云樾
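Elasticsearch + Kibana access control

A couple of days ago the ES instance I use for experiments was hit by a meow attack… the mappings in its types were deleted for no reason. ES is a database too, so how can it run without access control? So I decided to add access management to both ES and Kibana. Fortunately ES already provides the xpack plugin, so let's get straight to it.

ES + Kibana version: 5.6.16 (a constraint of the experiment, not because 6.x is bad). Environment: docker

Elasticsearch

docker configuration

Configure it directly with docker-compose.yml; this image already ships with the xpack plugin: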

# docker-compose.yml
# Containers' name can't contain _ (underscore) because scrapy is not able to handle it.
version: '2'

services:
  elasticsearch:
    #image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.3.0
    image: elastic/elasticsearch:5.6.16
    environment:
      - discovery.type=single-node
      - cluster.name=tor-elasticsearch
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms2g -Xmx2g -Xmn1g"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - /etc/elasticsearch/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - /etc/elasticsearch/data:/usr/share/elasticsearch/data
    ports:
      - 9200:9200
      - 9300:9300
    container_name: "tor-elasticsearch"

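bootstrap.memory_lock controls whether the process memory is locked, which avoids the performance loss caused by the JVM being swapped out; this is extremely important for node health.

ES fails to start after enabling bootstrap.memory_lock?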

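  1. max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]
    First switch to the root user; then you can run the following command to set vm.max_map_count, but the original value is restored after a reboot.
    sysctl -w vm.max_map_count=262144
    The persistent approach is to set the vm.max_map_count parameter in /etc/sysctl.conf:

    # append (>>); a single > would overwrite the whole file
    echo "vm.max_map_count=262144" >> /etc/sysctl.conf
    sysctl -p
  2. memory locking requested for elasticsearch process but memory is not locked
    I fixed this simply by adding the following fields to the configuration file:

    ulimits:
      memlock:
        soft: -1
        hard: -1

    If it still fails after adding the fields above, you may need to enable memory locking support at the operating-system level; look up how to do that for your system.

"ES_JAVA_OPTS=-Xms2g -Xmx2g -Xmn1g" sets the heap memory allocated to the JVM. The official recommendation is to set -Xms and -Xmx to about half of the system's physical memory. Here "physical memory" means the memory limit assigned to the docker container, so adjust it to your setup. My ES container's memory limit is as follows: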

[Image: ES container memory limit]

The initial elasticsearch.yml configuration is as follows:

network.host: 0.0.0.0
# xpack
xpack.security.enabled: true
xpack.security.authc.accept_default_password: false

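Setting the x-pack account passwords

Because of the version, ES 5.x does not have the elasticsearch-setup-passwords tool, so the passwords of the three accounts (elastic, kibana, logstash_system) have to be set manually:

First enable accept_default_password in elasticsearch.yml, and disable it again once the passwords have been changed:

xpack.security.authc.accept_default_password: true

Then reset the passwords: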

curl -XPUT -u elastic 'localhost:9200/_xpack/security/user/elastic/_password' -H "Content-Type: application/json" -d '{ 
    "password" : "yourpassword"
}'

curl -XPUT -u elastic 'localhost:9200/_xpack/security/user/kibana/_password' -H "Content-Type: application/json" -d '{
  "password" : "yourpassword"
}'

curl -XPUT -u elastic 'localhost:9200/_xpack/security/user/logstash_system/_password' -H "Content-Type: application/json" -d '{
  "password" : "yourpassword"
}'

Kibana

  • Image (already ships with the xpack plugin): elastic/kibana:5.6.16
  • volume: /etc/kibana/config/kibana.yml:/usr/share/kibana/config/kibana.yml

    # kibana.yml
    server.name: kibana
    server.host: "0"
    # ES address
    elasticsearch.url: http://elasticsearch_host:9200
    # Enable the xpack plugin
    xpack.monitoring.ui.container.elasticsearch.enabled: true
    
    # Elasticsearch xpack username and password
    elasticsearch.username: "kibana"
    elasticsearch.password: "yourpassword"

OK, start the two images and you are done; you can see that xpack access control has taken effect.

Note that it is best to log in with the elastic account here; logging in with the kibana account gives you only the monitor permission.

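Fixing an expired Elasticsearch X-Pack license

If opening Kibana shows the error Login is disabled because your license has expired, the license needs to be updated.
Only a solution for ES versions below 6.2 is given here, because X-Pack is built into ES 6.3 and later versions.

  1. First log in to https://register.elastic.co/, fill in the information and download the Basic License, which is valid for one year
  2. Apply the license (remember to substitute your own ES address and port):
    curl -XPUT -u elastic 'http://0.0.0.0:9200/_xpack/license' -H "Content-Type: application/json" -d @license.json
  3. Enter the password of the elastic account; the default is changeme
  4. The request returns the following: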
    {
    "acknowledged": false,
    "license_status": "valid",
    "acknowledge": {
        "message": "This license update requires acknowledgement. To acknowledge the license, please read the following messages and update the license again, this time with the \"acknowledge=true\" parameter:",
        "watcher": ["Watcher will be disabled"],
        "security": ["The following X-Pack security functionality will be disabled: authentication, authorization, ip filtering, and auditing. Please restart your node after applying the license.", "Field and document level access control will be disabled.", "Custom realms will be ignored."],
        "monitoring": ["Multi-cluster support is disabled for clusters with [BASIC] license. If you are\nrunning multiple clusters, users won't be able to access the clusters with\n[BASIC] licenses from within a single X-Pack Kibana instance. You will have to deploy a\nseparate and dedicated X-pack Kibana instance for each [BASIC] cluster you wish to monitor.", "Automatic index cleanup is locked to 7 days for clusters with [BASIC] license."],
        "graph": ["Graph will be disabled"]
    }
    }

    In this case the license must be sent again, this time with the parameter acknowledge=true

    curl -XPUT -u elastic 'http://0.0.0.0:9200/_xpack/license?acknowledge=true' -H "Content-Type: application/json" -d @license.json
  5. When you receive the following response, the Basic License has been updated successfully:
    {"acknowledged":true,"license_status":"valid"}
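
A check worth running after the password reset, and again after the license update and node restart, since the license response shown above lists authentication and authorization among the features a Basic license disables. This is an added example, not part of the original post; ES_URL, ES_PASSWORD and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). ES_URL, ES_PASSWORD and the
# function names are assumptions chosen for this example.
ES_URL="${ES_URL:-http://localhost:9200}"

# Print the HTTP status of GET / ; $1 is an optional "user:password".
es_status() {
  if [ -n "${1:-}" ]; then
    curl -s -o /dev/null -w '%{http_code}' -u "$1" "$ES_URL/"
  else
    curl -s -o /dev/null -w '%{http_code}' "$ES_URL/"
  fi
}

# Return 0 only if anonymous requests and the default password are rejected
# and, when ES_PASSWORD is set, the new elastic password is accepted.
check_lockdown() {
  rc=0
  anon=$(es_status)
  dflt=$(es_status "elastic:changeme")
  [ "$anon" = "401" ] || { echo "FAIL: anonymous request got $anon, expected 401"; rc=1; }
  [ "$dflt" = "401" ] || { echo "FAIL: elastic:changeme got $dflt, expected 401"; rc=1; }
  if [ -n "${ES_PASSWORD:-}" ]; then
    auth=$(es_status "elastic:$ES_PASSWORD")
    [ "$auth" = "200" ] || { echo "FAIL: new elastic password got $auth, expected 200"; rc=1; }
  fi
  return "$rc"
}

# Return 0 if a saved license response (file $1) announces that the new
# license switches X-Pack security off, as the response shown above does.
license_disables_security() {
  grep -q 'security functionality will be disabled' "$1"
}
```

Source the file and run `check_lockdown` once accept_default_password is back to false; a status of 200 for the anonymous request means the cluster is answering without authentication.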

云樾

Article author

2020-10-08