Elasticsearch: Data Security
Analysis of ES security issues
1. A default ES installation provides no security protection of any kind
2. If server.host in the configuration file is set to 0.0.0.0, anyone on the public internet can access the node
Basic requirements for data security
1. Authentication: verify whether a user is legitimate
2. Authorization: only designated users may access data, with granularity down to the index level
3. Transport encryption
4. Audit logging
Free options
Set up an Nginx reverse proxy
Install a free security plugin
Search Guard
ReadOnly REST
The Basic tier of X-Pack
Starting with ES 6.8 and ES 7.0, Security is included in the Basic tier of X-Pack, so some of its features can be used for free
Authentication
Types of authentication schemes
Provide a username and password
Provide a key or a Kerberos ticket
Realms: the authentication services in X-Pack
Built-in realms (free)
File / Native (usernames and passwords are stored in Elasticsearch)
External realms (paid)
LDAP / Active Directory / PKI / SAML / Kerberos
RBAC: Authorization
What is RBAC?
Role Based Access Control: define a role, assign it a set of permissions, and then assign the role to users, so that a user holds all of the role's permissions. Permissions cover different operations at the index, field, and cluster level.
User:The authenticated User
Role:A named set of permissions
Permission:A set of one or more privileges against a secured resource
Privilege: A named group of one or more actions that a user may execute against a secured resource
Privilege
Cluster Privileges: all, monitor, manage, manage_index, manage_index_template, manage_rollup
Indices Privileges: all, create, create_index, delete, delete_index, index, manage, read, write, view_index_metadata
Built-in roles and users
Built-in users: apm_system, beats_system, elastic, kibana, logstash_system, remote_monitoring_user
Enabling and configuring X-Pack authentication and authorization
Via the command line
> bin/elasticsearch -E node.name=node1 -E cluster.name=my-application -E path.data=node1_data -E http.port=9200 -E abled=true -E xp abled=true
Or modify the configuration file
abled: true # enables the X-Pack authentication mechanism.
abled: true
If abled: true is not configured, ES fails to start with the following error:
[2020-11-20T13:44:14,454][INFO ][o.e.b.BootstrapChecks ] [node-prd2] bound or publishing to a non-loopback address, enforcing bootstrap checks ERROR: [1] bootstrap checks failed
[1]: Transport SSL must be enabled if security is enabled on a [basic] license. Please set [abled] to [true] or disable security by setting [abled] to [false]
[2020-11-20T13:44:14,486][INFO ][Node ] [node-prd2] stopping ...
[2020-11-20T13:44:14,519][INFO ][Node ] [node-prd2] stopped
[2020-11-20T13:44:14,520][INFO ][Node ] [node-prd2] closing ...
[2020-11-20T13:44:14,529][INFO ][Node ] [node-prd2] closed
[2020-11-20T13:44:14,531][INFO ][p.NativeController] [node-prd2] Native controller process has stopped - no new native processes can be started
Create the default users and groups, and set their passwords
interactive: set a password for each user one by one.
auto: generate the passwords automatically.
> [es@iZuf6cc5ecqw elasticsearch-7.1.0]$ ./bin/elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y
Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]
Configuring the Kibana connection
Once security authentication is enabled, Kibana must authenticate both to connect to ES and to access it, so Kibana's configuration has to change. There are two ways to do this: one stores the password in plaintext, the other in encrypted form.
Edit Kibana's configuration file
Kibana parameters explained:
elasticsearch.username: "kibana" # username used to connect to ES
elasticsearch.password: "the password set above for the built-in kibana user" # password used to connect to ES
ptionKey: "something_at_least_32_characters"
Encountered the following problem, not yet resolved!! After logging in with the kibana account, the following is displayed:
Encryption of ES internal data
Creating certificates for the nodes
TLS: the protocol requires X.509 certificates issued by a Trusted Certificate Authority (CA)
Certificate verification levels
Certificate: a joining node must present a certificate issued by the same CA
Full Verification: a joining node must present a certificate issued by the same CA, and its host name or IP address is verified as well
No Verification: any node can join; used for diagnostic purposes in development environments
Generating a CA with the ES tool
Step 1:
./bin/elasticsearch-certutil ca
This generates the file elastic-stack-ca.p12
Step 2:
./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
Inspect the generated file elastic-certificates.p12
[es@iZuf6cc5ecqwtujyw10rg3Z elasticsearch-7.1.0]$ ll
total 508
drwxr-xr-x 2 es root 4096 May 16 2019 bin
drwxr-xr-x 4 es root 4096 Nov 20 15:38 config
-rw------- 1 es es 3448 Nov 20 15:37 elastic-certificates.p12
-rw------- 1 es es 2524 Nov 20 15:32 elastic-stack-ca.p12
... (remaining entries omitted)
Step 3:
Create a certs folder under the ES config directory
mkdir config/certs
Copy the file elastic-certificates.p12 generated in step 2 into the certs folder
cp elastic-certificates.p12 config/certs/
Step 4:
Add the SSL configuration to the configuration file
abled: true
ansport.ssl.verification_mode: certificate
ansport.ssl.keystore.path: certs/elastic-certificates.p12
uststore.path: certs/elastic-certificates.p12
Step 5:
Restart ES
Verification
Start a node that has no certificate configured and check whether it joins the cluster. A node without the certificate cannot join, which shows that the authentication is in effect!
[2020-11-20T16:36:04,276][WARN ][r.suppressed ] [node-prd3] path: /.reporting-*/_search, params: {index=.reporting-*} org.elasticsearch.cluster.block.ClusterBlockException: blocked by: [SERVICE_UNAVAILABLE/1/state not recovered / initialized];
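As an added example (not part of the original notes), the following Python check reads an elasticsearch.yml and reports the weak states described on this page: a node bound to 0.0.0.0 with security off, security on without transport TLS (the bootstrap failure shown above), verification_mode set to none, or a missing keystore/truststore path. The setting names are the full X-Pack keys; both sample configurations are constructed for this example.

```python
"""Check a flat elasticsearch.yml for the X-Pack security settings this page covers."""
from typing import Dict, List

SSL = "xpack.security.transport.ssl."

def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse 'dotted.key: value  # comment' lines; enough for ES settings, not full YAML."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def audit_es_security(yaml_text: str) -> List[str]:
    """Return one finding per weak or missing setting; an empty list means all checks pass."""
    s = parse_flat_yaml(yaml_text)
    def enabled(key: str) -> bool:
        return s.get(key, "false").lower() == "true"
    findings: List[str] = []
    host = s.get("network.host", "127.0.0.1")   # ES binds to loopback when unset
    if not enabled("xpack.security.enabled"):
        findings.append("xpack.security.enabled is not true: no authentication or RBAC")
        if host not in ("127.0.0.1", "localhost", "_local_"):
            findings.append(f"network.host={host}: unauthenticated node reachable beyond loopback")
        return findings
    if not enabled(SSL + "enabled"):
        # The combination the bootstrap-check error above rejects on a basic license.
        findings.append("transport SSL disabled while security is enabled: node will not start")
    if s.get(SSL + "verification_mode", "full") == "none":
        findings.append("verification_mode=none: any node can join the cluster")
    for store in ("keystore", "truststore"):
        if not s.get(SSL + store + ".path"):
            findings.append(f"missing {SSL}{store}.path")
    return findings

# Constructed sample: the unprotected default described at the top of this page.
WEAK_CONFIG = """
network.host: 0.0.0.0      # bound to every interface, no security settings at all
"""
# Constructed sample: the settings from Step 4 above, with full key names.
HARDENED_CONFIG = """
network.host: 0.0.0.0
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
"""
```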