ES 2.4.0下Search-guard安装配置
- search-guard-2-2.4.0.12.zip 链接:https://pan.baidu.com/s/1tJVbrA2okUoyjXGJl_4yRQ 提取码:7z95
- search-guard-ssl-2.4.0.21.zip 链接:https://pan.baidu.com/s/1Zf1kthO5F1lUFwvAvcnVmw 提取码:5lhe
- search-guard-ssl-2.4.x.zip 链接:https://pan.baidu.com/s/11rudvAx6RTCaoiou-E0rpA 提取码:668u
ES集群中任意节点进行以下操作
一、安装search-guard-ssl及search-guard
1、安装search-guard-ssl
/usr/share/elasticsearch/bin/plugin install file:///root/search-guard-ssl-2.4.0.21.zip
2、安装search-guard
/usr/share/elasticsearch/bin/plugin install file:///root/search-guard-2-2.4.0.12.zip
二、生成**
1、编辑生成**脚本 example.sh
unzip search-guard-ssl-2.4.x.zip
cd search-guard-ssl-2.4.x/example-pki-scripts/
vim example.sh
修改其中所有的密码“changeit”,可通过如下命令批量替换
:%s/changeit/123456/g
2、生成**
sh example.sh
生成之前:
生成之后:
3、拷贝**文件到ES安装目录下
cp kirk-keystore.jks node-0-keystore.jks truststore.jks /etc/elasticsearch/
三、编辑配置文件
1、在ES配置文件(vim /etc/elasticsearch/elasticsearch.yml)中添加search-guard配置,其中,node-0-keystore.jks为当前节点使用的**文件,123456为上文中我们设置的密码,注意对应
searchguard.nodes_dn:
- CN=node-0.example.com,OU=SSL,O=Test,L=Test, C=DE
- CN=node-*.example.com,OU=SSL,O=Test,L=Test, C=DE
searchguard.authcz.admin_dn:
- CN=kirk,OU=client,O=client,L=Test, C=DE
searchguard.ssl.transport.enabled: true
searchguard.ssl.transport.keystore_filepath: node-0-keystore.jks
searchguard.ssl.transport.keystore_password: 123456
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: 123456
searchguard.ssl.transport.enforce_hostname_verification: false
2、重启当前节点ES
systemctl restart elasticsearch
3、生效search-guard
其中,“-cn”参数后为集群名称;“-h”参数为当前节点IP,如果不写会报一个localhost:9300没有ES服务的错误;“-kspass”与“-tspass”为上文我们设置的密码;并且指定配置文件“kirk-keystore.jks”与“truststore.jks”的路径
cd /usr/share/elasticsearch/plugins/search-guard-2/tools/
sh sgadmin.sh -cn GSUM -h 192.168.0.101 -cd ../sgconfig -ks /etc/elasticsearch/kirk-keystore.jks -kspass 123456 -ts /etc/elasticsearch/truststore.jks -tspass 123456 -nhnv