ELK: Securing Elasticsearch 6.4.x with Search Guard 6
Today's topic is adding authentication to ELK. After a default install, Elasticsearch can be browsed directly with no credentials, which is very insecure, and Kibana is the same: its web interface is reachable without a password.
This post uses the free, open-source Community Edition of the Search Guard 6 plugin for authentication.
- Software versions and environment
Elasticsearch cluster of 3 nodes
10.1.1.195 elasticsearch logstash
10.1.1.196 elasticsearch
10.1.1.197 elasticsearch kibana
ELK versions:
elasticsearch-6.4.0
kibana-6.4.0
JDK1.8
Download page: https://www.elastic.co/downloads
E:https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.4.0.tar.gz
L:https://artifacts.elastic.co/downloads/logstash/logstash-6.4.0.zip
K:https://artifacts.elastic.co/downloads/kibana/kibana-6.4.0-linux-x86_64.tar.gz
JDK1.8:https://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html
The Search Guard version must match the Elasticsearch and Kibana versions: https://docs.search-guard.com/latest/search-guard-versions
Search Guard 6-6.4.0
Search Guard version installed on Elasticsearch: search-guard-6-6.4.0-23.1
https://oss.sonatype.org/service/local/repositories/releases/content/com/floragunn/search-guard-6/6.4.0-23.1/search-guard-6-6.4.0-23.1.zip
Search Guard version installed on Kibana: search-guard-kibana-plugin-6.4.0-15
- Generating Search Guard certificates online
Search Guard does not run without certificates. There are two ways to produce them: generate them by hand, which is involved and error-prone, or use the online generator provided on the Search Guard site. This post uses the online generator.
Online certificate generator: https://search-guard.com/tls-certificate-generator/
Email: the address that receives the key bundle.
Organization Name: anything you like.
Hostname: the node name of each node in the Elasticsearch cluster, one entry per node. There are three nodes here,
and the node name used is each node's IP address.
Upload the key bundle received by email to /tmp on the server and unpack it; this yields the search-guard-certificates folder.
Its layout is as follows:
# tree /tmp/search-guard-certificates
/tmp/search-guard-certificates
├── chain-ca.pem
├── client-certificates
│ ├── CN=demouser.all.pem
│ ├── CN=demouser.crtfull.pem
│ ├── CN=demouser.crt.pem
│ ├── CN=demouser.csr
│ ├── CN=demouser.key.pem
│ ├── CN=demouser.key.pkcs12
│ ├── CN=demouser-keystore.jks
│ ├── CN=demouser-keystore.p12
│ ├── CN=demouser-signed.pem
│ ├── CN=sgadmin.all.pem
│ ├── CN=sgadmin.crtfull.pem
│ ├── CN=sgadmin.crt.pem
│ ├── CN=sgadmin.csr
│ ├── CN=sgadmin.key.pem
│ ├── CN=sgadmin.key.pkcs12
│ ├── CN=sgadmin-keystore.jks
│ ├── CN=sgadmin-keystore.p12
│ └── CN=sgadmin-signed.pem
├── node-certificates
│ ├── CN=IP-10.1.1.195.crtfull.pem
│ ├── CN=IP-10.1.1.195.csr
│ ├── CN=IP-10.1.1.195.key.pem
│ ├── CN=IP-10.1.1.195.key.pkcs12
│ ├── CN=IP-10.1.1.195-keystore.jks
│ ├── CN=IP-10.1.1.195-keystore.p12
│ ├── CN=IP-10.1.1.195-signed.pem
│ ├── CN=IP-10.1.1.196.crtfull.pem
│ ├── CN=IP-10.1.1.196.csr
│ ├── CN=IP-10.1.1.196.key.pem
│ ├── CN=IP-10.1.1.196.key.pkcs12
│ ├── CN=IP-10.1.1.196-keystore.jks
│ ├── CN=IP-10.1.1.196-keystore.p12
│ ├── CN=IP-10.1.1.196-signed.pem
│ ├── CN=IP-10.1.1.197.crtfull.pem
│ ├── CN=IP-10.1.1.197.csr
│ ├── CN=IP-10.1.1.197.key.pem
│ ├── CN=IP-10.1.1.197.key.pkcs12
│ ├── CN=IP-10.1.1.197-keystore.jks
│ ├── CN=IP-10.1.1.197-keystore.p12
│ └── CN=IP-10.1.1.197-signed.pem
├── README.txt
├── root-ca
│ ├── root-ca.crt
│ ├── root-ca.key
│ └── root-ca.pem
├── root-ca.pem
├── signing-ca
│ ├── signing-ca.crt
│ ├── signing-ca.key
│ └── signing-ca.pem
├── truststore.jks
└── truststore.p12
4 directories, 50 files
- Installing the Elasticsearch cluster and the Search Guard plugin
Upload the elasticsearch-6.4.0.tar.gz and search-guard-6-6.4.0-23.1.zip downloaded above to /tmp on the server.
1) Install Elasticsearch first
# tar zxvf elasticsearch-6.4.0.tar.gz -C /usr/local
# cd /usr/local/
# mv elasticsearch-6.4.0 ./elasticsearch
2) Install the search-guard plugin
Official documentation: https://docs.search-guard.com/latest/search-guard-installation
# cd /usr/local/elasticsearch
# ./bin/elasticsearch-plugin install -b file:///tmp/search-guard-6-6.4.0-23.1.zip
-> Downloading com.floragunn:search-guard-6:6.4.0-23.0 from maven central
[=================================================] 100%
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: plugin requires additional permissions @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
* java.io.FilePermission /proc/sys/net/core/somaxconn read
* java.lang.RuntimePermission accessClassInPackage.com.sun.jndi.ldap
* java.lang.RuntimePermission accessClassInPackage.sun.misc
* java.lang.RuntimePermission accessClassInPackage.sun.nio.ch
* java.lang.RuntimePermission accessClassInPackage.sun.security.x509
* java.lang.RuntimePermission accessDeclaredMembers
* java.lang.RuntimePermission accessUserInformation
* java.lang.RuntimePermission getClassLoader
* java.lang.RuntimePermission setContextClassLoader
* java.lang.RuntimePermission shutdownHooks
* java.lang.reflect.ReflectPermission suppressAccessChecks
* java.net.NetPermission getNetworkInformation
* java.net.NetPermission getProxySelector
* java.net.SocketPermission * connect,accept,resolve
* java.security.SecurityPermission getProperty.ssl.KeyManagerFactory.algorithm
* java.security.SecurityPermission insertProvider.BC
* java.security.SecurityPermission org.apache.xml.security.register
* java.security.SecurityPermission putProviderProperty.BC
* java.security.SecurityPermission setProperty.ocsp.enable
* java.util.PropertyPermission * read,write
* java.util.PropertyPermission org.apache.xml.security.ignoreLineBreaks write
* javax.security.auth.AuthPermission doAs
* javax.security.auth.AuthPermission modifyPrivateCredentials
* javax.security.auth.kerberos.ServicePermission * accept
See http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html
for descriptions of what these permissions allow and the associated risks.
-> Installed search-guard-6
3) Configure search-guard in elasticsearch.yml
# cd /usr/local/elasticsearch
--Copy the certificate folder /tmp/search-guard-certificates unpacked in the previous section into /usr/local/elasticsearch/config
# cp -ar /tmp/search-guard-certificates /usr/local/elasticsearch/config/key
--Configure elasticsearch.yml
# egrep -v "^#|^$" ./config/elasticsearch.yml
cluster.name: CLU-ELK --cluster name
node.name: 10.1.1.195 --node name
path.data: /data/elasticsearch/data --data directory
path.logs: /data/elasticsearch/logs --log directory
network.host: 0.0.0.0 --listen address
http.port: 9200 --listen port
discovery.zen.ping.unicast.hosts: ["10.1.1.195", "10.1.1.196", "10.1.1.197"] --cluster nodes
discovery.zen.minimum_master_nodes: 2 --minimum number of master-eligible nodes needed to elect a master (a quorum of the 3 nodes)
bootstrap.system_call_filter: false
searchguard.ssl.transport.pemcert_filepath: key/node-certificates/CN=IP-10.1.1.195.crtfull.pem --search-guard node certificate; each node uses its own certificate
searchguard.ssl.transport.pemkey_filepath: key/node-certificates/CN=IP-10.1.1.195.key.pem --search-guard node key
searchguard.ssl.transport.pemkey_password: 701159a9c1a77ffd008d --this node's key password, listed in README.txt in the unpacked certificate folder
searchguard.ssl.transport.pemtrustedcas_filepath: key/chain-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: key/node-certificates/CN=IP-10.1.1.195.crtfull.pem
searchguard.ssl.http.pemkey_filepath: key/node-certificates/CN=IP-10.1.1.195.key.pem
searchguard.ssl.http.pemkey_password: 701159a9c1a77ffd008d
searchguard.ssl.http.pemtrustedcas_filepath: key/chain-ca.pem
searchguard.authcz.admin_dn:
- CN=sgadmin
searchguard.audit.type: internal_elasticsearch
searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: true
searchguard.restapi.roles_enabled: ["sg_all_access"]
cluster.routing.allocation.disk.threshold_enabled: false
node.max_local_storage_nodes: 3
xpack.security.enabled: false
Note: the pemkey_password value above comes from README.txt in the downloaded key bundle; use the "keystore and private key password" listed for this node.
# tail -30 /usr/local/elasticsearch/config/key/README.txt
## Passwords
### Common passwords
Root CA password: fbb188de616ae59b17b424c4339b8333f0bdd8b6
Truststore password: 88e0e8b9fe8029ef7e07
Admin keystore and private key password: 00fb1075cf84c333f1cc
Demouser keystore and private key password: 4682ae98bd089f0be252
## Host/Node specific passwords
Host: 10.1.1.195
10.1.1.195 keystore and private key password: 43ccf85767e1232f6336 --each node's own key password
10.1.1.195 keystore: node-certificates/CN=10.88.6.195-keystore.jks
10.1.1.195 PEM certificate: node-certificates/CN=10.88.6.195.crtfull.pem
10.1.1.195 PEM private key: node-certificates/CN=10.88.6.195.key.pem
Host: 10.1.1.196
10.1.1.196 keystore and private key password: 712aae762adca2b981eb
10.1.1.196 keystore: node-certificates/CN=10.88.6.196-keystore.jks
10.1.1.196 PEM certificate: node-certificates/CN=10.88.6.196.crtfull.pem
10.1.1.196 PEM private key: node-certificates/CN=10.88.6.196.key.pem
Host: 10.1.1.197
10.1.1.197 keystore and private key password: 701159a9c1a77ffd008d
10.1.1.197 keystore: node-certificates/CN=10.88.6.197-keystore.jks
10.1.1.197 PEM certificate: node-certificates/CN=10.88.6.197.crtfull.pem
10.1.1.197 PEM private key: node-certificates/CN=10.88.6.197.key.pem
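The settings most easily mistyped when filling in elasticsearch.yml from the bundle are the pemcert/pemkey paths and the node's pemkey_password (the README above lists 43ccf85767e1232f6336 for 10.1.1.195, while the yml uses the 10.1.1.197 password). The following pre-flight check, an added example that is not part of the original post or of Search Guard, cross-checks those settings against README.txt before the node is started; the yml and README excerpts embedded in it are constructed from the post's values, and the `existing` parameter is a test hook that stands in for the real config directory.

```python
import os
import re

# Constructed excerpt of a node's elasticsearch.yml (values from the post), seeded with
# two realistic slips: a doubled dot in the http paths and another node's password.
ES_YML = """\
node.name: 10.1.1.195
searchguard.ssl.transport.pemcert_filepath: key/node-certificates/CN=IP-10.1.1.195.crtfull.pem
searchguard.ssl.transport.pemkey_filepath: key/node-certificates/CN=IP-10.1.1.195.key.pem
searchguard.ssl.transport.pemkey_password: 701159a9c1a77ffd008d
searchguard.ssl.http.pemcert_filepath: key/node-certificates/CN=IP-10.1.1..195.crtfull.pem
searchguard.ssl.http.pemkey_filepath: key/node-certificates/CN=IP-10.1.1..195.key.pem
searchguard.ssl.http.pemkey_password: 701159a9c1a77ffd008d
"""
# Constructed excerpt of the bundle's README.txt "Host/Node specific passwords" section.
README = """\
Host: 10.1.1.195
10.1.1.195 keystore and private key password: 43ccf85767e1232f6336
Host: 10.1.1.197
10.1.1.197 keystore and private key password: 701159a9c1a77ffd008d
"""

def parse_yml(text):
    """Flat 'key: value' parse; enough for the scalar searchguard.ssl.* settings."""
    pairs = (ln.split(":", 1) for ln in text.splitlines() if ":" in ln and not ln.startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def readme_passwords(text):
    """Map host -> 'keystore and private key password' exactly as README.txt prints it."""
    return dict(re.findall(r"^(\S+) keystore and private key password: (\S+)$", text, re.M))

def check(yml_text, readme_text, config_dir, existing=None):
    """Return a list of problems; an empty list means the node may be started.
    existing: optional set of absolute paths treated as present (test hook)."""
    cfg = parse_yml(yml_text)
    node = cfg.get("node.name", "")
    expected = readme_passwords(readme_text).get(node)
    problems = [] if expected else [f"README.txt has no password entry for node.name '{node}'"]
    for layer in ("transport", "http"):
        for key in ("pemcert_filepath", "pemkey_filepath"):
            rel = cfg.get(f"searchguard.ssl.{layer}.{key}", "")
            path = os.path.join(config_dir, rel)
            if not (path in existing if existing is not None else os.path.exists(path)):
                problems.append(f"{layer}.{key}: {rel} not found under {config_dir}")
        pw = cfg.get(f"searchguard.ssl.{layer}.pemkey_password")
        if expected and pw != expected:
            problems.append(f"{layer}.pemkey_password {pw} is not the README password for {node}")
    return problems
```

On a node, call check() with the contents of config/elasticsearch.yml and config/key/README.txt and config_dir set to /usr/local/elasticsearch/config; an empty result means every referenced file exists and the password is the one README.txt lists for this node.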
The configuration is now complete.
Next, create an unprivileged user and start Elasticsearch.
# useradd elk
# echo elk123 | passwd --stdin elk
# chown elk:elk -R /usr/local/elasticsearch
Start Elasticsearch. If there are no errors, continue; if there are, re-check every step carefully.
- Applying the Search Guard configuration with sgadmin
Copy the sgadmin client certificate and key into the plugin's tools directory, then run sgadmin.sh from there:
# cd /usr/local/elasticsearch/config/key
# cp root-ca.pem chain-ca.pem client-certificates/CN\=sgadmin.key.pem client-certificates/CN\=sgadmin.crtfull.pem ../../plugins/search-guard-6/tools
# cd ../../plugins/search-guard-6/tools
# chmod 744 sgadmin.sh
# ./sgadmin.sh -cacert root-ca.pem -cert CN=sgadmin.crtfull.pem -key CN=sgadmin.key.pem -keypass 00fb1075cf84c333f1cc -nhnv -icl -cd ../sgconfig/
Search Guard Admin v6
Will connect to localhost:9300 ... done
Elasticsearch Version: 6.4.0
Search Guard Version: 6.4.0-23.1
Connected as CN=sgadmin
Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
Clustername: GHS-ELK
Clusterstate: GREEN
Number of nodes: 3
Number of data nodes: 3
searchguard index already exists, so we do not need to create one.
Populate config from /usr/local/elasticsearch/plugins/search-guard-6/sgconfig
Will update 'sg/config' with ../sgconfig/sg_config.yml
SUCC: Configuration for 'config' created or updated
Will update 'sg/roles' with ../sgconfig/sg_roles.yml
SUCC: Configuration for 'roles' created or updated
Will update 'sg/rolesmapping' with ../sgconfig/sg_roles_mapping.yml
SUCC: Configuration for 'rolesmapping' created or updated
Will update 'sg/internalusers' with ../sgconfig/sg_internal_users.yml
SUCC: Configuration for 'internalusers' created or updated
Will update 'sg/actiongroups' with ../sgconfig/sg_action_groups.yml
SUCC: Configuration for 'actiongroups' created or updated
Done with success
Note: the sgadmin command to run (with the -keypass value) is also given in README.txt in the downloaded certificate folder.
Open the cluster in a browser to verify that authentication works: https://admin:admin@<node-ip>:9200 (the table below is what /_cat/nodes?v returns)
ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
10.1.1.197 37 14 0 0.51 0.23 0.23 mdi - 10.1.1.197
10.1.1.196 29 10 0 0.14 0.09 0.12 mdi * 10.1.1.196
10.1.1.195 33 16 5 0.19 0.30 0.31 mdi - 10.1.1.195
If you see this output, the account setup works; admin:admin is the default administrator account. Accounts are covered later, in the Kibana chapter.
This is the first chapter, covering how to deploy Search Guard 6 on Elasticsearch 6.4.0.
The next chapter covers configuring Logstash for Search Guard 6 and how it authenticates.