Uni3orns · 2016/06/23 11:09

Author: uni3orns

Reference content:

  • Kibana. Logstash. Es/content/ela…
  • groups.google.com/forum/#! The for…
  • Github.com/floragunnco…

This article is based on the following software versions; other versions may differ slightly:

  • Elasticsearch 2.3.3
  • Search-guard 2.3.3 RC1

0x00 Background


Elasticsearch is an open source, distributed, RESTful search engine built on Lucene and used in a wide range of scenarios. As it has grown, security problems have inevitably followed, such as CVE-2015-3337 and CVE-2015-5531. Faced with these vulnerabilities (0days included) and with several business lines sharing one ES cluster, an authentication and authorization layer becomes essential. After the move from Elasticsearch 1.x to 2.x, the only mainstream options are the official Shield and the open source Search-guard, and our shop is on a tight budget.

0x01 Search-guard


Since the 2.x update, Search-guard's configuration closely resembles Shield's, and it is logically looser than the 1.x version.

The advantages of Search-guard are:

  • Data between nodes is transmitted over SSL/TLS
  • Supports both JDK SSL and OpenSSL
  • Supports hot reloading, so the service need not be restarted
  • Supports Kibana 4 and Logstash configurations
  • Different users can be granted different permissions
  • Simple configuration

0x02 Installation


Install search-guard-ssl:

    sudo bin/plugin install -b com.floragunn/search-guard-ssl/2.3.3.11

Install search-guard-2:

    sudo bin/plugin install -b com.floragunn/search-guard-2/2.3.3.0-rc1

0x03 Certificates


Modify the official script to generate the admin certificate, the node certificates and the root certificate. Place the node certificate and the root certificate in the Elasticsearch config directory, and place the admin certificate and the root certificate in the Search-guard config directory.

Tip: all certificates must be generated together, from the same root certificate

0x04 Configuring ElasticSearch to support SSL


Add the following to elasticsearch.yml:

#############################################################################################
#                                       SEARCH GUARD                                        #
#                                       Configuration                                       #
#############################################################################################
# Add the following properties to your standard elasticsearch.yml
# (alongside with the SG SSL settings)
# This settings must always be the same on all nodes in the cluster

# This defines the DNs (distinguished names) of certificates
# to which admin privileges should be assigned
security.manager.enabled: false
searchguard.authcz.admin_dn:
  - "CN=kirk,OU=client,O=client,l=tEst, C=De"
# kirk is the administrator here; change this to suit your own setup
# This is optional
# Only needed when impersonation is used
# Allow DNs (distinguished names) to impersonate as other users
#searchguard.authcz.impersonation_dn:
#  "CN=spock,OU=client,O=client,L=Test,C=DE":
#    - worf
#  "cn=webuser,ou=IT,ou=IT,dc=company,dc=com":
#    - user2
#    - user1

# Auditlog configuration:

searchguard.audit.type: internal_elasticsearch
#searchguard.audit.type: external_elasticsearch
#searchguard.audit.config.http_endpoints: ['localhost:9200','localhost:9201','localhost:9202']
#searchguard.audit.config.index: auditlog # make sure you secure this index properly
#searchguard.audit.config.type: auditlog
#searchguard.audit.config.username: auditloguser
#searchguard.audit.config.password: auditlogpassword
#searchguard.audit.config.enable_ssl: false
#searchguard.audit.config.verify_hostnames: false
#searchguard.audit.config.enable_ssl_client_auth: false

# If Kerberos authentication should be used you have to configure this:

# The absolute path or relative path to config/ directory
# to krb5.conf file
#searchguard.kerberos.krb5_filepath: '/etc/krb5.conf'

# The absolute path or relative path to config/ directory
# to the keytab where the acceptor_principal credentials are stored.
#searchguard.kerberos.acceptor_keytab_filepath: 'eskeytab.tab'

#############################################################################################
#                                     SEARCH GUARD SSL                                      #
#                                       Configuration                                       #
#############################################################################################


#############################################################################################
# Transport layer SSL                                                                       #
#                                                                                           #
#############################################################################################
# Enable or disable node-to-node ssl encryption (default: true)
searchguard.ssl.transport.enabled: true
# JKS or PKCS12 (default: JKS)
searchguard.ssl.transport.keystore_type: JKS
# Relative path to the keystore file (mandatory, this stores the server certificates), must be placed under the config/ dir
searchguard.ssl.transport.keystore_filepath: node-1-keystore.jks
# This node's own certificate, generated from the node name
# Alias name (default: first alias which could be found)
#searchguard.ssl.transport.keystore_alias: my_alias
# Keystore password (default: changeit)
#searchguard.ssl.transport.keystore_password: changeit

# JKS or PKCS12 (default: JKS)
searchguard.ssl.transport.truststore_type: JKS
# Relative path to the truststore file (mandatory, this stores the client/root certificates), must be placed under the config/ dir
searchguard.ssl.transport.truststore_filepath: truststore.jks
# Alias name (default: first alias which could be found)
#searchguard.ssl.transport.truststore_alias: my_alias
# Truststore password (default: changeit)
searchguard.ssl.transport.truststore_password: changeit
# Enforce hostname verification (default: true)
searchguard.ssl.transport.enforce_hostname_verification: true
# Without a certificate server this must be set to false, otherwise the node cannot join the cluster
# If hostname verification specify if hostname should be resolved (default: true)
searchguard.ssl.transport.resolve_hostname: true
# Use native Open SSL instead of JDK SSL if available (default: true)
searchguard.ssl.transport.enable_openssl_if_available: false

# Enabled SSL cipher suites for transport protocol (only Java format is supported)
# WARNING: Expert setting, do only use if you know what you are doing
# If you set wrong values here this could be a security risk
#searchguard.ssl.transport.enabled_ciphers:
#  - "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
#  - "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256"

# Enabled SSL protocols for transport protocol (only Java format is supported)
# WARNING: Expert setting, do only use if you know what you are doing
# If you set wrong values here this could be a security risk
#searchguard.ssl.transport.enabled_protocols:
#  - "TLSv1.2"

#############################################################################################
# HTTP/REST layer SSL                                                                       #
#                                                                                           #
#############################################################################################
# Enable or disable rest layer security - https, (default: false)
#searchguard.ssl.http.enabled: true
# JKS or PKCS12 (default: JKS)
#searchguard.ssl.http.keystore_type: PKCS12
# Relative path to the keystore file (this stores the server certificates), must be placed under the config/ dir
#searchguard.ssl.http.keystore_filepath: keystore_https_node1.jks
# Alias name (default: first alias which could be found)
#searchguard.ssl.http.keystore_alias: my_alias
# Keystore password (default: changeit)
#searchguard.ssl.http.keystore_password: changeit
# Do the clients (typically the browser or the proxy) have to authenticate themself to the http server, default is OPTIONAL
# To enforce authentication use REQUIRE, to completely disable client certificates use NONE
#searchguard.ssl.http.clientauth_mode: REQUIRE
# JKS or PKCS12 (default: JKS)
#searchguard.ssl.http.truststore_type: PKCS12
# Relative path to the truststore file (this stores the client certificates), must be placed under the config/ dir
#searchguard.ssl.http.truststore_filepath: truststore_https.jks
# Alias name (default: first alias which could be found)
#searchguard.ssl.http.truststore_alias: my_alias
# Truststore password (default: changeit)
#searchguard.ssl.http.truststore_password: changeit
# Use native Open SSL instead of JDK SSL if available (default: true)
#searchguard.ssl.http.enable_openssl_if_available: false

# Enabled SSL cipher suites for http protocol (only Java format is supported)
# WARNING: Expert setting, do only use if you know what you are doing
# If you set wrong values here this could be a security risk
#searchguard.ssl.http.enabled_ciphers:
#  - "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
#  - "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256"

# Enabled SSL protocols for http protocol (only Java format is supported)
# WARNING: Expert setting, do only use if you know what you are doing
# If you set wrong values here this could be a security risk
#searchguard.ssl.http.enabled_protocols:
#  - "TLSv1.2"

Restart Elasticsearch.

Note: any change to elasticsearch.yml requires an Elasticsearch restart to take effect

Configuration File Introduction

Search-guard has five main configuration files under plugins/search-guard-2/sgconfig:

sg_config.yml:

  • The main configuration file; it does not need to be changed

sg_internal_users.yml:

  • Local user file that defines users, their password hashes and the roles they carry. For example, for ELK we need a Kibana login user and a Logstash user:

    kibana4:
      hash: $2a$12$xZOcnwYPYQ3zIadnlQIJ0eNhX1ngwMkTN.oMwkKxoGvDVPn4/6XtO
      # password is: kirk
      roles:
        - kibana4
    logstash:
      hash: $2a$12$xZOcnwYPYQ3zIadnlQIJ0eNhX1ngwMkTN.oMwkKxoGvDVPn4/6XtO
      roles:
        - logstash

The password hash can be generated with plugins/search-guard-2/tools/hash.sh

sg_roles.yml:

  • Permission (role) file, which ships with sample roles for Kibana 4 and Logstash:

    #<sg_role_name>:
    #  cluster:
    #    - '<permission>'
    #  indices:
    #    '<indexname or alias>':
    #      '<type>':
    #        - '<permission>'
    #      _dls_: '<querydsl query>'
    #      _fls_:
    #        - '<field>'
    #        - '<field>'
    sg_kibana4:
      cluster:
        - cluster:monitor/nodes/info
        - cluster:monitor/health
      indices:
        '*':
          '*':
            - indices:admin/mappings/fields/get
            - indices:admin/validate/query
            - indices:data/read/search
            - indices:data/read/msearch
            - indices:admin/get
            - indices:data/read/field_stats
        '?kibana':
          '*':
            - indices:admin/exists
            - indices:admin/mapping/put
            - indices:admin/mappings/fields/get
            - indices:admin/refresh
            - indices:admin/validate/query
            - indices:data/read/get
    sg_logstash:
      cluster:
        - indices:admin/template/get
        - indices:admin/template/put
      indices:
        'logstash-*':
          '*':
            - WRITE
            - indices:data/write/bulk
            - indices:data/write/delete
            - indices:data/write/update
            - indices:data/read/search
            - indices:data/read/scroll
            - CREATE_INDEX

sg_roles_mapping.yml:

  • Defines the user-to-role mapping; add mappings for the Kibana and Logstash users:

    sg_logstash:
      users:
        - logstash
    sg_kibana4:
      backendroles:
        - kibana
      users:
        - kibana4

sg_action_groups.yml:

  • Defines the action groups, i.e. named bundles of permissions such as the WRITE and CREATE_INDEX used in sg_roles.yml
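To see how these files fit together, here is an added example (not from this post and not Search-guard's own code) that models the resolution chain user -> roles mapping -> role -> index pattern -> permission, using the kibana4 and logstash entries from the files above. The contents of sg_action_groups.yml (WRITE, CREATE_INDEX) are an assumption, since the post does not show that file.

```python
from fnmatch import fnmatch

# Transcribed from the sg_roles_mapping.yml and sg_roles.yml shown above.
ROLES_MAPPING = {"sg_logstash": {"users": ["logstash"]},
                 "sg_kibana4": {"backendroles": ["kibana"], "users": ["kibana4"]}}
ROLES = {
    "sg_kibana4": {
        "cluster": ["cluster:monitor/nodes/info", "cluster:monitor/health"],
        "indices": {
            "*": {"*": ["indices:admin/mappings/fields/get", "indices:admin/validate/query",
                        "indices:data/read/search", "indices:data/read/msearch",
                        "indices:admin/get", "indices:data/read/field_stats"]},
            # fnmatch treats '?' as a one-character wildcard, so '?kibana' covers .kibana
            "?kibana": {"*": ["indices:admin/exists", "indices:admin/mapping/put",
                              "indices:admin/mappings/fields/get", "indices:admin/refresh",
                              "indices:admin/validate/query", "indices:data/read/get"]}}},
    "sg_logstash": {
        "cluster": ["indices:admin/template/get", "indices:admin/template/put"],
        "indices": {"logstash-*": {"*": ["WRITE", "indices:data/write/bulk",
                                         "indices:data/write/delete", "indices:data/write/update",
                                         "indices:data/read/search", "indices:data/read/scroll",
                                         "CREATE_INDEX"]}}}}
# ASSUMED contents of sg_action_groups.yml; the post does not show this file.
ACTION_GROUPS = {"WRITE": ["indices:data/write/*"], "CREATE_INDEX": ["indices:admin/create"]}

def roles_for(user, backend_roles=()):
    """Roles granted by sg_roles_mapping.yml, by user name or by backend role."""
    return sorted(role for role, m in ROLES_MAPPING.items()
                  if user in m.get("users", ()) or set(backend_roles) & set(m.get("backendroles", ())))

def expand(perms):
    """Replace action-group names (WRITE, CREATE_INDEX) with the permissions they bundle."""
    return [p for perm in perms for p in ACTION_GROUPS.get(perm, [perm])]

def allowed(user, action, index=None, backend_roles=()):
    """True if one of the user's roles grants `action`: cluster-wide when index is
    None, otherwise on an index pattern matching `index` (any document type)."""
    for role in roles_for(user, backend_roles):
        spec = ROLES.get(role, {})
        if index is None:
            granted = expand(spec.get("cluster", []))
        else:
            granted = [p for pattern, types in spec.get("indices", {}).items()
                       if fnmatch(index, pattern)
                       for perms in types.values() for p in expand(perms)]
        if any(fnmatch(action, g) for g in granted):
            return True
    return False
```

With these files, the logstash user can bulk-write to logstash-* but cannot even read .kibana, and kibana4 can write mappings only to .kibana.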

Load the configuration to activate it:

    sh plugins/search-guard-2/tools/sgadmin.sh \
      -cn <cluster name, default: elasticsearch> \
      -h 127.0.0.1 \
      -cd plugins/search-guard-2/sgconfig \
      -ks plugins/search-guard-2/sgconfig/kirk-keystore.jks -kspass kspass \
      -ts plugins/search-guard-2/sgconfig/truststore.jks -tspass tspass \
      -nhnv

Whenever you change the Search-guard configuration files, run sgadmin.sh again to reload them.

Note: changes to the Search-guard configuration do not require an Elasticsearch restart, because the configuration is actually stored in the searchguard index.

Elasticsearch can now be used securely.

LDAP and HTTPS configuration will be covered in the next article.