Elasticsearch-29.管理Elasticsearch集群 he 集群内部安全通信 he 集群与外部间的安全通信

weednoah

 关注

阅读 75

2022-04-14

Elasticsearch

管理Elasticsearch 集群

集群身份认证与用户鉴权

在这里插入图片描述

原因分析

  • Elasticsearch在默认安装后,不提供任何形式的安全防护
  • 错 误的配置信息导致公网可以访问ES集群
    • 在 elasticsearch. yml文件中,server. host被错误的配置为0. 0.0.0.

数据安全性的基本需求

在这里插入图片描述

一些免费的方案

  • 设置Nginx反向代理
  • 安装免费的Security 插件
    • Search Guard - https://search- guard. com/
      - Read0nly REST - https://gi thub. com/ sscarduz io/elas ticsearch-readonlyrest-plugin
  • X-Pack 的Basic 版
    • 从 ES 6.8& ES 7.0开始,Security纳入x-pack 的Basic 版本中,免费使用一些基本的功能
    • https://www. elastic. co/what-is/elastic-s tack- security

Authentication -身份认证

  • 认证体 系的几种类型
    • 提供用户名和密码
    • 提供秘钥或Kerberos 票据
  • Realms: X-Pack 中的认证服务
    • 内置Realms (免费)
      • File / Native (用户名密码保存在Elasticsearch )
    • 外部 Realms (收费)
      • LDAP / Active Directory / PKI / SAML / Kerberos

RBAC -用户鉴权

  • 什么是RBAC: Role Based Access Control,定 义一个角色,并分配- -组权限。权限包括索引
    级,字段级,集群级的不同的操作。然后通过将角色分配给用户,使得用户拥有这些权限
    • User: The authenticated User
    • Role: A named set of permiss ions
    • Permission - A set of one or more privileges against a secured resource
    • Privilege - A named group of 1 or more actions that user may execute against a secured
      resource

Privilege

  • Cluster Privileges
    • all / monitor / manager / manage_ index / manage_ index_ template / manage_ _rollup
  • Indices Privileges
    • all / create / create_ index / delete / delete_ index / index / manage / read /write / view_ index_metadata

创建内置的用户和角色

  • 内置的角色与用户
用户角色
elasticSupper User
kibanaThe user that is used by Kibana to connect and communicate with Elasticsearch.
logstash_ systemThe user that is used by Logstash when storing monitoring information in Elasticsearch.
beats_ systemThe user that the different Beats use when storing monitoring information in Elastics earch.
apm_ systemThe user that the APM server uses when storing monitoring information in Elasticsearch. .
Remote_ moni toring _userThe user that is used by Metricbeat when collecting and storing monitoring information in Elasticsearch.

使用Security API创建用户

在这里插入图片描述

开启并配置X-Pack的认证与鉴权

  • 修改配置文件, 打开认证与授权

    • bin/elasticsearch -E node. name=node0 -E cluster. name=geektime -E path. data=node0_ _data -E http. port=9200 -E xpack. security. enab led=true

  • 创建默认的用户和分组.

    • bin/elasticsearch-password interactive

  • 当集群开启身份认证之后,配置Kibana .

  • Demo

    • 创建-一个Role, 配置为对某个索引只读权限/创建-一个用户,把用户加入Role

配置Kibana

  • 修改kibana. yml

    • elasticsearch.username : "kibana”
    • elasticsearch. password: "changeme’

创建Role

在这里插入图片描述

创建用户

在这里插入图片描述

删除索引失败

在这里插入图片描述

demoAPI

#启动单节点
bin/elasticsearch -E node.name=node0 -E cluster.name=geektime -E path.data=node0_data -E http.port=9200 -E xpack.security.enabled=true

#使用Curl访问ES,或者浏览器访问 “localhost:9200/_cat/nodes?pretty”。返回401错误
curl 'localhost:9200/_cat/nodes?pretty'

#运行密码设定的命令,设置ES内置用户及其初始密码。
bin/elasticsearch-setup-passwords interactive

curl -u elastic 'localhost:9200/_cat/nodes?pretty'


