Elasticsearch+Kibana权限控制

前两天做实验的ES居然被人meow攻击了… type中的mapping被人无故删除，想想ES也是数据库，怎么能没有权限控制？所以想着给ES和Kibana都加个权限管理。好在ES本身就已经提供了xpack插件，直接撸。

ES + Kibana版本：5.6.16（实验限制，并非6.x不好..）环境：docker

Elasticsearch

docker配置

直接使用docker-compose.yml来配置，该镜像已自带xpack插件：

# docker-compose.yml
# Containers' name can't contain _ (underscore) because scrapy is not able to handle it.
version: '2'

services:
  elasticsearch:
    #image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.3.0
    image: elastic/elasticsearch:5.6.16
    environment:
      - discovery.type=single-node
      - cluster.name=tor-elasticsearch
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms2g -Xmx2g -Xmn1g"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - /etc/elasticsearch/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - /etc/elasticsearch/data:/usr/share/elasticsearch/data
    ports:
      - 9200:9200
      - 9300:9300
    container_name: "tor-elasticsearch"

bootstrap.memory_lock代表是否锁住内存，避免jvm交换(swapped)带来的性能损失，这对节点健康极其重要。

打开bootstrap.memory_lock后出现ES启动失败？

1. max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]
   先要切换到root用户； 然后可以执行以下命令，设置 vm.max_map_count ，但是重启后又会恢复为原值。
   sysctl -w vm.max_map_count=262144
   持久性的做法是在 /etc/sysctl.conf 文件中修改 vm.max_map_count 参数：

   echo "vm.max_map_count=262144" > /etc/sysctl.conf
   sysctl -p

2. memory locking requested for elasticsearch process but memory is not locked
   我是直接在配置文件中加入如下字段就好了：

   ulimits:
   memlock:
       soft: -1
       hard: -1

   如果加入以上字段还不行，可能需要打开系统层面锁内存的支持，根据系统去找方法。

"ES_JAVA_OPTS=-Xms2g -Xmx2g -Xmn1g"代表分配个JVM的堆内存，官方推荐-Xms和-Xmx一般设置为系统物理内存的一半，此处物理内存就是分配给该docker容器的限制内存，请自行调整，我的ES容器内存限制如下：

elasticsearch.yml初始配置如下：

network.host: 0.0.0.0
# xpack
xpack.security.enabled: true
xpack.security.authc.accept_default_password: false

配置x-pack账号密码

因为版本关系，ES5.x不具备elasticsearch-setup-passwords工具，所以需要手动设置三个账户（elastic、kibana、logstash_system）的密码：

这里首先要将elasticsearch.yml中的accept_default_password打开，改完再关闭：

xpack.security.authc.accept_default_password: true

然后进行密码重置（elastic默认密码：changeme）：

curl -XPUT -u elastic 'localhost:9200/_xpack/security/user/elastic/_password' -H "Content-Type: application/json" -d '{ 
    "password" : "yourpassword"
}'

curl -XPUT -u elastic 'localhost:9200/_xpack/security/user/kibana/_password' -H "Content-Type: application/json" -d '{
  "password" : "yourpassword"
}'

curl -XPUT -u elastic 'localhost:9200/_xpack/security/user/logstash_system/_password' -H "Content-Type: application/json" -d '{
  "password" : "yourpassword"
}'

Kibana

• 镜像（已自带xpack插件）：elastic/kibana:5.6.16

• volume：/etc/kibana/config/kibana.yml:/usr/share/kibana/config/kibana.yml

  # kibana.yml
  server.name: kibana
  server.host: "0"
  # es地址
  elasticsearch.url: http://elasticsearch_host:9200
  # 打开xpack插件
  xpack.monitoring.ui.container.elasticsearch.enabled: true
  
  # Elasticsearch xpack username and password
  elasticsearch.username: "kibana"
  elasticsearch.password: "yourpassword"

ok，启动两个镜像就大功告成，可以看到权限控制xpack已经生效。

注意这里最好使用elastic账号登录，kibana账号登录会只有monitor权限。

解决Elasticsearch license失效问题

 警告
此方法并不能解决xpack license失效问题，目前解决方法有二：
1. （失效）重新部署docker容器，会自动开启30天试用
2. （建议）反编译xpack包，破解试用时间，请直接跳转到下文

如果打开Kibana出现Login is disabled because your license has expired错误，说明需要更新相应的许可证。
这里仅提供低于ES6.2版本的解决方案，因为其实X-Pack对于ES6.3及后续的版本已内置。

1. 首先登陆https://register.elastic.co/，填写信息下载Basic License，有效期一年。
2. 应用许可证(注意替换你自己的es地址和端口)：

   curl -XPUT -u elastic 'http://0.0.0.0:9200/_xpack/license' -H "Content-Type: application/json" -d @license.json

3. 填写elastic账户密码，默认为changeme。
4. 请求会返回如下信息：

   {
   "acknowledged": false,
   "license_status": "valid",
   "acknowledge": {
       "message": "This license update requires acknowledgement. To acknowledge the license, please read the following messages and update the license again, this time with the \"acknowledge=true\" parameter:",
       "watcher": ["Watcher will be disabled"],
       "security": ["The following X-Pack security functionality will be disabled: authentication, authorization, ip filtering, and auditing. Please restart your node after applying the license.", "Field and document level access control will be disabled.", "Custom realms will be ignored."],
       "monitoring": ["Multi-cluster support is disabled for clusters with [BASIC] license. If you are\nrunning multiple clusters, users won't be able to access the clusters with\n[BASIC] licenses from within a single X-Pack Kibana instance. You will have to deploy a\nseparate and dedicated X-pack Kibana instance for each [BASIC] cluster you wish to monitor.", "Automatic index cleanup is locked to 7 days for clusters with [BASIC] license."],
       "graph": ["Graph will be disabled"]
   }
   }

   在这种情况下，必须再次发送许可证，但这一次使用参数acknowledge=true。

   curl -XPUT -u elastic 'http://0.0.0.0:9200/_xpack/license?acknowledge=true' -H "Content-Type: application/json" -d @license.json

5. 当收到如下返回，则更新Basic License成功：

   {"acknowledged":true,"license_status":"valid"}