Fork me on GitHub

ES内置账号密码修改、自定义角色自定义账号、ldap及AD认证

自定义内置账号

  • 账户elastic为elasticsearch超级管理员,拥有所有权限
  • 账户kibana用于kibana组件获取相关信息用于web展示
  • 账户logstash_system用于logstash服务获取elasticsearch的监控数据
  • 注意:此步骤需先启动elasticsearch服务

es_user

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
[elasticsearch@elasticsearch elasticsearch-6.0.0]$ ./bin/x-pack/setup-passwords interactive
Initiating the setup of reserved user elastic,kibana,logstash_system passwords.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y


Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [elastic]
[elasticsearch@elasticsearch elasticsearch-6.0.0]$

验证内置账户访问

  • 若不提供用户名密码则返回401
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
[elasticsearch@elasticsearch elasticsearch-6.0.0]$ curl 'http://10.59.30.96:9200/_cat/indices?pretty'
{
"error" : {
"root_cause" : [
{
"type" : "security_exception",
"reason" : "missing authentication token for REST request [/_cat/indices?pretty]",
"header" : {
"WWW-Authenticate" : "Basic realm=\"security\" charset=\"UTF-8\""
}
}
],
"type" : "security_exception",
"reason" : "missing authentication token for REST request [/_cat/indices?pretty]",
"header" : {
"WWW-Authenticate" : "Basic realm=\"security\" charset=\"UTF-8\""
}
},
"status" : 401
}
  • 提供相应用户信息后可访问,若用户权限不足则返回403

    使用logstash_system用户访问

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
[elasticsearch@elasticsearch elasticsearch-6.0.0]$ curl 'http://10.59.30.96:9200/_cat/indices?pretty' -u logstash_system:logstash_system
{
"error" : {
"root_cause" : [
{
"type" : "security_exception",
"reason" : "action [indices:monitor/stats] is unauthorized for user [logstash_system]"
}
],
"type" : "security_exception",
"reason" : "action [indices:monitor/stats] is unauthorized for user [logstash_system]"
},
"status" : 403
}
[elasticsearch@elasticsearch elasticsearch-6.0.0]$
  • 使用kibana用户访问
1
2
3
4
5
6
7
8
[elasticsearch@elasticsearch elasticsearch-6.0.0]$ curl 'http://10.59.30.96:9200/_cat/indices?pretty' -u kibana:kibana
yellow open .monitoring-es-6-2018.01.10 nND6-i_rR5iLEYVccBGj8w 1 1
yellow open .triggered_watches BtygGZisSDqiL3Y2TaQGqQ 1 1
green open .security-6 QVRL1mcFSAilryHGEhen7Q 1 0
yellow open .watcher-history-6-2018.01.10 SBGiHDAnTPiXFoHU65VY_g 1 1
yellow open .watches kMzN4j5cQySZQQSDVPww8w 1 1
yellow open .monitoring-alerts-6 VygY6VN9R3S0PR_jrGy50Q 1 1
[elasticsearch@elasticsearch elasticsearch-6.0.0]$

添加自定义角色

  • 添加角色接口为 POST /_xpack/security/role/

    下述示例为添加超级管理员角色的方法

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
[elasticsearch@elasticsearch elasticsearch-6.0.0]$ curl -XPOST -H 'Content-type: application/json' -u elastic:elastic 'http://10.59.30.96:9200/_xpack/security/role/admin?pretty' -d '{
> "run_as": [ "elastic" ],
> "cluster": [ "all" ],
> "indices": [
> {
> "names": [ "*" ],
> "privileges": [ "all" ]
> }
> ]
> }'
{
"role" : {
"created" : true
}
}
[elasticsearch@elasticsearch elasticsearch-6.0.0]$ curl -XGET -H 'Content-type: application/json' -u elastic:elastic 'http://10.59.30.96:9200/_xpack/security/role/admin?pretty'
{
"admin" : {
"cluster" : [
"all"
],
"indices" : [
{
"names" : [
"*"
],
"privileges" : [
"all"
]
}
],
"run_as" : [
"elastic"
],
"metadata" : { },
"transient_metadata" : {
"enabled" : true
}
}
}
[elasticsearch@elasticsearch elasticsearch-6.0.0]$