# 修改 kibana.yml
elasticsearch.username: "kibana"
elasticsearch.password: "changeme"

#启动。使用用户名,elastic,密码elastic
./bin/kibana


POST orders/_bulk
{"index":{}}
{"product" : "1","price" : 18,"payment" : "master","card" : "9876543210123456","name" : "jack"}
{"index":{}}
{"product" : "2","price" : 99,"payment" : "visa","card" : "1234567890123456","name" : "bob"}


#create a new role named read_only_orders, that satisfies the following criteria:
#The role has no cluster privileges
#The role only has access to indices that match the pattern sales_record
#The index privileges are read, and view_index_metadata


#create sales_user that satisfies the following criteria:
# Use your own email address
# Assign the user to two roles: read_only_orders and kibana_user


#验证读权限,可以执行
POST orders/_search
{}

#验证写权限,报错
POST orders/_bulk
{"index":{}}
{"product" : "1","price" : 18,"payment" : "master","card" : "9876543210123456","name" : "jack"}
{"index":{}}
{"product" : "2","price" : 99,"payment" : "visa","card" : "1234567890123456","name" : "bob"}

相关配置链接

https://www.elastic.co/guide/en/elasticsearch/reference/7.1/configuring-security.html

本节知识点

  • 为什么 需要保护ES中的数据.

  • 如何使用 X-Pack Security保护你的数据

  • Elasticsearch中RBAC的机制和默认创建的用户和角色

  • 配置Elasticsearch 和Kibana 开启身份认证和用户鉴权

  • 使用Native Realm,通过API和Kibana管理用户分组和权限

集群内部安全通信

为什么要加密通讯

在这里插入图片描述

为节点创建证书

  • TLS

    • TLS协议要求Trusted Certificate Authority (CA) 签发的X. 509的证书.

  • 证书认证的不同级别

    • Certificate -节点加入需要使用相同CA签发的证书

    • Full Verification -节点加入集群需要相同CA签发的证书,还需要验证Host name或IP 地址

    • No Verification -任何节点都可以加入,开发环境中用于诊断目的

生成节点证书

  • bin/elasticsearch-certutil ca
  • bin/elasti csearch-certutil cert --ca elastic-stack-ca. p12
  • https://www. elastic. co/ guide/en/elasticsearch/reference/7.1/configuring-tls. html

配置节点间通讯

xpack. security. transport.ssl.enabled: true
xpack. security. transport.ssl.verification mode: certificate
xpack. security. transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack. security. transport.ssl. truststore.path: certs/elastic-certificates.p12

在这里插入图片描述

demoAPI

# 生成证书
# 为您的Elasticearch集群创建一个证书颁发机构。例如,使用elasticsearch-certutil ca命令:
bin/elasticsearch-certutil ca

#为群集中的每个节点生成证书和私钥。例如,使用elasticsearch-certutil cert 命令:
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

#将证书拷贝到 config/certs目录下
elastic-certificates.p12


bin/elasticsearch -E node.name=node0 -E cluster.name=geektime -E path.data=node0_data -E http.port=9200 -E xpack.security.enabled=true -E xpack.security.transport.ssl.enabled=true -E xpack.security.transport.ssl.verification_mode=certificate -E xpack.security.transport.ssl.keystore.path=certs/elastic-certificates.p12 -E xpack.security.transport.ssl.truststore.path=certs/elastic-certificates.p12

bin/elasticsearch -E node.name=node1 -E cluster.name=geektime -E path.data=node1_data -E http.port=9201 -E xpack.security.enabled=true -E xpack.security.transport.ssl.enabled=true -E xpack.security.transport.ssl.verification_mode=certificate -E xpack.security.transport.ssl.keystore.path=certs/elastic-certificates.p12 -E xpack.security.transport.ssl.truststore.path=certs/elastic-certificates.p12


