Installing the SearchGuard plugin
The plugin has to be installed on every node in the cluster.
Online installation
Look up the matching version under "/artifact/com.floragunn/search-guard-5".
Example(com.floragunn:search-guard-5:5.0.1-12)
$ cd %ES_HOME%
$ bin/elasticsearch-plugin install -b com.floragunn:search-guard-<major-version>:<version>
Offline installation
Download the matching version of the search-guard plugin from "/artifact/com.floragunn/search-guard-5".
Example(file:root/Desktop/search-guard.zip)
$ cd %ES_HOME%
$ bin/elasticsearch-plugin install -b file:///path/search-guard.zip
Installing SearchGuardSSL
Download location
/floragunncom/search-guard-ssl
Installation steps
1. Configure example.sh as described in "example.sh basic configuration explained" below.
$ cd %search-guard%/example-pki-scripts
$ vim example.sh
2. Run example.sh (on any one node of the cluster is enough) and copy the two files truststore.jks and node-x-keystore.jks (x is the node number; each keystore must be placed on the corresponding node of the cluster) into a directory the ES user can read. Here they go under config, which keeps the configuration simple.
$ ./example.sh
$ cp truststore.jks node-1-keystore.jks %ES_HOME%/config/
3. Configure config/elasticsearch.yml as described in "elasticsearch configuration explained" below.
$ cd %ES_HOME%
$ vim config/elasticsearch.yml
4. After restarting elasticsearch, the connections between the elasticsearch nodes are already encrypted, but because the SearchGuard index has not been initialized yet, the following error appears:
Not yet initialized (you may need to run sgadmin)
5. Initialize the SearchGuard index: configure config/elasticsearch.yml as described in "elasticsearch configuration explained" below, then run sgadmin.sh (on any one node of the cluster is enough). sgadmin.sh and the sgconfig/ directory live in the plugin directory, so the relative paths below are resolved from %ES_HOME%/plugins/search-guard-5/.
$ cd %ES_HOME%
$ vim config/elasticsearch.yml
$ cd %search-guard%/example-pki-scripts
$ cp cn_name-keystore.jks %ES_HOME%/plugins/search-guard-5/sgconfig/
$ cd %ES_HOME%/plugins/search-guard-5/
$ tools/sgadmin.sh \
>   -ts %ES_HOME%/config/truststore.jks \
>   -tspass tspass \
>   -ks sgconfig/cn_name-keystore.jks \
>   -kspass kspass \
>   -cd sgconfig/ \
>   -icl -nhnv -h localhost
6. Configure user passwords: hash the new password with hash.sh, put the resulting hash into sg_internal_users.yml, and initialize the SearchGuard index again.
$ cd %ES_HOME%/plugins/search-guard-5/
$ tools/hash.sh
$ vim sgconfig/sg_internal_users.yml
$ tools/sgadmin.sh \
>   -ts %ES_HOME%/config/truststore.jks \
>   -tspass tspass \
>   -ks sgconfig/cn_name-keystore.jks \
>   -kspass kspass \
>   -cd sgconfig/ \
>   -icl -nhnv -h localhost
example.sh basic configuration explained
./gen_root_ca.sh capass tspass
    $1 is CA_PASS, the CA (root certificate) password; customizable
    $2 is TS_PASS, the truststore password; customizable
./gen_node_cert.sh 1 kspass capass
    $1 is the node number; the generated files are named node-1*
    $2 is KS_PASS, the keystore file password; customizable
    $3 is CA_PASS, the CA (root certificate) password; customizable
./gen_client_node_cert.sh cn_name kspass capass
    $1 is the client node name; the generated files are named after it (test* in the stock example, cn_name* here); customizable
    $2 is KS_PASS, the keystore file password; customizable
    $3 is CA_PASS, the CA (root certificate) password; customizable
elasticsearch configuration explained
# Configure SSL so that elasticsearch nodes talk to each other over TLS
searchguard.ssl.transport.enabled: true
searchguard.ssl.transport.keystore_filepath: node-1-keystore.jks   # this node's keystore (node-x-keystore.jks from example.sh)
searchguard.ssl.transport.keystore_password: kspass
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: tspass
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
# SearchGuard initialization: the DN that sgadmin may use
searchguard.authcz.admin_dn:
  - CN=cn_name, OU=client, O=client, L=Test, C=DE   # the CN here is $1 of gen_client_node_cert.sh
# HTTP settings; I left this false only for testing convenience, it should be set to true once the setup is done
searchguard.ssl.http.enabled: false
searchguard.ssl.http.keystore_filepath: node-1-keystore.jks
searchguard.ssl.http.keystore_password: kspass
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.truststore_password: tspass
searchguard.allow_all_from_loopback: true
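A pre-flight check for the settings above, added here as an example (it is neither from the original post nor from Search Guard): it parses the flat searchguard.* lines without PyYAML and flags the values the post marks as test-only (HTTP TLS off, hostname verification off, the example.sh placeholder passwords), plus an admin_dn whose CN does not match the client certificate that sgadmin will present. The sample config is constructed from the fragment above.

```python
import re

# Constructed sample: the elasticsearch.yml fragment from this post, with its "testing only" values.
SAMPLE_YML = """\
searchguard.ssl.transport.enabled: true
searchguard.ssl.transport.keystore_password: kspass
searchguard.ssl.transport.truststore_password: tspass
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.authcz.admin_dn:
  - CN=cn_name, OU=client, O=client, L=Test, C=DE  # $1 of gen_client_node_cert.sh
searchguard.ssl.http.enabled: false
searchguard.allow_all_from_loopback: true
"""
EXAMPLE_PASSWORDS = {"capass", "tspass", "kspass"}  # placeholders from example.sh


def parse_flat_yaml(text):
    """Parse the flat `key: value` and `- item` lines the post uses (no PyYAML)."""
    settings, list_key = {}, None
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()  # strip trailing comments
        if not line.strip():
            continue
        if line.lstrip().startswith("- ") and list_key:
            settings[list_key].append(line.strip()[2:].strip())
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        list_key = None if value else key  # a bare "key:" opens a list
        settings[key] = value if value else []
    return settings


def audit(settings, expected_admin_cn):
    """Return the findings a reviewer would raise; an empty list means pass."""
    found = []
    if settings.get("searchguard.ssl.transport.enabled") != "true":
        found.append("transport TLS disabled")
    if settings.get("searchguard.ssl.http.enabled") != "true":
        found.append("http TLS disabled (acceptable only while testing)")
    if settings.get("searchguard.ssl.transport.enforce_hostname_verification") != "true":
        found.append("transport hostname verification off")
    for key, value in settings.items():
        if key.endswith("_password") and value in EXAMPLE_PASSWORDS:
            found.append(f"{key} still uses the example.sh placeholder")
    admin_cns = re.findall(r"CN=([^,]+)", " ".join(settings.get("searchguard.authcz.admin_dn", [])))
    if expected_admin_cn not in admin_cns:
        found.append(f"admin_dn lacks CN={expected_admin_cn}; sgadmin would be rejected")
    return found
```

Run audit(parse_flat_yaml(SAMPLE_YML), "cn_name") against the post's fragment and it reports the four test-only settings; once HTTP TLS and hostname verification are on and the placeholder passwords are replaced, it returns an empty list.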
References
/shifu204/p/6376683.html