Published 2023-06-21 (author:)

Using Search Guard to fix unauthenticated access to Elasticsearch

Background: a production ES cluster, version 6.2.4. Although it sits on the internal network, a security scan reported an Elasticsearch unauthenticated access issue, so HTTP basic authentication has to be added.

Options: the elasticsearch-http-basic plugin only supports ES 1.x and has not been updated in nearly 3 years; we run 6.x in production, so that plugin is out.
Option 1: use the Search Guard plugin (community edition) for the basic HTTP basic authentication it provides; in essence this is a Search Guard filter placed in front of the ES cluster.
Option 2: put nginx in front of the ES cluster and let nginx provide HTTP basic authentication.
Option 3: X-Pack Elasticsearch Security, which needs a paid license.
We chose option 1.

Download:
search-guard-6-6.2.4-23.0
search-guard-kibana-plugin-6-6.4.0-19.0

Install Search Guard:
Install the Search Guard Kibana plugin:

Config directory: ES install dir/elasticsearch/plugins/search-guard-6/sgconfig
This is an RBAC data-permission model:
sg_internal_ -- users
sg_ -- roles
sg_roles_ -- user-to-role mapping
sg_action_ -- permissions (the role-to-permission mapping is in here as well)

sg_ -- modular configuration; choose which configuration to activate

ES install dir/elasticsearch/plugins/search-guard-6/tools
Of these, the hash tool generates password hashes and install_demo_ sets up the demo configuration. You can also choose not to run the script: prepare the relevant files by hand and then configure them in the settings file.
Since we do not use SSL, set the corresponding option to: false

The script prints: This will update the Search Guard configuration with the contents of the files located in: /plugins/search-guard-/config/
Configure the licence: in the config file, set rise_modules_enabled: false

Transport client error
We originally only wanted the HTTP basic authentication feature, not TLS, but then found: "There are two main configuration sections, one for the transport layer, and one for the REST layer. For the REST layer, TLS is optional, while it is mandatory for the transport layer."

"For a Transport Client to talk to a Search Guard secured Elasticsearch cluster, the following requirements must be met:
- The Transport Client needs to authenticate itself against the cluster by sending a trusted TLS certificate
- A role with appropriate permissions has to be configured in Search Guard, either based on the hostname of the client, or the DN of the certificate"
Two things therefore need to be configured:

1. In the ES configuration, _dn: is set to
- "CN=kirk,OU=client,O=client,L=test,C=de"

Official reference: AN INTRODUCTION TO TLS CERTIFICATES: "The first thing you can check is the issuer of the certificate. The issuer is identified by a DN (distinguished name). A DN can contain the following fields:"

Meaning of CN, OU, O, L, S and C in LDAP:
CN = commonName
OU = organizationUnit
O = organizationName
L = localityName
S = stateName
C = country

This means the transport client is allowed in with the admin certificate, i.e. with the admin DN of the certificate.

2. Changes in the Java program
Add the dependency:
compileOnly group: 'unn', name: 'search-guard-5', version: '5.6.8-19'
One thing to note: we use the Spring Boot 2.0 starter compile(':spring-boot-starter-data-elasticsearch'), whose Elasticsearch packages are version 5.6.8. The search-guard-6 dependency turned out to be incompatible with it; switching to search-guard-5 worked.
Modify the TransportClient. Note that the paths must be absolute and must point to the expected certificate files; if the other pair of files is used, requests fail with: No user found for [indices:data/read/search]
Reference:

Here we use the first authentication method, certificate authentication, rather than username and password.

Result
After restarting ES, Search Guard creates a searchguard index.
The end result: after adding Search Guard, the transport client is unaffected, and HTTP requests go through HTTP basic authentication.
Cluster environment: every machine in the cluster has to unpack the plugin and run the corresponding script.
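A check for the end state described above, added here as an example and not part of the original post or of Search Guard: it requests the REST endpoint once anonymously and once with an internal user, and reports whether anonymous access is still open (the original scan finding), whether the rejection carries a Basic challenge, and whether the credentials are accepted. The `/_cluster/health` path, the example user and the two fake fetchers are assumptions; the fakes are constructed stand-ins for the cluster before and after Search Guard so the check runs offline.

```python
import base64
import urllib.error
import urllib.request

def http_fetch(url, auth_header=None, timeout=5):
    """GET url and return (status, lower-cased headers); 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, method="GET")
    if auth_header:
        req.add_header("Authorization", auth_header)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}

def basic_auth_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def check_es_basic_auth(base_url, user, password, fetch=http_fetch):
    """Probe /_cluster/health anonymously and with credentials (path is an assumption).

    exposed    - anonymous request succeeded: the unauthenticated-access finding still stands
    denied     - anonymous request was rejected (401/403)
    challenged - the rejection carried a Basic challenge, i.e. HTTP basic auth is enforced
    cred_ok    - the supplied internal user is accepted
    """
    anon_status, anon_headers = fetch(base_url + "/_cluster/health")
    auth_status, _ = fetch(base_url + "/_cluster/health", basic_auth_header(user, password))
    challenge = anon_headers.get("www-authenticate", "")
    return {
        "exposed": anon_status == 200,
        "denied": anon_status in (401, 403),
        "challenged": anon_status == 401 and challenge.lower().startswith("basic"),
        "cred_ok": auth_status == 200,
    }

# Constructed stand-ins for the two cluster states, so the check can be exercised offline.
def fake_open_cluster(url, auth_header=None):
    return 200, {"content-type": "application/json"}          # before Search Guard: anyone gets in

def fake_secured_cluster(url, auth_header=None):
    if auth_header == basic_auth_header("ops", "demo-pw"):    # after Search Guard: internal user only
        return 200, {"content-type": "application/json"}
    return 401, {"www-authenticate": 'Basic realm="Search Guard"'}

if __name__ == "__main__":
    # Assumed endpoint and user; replace with your own before running against a real cluster.
    print(check_es_basic_auth("http://127.0.0.1:9200", "ops", "demo-pw"))
```

A healthy result after the change is exposed=False, denied=True, challenged=True, cred_ok=True; exposed=True means the scan finding is still reproducible.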
