Elasticsearch 利用search-guard添加权限控制

1、添加权限认证步骤,安装对应版本的插件：（1）Install latest version of search-guard-ssl pluginsudobin/plugin install -b com.floragunn/search-guard-ssl/2.3.4.14

2、（2）Install search-guard-2 pluginsudobin/plugin install -b com.floragunn/search-guard-2/2.3.4.3

3、（3）elasti罕铞泱殳csearch.yml添加配置searchguard.authentication.authentication_backend.impl: com.floragunn.searchguard.authentication.backend.simple.SettingsBasedAuthenticationBackendsearchguard.authentication.authorizer.impl: com.floragunn.searchguard.authorization.simple.SettingsBasedAuthorizatorsearchguard.authentication.http_authenticator.impl: com.floragunn.searchguard.authentication.http.basic.HTTPBasicAuthenticatorsearchguard.actionrequestfilter.names: ["none"]searchguard.actionrequestfilter.none.allowed_actions: []searchguard.transport_auth.enabled: truemarvel.agent.exporter.es.hosts: [ "http://用户名:密码@192.168.8.107:9200"]searchguard.authentication.authorization.settingsdb.roles.admin: ["root"]searchguard.authentication.settingsdb.user.admin:密码security.manager.enabled: falsesearchguard.audit.type: internal_elasticsearch##############################################################################################SEARCH GUARD##Configuration##############################################################################################searchguard.enable: truesearchguard.authcz.admin_dn:- CN=admin##############################################################################################SEARCH GUARD SSL##Configuration############################################################################################################################################################################################ Transport layer SSL################################################################################################# Enable or disable node-to-node ssl encryption (default: true)searchguard.ssl.transport.enabled: true# JKS or PKCS12 (default: JKS)#searchguard.ssl.transport.keystore_type: PKCS12# Relative path to the keystore file (mandatory, this stores the server certificates), must be placed under the config/ dirsearchguard.ssl.transport.keystore_filepath: node-0-keystore.jks# Alias name (default: first alias which could be found)#searchguard.ssl.transport.keystore_alias: my_alias# Keystore password (default: changeit)searchguard.ssl.transport.keystore_password:密码# JKS or PKCS12 (default: JKS)searchguard.ssl.transport.keystore_type: JKS#searchguard.ssl.transport.truststore_type: PKCS12# Relative path to the truststore file (mandatory, this stores the client/root certificates), must be placed under the config/ dirsearchguard.ssl.transport.truststore_filepath: truststore.jks# Alias name (default: first alias which could be found)#searchguard.ssl.transport.truststore_alias: my_alias# Truststore password (default: changeit)searchguard.ssl.transport.truststore_password:密码#Enforcehostname verification (default: true)searchguard.ssl.transport.enforce_hostname_verification: false#Ifhostname verification specify if hostname should be resolved (default: true)searchguard.ssl.transport.resolve_hostname: false# Use native Open SSL instead of JDK SSL if available (default: true)searchguard.ssl.transport.enable_openssl_if_available: false

4、（4）下载sear罕铞泱殳ch-guard-ssl-2.3.4源码利用/home/elasticsearch/s髫潋啜缅earch-guard-ssl-2.3.4/example-pki-scripts生成根证书，节点密码，客户端密码,文件名称node-0-keystore.jks，truststore.jks复制到：/home/elasticsearch/elasticsearch-2.3.4/config/node-0-keystore.jks/home/elasticsearch/elasticsearch-2.3.4/config/truststore.jks/home/elasticsearch/elasticsearch-2.3.4/plugins/search-guard-2/sgconfig/truststore.jks/home/elasticsearch/elasticsearch-2.3.4/plugins/search-guard-2/sgconfig/admin-keystore.jks

5、（5）启动elasticsearch（6）执行以下代码完成插件初始化./plugins/search-guard-2/tools/sgadmin.sh -cn密码-h 192.168.8.107 –p 9982 -cd plugins/search-guard-2/sgconfig -ks plugins/search-guard-2/sgconfig/admin-keystore.jks -kspass密码-ts plugins/search-guard-2/sgconfig/truststore.jks -tspass密码–nhnv