Elasticsearch 权限控制
来源:互联网 发布:cntv live2是什么软件 编辑:程序博客网 时间:2024/05/22 10:01
随着ES的广泛使用,其安全问题也备受关注,虽然ES集群一般部署于公司内网,但多个业务部门使用同一套ES集群的情况非常多,如何做好数据共享、访问隔离,防止用户误操作、数据泄露等,这需要一套良好的权限控制机制。
1.方案调研
目前官方的安全模块Shield需要收费,所以普及率并不高,下面调研了以下几种方案:
1)elasticsearch-http-basic
https://github.com/Asquera/elasticsearch-http-basic
支持版本:目前最高支持elasticsearch.1.7.0
特点:部署简单,实现了账号认证和IP白名单认证功能,功能单一。
2)kibana-authentication-proxy
https://github.com/fangli/kibana-authentication-proxy
支持版本:Kibana 3 ,代码最后一次更新是2年前。
特点:针对kibana实现的认证,支持Google OAuth2,Basic Authentication, CAS Auth。
3)Shield
https://www.elastic.co/downloads/shield
支持版本:支持到Elaticsearch 2.x
特点:功能丰富,文档齐全,30天试用;
4)search-guard
https://github.com/floragunncom/search-guard
2.编译打包
mvn package -DskipTests
如果报以下错误:
[ERROR][com.floragunn.searchguard.SearchGuardPlugin] Class enhancements for DLS/FLS not successful due to javassist.CannotCompileException: [source error] no such field: context
修改SearchGuardPlugin类源码,并重新编译:
//me.insertAt(559, "if(callback != null) {callback.onCreateContext(context, request);}");me.insertAt(574, "if(callback != null) {callback.onCreateContext(context, request);}");
pom文件:
<build><plugins> <plugin> <artifactId>maven-assembly-plugin</artifactId> <configuration> <descriptorRefs> <descriptorRef>jar-with-dependencies</descriptorRef> </descriptorRefs> </configuration> <executions> <execution> <id>make-assembly</id> <phase>package</phase> <goals> <goal>single</goal> </goals> </execution> </executions> </plugin> <plugin> <groupId>org.codehaus.mojo</groupId> <artifactId>exec-maven-plugin</artifactId> <version>1.2.1</version> <executions> <execution> <goals> <goal>exec</goal> </goals> </execution> </executions> </plugin></plugins>
拷贝jar包到elastic search/plusgin/search-guard,注意目录target/releases/:
target/releases/search-guard-0.6-SNAPSHOT.jar
否则报错:
Caused by: java.lang.ClassNotFoundException: javassist.ClassPool [2015-11-19 18:37:24,287][INFO ][watcher.trigger.schedule ] [idc] using [ticker] schedule trigger engine{1.7.1}: Initialization Failed ...- NoClassDefFoundError[waffle/windows/auth/IWindowsAuthProvider]
3.手动安装
../bin/plugin -u file:./search-guard-0.6-SNAPSHOT.jar -i search-guard
日志:
-> Installing search-guard...Trying file:./search-guard-0.6-SNAPSHOT-jar-with-dependencies.jar...Downloading.........................................................................DONEInstalled search-guard into /usr/local/webserver/elasticsearch/plugins/search-guard
4.权限测试
{ "error": "ClassCastException[com.petalmd.armor.http.netty.SessionAwareNettyHttpChannel cannot be cast to org.elasticsearch.http.HttpChannel]", "status": 500
}
权限修改
curl -XPUT 'http://***.***.***.***:9200/armor/ac/ac' -d '{"acl": [{ "__Comment__": "By default no filters are executed and no filters a by-passed. In such a case an exception is thrown and access will be denied.", "hosts": ["*"], "indices": ["*"], "filters_bypass": [], "filters_execute": ["actionrequestfilter.readonly"] }, { "__Comment__": "For role *root* all filters are bypassed (so none will be executed). This means unrestricted access.", "hosts": ["*"], "roles": [ "root" ],"indices": ["*"], "filters_bypass": ["*"], "filters_execute": [] } ]
