Elasticsearch Shield Plugin Installation Documentation
By default, Elasticsearch can be unrestricted access, if the external network is not safe, so, elastic officially provided shield plug-ins, you can achieve the rights control, but the downside is that this plug-in is charged, can be free trial for one months. Then let's try it.
The Shield plugin must is installed on every node in the cluster and every node must is restarted after installation. Plan for a complete cluster restart before beginning the installation process.
The Shield plug-in must be installed on every node in the cluster, and each node must be restarted to take effect after the installation is complete.
Schedule a full cluster restart before starting the installation process.
To install Shield 2.4.3, you need:
Before installing shield 2.4.3, you need to ensure that the following conditions
Java 7 or later
Elasticsearch 2.4.3
Elasticsearch License 2.4.3 Plugin
Note:you must run the version of Shield that matches the version of Elasticsearch you is running
Note: You must ensure that the version of Shield is consistent with the version of Elasticsearch you are running.
Installing Shield
1: Install license first
Bin/plugin Install license
2: Install the Shield plugin
Bin/plugin Install Shield
When installed, you will be prompted to enter Y to confirm.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ warning:plugin requires additional permissions @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
* Java.lang.RuntimePermission Setfactory
See http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html
For descriptions of what these permissions allow and the associated risks.
Continue with installation? [Y/n]y
3: "Default this step does not require action because ES does not disable the auto-create index library feature by default" If you have disabled automatic index creation in Elasticsearch, configure Action.auto_create_index in Elasticsearch.yml to allow Shield to create the. Security Index:
If you disable the ability to automatically create an index library in es. Then you need to configure Action.auto_create_index in Elasticsearch.yml to allow shield to create the. Security Index Library.
Action.auto_create_index:. Security
4: Start/restart ES
Bin/elasticsearch
Create User: User Level
Admin
Can perform any cluster or index action.
Operations can be performed on all clusters or index libraries
Power_user
Can monitor the cluster and perform any index action.
can monitor the cluster and perform operations on all index libraries
User
Can perform read actions on any index. You can perform a read operation on all index libraries
Create user command: "Prompt user to set password after execution"
Bin/shield/esusers useradd es_admin-r Admin
Explain:
Useradd: Indicates adding a user
Es_admin: Represents the user name to be created
-r: Specify permission information
Admin: Give admin permission to new user
Note:when prompted, enter a password for the new user. Passwords must is at least 6 characters long.
Note: When prompted for a password, set a new password for the new user, and the password must contain at least 6 characters
Access to Es:-u es_admin means access using user Es_admin
Curl-u es_admin-xget ' http://localhost:9200/'
The access prompts you to enter the password you just set.
This will require you to enter your username and password when you visit Es again later.
Shield can also be used in Kibana
Https://www.elastic.co/guide/en/shield/current/kibana.html
If Your security requirements is more complex, you can also:
If your security requirements are more complex, you can do this
Https://www.elastic.co/guide/en/shield/current/enable-basic-auth.html
1:define and use Custom Roles for fine-grained access control.
Defining and using fine-grained access control for custom roles
2:integrate with LDAP or Active Directory, or require certificates for authentication.
Use LDAP or Active Directory integration, or use certificates for authentication.
3:use IP Filtering to allow or the deny requests from particular IP addresses or address ranges.
Use IP to filter requests from a specific IP address or range of addresses
Https://www.elastic.co/guide/en/shield/current/ip-filtering.html
After you turn on shield, use the JAVAAPI operation to perform the following steps
Https://www.elastic.co/guide/en/shield/current/_using_elasticsearch_java_clients_with_shield.html
1: Add maven dependencies in the Pom file in the Java project
Elasticsearch-releases
Https://maven.elasticsearch.org/releases
True
False
Org.elasticsearch.plugin
Shield
2.4.3
Note: The Maven dependent version of Shield must be 2.4.3, and the official example is that 2.2.0 is not working properly. Because our shield installed version is also 2.4.3, to keep the version consistent.
2: The code is as follows:
Settings Settings = Settings.settingsbuilder ()
. put ("Cluster.name", "Elasticsearch")
Set the user name and password created by shield
. put ("Shield.user", "es_admin:123456")
. build ();
Transportclient client = Transportclient.builder ()
Add Shield Plugin
. Addplugin (Shieldplugin.class)
. settings (Settings). build ();
Client.addtransportaddress (New Inetsockettransportaddress (Inetaddress.getbyname ("192.168.80.100"), 9300));
Uninstalling Shield
To uninstall Shield:
If you do not want to use shield, you need to remove.
1: Stop ES
2: Remove the shield plugin from es:
Bin/plugin Remove Shield
3: Start es.
For more information on big data, videos and technical exchanges, please Dabigatran:
QQ Group No. 1:295,505,811 (full)
QQ Group No. 2:54,902,210
QQ Group No. 3:555,684,318