./bin/plugin -u http://www.elain.org/dl/search-guard-16-0.6-SNAPSHOT.zip -i search-guard

#Add to elasticsearch.yml

#################search-guard###################
searchguard.enabled: true
searchguard.key_path: /home/work/app/elasticsearch/keys
searchguard.auditlog.enabled: true
searchguard.allow_all_from_loopback: true  #can be enabled for local debugging; recommended to disable in production
searchguard.check_for_root: false
searchguard.http.enable_sessions: true

#Configure the authentication method
searchguard.authentication.authentication_backend.impl: com.floragunn.searchguard.authentication.backend.simple.SettingsBasedAuthenticationBackend
searchguard.authentication.authorizer.impl: com.floragunn.searchguard.authorization.simple.SettingsBasedAuthorizator
searchguard.authentication.http_authenticator.impl: com.floragunn.searchguard.authentication.http.basic.HTTPBasicAuthenticator

#Configure usernames and passwords
searchguard.authentication.settingsdb.user.admin: admin
searchguard.authentication.settingsdb.user.user1: 123
searchguard.authentication.settingsdb.user.user2: 123

#Configure user roles
searchguard.authentication.authorization.settingsdb.roles.admin: ["root"]
searchguard.authentication.authorization.settingsdb.roles.user1: ["user1"]
searchguard.authentication.authorization.settingsdb.roles.user2: ["user2"]

#Configure role permissions (read-only)
searchguard.actionrequestfilter.names: ["readonly", "deny"]
searchguard.actionrequestfilter.readonly.allowed_actions: ["indices:data/read/*", "indices:admin/exists", "indices:admin/mappings/*", "indices:admin/validate/query", "*monitor*"]
searchguard.actionrequestfilter.readonly.forbidden_actions: ["indices:data/write/*"]

#Configure role permissions (deny access)
searchguard.actionrequestfilter.deny.allowed_actions: []
searchguard.actionrequestfilter.deny.forbidden_actions: ["indices:data/write/*"]
#################search-guard###################

#Add to logging.yml

logger.com.floragunn: DEBUG  #enable debug logging to make troubleshooting easier

#Create the key

echo 'be226fd1e6ddc74b' > /home/work/app/elasticsearch/keys/searchguard.key

#Restart ES

/etc/init.d/elasticsearch restart

#Configure the permission policy as follows:

curl -XPUT 'http://localhost:9200/searchguard/ac/ac?pretty' -d '
{"acl": [
{
"__Comment__": "Default is to execute all filters",
"filters_bypass": [],
"filters_execute": ["actionrequestfilter.deny"]
}, // deny access by default
{
"__Comment__": "This means that every requestor (regardless of the requestors hostname and username) which has the root role can do anything",
"roles": [
"root"
],
"filters_bypass": ["*"],
"filters_execute": []
}, // the root role has full permissions
{
"__Comment__": "This means that for the user spock on index popstuff only the actionrequestfilter.readonly will be executed, no other",
"users": ["user1"],
"indices": ["index1-*","index2-*",".kibana"],
"filters_bypass": ["actionrequestfilter.deny"],
"filters_execute": ["actionrequestfilter.readonly"]
}, // user1 can only access the index1-* and index2-* indices, with read-only permission
{
"__Comment__": "This means that for the user spock on index popstuff only the actionrequestfilter.readonly will be executed, no other",
"users": ["user2"],
"indices": ["index3-*",".kibana"],
"filters_bypass": ["actionrequestfilter.deny"],
"filters_execute": ["actionrequestfilter.readonly"]
} // user2 can only access the index3-* indices, with read-only permission

]}'

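#View the policy

curl -XGET -uadmin:admin http://localhost:9200/searchguard/ac/ac

#Note: the // comments in the policy were added by me afterwards and must be removed before use. The policy above is the one I use myself; it lets different users access different indices, keeps unauthorized indices from being viewed, and gives group-based control so that each R&D team sees only the logs of its own service.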
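
The annotated policy cannot be uploaded as written, because JSON has no comment syntax. The following Python sketch is an added example, not part of the original post or of Search Guard: it strips the // annotations, confirms the result parses, and cross-checks filter, user and role names against the elasticsearch.yml values shown earlier. The function names and the shortened sample policy are constructed for illustration, and only the ACL keys that appear on this page are checked.

```python
import json
import re

# Constructed sample: a shortened copy of the page's policy with its // annotations.
ANNOTATED_POLICY = r'''
{"acl": [
  {"filters_bypass": [], "filters_execute": ["actionrequestfilter.deny"]}, // deny by default
  {"roles": ["root"], "filters_bypass": ["*"], "filters_execute": []}, // root: full access
  {"users": ["user1"], "indices": ["index1-*", "index2-*", ".kibana"],
   "filters_bypass": ["actionrequestfilter.deny"],
   "filters_execute": ["actionrequestfilter.readonly"]} // user1: read-only
]}
'''
# Names taken from the elasticsearch.yml settings shown on this page.
FILTER_NAMES = {"readonly", "deny"}
USERS = {"admin", "user1", "user2"}
ROLES = {"root", "user1", "user2"}

# Matches either a complete JSON string or a // comment running to end of line.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*')

def strip_annotations(text):
    """Drop // comments outside JSON strings; '//' inside a string (a URL) survives."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0).startswith('"') else "", text)

def lint_policy(text):
    """Return (clean_json, problems); raises ValueError if the stripped text is not JSON."""
    acl = json.loads(strip_annotations(text))["acl"]
    problems = []
    known = {"*"} | {"actionrequestfilter." + n for n in FILTER_NAMES}
    for i, rule in enumerate(acl):
        for key in ("filters_bypass", "filters_execute"):
            if key not in rule:
                problems.append(f"rule {i}: missing {key}")
            for f in rule.get(key, []):
                if f not in known:
                    problems.append(f"rule {i}: unknown filter {f!r}")
        for u in rule.get("users", []):
            if u not in USERS:
                problems.append(f"rule {i}: unknown user {u!r}")
        for r in rule.get("roles", []):
            if r not in ROLES:
                problems.append(f"rule {i}: unknown role {r!r}")
    # The catch-all rule (no users/roles/indices) should execute the deny filter.
    default = [r for r in acl if not ({"users", "roles", "indices"} & r.keys())]
    if not any("actionrequestfilter.deny" in r.get("filters_execute", []) for r in default):
        problems.append("no default rule executing actionrequestfilter.deny")
    return json.dumps({"acl": acl}, indent=1), problems
```

The first return value is the comment-free JSON to pass to curl -d; a non-empty problems list means the policy references a name that elasticsearch.yml does not define.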

For more policies, see:

https://github.com/floragunncom/search-guard/blob/es1.6/searchguard_config_example_1.yml

For more configuration options and features, see:

https://github.com/floragunncom/search-guard/blob/es1.6/searchguard_config_template.yml