}’
armor 索引只允许在部署elasticsearch的机器上访问,否则会报错:
[2015-11-30 15:49:39,610][ERROR][com.petalmd.armor.filter.ArmorActionFilter] Forbidden while apply() due to com.petalmd.armor.authorization.ForbiddenException: Only allowed from localhost (loopback) for action indices:data/read/searchcom.petalmd.armor.authorization.ForbiddenException: Only allowed from localhost (loopback)
user1用户只有只读权限,在head界面创建索引时,会报如下错:
[2015-11-30 15:25:21,565][ERROR][com.petalmd.armor.filter.ArmorActionFilter] Forbidden while apply() due to com.petalmd.armor.authorization.ForbiddenException: Action 'indices:admin/create' is forbidden due to DEFAULT for action indices:admin/createcom.petalmd.armor.authorization.ForbiddenException: Action 'indices:admin/create' is forbidden due to DEFAULT
通过admin用户则成功创建test-log索引。
在添加权限后,往测试索引中添加数据无响应:
curl -XPOST 'http://***.***.***.***:9200/test-log/order' -d '{"date":"2015-11-20 15:39:00","customerID":"user1”}’,
需要加上具有写权限的用户名/密码:
curl -v --user admin:admin -XPOST 'http://***.***.***.***:9200/test-log/order' -d '{"date":"2015-11-20 15:39:00","customerID":"user1”}’* Hostname was NOT found in DNS cache* Trying 10.1.***.***...* Connected to 10.1.***.*** (10.1.***.***) port 9200 (#0)* Server auth using Basic with user 'admin'> POST /test-log/order HTTP/1.1> Authorization: Basic YWRtaW46YWRtaW4=> User-Agent: curl/7.37.1> Host: 10.1.***.***:9200> Accept: */*> Content-Length: 51> Content-Type: application/x-www-form-urlencoded> * upload completely sent off: 51 out of 51 bytes< HTTP/1.1 201 Created< Content-Type: application/json; charset=UTF-8< Content-Length: 94< * Connection #0 to host 10.1.***.*** left intact
返回结果:
{"_index":"test-log","_type":"order","_id":"AVFXVBQXMJgnGjM0BUcq","_version":1,"created":true}
此时在head界面,就能看到刚插入的数据了:
如果user1用户试图删除它没权限的索引:
curl -v --user user1:123 -XDELETE http://10.1.***.***:9200/armor
将返回:
{"error":"ForbiddenException[Only allowed from localhost (loopback)]","status":403}
- Elasticsearch 权限控制
- Elasticsearch、Kibana权限控制
- Elasticsearch、Kibana权限控制
- elasticsearch-jetty权限控制插件
- 【入门篇】Elasticsearch、Kibana权限控制
- elasticsearch+kibana实现权限控制-search-guard
- 【入门篇】Elasticsearch、Kibana权限控制
- elasticsearch使用jetty进行简单的权限控制
- 使用Shield保护ElasticSearch平台--兼权限控制
- 使用Shield保护ElasticSearch平台--兼权限控制
- 给Elasticsearch 和Kibana添加基于角色的访问权限控制
- elasticsearch 并发控制
- Elasticsearch分片控制
- Elasticsearch并发控制
- Elasticsearch 版本控制
- 权限控制
- 权限控制
- 权限控制
- 教你如何阅读Oracle数据库官方文档
- 数据库 datatime类型默认值 0000-00-00 00:00:00 错误
- 团体程序设计天梯赛L2-014 列车调度
- ListView中的Adaper传递监听事件到Actviity(事件监听)
- 如何解决在ie下,Echarts多次使用setOption更改数据时,数据错乱问题
- Elasticsearch 权限控制
- Android 通过动态代理设置事件监听
- PAT甲级1063. Set Similarity (25)
- RHLE7 系统进程管理
- android studio 怎么查看keystore
- 修改mysql数据库编码格式
- 用通俗易懂的话让你明白电容—储存电的东西
- 简单理解Socket 协议
- sql 之like 和通配符%,_(mysql)