#不提供证书的节点,无法加入
bin/elasticsearch -E node.name=node2 -E cluster.name=geektime -E path.data=node2_data -E http.port=9202 -E xpack.security.enabled=true -E xpack.security.transport.ssl.enabled=true -E xpack.security.transport.ssl.verification_mode=certificate



## elasticsearch.yml 配置

#xpack.security.transport.ssl.enabled: true
#xpack.security.transport.ssl.verification_mode: certificate

#xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
#xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

本节知识点

  • 为什么内部通信需要加密
  • 创建Certificate Authority (CA) 和节点的Certificates
  • 配置Elasticsearch节点间通信加密

集群与外部间的安全通信

本节知识点

  • 使用HTTPS 的重要性
  • 配置Elasticsearch
  • 配置Kibana
  • Kibana to Elasticsearch
  • Browser to Kibana .

为什么需要HTTPS

在这里插入图片描述

配置Elasticsearch for HTTPS

xpack. security.http.ssl.enabled: true
xpack. security.http.ssl.keystore.path: certs/elastic-certificates.p12
xpack. security.http .ss1.truststore.path: certs/elastic-certificates.p12

在这里插入图片描述

# ES 启用 https
bin/elasticsearch -E node.name=node0 -E cluster.name=geektime -E path.data=node0_data -E http.port=9200 -E xpack.security.enabled=true -E xpack.security.transport.ssl.enabled=true -E xpack.security.transport.ssl.verification_mode=certificate -E xpack.security.transport.ssl.keystore.path=certs/elastic-certificates.p12 -E xpack.security.http.ssl.enabled=true -E xpack.security.http.ssl.keystore.path=certs/elastic-certificates.p12 -E xpack.security.http.ssl.truststore.path=certs/elastic-certificates.p12

配置Kibana 连接ES HTTPS

在这里插入图片描述

elasticsearch.hosts: ["https://<your_ elasticsearch host>:9200"]
elasticsearch. ssl . certificateAuthorities: /path/to/your/ca.crt

配置使用HTTPS 访问Kibana

在这里插入图片描述

bin/elasticsearch-certutil cert --ca /path/to/your/ca --pem

在这里插入图片描述

server.ssl.enabled: true
server.ssl.key: /path/to/your/key
server .ssl.certificate: /path/to/your/crt


#Kibana 连接 ES https



# 为kibana生成pem
openssl pkcs12 -in elastic-certificates.p12 -cacerts -nokeys -out elastic-ca.pem


elasticsearch.hosts: ["https://localhost:9200"]
elasticsearch.ssl.certificateAuthorities: [ "/Users/yiruan/geektime/kibana-7.1.0/config/certs/elastic-ca.pem" ]
elasticsearch.ssl.verificationMode: certificate



# 为 Kibna 配置 HTTPS
# 生成后解压,包含了instance.crt 和 instance.key
bin/elasticsearch-certutil ca --pem

server.ssl.enabled: true
server.ssl.certificate: config/certs/instance.crt
server.ssl.key: config/certs/instance.key

相关推荐

Elasticsearch-32.生产环境常用配置与上线清单 he 集群写性能优化 he 集群读性能优化

sullay 101 0 0

Elasticsearch-33.诊断集群的潜在问题 he 解决集群Yellow与Red的问题

Alex富贵 50 0 0

Elasticsearch-35.缓存及使用Circuit Breaker 限制内存使用 he 监控Elasticsearch 集群

诗与泡面 44 0 0

Elasticsearch-31.分片设定及管理 he 如何对集群进行容量规划

幸福的无所谓 97 0 0

elasticsearch集群内部原理总结

jjt二向箔 93 0 0

Elasticsearch8.0 安全认证 集群搭建

编程练习生J 68 0 0

Elasticsearch 集群管理与运维

幸甚至哉歌以咏志 14 0 0

Elasticsearch-34.集群压力测试 he 段合并优化及注意事项

勇敢的趙迦禾 54 0 0

Elasticsearch集群

落拓尘嚣 93 0 0

elasticsearch集群

四月Ren间 29 0 0

精彩评论(0)

0 0 举报