Other articles in the big data security series

https://www.cnblogs.com/bainianminguo/p/12548076.html ----------- installing Kerberos

https://www.cnblogs.com/bainianminguo/p/12548334.html ----------- Kerberos authentication for Hadoop

https://www.cnblogs.com/bainianminguo/p/12548175.html ----------- Kerberos authentication for ZooKeeper

https://www.cnblogs.com/bainianminguo/p/12584732.html ----------- Kerberos authentication for Hive

https://www.cnblogs.com/bainianminguo/p/12584880.html ----------- Search Guard authentication for ES

https://www.cnblogs.com/bainianminguo/p/12639821.html ----------- Kerberos authentication for Flink

https://www.cnblogs.com/bainianminguo/p/12639887.html ----------- Kerberos authentication for Spark

I. Install ES

1. Extract and rename the installation package

tar -zxvf elasticsearch-6.4.3.tar.gz -C /usr/local/
mv elasticsearch-6.4.3/ elasticsearch

  

2. Create the es group and the es user

[root@cluster1_host1 elasticsearch]# groupadd es
[root@cluster1_host1 elasticsearch]# useradd es -g es
[root@cluster1_host1 elasticsearch]# passwd es

  

3. Change the owner and group of the ES directory

chown -R es:es /usr/local/elasticsearch/

  

4. Distribute the installation directory to the other nodes

scp -r /usr/local/elasticsearch/ root@10.87.18.33:/usr/local/

  

5. Edit /etc/security/limits.conf

* soft nofile 65536
* hard nofile 65536
* soft nproc 65536
* hard nproc 65536

  

6. Edit /etc/sysctl.conf

vm.max_map_count=262144

  

7. Start ES and check that all nodes have joined the cluster

[root@cluster1_host1 ~]# curl '10.87.18.31:9200/_cat/nodes?v'
ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
10.87.18.32 27 12 6 0.59 0.25 0.10 mdi * cluster1_host2
10.87.18.33 24 13 7 0.31 0.16 0.07 mdi - cluster1_host1
10.87.18.31 28 13 6 0.41 0.24 0.11 mdi - cluster1_host1

  

II. Configure the Search Guard plugin for ES

1. Download the Search Guard plugin

https://repo1.maven.org/maven2/com/floragunn/search-guard-6/6.4.3-25.5/search-guard-6-6.4.3-25.5.zip

  

2. Download the TLS tool (tlstool), which is used to generate the certificates

https://repo1.maven.org/maven2/com/floragunn/search-guard-tlstool/1.7/search-guard-tlstool-1.7.tar.gz

  

3. Run the following command on every node; the hostname in the URL (marked in red in the original) is each node's own hostname

curl -Ss -XPUT 'http://cluster1_host3:9200/_cluster/settings?pretty' \
-H 'Content-Type: application/json' -d'
{
"persistent": {
"cluster.routing.allocation.enable": "none"
}
}
'

  

Then stop ES.

4. Install the Search Guard plugin; it must be installed on every node

[es@cluster1_host1 bin]$ ./elasticsearch-plugin install -b file:///es/search-guard-6-6.4.3-25.5.zip
-> Downloading file:///es/search-guard-6-6.4.3-25.5.zip

  

5. Generate certificates with the TLS tool: first extract the package

tar -zxvf search-guard-tlstool-1.7.tar.gz -C /usr/local/search-guard-tlstool/

  

6. Copy the template configuration file

[es@cluster1_host1 config]$ cp example.yml tlsconfig.yml
[es@cluster1_host1 config]$ ll
total 24
-rw-r--r--. 1 es es 4731 Jun 5 2019 example.yml
-rw-r--r--. 1 es es 5634 Jun 5 2019 template.yml
-rw-r--r--. 1 es es 4731 Feb 29 02:43 tlsconfig.yml
[es@cluster1_host1 config]$ pwd
/usr/local/search-guard-tlstool/config
[es@cluster1_host1 config]$

  

7. Edit the configuration file

[es@cluster1_host1 config]$ cat tlsconfig.yml
###
### Self-generated certificate authority
###
#
# If you want to create a new certificate authority, you must specify its parameters here.
# You can skip this section if you only want to create CSRs
#
ca:
  root:
    # The distinguished name of this CA. You must specify a distinguished name.
    dn: CN=root.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com

    # The size of the generated key in bits
    keysize: 2048

    # The validity of the generated certificate in days from now
    validityDays: 3650

    # Password for private key
    #   Possible values:
    #   - auto: automatically generated password, returned in config output;
    #   - none: unencrypted private key;
    #   - other values: other values are used directly as password
    pkPassword: teststt

    # The name of the generated files can be changed here
    file: root-ca.pem

  # If you want to use an intermediate certificate as signing certificate,
  # please specify its parameters here. This is optional. If you remove this section,
  # the root certificate will be used for signing.
  intermediate:
    # The distinguished name of this CA. You must specify a distinguished name.
    dn: CN=signing.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com

    # The size of the generated key in bits
    keysize: 2048

    # The validity of the generated certificate in days from now
    validityDays: 3650

    pkPassword: teststt

    # If you have a certificate revocation list, you can specify its distribution points here
    crlDistributionPoints: URI:https://raw.githubusercontent.com/floragunncom/unittest-assets/master/revoked.crl

###
### Default values and global settings
###
defaults:
  # The validity of the generated certificate in days from now
  validityDays: 3650

  # Password for private key
  #   Possible values:
  #   - auto: automatically generated password, returned in config output;
  #   - none: unencrypted private key;
  #   - other values: other values are used directly as password
  pkPassword: teststt

  # Specifies to recognize legitimate nodes by the distinguished names
  # of the certificates. This can be a list of DNs, which can contain wildcards.
  # Furthermore, it is possible to specify regular expressions by
  # enclosing the DN in //.
  # Specification of this is optional. The tool will always include
  # the DNs of the nodes specified in the nodes section.
  #nodesDn:
  #- "CN=*.example.com,OU=Ops,O=Example Com\\, Inc.,DC=example,DC=com"
  # - 'CN=node.other.com,OU=SSL,O=Test,L=Test,C=DE'
  # - 'CN=*.example.com,OU=SSL,O=Test,L=Test,C=DE'
  # - 'CN=elk-devcluster*'
  # - '/CN=.*regex/'

  # If you want to use OIDs to mark legitimate node certificates,
  # the OID can be included in the certificates by specifying the following
  # attribute
  # nodeOid: "1.2.3.4.5.5"

  # The length of auto generated passwords
  generatedPasswordLength: 12

  # Set this to true in order to generate config and certificates for
  # the HTTP interface of nodes
  httpsEnabled: true

  # Set this to true in order to re-use the node transport certificates
  # for the HTTP interfaces. Only recognized if httpsEnabled is true
  # reuseTransportCertificatesForHttp: false

  # Set this to true to enable hostname verification
  #verifyHostnames: false

  # Set this to true to resolve hostnames
  #resolveHostnames: false

###
### Nodes
###
#
# Specify the nodes of your ES cluster here
#
nodes:
  - name: cluster1_host1
    dn: CN=cluster1_host1,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
    dns: cluster1_host1
    ip: 10.87.18.31
  - name: cluster1_host2
    dn: CN=cluster1_host2,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
    dns: cluster1_host2
    ip: 10.87.18.32
  - name: cluster1_host3
    dn: CN=cluster1_host3,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
    dns: cluster1_host3
    ip: 10.87.18.33

###
### Clients
###
#
# Specify the clients that shall access your ES cluster with certificate authentication here
#
# At least one client must be an admin user (i.e., a super-user). Admin users can
# be specified with the attribute admin: true
#
clients:
  - name: spock
    dn: CN=spock.example.com,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
  - name: kirk
    dn: CN=kirk.example.com,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
    admin: true

  

8. Copy the tool directory to the other nodes and change its owner and group to es

[root@cluster1_host1 data]# scp -r /usr/local/search-guard-tlstool/ root@10.87.18.33:/usr/local/

  

9. Generate the certificate files

Create the output directory for the generated certificates

[es@cluster1_host1 config]$ cd /usr/local/elasticsearch/config
[es@cluster1_host1 config]$ mkdir out

  

10. The command to generate the certificates

[es@cluster1_host1 tools]$ ./sgtlstool.sh -c /usr/local/search-guard-tlstool/config/tlsconfig.yml -ca -crt -t /usr/local/elasticsearch/config/out/
Root certificate and signing certificate have been sucessfully created. Created 6 node certificates.
Created 2 client certificates.

  

11. The generated certificate files are as follows

[es@cluster1_host1 out]$ cd /usr/local/elasticsearch/config/out/
[es@cluster1_host1 out]$ ll
total 96
-rw-rw-r--. 1 es es 294 Feb 29 02:59 client-certificates.readme
-rw-rw-r--. 1 es es 1388 Feb 29 02:59 cluster1_host1_elasticsearch_config_snippet.yml
-rw-rw-r--. 1 es es 1801 Feb 29 02:59 cluster1_host1_http.key
-rw-rw-r--. 1 es es 3201 Feb 29 02:59 cluster1_host1_http.pem
-rw-rw-r--. 1 es es 1801 Feb 29 02:59 cluster1_host1.key
-rw-rw-r--. 1 es es 3201 Feb 29 02:59 cluster1_host1.pem
-rw-rw-r--. 1 es es 1388 Feb 29 02:59 cluster1_host2_elasticsearch_config_snippet.yml
-rw-rw-r--. 1 es es 1789 Feb 29 02:59 cluster1_host2_http.key
-rw-rw-r--. 1 es es 3201 Feb 29 02:59 cluster1_host2_http.pem
-rw-rw-r--. 1 es es 1801 Feb 29 02:59 cluster1_host2.key
-rw-rw-r--. 1 es es 3201 Feb 29 02:59 cluster1_host2.pem
-rw-rw-r--. 1 es es 1388 Feb 29 02:59 cluster1_host3_elasticsearch_config_snippet.yml
-rw-rw-r--. 1 es es 1801 Feb 29 02:59 cluster1_host3_http.key
-rw-rw-r--. 1 es es 3201 Feb 29 02:59 cluster1_host3_http.pem
-rw-rw-r--. 1 es es 1801 Feb 29 02:59 cluster1_host3.key
-rw-rw-r--. 1 es es 3201 Feb 29 02:59 cluster1_host3.pem
-rw-rw-r--. 1 es es 1801 Feb 29 02:59 kirk.key
-rw-rw-r--. 1 es es 3144 Feb 29 02:59 kirk.pem
-rw-rw-r--. 1 es es 1801 Feb 29 02:59 root-ca.key
-rw-rw-r--. 1 es es 1371 Feb 29 02:59 root-ca.pem
-rw-rw-r--. 1 es es 1801 Feb 29 02:59 signing-ca.key
-rw-rw-r--. 1 es es 1558 Feb 29 02:59 signing-ca.pem
-rw-rw-r--. 1 es es 1801 Feb 29 02:59 spock.key
-rw-rw-r--. 1 es es 3144 Feb 29 02:59 spock.pem

  

12. Verify the certificates

[es@cluster1_host1 out]$ /usr/local/search-guard-tlstool/tools/sgtlsdiag.sh -ca /usr/local/elasticsearch/config/out/root-ca.pem -crt /usr/local/elasticsearch/config/out/cluster1_host1.pem 

========================================================================
/usr/local/elasticsearch/config/out/cluster1_host1.pem
------------------------------------------------------------------------
Certificate 1
------------------------------------------------------------------------
SHA1 FPR: 70b8e292357beec0e55b1b98c257aa5d2a391f05
MD5 FPR: 1565fb2741046769feb128d2e98e3923
Subject DN [RFC2253]: CN=cluster1_host1,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
Serial Number: 1582963131135
Issuer DN [RFC2253]: CN=signing.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
Not Before: Sat Feb 29 02:58:53 EST 2020
Not After: Tue Feb 26 02:58:53 EST 2030
Key Usage: digitalSignature nonRepudiation keyEncipherment
Signature Algorithm: SHA256WITHRSA
Version: 3
Extended Key Usage: id_kp_serverAuth id_kp_clientAuth
Basic Constraints: -1
SAN:
dNSName: cluster1_host1
iPAddress: 10.87.18.31
------------------------------------------------------------------------
Certificate 2
------------------------------------------------------------------------
SHA1 FPR: 450118f5bce0ddbb0210550620da4323c15c697b
MD5 FPR: 091f69596ca7e6b3c74f3ac200e87307
Subject DN [RFC2253]: CN=signing.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
Serial Number: 2
Issuer DN [RFC2253]: CN=root.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
Not Before: Sat Feb 29 02:58:53 EST 2020
Not After: Tue Feb 26 02:58:53 EST 2030
Key Usage: digitalSignature keyCertSign cRLSign
Signature Algorithm: SHA256WITHRSA
Version: 3
Extended Key Usage: null
Basic Constraints: 0
SAN: (none)
------------------------------------------------------------------------
Trust anchor:
DC=com,DC=example,O=Example Com\, Inc.,OU=CA,CN=root.ca.example.com
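What sgtlsdiag checked above can be reproduced with plain openssl, which helps on a host without the tool and makes explicit what the post later switches off (searchguard.ssl.transport.enforce_hostname_verification: false in elasticsearch.yml, -nhnv for sgadmin). The script below is an added example and is not part of the original post or of the Search Guard tool. It rebuilds the same root CA -> signing CA -> node certificate layout that tlsconfig.yml describes, checks that a node certificate chains to root-ca.pem and that its SAN matches the hostname, and shows that a certificate from an unrelated CA with an identical subject DN is rejected even though its DN would match searchguard.nodes_dn. The DNs are shortened from the post's values; the work directory and the rogue CA are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Search Guard tool: rebuild
# the three-tier layout that tlsconfig.yml produces (root CA -> signing CA -> node
# certificate with DNS/IP SAN) with plain openssl, then verify a node certificate the
# way the transport layer has to: the chain must end at root-ca.pem, with the signing
# CA as an untrusted link, and the SAN must carry the node's hostname.
# DNs are shortened from the post's values; the work directory and the "rogue" CA
# are constructed for the demonstration.
set -eu

WORK=$(mktemp -d)
ORG="/O=Example Com"

# Minimal request config so the script does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
[v3_signing]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
EOF

# new_root FILE CN : a self-signed root CA (-subj overrides the placeholder DN).
new_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$WORK/req.cnf" \
    -extensions v3_ca -subj "$ORG/OU=CA/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# new_signing_ca : the intermediate, signed by root-ca like "intermediate" in tlsconfig.yml.
new_signing_ca() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -subj "$ORG/OU=CA/CN=signing.ca.example.com" \
    -keyout "$WORK/signing-ca.key" -out "$WORK/signing-ca.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/signing-ca.csr" -CA "$WORK/root-ca.pem" \
    -CAkey "$WORK/root-ca.key" -CAcreateserial -days 3650 \
    -extfile "$WORK/req.cnf" -extensions v3_signing -out "$WORK/signing-ca.pem" 2>/dev/null
}

# issue_node_cert ISSUER FILE NODENAME IP : a node certificate carrying the same
# key usage, extended key usage and SAN that sgtlsdiag printed above.
issue_node_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -subj "$ORG/OU=Ops/CN=$3" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  {
    echo 'basicConstraints=CA:FALSE'
    echo 'keyUsage=digitalSignature,nonRepudiation,keyEncipherment'
    echo 'extendedKeyUsage=serverAuth,clientAuth'
    echo "subjectAltName=DNS:$3,IP:$4"
  } > "$WORK/$2.ext"
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 3650 -extfile "$WORK/$2.ext" -out "$WORK/$2.pem" 2>/dev/null
}

# verify_node_cert CERT HOSTNAME : 0 if CERT chains to root-ca.pem through
# signing-ca.pem and its SAN matches HOSTNAME, 1 otherwise.
verify_node_cert() {
  openssl verify -CAfile "$WORK/root-ca.pem" -untrusted "$WORK/signing-ca.pem" \
    -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# subject_dn CERT : the RFC 2253 subject, the form that searchguard.nodes_dn lists.
subject_dn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

new_root root-ca root.ca.example.com
new_signing_ca
issue_node_cert signing-ca cluster1_host1 cluster1_host1 10.87.18.31

# A second root with the very same DN: a certificate it issues has a subject that
# would match nodes_dn, but it does not chain to root-ca.pem and must be rejected.
new_root rogue-ca root.ca.example.com
issue_node_cert rogue-ca rogue cluster1_host1 10.87.18.31

if verify_node_cert "$WORK/cluster1_host1.pem" cluster1_host1; then
  echo "cluster1_host1.pem: chain and SAN OK ($(subject_dn "$WORK/cluster1_host1.pem"))"
fi
if ! verify_node_cert "$WORK/cluster1_host1.pem" cluster1_host2; then
  echo "cluster1_host1.pem presented as cluster1_host2: rejected (SAN mismatch)"
fi
if ! verify_node_cert "$WORK/rogue.pem" cluster1_host1; then
  echo "rogue.pem: same subject ($(subject_dn "$WORK/rogue.pem")) but rejected (no chain to root-ca.pem)"
fi
```

It needs only openssl, mktemp and sed. The rogue CA is the reason nodes_dn alone is not a security boundary: the DN list is an allow-list applied to a peer whose certificate the TLS handshake has already validated against pemtrustedcas_filepath, and the hostname check is the part that -nhnv and enforce_hostname_verification: false remove.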

  

13. Edit the ES configuration file

Go to the certificate directory

[es@cluster1_host1 out]$ pwd
/usr/local/elasticsearch/config/out
[es@cluster1_host1 out]$ ll
total 96
-rwxrwxr-x. 1 es es 294 Feb 29 02:59 client-certificates.readme
-rwxrwxr-x. 1 es es 1388 Feb 29 03:30 cluster1_host1_elasticsearch_config_snippet.yml
-rwxrwxr-x. 1 es es 1801 Feb 29 02:59 cluster1_host1_http.key
-rwxrwxr-x. 1 es es 3201 Feb 29 02:59 cluster1_host1_http.pem
-rwxrwxr-x. 1 es es 1801 Feb 29 02:59 cluster1_host1.key
-rwxrwxr-x. 1 es es 3201 Feb 29 02:59 cluster1_host1.pem
-rwxrwxr-x. 1 es es 1388 Feb 29 02:59 cluster1_host2_elasticsearch_config_snippet.yml
-rwxrwxr-x. 1 es es 1789 Feb 29 02:59 cluster1_host2_http.key
-rwxrwxr-x. 1 es es 3201 Feb 29 02:59 cluster1_host2_http.pem
-rwxrwxr-x. 1 es es 1801 Feb 29 02:59 cluster1_host2.key
-rwxrwxr-x. 1 es es 3201 Feb 29 02:59 cluster1_host2.pem
-rwxrwxr-x. 1 es es 1388 Feb 29 03:26 cluster1_host3_elasticsearch_config_snippet.yml
-rwxrwxr-x. 1 es es 1801 Feb 29 02:59 cluster1_host3_http.key
-rwxrwxr-x. 1 es es 3201 Feb 29 02:59 cluster1_host3_http.pem
-rwxrwxr-x. 1 es es 1801 Feb 29 02:59 cluster1_host3.key
-rwxrwxr-x. 1 es es 3201 Feb 29 02:59 cluster1_host3.pem
-rwxrwxr-x. 1 es es 1801 Feb 29 02:59 kirk.key
-rwxrwxr-x. 1 es es 3144 Feb 29 02:59 kirk.pem
-rwxrwxr-x. 1 es es 1801 Feb 29 02:59 root-ca.key
-rwxrwxr-x. 1 es es 1371 Feb 29 02:59 root-ca.pem
-rwxrwxr-x. 1 es es 1801 Feb 29 02:59 signing-ca.key
-rwxrwxr-x. 1 es es 1558 Feb 29 02:59 signing-ca.pem
-rwxrwxr-x. 1 es es 1801 Feb 29 02:59 spock.key
-rwxrwxr-x. 1 es es 3144 Feb 29 02:59 spock.pem

  

Append the content of cluster1_host1_elasticsearch_config_snippet.yml to the node's ES configuration file

[es@cluster1_host1 config]$ ll
total 36
-rw-rw----. 1 es es 207 Feb 28 01:15 elasticsearch.keystore
-rw-rw----. 1 es es 3895 Feb 29 03:33 elasticsearch.yml
-rw-rw----. 1 es es 2937 Feb 28 03:33 elasticsearch.yml.bak
-rw-rw----. 1 es es 2937 Feb 28 01:10 jvm.options
-rw-rw----. 1 es es 6380 Oct 30 2018 log4j2.properties
drwxrwxr-x. 2 es es 4096 Feb 29 03:30 out
-rw-rw----. 1 es es 473 Oct 30 2018 role_mapping.yml
-rw-rw----. 1 es es 197 Oct 30 2018 roles.yml
-rw-rw----. 1 es es 0 Oct 30 2018 users
-rw-rw----. 1 es es 0 Oct 30 2018 users_roles
[es@cluster1_host1 config]$ pwd
/usr/local/elasticsearch/config

  

The settings to add are as follows; the main point is that the certificate files are referenced by paths relative to the config directory

searchguard.ssl.transport.pemcert_filepath: out/cluster1_host1.pem
searchguard.ssl.transport.pemkey_filepath: out/cluster1_host1.key
searchguard.ssl.transport.pemkey_password: teststt
searchguard.ssl.transport.pemtrustedcas_filepath: out/root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: false
searchguard.ssl.http.pemcert_filepath: out/cluster1_host1_http.pem
searchguard.ssl.http.pemkey_filepath: out/cluster1_host1_http.key
searchguard.ssl.http.pemkey_password: teststt
searchguard.ssl.http.pemtrustedcas_filepath: out/root-ca.pem
searchguard.nodes_dn:
- CN=cluster1_host1,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
- CN=cluster1_host2,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
- CN=cluster1_host3,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
searchguard.authcz.admin_dn:
- CN=kirk.example.com,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com

  

Validate the configuration file

[es@cluster1_host1 tools]$ ./sgtlsdiag.sh -es /usr/local/elasticsearch/config/elasticsearch.yml
Reading node config file /usr/local/elasticsearch/config/elasticsearch.yml
========================================================================
/usr/local/elasticsearch/config/out/cluster1_host1.pem
------------------------------------------------------------------------
Certificate 1
------------------------------------------------------------------------
SHA1 FPR: 70b8e292357beec0e55b1b98c257aa5d2a391f05
MD5 FPR: 1565fb2741046769feb128d2e98e3923
Subject DN [RFC2253]: CN=cluster1_host1,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
Serial Number: 1582963131135
Issuer DN [RFC2253]: CN=signing.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
Not Before: Sat Feb 29 02:58:53 EST 2020
Not After: Tue Feb 26 02:58:53 EST 2030
Key Usage: digitalSignature nonRepudiation keyEncipherment
Signature Algorithm: SHA256WITHRSA
Version: 3
Extended Key Usage: id_kp_serverAuth id_kp_clientAuth
Basic Constraints: -1
SAN:
dNSName: cluster1_host1
iPAddress: 10.87.18.31
------------------------------------------------------------------------
Certificate 2
------------------------------------------------------------------------
SHA1 FPR: 450118f5bce0ddbb0210550620da4323c15c697b
MD5 FPR: 091f69596ca7e6b3c74f3ac200e87307
Subject DN [RFC2253]: CN=signing.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
Serial Number: 2
Issuer DN [RFC2253]: CN=root.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
Not Before: Sat Feb 29 02:58:53 EST 2020
Not After: Tue Feb 26 02:58:53 EST 2030
Key Usage: digitalSignature keyCertSign cRLSign
Signature Algorithm: SHA256WITHRSA
Version: 3
Extended Key Usage: null
Basic Constraints: 0
SAN: (none)
------------------------------------------------------------------------
Trust anchor:
DC=com,DC=example,O=Example Com\, Inc.,OU=CA,CN=root.ca.example.com
========================================================================
/usr/local/elasticsearch/config/out/cluster1_host1_http.pem
------------------------------------------------------------------------
Certificate 1
------------------------------------------------------------------------
SHA1 FPR: 998fdf16628aeb9da3d9ef741f8d87318f44bf87
MD5 FPR: bfb40c178312f63af1bf5d83cd7a1021
Subject DN [RFC2253]: CN=cluster1_host1,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
Serial Number: 1582963131136
Issuer DN [RFC2253]: CN=signing.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
Not Before: Sat Feb 29 02:58:55 EST 2020
Not After: Tue Feb 26 02:58:55 EST 2030
Key Usage: digitalSignature nonRepudiation keyEncipherment
Signature Algorithm: SHA256WITHRSA
Version: 3
Extended Key Usage: id_kp_serverAuth id_kp_clientAuth
Basic Constraints: -1
SAN:
dNSName: cluster1_host1
iPAddress: 10.87.18.31
------------------------------------------------------------------------
Certificate 2
------------------------------------------------------------------------
SHA1 FPR: 450118f5bce0ddbb0210550620da4323c15c697b
MD5 FPR: 091f69596ca7e6b3c74f3ac200e87307
Subject DN [RFC2253]: CN=signing.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
Serial Number: 2
Issuer DN [RFC2253]: CN=root.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
Not Before: Sat Feb 29 02:58:53 EST 2020
Not After: Tue Feb 26 02:58:53 EST 2030
Key Usage: digitalSignature keyCertSign cRLSign
Signature Algorithm: SHA256WITHRSA
Version: 3
Extended Key Usage: null
Basic Constraints: 0
SAN: (none)
------------------------------------------------------------------------
Trust anchor:
DC=com,DC=example,O=Example Com\, Inc.,OU=CA,CN=root.ca.example.com
========================================================================
/usr/local/elasticsearch/config/out/root-ca.pem
------------------------------------------------------------------------
Certificate 1
------------------------------------------------------------------------
SHA1 FPR: b66494fa2c05423e64ada2403e09ca6c76ae3936
MD5 FPR: 5f0834f0acf6dc8f7fa061eb7be0675a
Subject DN [RFC2253]: CN=root.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
Serial Number: 1
Issuer DN [RFC2253]: CN=root.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
Not Before: Sat Feb 29 02:58:52 EST 2020
Not After: Tue Feb 26 02:58:52 EST 2030
Key Usage: digitalSignature keyCertSign cRLSign
Signature Algorithm: SHA256WITHRSA
Version: 3
Extended Key Usage: null
Basic Constraints: 2147483647
SAN: (none)

  

14. Edit the configuration files on the other nodes

Copy the out directory to the same location on the other nodes

[root@cluster1_host1 data]# scp -r /usr/local/elasticsearch/config/out/ root@10.87.18.33:/usr/local/elasticsearch/config/

  

15. The following must be run on every ES node

[es@cluster1_host1 search-guard-6]$ pwd
/usr/local/elasticsearch/plugins/search-guard-6
[es@cluster1_host1 search-guard-6]$
[es@cluster1_host1 search-guard-6]$
[es@cluster1_host1 search-guard-6]$ ./tools/sgadmin.sh -esa -icl -nhnv -cert ../../config/out/kirk.pem -key ../../config/out/kirk.key -cacert ../../config/out/root-ca.pem -h cluster1_host1 -keypass teststt
Search Guard Admin v6
Will connect to cluster1_host1:9300 ... done
Elasticsearch Version: 6.4.3
Search Guard Version: 6.4.3-25.5
Connected as CN=kirk.example.com,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
Persistent and transient shard allocation enabled

  

16. Run an ES command; without credentials the request is now rejected

[root@cluster1_host1 ~]# curl '10.87.18.31:9200/_cat/nodes?v'
Unauthorized[root@cluster1_host1 ~]#

  

17. Open a browser and visit the following URL

http://10.87.18.31:9200/_searchguard/health

  

{"message":null,"mode":"strict","status":"UP"}

18. Access ES with a username and password

[root@cluster1_host1 ~]# curl -u admin:admin '10.87.18.31:9200/_cat/indices?v'
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
green open searchguard XOWOuXN0SJi_69Yz3BPtmw 1 2 0 6 88.6kb 38.4kb
[root@cluster1_host1 ~]#

  

This completes the Search Guard plugin configuration for ES.

III. Problems

1. If ES reports the following error on startup

[2020-02-29T03:54:12,266][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [cluster1_host1] uncaught exception in thread [main]
org.elasticsearch.bootstrap.StartupException: java.lang.IllegalArgumentException: Cannot have additional setting [http.type] in plugin [search-guard-6], already added in plugin [x-pack-security]

  

then add the following to the ES configuration file

xpack.security.enabled: false

  

2. If ES logs the following warnings on startup

[2020-02-29T03:49:24,286][WARN ][c.f.s.SearchGuardPlugin  ] Directory /usr/local/elasticsearch/config has insecure file permissions (should be 0700)
[2020-02-29T03:49:24,286][WARN ][c.f.s.SearchGuardPlugin ] Directory /usr/local/elasticsearch/config/out has insecure file permissions (should be 0700)
[2020-02-29T03:49:24,286][WARN ][c.f.s.SearchGuardPlugin ] File /usr/local/elasticsearch/config/out/root-ca.pem has insecure file permissions (should be 0600)
[2020-02-29T03:49:24,286][WARN ][c.f.s.SearchGuardPlugin ] File /usr/local/elasticsearch/config/out/root-ca.key has insecure file permissions (should be 0600)
[2020-02-29T03:49:24,286][WARN ][c.f.s.SearchGuardPlugin ] File /usr/local/elasticsearch/config/out/signing-ca.pem has insecure file permissions (should be 0600)

  

then fix the permissions

chmod 0600 /usr/local/elasticsearch/config/out/*
chmod 0700 /usr/local/elasticsearch/config/
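The same fix as a repeatable check, added here and not part of the original post: the script walks the configuration tree, lists every directory that is not 0700 and every file that is not 0600 (what the plugin's warnings ask for), applies the fix and audits again. The two chmod lines above leave the out/ directory itself at its old mode even though the warning lists it too; a tree walk catches that. The directory tree the script builds is constructed for the demonstration and stands in for /usr/local/elasticsearch/config.

```shell
#!/bin/sh
# Added example, not code from the original post: audit an Elasticsearch config tree
# for the permissions the warnings above ask for (directories 0700, files 0600), fix
# them, and re-audit. The post's two chmod lines cover config/ itself and the files in
# out/, but not the out/ directory, which the plugin also warned about, so this walks
# the whole tree. The tree built by make_demo_tree is constructed for the demonstration.
set -eu

# audit_perms DIR : print every directory beneath DIR (DIR included) that is not 0700
# and every file that is not 0600; return 0 when nothing was listed, 1 otherwise.
audit_perms() {
  found=$( { find "$1" -type d ! -perm 700; find "$1" -type f ! -perm 600; } | sort )
  if [ -n "$found" ]; then
    printf '%s\n' "$found"
    return 1
  fi
  return 0
}

# fix_perms DIR : apply the permissions the plugin expects to the whole tree.
fix_perms() {
  find "$1" -type d -exec chmod 0700 {} +
  find "$1" -type f -exec chmod 0600 {} +
}

# make_demo_tree : a stand-in for /usr/local/elasticsearch/config with the layout from
# the listing above, deliberately left at the loose modes the plugin complains about.
make_demo_tree() {
  d=$(mktemp -d)
  mkdir "$d/out"
  : > "$d/elasticsearch.yml"
  : > "$d/out/root-ca.pem"
  : > "$d/out/root-ca.key"
  chmod 0755 "$d" "$d/out"
  chmod 0664 "$d/elasticsearch.yml" "$d/out/root-ca.pem" "$d/out/root-ca.key"
  printf '%s\n' "$d"
}

CONF=$(make_demo_tree)
echo "before fix (each line is an insecure entry):"
audit_perms "$CONF" || true
fix_perms "$CONF"
echo "after fix:"
if audit_perms "$CONF"; then
  echo "clean: all directories 0700, all files 0600"
fi
```

Run it against the real directory as the es user with audit_perms only first; fix_perms is safe for the layout the post shows because ES reads everything under config/ as the es user, but keys such as root-ca.key and signing-ca.key only need to be on the node that issues certificates, so the stricter option is to keep them off the cluster nodes entirely.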

  

3. If running an ES command returns the following error

[root@cluster1_host1 config]# curl '10.87.18.31:9200/_cat/nodes?v'
Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin
[root@cluster1_host1 config]#

  

go to the following directory

[es@cluster1_host1 search-guard-6]$ pwd
/usr/local/elasticsearch/plugins/search-guard-6

  

and run the following; if it reports that a file does not exist, restart ES and try again. This only needs to be run on one node.

[es@cluster1_host1 search-guard-6]$ ./tools/sgadmin.sh -cd ./sgconfig/ -icl -nhnv -cert ../../config/out/kirk.pem -key ../../config/out/kirk.key -cacert ../../config/out/root-ca.pem -h cluster1_host1 -keypass teststt
Search Guard Admin v6
Will connect to cluster1_host1:9300 ... done
Elasticsearch Version: 6.4.3
Search Guard Version: 6.4.3-25.5
Connected as CN=kirk.example.com,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com
Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
Clustername: my-application
Clusterstate: YELLOW
Number of nodes: 3
Number of data nodes: 3
searchguard index already exists, so we do not need to create one.
INFO: searchguard index state is YELLOW, it seems you miss some replicas
Populate config from /usr/local/elasticsearch/plugins/search-guard-6/sgconfig
Will update 'sg/config' with ./sgconfig/sg_config.yml
SUCC: Configuration for 'config' created or updated
Will update 'sg/roles' with ./sgconfig/sg_roles.yml
SUCC: Configuration for 'roles' created or updated
Will update 'sg/rolesmapping' with ./sgconfig/sg_roles_mapping.yml
SUCC: Configuration for 'rolesmapping' created or updated
Will update 'sg/internalusers' with ./sgconfig/sg_internal_users.yml
SUCC: Configuration for 'internalusers' created or updated
Will update 'sg/actiongroups' with ./sgconfig/sg_action_groups.yml
SUCC: Configuration for 'actiongroups' created or updated
Done with success
[es@cluster1_host1 search-guard-6]$ pwd

  
