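Prerequisites

  • Prepare the certificates
  • Download the plugin
  • Elasticsearch is already installed

Paths and version information

     Elasticsearch path: /opt/elasticsearch-7.8.0

     Plugin location: /opt/search-guard-suite-plugin-7.8.0-43.2.0.zip

     Elasticsearch version: elasticsearch-7.8.0

Install the plugin

      Change into the bin directory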

cd /opt/elasticsearch-7.8.0/bin

     Install command

./elasticsearch-plugin install -b file:///opt/search-guard-suite-plugin-7.8.0-43.2.0.zip 

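Prepare the certificates and passwords

   Place the two certificates in the config directory; they must be in this directory.

Edit the configuration file elasticsearch.yml

  Disable X-Pack security and Search Guard's paid (enterprise) features, and use plain TLS that neither accepts nor verifies client certificates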

xpack.security.enabled: false
searchguard.enterprise_modules_enabled: false
searchguard.ssl.http.clientauth_mode: NONE

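   Fill in the certificate paths and passwords according to what you placed in the config directory

       Two certificate modes are supported:

  • PEM certificates
  • the keystore- and truststore file

   Configuration for the keystore- and truststore file mode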

searchguard.ssl.transport.keystore_filepath: CN=[hostname]-keystore.jks
searchguard.ssl.transport.keystore_password: [keystore password for this node]
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: af4e04b5cd4af41c11a2
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: CN=[hostname]-keystore.jks
searchguard.ssl.http.keystore_password: [keystore password for this node]
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.truststore_password: af4e04b5cd4af41c11a2
                                                             
searchguard.authcz.admin_dn:                                
  - CN=sgadmin  

 Configuration for the PEM certificates mode

searchguard.ssl.transport.pemcert_filepath: CN=[hostname].crtfull.pem
searchguard.ssl.transport.pemkey_filepath: CN=[hostname].key.pem
searchguard.ssl.transport.pemkey_password: [private key password for this node]
searchguard.ssl.transport.pemtrustedcas_filepath: chain-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: CN=[hostname].crtfull.pem
searchguard.ssl.http.pemkey_filepath: CN=[hostname].key.pem
searchguard.ssl.http.pemkey_password: [private key password for this node]
searchguard.ssl.http.pemtrustedcas_filepath: chain-ca.pem

Go through the remaining configuration items as you would for a normal setup
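The settings above trade verification for convenience: no hostname verification on the transport layer, no client certificates on the REST layer, and passwords written into elasticsearch.yml. The script below is an added example, not part of the original post or of Search Guard; it flags those settings in a config file, and its function names, finding labels and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): flag the TLS trade-offs in the
# searchguard.* settings shown above. One finding per line; returns 1 if any.
audit_sg_config() {
    f=$1; rc=0
    # Last value of a "key: value" line; tolerates "key : value".
    val() { sed -n "s/^$1[[:space:]]*:[[:space:]]*//p" "$f" | sed 's/[[:space:]]*$//' | tail -n 1; }
    flag() { echo "$1"; rc=1; }
    [ "$(val searchguard.ssl.http.enabled)" = "true" ] ||
        flag "HTTP_TLS_OFF: REST traffic is not encrypted"
    [ "$(val searchguard.ssl.transport.enforce_hostname_verification)" = "false" ] &&
        flag "NO_HOSTNAME_CHECK: transport-layer hostname verification is disabled"
    [ "$(val searchguard.ssl.http.clientauth_mode)" = "NONE" ] &&
        flag "NO_CLIENT_CERT: REST layer does not accept client certificates"
    grep -Eq '^searchguard\.authcz\.admin_dn[[:space:]]*:' "$f" ||
        flag "NO_ADMIN_DN: no certificate DN is listed for sgadmin"
    # Keystore and key passwords are stored here in clear text, so the file
    # must not be readable by other local users.
    if grep -Eq '^searchguard\.ssl\..*_password[[:space:]]*:[[:space:]]*[^[:space:]]' "$f" &&
       [ -n "$(find "$f" -perm -004)" ]; then
        flag "WORLD_READABLE_SECRETS: passwords in a world-readable file"
    fi
    return $rc
}

# Constructed sample: keystore-mode settings with placeholder names and passwords.
sample_config() {
    cat <<'EOF'
xpack.security.enabled: false
searchguard.ssl.http.clientauth_mode : NONE
searchguard.ssl.transport.keystore_filepath: CN=node1-keystore.jks
searchguard.ssl.transport.keystore_password: example-password
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.authcz.admin_dn:
  - CN=sgadmin
EOF
}

# Audit the file given as $1, or the constructed sample when none is given.
cfg=${1:-}
if [ -z "$cfg" ]; then cfg=$(mktemp) && sample_config > "$cfg"; fi
audit_sg_config "$cfg" || true
```

Run it as `sh audit.sh /opt/elasticsearch-7.8.0/config/elasticsearch.yml` (the script file name is an assumption); each finding is a setting to revisit before the node leaves a test environment.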


 After Elasticsearch starts successfully, run sgadmin

  Add the following to the configuration file

searchguard.authcz.admin_dn:
  - CN=sgadmin

  Place all the certificates in the following directory

cd /opt/elasticsearch-7.8.0/plugins/search-guard-7/tools

Grant execute permission

chmod 755 ./sgadmin.sh

Run in the keystore- and truststore file mode

./sgadmin.sh -ts truststore.jks -tspass af4e04b5cd4af41c11a2 -ks CN=sgadmin-keystore.jks -kspass 72ba07ef757174c74b54 -nhnv -icl -cd ../sgconfig/

Run in the PEM certificates mode

./sgadmin.sh -cacert root-ca.pem -cert CN=sgadmin.crtfull.pem -key CN=sgadmin.key.pem -keypass 72ba07ef757174c74b54 -nhnv -icl -cd ../sgconfig/

Screenshot of a successful run

   [Screenshot: Elasticsearch integrated with Search Guard, version information]