Official account: manong charging station pro
Home page: https://codeshellme.github.io
After installation, ES has no security protection enabled by default.
ES security management mainly covers the following areas:
- Authentication: verifies whether the accessing user is legitimate.
- Authorization: controls what an authenticated user is allowed to access.
- Transport encryption: data is encrypted while in transit.
- Audit logging: records operations performed on the cluster.
- etc.
Some free security solutions:
- Put an Nginx reverse proxy in front of ES.
- Install a free security plugin, such as:
- Search Guard: an ES plugin for security and alerting, available in paid and free editions.
- Readonly REST
- The Basic (free) tier of X-Pack: refer to here.
1. Authentication
The authentication mechanism in ES is called Realms. The following realm types exist, and they fall into two categories:
- Internal: no communication with components outside ES is needed (the native and file realms).
- External: communication with components outside ES is needed:
- ldap (paid license)
- active_directory (paid license)
- pki (paid license)
- saml (paid license)
- kerberos (paid license)
2. Authorization
Authorization works by defining a role and assigning it a set of permissions; roles are then assigned to users, who thereby gain those permissions.
ES permissions (privileges) exist at different levels, including cluster-level privileges (more than 30) and index-level privileges (fewer than 20).
ES also ships with many built-in roles (fewer than 30).
ES provides a number of APIs for managing users and roles:
- Users:
- Change passwords: change a user's password.
- Create or update users: create or update a user.
- Delete users: delete a user.
- Enable users: enable a user.
- Disable users: disable a user.
- Get users: view user information.
- Roles:
- Create or update roles: create or update a role.
- Delete roles: delete a role.
- Get roles: view role information.
3. Enabling ES security
The following shows how to enable the security features of ES.
Start ES with the xpack.security.enabled parameter to turn security on:
bin\elasticsearch -E node.name=node0 -E cluster.name=mycluster -E path.data=node0_data -E http.port=9200 -E xpack.security.enabled=true
Use the elasticsearch-setup-passwords command to enable the built-in users and set their initial passwords (entered manually; the example uses a 6-character password such as 111111):
bin\elasticsearch-setup-passwords interactive
This command enables the following users:
- elastic: the superuser.
- kibana: used for communication between ES and Kibana.
- kibana_system: used for communication between ES and Kibana.
- apm_system
- logstash_system
- beats_system
- remote_monitoring_user
After security is enabled, a username and password are required to access ES:
You can also access ES with curl, specifying the user:
curl -u elastic 'localhost:9200'
For more information, please refer to here.
4. Enabling Kibana security
Open Kibana's configuration file kibana.yml and add the following:
elasticsearch.username: "kibana_system" # user name
elasticsearch.password: "111111" # password
Then start Kibana with the bin\kibana command.
A username and password are also required to access Kibana (the superuser is used here):
5. Creating roles and users in Kibana
The following shows how to create roles and users in Kibana. After logging in to Kibana, proceed as follows:
Click Stack Management to open the following page:
5.1 Creating a role
Click Create role to create a role:
Creating a role requires the following:
- The role name
- Which indices the role has permissions on, and the privilege level for those indices
- A Kibana privilege
- Finally, create the role
After these steps, a role named test_role exists that has read-only permission on the test_index index; any operation outside that scope produces an error.
5.2. Creating a user
Go to the Users page and click Create user:
Fill in the username and password, and assign the test_role role to the user.
5.3 Testing the user
Log in to Kibana with the newly created user:
This user has read-only permission on the test_index index only; any operation outside that scope produces an error.
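The same test_role and test user can be created with the Create role / Create user APIs listed in section 2 instead of the Kibana UI, and the read-only scope verified programmatically. This is an added example, not code from the original post; ES_URL, the passwords and the user name test are assumptions, and test_index must already exist on the cluster.

```python
import base64
import json
import urllib.error
import urllib.request

# Added example, not the original post's code: creates the same read-only test_role
# and a user holding it via PUT /_security/role/<name> and PUT /_security/user/<name>,
# then checks that the user can read test_index but is refused when writing to it.
# ES_URL and the passwords are assumptions; test_index must already exist on the cluster.
ES_URL = "http://localhost:9200"
SUPERUSER = ("elastic", "111111")

def role_body(index_name, privileges=("read",)):
    """Role that grants only the given index privileges on one index and no cluster privileges."""
    return {"cluster": [], "indices": [{"names": [index_name], "privileges": list(privileges)}]}

def user_body(password, roles):
    """Body for PUT /_security/user/<name>: the password plus the roles to assign."""
    return {"password": password, "roles": list(roles)}

def request(method, path, auth, body=None):
    """Send one request with HTTP basic auth; return (status code, response text)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(ES_URL + path, data=data, method=method)
    token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

def is_read_only(read_status, write_status):
    """A read-only role lets searches succeed (200) and refuses writes with 403 Forbidden."""
    return read_status == 200 and write_status == 403

def main():
    request("PUT", "/_security/role/test_role", SUPERUSER, role_body("test_index"))
    request("PUT", "/_security/user/test", SUPERUSER, user_body("test-password", ["test_role"]))
    test_user = ("test", "test-password")
    read_status, _ = request("GET", "/test_index/_search", test_user)
    write_status, _ = request("POST", "/test_index/_doc", test_user, {"msg": "should be rejected"})
    print("test_role is read-only:", is_read_only(read_status, write_status))

if __name__ == "__main__":
    main()
```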
6. Transport encryption
Transport encryption means encrypting data while it is in transit, so that captured traffic cannot be read.
It is divided into encryption inside the cluster and encryption outside the cluster:
- Intra-cluster encryption: encrypting data exchanged between the nodes of the ES cluster.
- Done with the TLS protocol.
- Extra-cluster encryption: encrypting data exchanged when external clients access ES.
- Done with the HTTPS protocol.
For more information, please refer to here.
6.1. Transport encryption inside the cluster
ES uses TLS to encrypt node-to-node traffic; the following steps are required:
- Create a CA
- Create a certificate and private key for the ES nodes
- Configure the certificate
1. Create the CA certificate
Create a CA with the following command:
bin\elasticsearch-certutil ca
On success, a new file appears in the current directory:
elastic-stack-ca.p12
2. Generate the certificate and private key
Use the following command to generate the certificate and private key for the ES nodes:
bin\elasticsearch-certutil cert --ca elastic-stack-ca.p12
On success, a new file appears in the current directory:
elastic-certificates.p12
3. Configure the certificate
Place the generated elastic-certificates.p12 in the config/certs directory.
4. Start the cluster
# Start the first node
bin\elasticsearch -E node.name=node0 -E cluster.name=mycluster -E path.data=node0_data -E http.port=9200 -E xpack.security.enabled=true -E xpack.security.transport.ssl.enabled=true -E xpack.security.transport.ssl.verification_mode=certificate -E xpack.security.transport.ssl.keystore.path=certs\elastic-certificates.p12 -E xpack.security.transport.ssl.truststore.path=certs\elastic-certificates.p12
# Start the second node
bin\elasticsearch -E node.name=node1 -E cluster.name=mycluster -E path.data=node1_data -E http.port=9201 -E xpack.security.enabled=true -E xpack.security.transport.ssl.enabled=true -E xpack.security.transport.ssl.verification_mode=certificate -E xpack.security.transport.ssl.keystore.path=certs\elastic-certificates.p12 -E xpack.security.transport.ssl.truststore.path=certs\elastic-certificates.p12
A node that does not present a certificate cannot join the cluster:
bin\elasticsearch -E node.name=node2 -E cluster.name=mycluster -E path.data=node2_data -E http.port=9202 -E xpack.security.enabled=true -E xpack.security.transport.ssl.enabled=true -E xpack.security.transport.ssl.verification_mode=certificate # Join failed
The same configuration can be written in elasticsearch.yml instead:
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
verification_mode: certificate checks that the peer's certificate chains to a trusted CA but does not check the hostname; the stricter full mode also verifies that the hostname matches the certificate.
6.2. Transport encryption outside the cluster
ES supports HTTPS by configuring the following three parameters:
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: certs/elastic-certificates.p12
Or pass them on the command line at startup:
bin\elasticsearch -E node.name=node0 -E cluster.name=mycluster -E path.data=node0_data -E http.port=9200 -E xpack.security.enabled=true -E xpack.security.transport.ssl.enabled=true -E xpack.security.transport.ssl.verification_mode=certificate -E xpack.security.transport.ssl.keystore.path=certs\elastic-certificates.p12 -E xpack.security.transport.ssl.truststore.path=certs\elastic-certificates.p12 -E xpack.security.http.ssl.enabled=true -E xpack.security.http.ssl.keystore.path=certs\elastic-certificates.p12 -E xpack.security.http.ssl.truststore.path=certs\elastic-certificates.p12
After a successful start, ES can be accessed over HTTPS (on the http.port configured above):
https://localhost:9200/
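Sections 3, 6.1 and 6.2 together list the elasticsearch.yml settings that turn on authentication, node-to-node TLS and client HTTPS. The following added check (not part of the original post) parses the flat "key: value" form of those settings and reports which are missing or weak, comparing a constructed default config against the hardened one from this page.

```python
# Added example, not from the original post: reads the flat "key: value" lines of
# elasticsearch.yml (the form used in sections 3, 6.1 and 6.2) and reports which of the
# security settings discussed there are missing or weak. Both sample configs are constructed.

REQUIRED_TRUE = (
    "xpack.security.enabled",                # authentication / authorization (section 3)
    "xpack.security.transport.ssl.enabled",  # node-to-node TLS (section 6.1)
    "xpack.security.http.ssl.enabled",       # client HTTPS (section 6.2)
)
REQUIRED_PATHS = (
    "xpack.security.transport.ssl.keystore.path",
    "xpack.security.transport.ssl.truststore.path",
    "xpack.security.http.ssl.keystore.path",
    "xpack.security.http.ssl.truststore.path",
)

def parse_flat_yaml(text):
    """Parse 'key: value' lines into a dict of strings; comments and blank lines are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def audit(settings):
    """Return a list of findings; an empty list means every checked setting is present and sound."""
    findings = [f"{k} is not true" for k in REQUIRED_TRUE if settings.get(k, "false").lower() != "true"]
    findings += [f"{k} is not set" for k in REQUIRED_PATHS if not settings.get(k)]
    # ES defaults verification_mode to full; "none" would accept any peer certificate.
    if settings.get("xpack.security.transport.ssl.verification_mode", "full") == "none":
        findings.append("xpack.security.transport.ssl.verification_mode is none")
    return findings

DEFAULT_CONFIG = "cluster.name: mycluster\nhttp.port: 9200\n"  # fresh install, nothing enabled
HARDENED_CONFIG = """
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: certs/elastic-certificates.p12
"""
if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name + ":", audit(parse_flat_yaml(cfg)) or "ok")
```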
6.3 Configuring Kibana to connect to ES over HTTPS
1. Generate a PEM file for Kibana
First, use openssl to extract the CA certificate from the PKCS#12 file in PEM form for Kibana:
openssl pkcs12 -in elastic-certificates.p12 -cacerts -nokeys -out elastic-ca.pem
On success, the following file is generated:
elastic-ca.pem
Place the file in the config\certs directory.
2. Configure kibana.yml
Configure the following parameters in Kibana's configuration file kibana.yml:
elasticsearch.hosts: ["https://localhost:9200"]
elasticsearch.ssl.certificateAuthorities: ["C:\\elasticsearch-7.10.1\\config\\certs\\elastic-ca.pem"]
elasticsearch.ssl.verificationMode: certificate
3. Run Kibana
bin\kibana
6.4. Configuring Kibana to serve HTTPS
1. Generate a certificate for Kibana
bin/elasticsearch-certutil ca --pem
After the command completes, the following zip file is generated:
elastic-stack-ca.zip
Unzip it to obtain two files:
ca.crt
ca.key
Put these two files in Kibana's config\certs directory.
2. Configure kibana.yml
Configure the following parameters in Kibana's configuration file kibana.yml:
server.ssl.enabled: true
server.ssl.certificate: config\\certs\\ca.crt
server.ssl.key: config\\certs\\ca.key
Note that this uses the CA's own certificate and private key as Kibana's server certificate; for anything beyond a test setup, issue a separate server certificate signed by the CA and keep the CA key offline.
3. Run Kibana
bin\kibana
After a successful start, Kibana can be accessed over HTTPS:
https://localhost:5601/