添加自定义账户

  • 添加用户接口为 POST /_xpack/security/user/

    下述为添加martin账户并添加至admin角色操作方法

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
[elasticsearch@elasticsearch elasticsearch-6.0.0]$ curl -XPOST -H 'Content-type: application/json' -u elastic:elastic 'http://10.59.30.96:9200/_xpack/security/user/martin?pretty' -d '{
> "password" : "123456",
> "full_name" : "Martin Lei",
> "roles" : ["admin"],
> "email" : "martin@martin.com"
> }'
{
"user" : {
"created" : true
}
}
[elasticsearch@elasticsearch elasticsearch-6.0.0]$ curl -XGET -H 'Content-type: application/json' -u elastic:elastic 'http://10.59.30.96:9200/_xpack/security/user/martin?pretty'
{
"rocshen" : {
"username" : "martin",
"roles" : [
"admin"
],
"full_name" : "Martin Lei",
"email" : "martin@martin.com",
"metadata" : { },
"enabled" : true
}
}
[elasticsearch@elasticsearch elasticsearch-6.0.0]$ curl -XGET -H 'Content-type: application/json' -u martin:123456 'http://10.59.30.96:9200/_cat/indices?pretty'
yellow open .monitoring-es-6-2018.01.10 nND6-i_rR5iLEYVccBGj8w 1 1 4883 88 2.5mb 2.5mb
yellow open .triggered_watches BtygGZisSDqiL3Y2TaQGqQ 1 1 0 0 24.2kb 24.2kb
green open .security-6 QVRL1mcFSAilryHGEhen7Q 1 0
yellow open .watcher-history-6-2018.01.10 SBGiHDAnTPiXFoHU65VY_g 1 1 630 0 703.3kb 703.3kb
yellow open .watches kMzN4j5cQySZQQSDVPww8w 1 1 5 0 33.3kb 33.3kb
yellow open .monitoring-alerts-6 VygY6VN9R3S0PR_jrGy50Q 1 1 1 0 6.5kb 6.5kb
[elasticsearch@elasticsearch elasticsearch-6.0.0]$

修改账户密码

  1. 修改密码需使用超级管理员权限即elastic账户,接口为POST _xpack/security/user//_password

curl参数含义如下

  • -XPOST 使用post方法传递参数
  • -H 指定http协议的header信息
  • -u 指定用于认证的用户信息用户名与密码使用冒号分隔
  • -d 指定具体要传递的参数信息
1
2
[elasticsearch@elasticsearch elasticsearch-6.0.0]$ curl -XPOST -H 'Content-type: application/json' -u elastic:elastic 'http://10.59.30.96:9200/_xpack/security/user/kibana/_password?pretty' -d '{"password": "123456"}'
{ }
  1. 密码修改后使用老密码访问则返回401,使用更新后的密码则正常
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
[elasticsearch@elasticsearch elasticsearch-6.0.0]$ curl 'http://10.59.30.96:9200/_cat/indices?pretty' -u kibana:kibana
{
"error" : {
"root_cause" : [
{
"type" : "security_exception",
"reason" : "failed to authenticate user [kibana]",
"header" : {
"WWW-Authenticate" : "Basic realm=\"security\" charset=\"UTF-8\""
}
}
],
"type" : "security_exception",
"reason" : "failed to authenticate user [kibana]",
"header" : {
"WWW-Authenticate" : "Basic realm=\"security\" charset=\"UTF-8\""
}
},
"status" : 401
}
[elasticsearch@elasticsearch elasticsearch-6.0.0]$ curl 'http://10.59.30.96:9200/_cat/indices?pretty' -u kibana:123456
yellow open .monitoring-es-6-2018.01.10 nND6-i_rR5iLEYVccBGj8w 1 1
yellow open .triggered_watches BtygGZisSDqiL3Y2TaQGqQ 1 1
green open .security-6 QVRL1mcFSAilryHGEhen7Q 1 0
yellow open .watcher-history-6-2018.01.10 SBGiHDAnTPiXFoHU65VY_g 1 1
yellow open .watches kMzN4j5cQySZQQSDVPww8w 1 1
yellow open .monitoring-alerts-6 VygY6VN9R3S0PR_jrGy50Q 1 1
[elasticsearch@elasticsearch elasticsearch-6.0.0]$

配置ldap帐号认证

ldap服务安装可参考:https://segmentfault.com/a/11...

