Shield Installation and Configuration
https://www.elastic.co/guide/en/shield/shield-1.3/introduction.html
First, Introduction
Shield is an Elasticsearch plugin that secures your Elasticsearch cluster.
Shield features:
1. User authentication
2. SSL/TLS encryption
3. Auditing
Second, installation
I'm using shield-1.3.
Installing the Elasticsearch Cluster
Shield requires a license; here we install and use it on an offline machine, so both packages are downloaded first and installed from local files.
A. Download the license: https://download.elastic.co/elasticsearch/license/license-latest.zip
# pwd
/usr
# wget https://download.elastic.co/elasticsearch/license/license-latest.zip
......
B. Download Shield: https://download.elastic.co/elasticsearch/shield/shield-latest.zip
# pwd
/usr
# wget https://download.elastic.co/elasticsearch/shield/shield-latest.zip
......
C. Install license and shield
Note: /usr/share/elasticsearch/ is the Elasticsearch installation directory, and file:// is the URL prefix for a local file.
# /usr/share/elasticsearch/bin/plugin -i license -u file:///usr/license-latest.zip
......
# /usr/share/elasticsearch/bin/plugin -i shield -u file:///usr/shield-latest.zip
......
Check:
# ll /usr/share/elasticsearch/plugins/
......
license
shield
......
# curl -XGET 'http://{ip}:9200/'
=> The cluster is no longer accessible without credentials; authentication is now required.
......
First create an admin user:
# /usr/share/elasticsearch/bin/shield/esusers useradd es_admin -r admin
......
# curl -XGET -u es_admin:{passwd} 'http://{ip}:9200/'
Third, message authentication (enable messages authentication)
https://www.elastic.co/guide/en/shield/shield-1.3/enable-message-authentication.html
Message authentication verifies that messages have not been tampered with in transit.
1. Generate the key:
# /usr/share/elasticsearch/bin/shield/syskeygen
......
This generates ES_HOME/config/shield/system_key; then configure shield.system_key.file in elasticsearch.yml to point to it.
2. Copy the key to every other node; the key must be identical on all nodes.
Fourth, user authentication configuration (setting up user authentication)
To access restricted resources, a user must present identity verification information, such as a password.
1. esusers (Shield's built-in realm)
https://www.elastic.co/guide/en/shield/shield-1.3/esusers.html
https://www.elastic.co/guide/en/shield/shield-1.3/_managing_users_in_an_esusers_realm.html
Add users (adding users):
# /usr/share/elasticsearch/bin/shield/esusers useradd test_1
(prompts you to enter a password)
# /usr/share/elasticsearch/bin/shield/esusers useradd test_1 -p test_1
(creates user test_1 with password test_1)
# /usr/share/elasticsearch/bin/shield/esusers list
# "userid" : "roleid"
......
test_1 : -
......
The default role is "-", which has no permissions; roles and permissions are explained later.
Change a user's password (managing user passwords):
# /usr/share/elasticsearch/bin/shield/esusers passwd test_1 -p test_1
2. Role-based access control
https://www.elastic.co/guide/en/shield/shield-1.3/configuring-rbac.html
Define roles (defining roles): roles.yml
# pwd
/etc/elasticsearch/shield
# ll
total 36
-rwxr-xr-x 1 elasticsearch elasticsearch 1119 Nov  9 05:21 logging.yml
-rw------- 1 elasticsearch elasticsearch 1119 Nov  9 06:28 logging.yml.new
-rwxr-xr-x 1 elasticsearch elasticsearch  473 Nov  9 05:21 role_mapping.yml
-rw------- 1 elasticsearch elasticsearch  473 Nov  9 06:28 role_mapping.yml.new
-rwxr-xr-x 1 elasticsearch elasticsearch 2634 Nov 12 09:06 roles.yml          => mapping of roles to permissions
-rw------- 1 elasticsearch elasticsearch 2699 Nov  9 06:28 roles.yml.new
-rw------- 1 elasticsearch elasticsearch  128 Nov 12 08:24 system_key.new
-rwxr-xr-x 1 elasticsearch elasticsearch  410 Nov 12 09:02 users              => user information
-rw------- 1 elasticsearch elasticsearch    0 Nov  9 06:28 users.new
-rwxr-xr-x 1 elasticsearch elasticsearch   85 Nov 12 09:02 users_roles        => user-to-role mapping
-rw------- 1 elasticsearch elasticsearch    0 Nov  9       users_roles.new
The default roles are: admin, power_user, user
......
Example 1: create a user test_logstash that can only access the logstash-* indices.
1. Create a role:
# vi /etc/elasticsearch/shield/roles.yml
......
logstash_user:
  cluster: all
  indices:
    'logstash-*': indices:data/read/search, indices:data/read/get, indices:admin/get   => read permissions
......
2. Create the user and assign the role:
# /usr/share/elasticsearch/bin/shield/esusers useradd test_logstash -p test_logstash -r logstash_user
......
3. Verify from the web UI or the terminal: can the user access the logstash-* indices, can it write to them, and can it access other indices?
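As an added example (not part of the original post), the POSIX shell script below performs step 3 with curl; it assumes the cluster is reachable at ES_URL (default http://127.0.0.1:9200) and probes the test_logstash account created above. The last probe shows that, because the role above sets cluster: all, this "read-only" user still reaches cluster-level APIs.

```shell
#!/bin/sh
# Probe the logstash_user role from the example above with the test_logstash account.
# Assumptions (not from the original post): cluster at ES_URL, credentials in ES_USER/ES_PASS.
ES_URL="${ES_URL:-http://127.0.0.1:9200}"
ES_USER="${ES_USER:-test_logstash}"
ES_PASS="${ES_PASS:-test_logstash}"

# status_of METHOD PATH [BODY]: print only the HTTP status code of one authenticated request
status_of() {
  if [ -n "${3:-}" ]; then
    curl -s -o /dev/null -w '%{http_code}' -u "$ES_USER:$ES_PASS" -X "$1" "$ES_URL$2" -d "$3"
  else
    curl -s -o /dev/null -w '%{http_code}' -u "$ES_USER:$ES_PASS" -X "$1" "$ES_URL$2"
  fi
}

# verdict EXPECTED ACTUAL: Shield answers 403 when the user lacks a privilege and 401 when
# the credentials themselves are rejected, so a 401 points at the esusers account, not the role.
verdict() {
  case "$2" in
    "$1") echo "PASS" ;;
    401)  echo "FAIL (401: authentication failed, check the esusers account)" ;;
    *)    echo "FAIL" ;;
  esac
}

# check DESCRIPTION EXPECTED METHOD PATH [BODY]: run one probe and report the outcome
check() {
  actual=$(status_of "$3" "$4" "${5:-}")
  printf '%-42s expected %s, got %s -> %s\n' "$1" "$2" "$actual" "$(verdict "$2" "$actual")"
}

run_all() {
  check "search logstash-*"                 200 GET  "/logstash-*/_search?size=0"
  check "index a document into logstash-*"  403 POST "/logstash-probe/doc/" '{"msg":"probe"}'
  check "search an index outside the role"  403 GET  "/other-index/_search?size=0"
  # The page's role sets 'cluster: all', so this cluster-admin call succeeds for the
  # "read-only" user; a narrower cluster privilege such as 'monitor' would limit it.
  check "cluster health (cluster: all)"     200 GET  "/_cluster/health"
}

# Run the probes only when asked, e.g.:  sh verify_shield_rbac.sh run
case "${1:-}" in
  run) run_all ;;
esac
```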
3. LDAP Authentication