添加下述ldap相关述配置 bind_dn为ldap的管理DN

  • bind_password为管理dn的密码
  • user_search.base_dn为linux系统账户信息导入ldap的信息
  • user_search.attribute为账户在ldap中的标识信息
  • group_search.base_dn为linux系统组信息导入ldap的信息
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
[elasticsearch@elasticsearch elasticsearch-6.0.0]$ vim config/elasticsearch.yml 

......

network.host: 10.59.30.96
bootstrap.system_call_filter: false

xpack.ssl.key: elasticsearch/elasticsearch.key
xpack.ssl.certificate: elasticsearch/elasticsearch.crt
xpack.ssl.certificate_authorities: ca/ca.crt
xpack.security.transport.ssl.enabled: true

xpack:
security:
authc:
realms:
ldap1:
type: ldap
order: 0
url: "ldap://10.59.30.95"
bind_dn: "cn=Manager, dc=martin, dc=com"
bind_password: 123456
user_search:
base_dn: "ou=People,dc=martin,dc=com"
attribute: uid
group_search:
base_dn: "ou=Group,dc=martin,dc=com"
unmapped_groups_as_roles: false

配置AD域帐号认证

添加下ldap相关述配置至elasticsearch.yml,此处为接着上述LDAP配置添加,如果只需配置AD认证请将ldap相关配置删除即可;

  • domain_name为AD域的域名
  • url为AD域的地址
  • bind_dnw为随意的域账户名称(格式为user@domain)
  • bind_password为上述账户的密码
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
xpack:
security:
authc:
realms:
ldap1:
type: ldap
order: 0
url: "ldap://10.59.30.94"
bind_dn: "cn=Manager, dc=martin, dc=com"
bind_password: 123456
user_search:
base_dn: "ou=People,dc=martin,dc=com"
attribute: uid
group_search:
base_dn: "ou=Group,dc=martin,dc=com"
unmapped_groups_as_roles: false
active_directory:
type: active_directory
order: 1
domain_name: martin.com
url: ldap://ad.martin.com
bind_dn: martin@martin.com
bind_password: AD.123456

重启elasticsearch服务并使用ldap域账户user01登录

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
[elasticsearch@elasticsearch elasticsearch-6.0.0]$ killall java
[elasticsearch@elasticsearch elasticsearch-6.0.0]$ ./bin/elasticsearch -d
[elasticsearch@elasticsearch elasticsearch-6.0.0]$ curl -XGET -u user01:user01 'http://10.59.30.96:9200/_cat?pretty'
=^.^=
/_cat/allocation
/_cat/shards
/_cat/shards/{index}
/_cat/master
/_cat/nodes
/_cat/tasks
/_cat/indices
/_cat/indices/{index}
/_cat/segments
/_cat/segments/{index}
/_cat/count
/_cat/count/{index}
/_cat/recovery
/_cat/recovery/{index}
/_cat/health
/_cat/pending_tasks
/_cat/aliases
/_cat/aliases/{alias}
/_cat/thread_pool
/_cat/thread_pool/{thread_pools}
/_cat/plugins
/_cat/fielddata
/_cat/fielddata/{fields}
/_cat/nodeattrs
/_cat/repositories
/_cat/snapshots/{repository}
/_cat/templates
[elasticsearch@elasticsearch elasticsearch-6.0.0]$

使用AD域账户martin登录

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
[elasticsearch@elasticsearch elasticsearch-6.0.0]$ curl http://10.59.30.96:9200/_cat?pretty -u martin:AD.123456
=^.^=
/_cat/allocation
/_cat/shards
/_cat/shards/{index}
/_cat/master
/_cat/nodes
/_cat/tasks
/_cat/indices
/_cat/indices/{index}
/_cat/segments
/_cat/segments/{index}
/_cat/count
/_cat/count/{index}
/_cat/recovery
/_cat/recovery/{index}
/_cat/health
/_cat/pending_tasks
/_cat/aliases
/_cat/aliases/{alias}
/_cat/thread_pool
/_cat/thread_pool/{thread_pools}
/_cat/plugins
/_cat/fielddata
/_cat/fielddata/{fields}
/_cat/nodeattrs
/_cat/repositories
/_cat/snapshots/{repository}
/_cat/templates
[elasticsearch@elasticsearch elasticsearch-6.0.0]$

为域账户信息映射角色

接口为:POST /_xpack/security/role_mapping/

下述为映射user1*账户为管理员角色的操作步骤

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
[elasticsearch@elasticsearch elasticsearch-6.0.0]$ curl -XPOST -H 'Content-type: application/json' -u elastic:elastic 'http://10.59.30.96:9200/_xpack/security/role_mapping/ldap_user_admin?pretty' -d '{
> "roles": [ "admin" ],
> "enabled": true,
> "rules": {
> "any": [
> {
> "field": {
> "username": "/user1*/"
> }
> }
> ]
> }
> }'
{
"role_mapping" : {
"created" : true
}
}
[elasticsearch@elasticsearch elasticsearch-6.0.0]$ curl -XGET -H 'Content-type: application/json' -u elastic:elastic 'http://10.59.30.96:9200/_xpack/security/role_mapping/ldap_user_admin?pretty'
{
"ldap_user_admin" : {
"enabled" : true,
"roles" : [
"admin"
],
"rules" : {
"any" : [
{
"field" : {
"username" : "/user1*/"
}
}
]
},
"metadata" : { }
}
}
[elasticsearch@elasticsearch elasticsearch-6.0.0]$

验证域账户权限,使用user01无权访问indices接口,使用user11可以访问;

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
[elasticsearch@elasticsearch elasticsearch-6.0.0]$ curl -XGET -u user01:user01 'http://10.59.30.96:9200/_cat/indices?pretty'
{
"error" : {
"root_cause" : [
{
"type" : "security_exception",
"reason" : "action [cluster:monitor/state] is unauthorized for user [user01]"
}
],
"type" : "security_exception",
"reason" : "action [cluster:monitor/state] is unauthorized for user [user01]"
},
"status" : 403
}
[elasticsearch@elasticsearch elasticsearch-6.0.0]$ curl -XGET -u user11:user11 'http://10.59.30.96:9200/_cat/indices?pretty'
yellow open .monitoring-es-6-2018.01.10 nND6-i_rR5iLEYVccBGj8w 1 1 6178 44 5.9mb 5.9mb
yellow open .triggered_watches BtygGZisSDqiL3Y2TaQGqQ 1 1 0 0 11.7kb 11.7kb
green open .security-6 QVRL1mcFSAilryHGEhen7Q 1 0
yellow open .watcher-history-6-2018.01.10 SBGiHDAnTPiXFoHU65VY_g 1 1 777 0 1.1mb 1.1mb
yellow open .watches kMzN4j5cQySZQQSDVPww8w 1 1 5 0 40.2kb 40.2kb
yellow open .monitoring-alerts-6 VygY6VN9R3S0PR_jrGy50Q 1 1 1 0 12.8kb 12.8kb
[elasticsearch@elasticsearch elasticsearch-6.0.0]$

常见报错

No subject alternative names matching IP address

1
2
3
4
[2018-01-10T19:19:35,483][WARN ][o.e.x.s.t.n.SecurityNetty4Transport] [fzP4t-4] exception caught on transport layer [[id: 0x5d97fe48, L:/0:0:0:0:0:0:0:1:49121 ! R:/0:0:0:0:0:0:0:1:9300]], closing connection
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
......
Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 0:0:0:0:0:0:0:1 found

解决方案为一种是关闭IPv6地址,另一种是修改ES_HOME/config/elasticsearch.yml中的network.host值为本机eth0的IP

参考文档

如果文章对您有用请随意打赏,谢谢支持!