### This section covers

1. Search Guard permission settings
2. Managing the searchguard index
3. Configuring Kibana and Logstash

#### How Search Guard works

Search Guard is built from the following components:

- Users
- Roles
- Permissions (action groups)
- Global configuration

#### Configuration files (permission management)

It took me a long time to work out how these files relate to one another; the hardest part is the relationship between roles, users and permissions.

##### sg_internal_users.yml (key file)

Defines the user name, password and **the roles the user belongs to**. This database is used when there is no external authentication system such as LDAP.

Note that a role in this file does not define the relationship between a user and permissions. It assigns the user a role, which can be thought of as placing the user in a department (group). The link between users and permissions is defined in sg_roles_mapping.yml. A user can have several roles (a read role, a write role).

##### sg_roles_mapping.yml (key file)

Purpose 1: assign permissions to a specific user. This is typically a user that needs custom permissions (for example, access to one index only).

Purpose 2: assign permissions to a role (group). ELKStack權威指南 (2nd edition) defines base-level roles this way.

##### sg_roles.yml

Defines role names and the permissions each name grants, referencing the action groups defined in sg_action_groups.yml.

##### sg_action_groups.yml

Defines action groups; several permissions make up one action group.

##### sg_config.yml

Global settings (I did not configure this).

##### Scripts

sgadmin.sh

```shell
# Creates and updates the configuration stored in the searchguard index
```

hash.sh

```shell
# Generates the hashed password for internal users (who log in to ES and Kibana)
# Usage:
hash.sh -p 123456
```

install_demo_configuration.sh

```shell
# Generates demo data; not recommended
```

#### Default users

Users and permissions are preconfigured by default, and all of them use weak passwords. Delete all of the Example data and keep the test users. For demonstration purposes the users below are all given the same password, JnKtaCb1zKdr13I7; choose your own for production.

|Username|Password|Description|
| :------------: | :------------: | ------------|
|admin|admin|Full access to the cluster and all indices, but no access to the Search Guard configuration. Use an admin certificate for that.|
|kibanaserver|kibanaserver|Internal Kibana server user, for configuring elasticsearch.username and elasticsearch.password in kibana.yml. Has all permissions on the .kibana index.|
|kibanaro|kibanaro|Regular Kibana user, has READ access to all indices and all permissions on the .kibana index.|
|logstash|logstash|Logstash and Beats user, has CRUD and CREATE_INDEX permissions on all logstash and beats indices|
|readall|readall|Has read access to all indices|

##### Default permissions

|Role name|Description|
| :------------: | ------------ |
|sg_all_access|All cluster permissions and all index permissions on all indices|
|sg_readall|Read permissions on all indices, but no write permissions|
|sg_readonly_and_monitor|Read and monitor permissions on all indices, but no write permissions|
|sg_kibana_server|Role for the internal Kibana server user, please refer to the Kibana setup chapter for explanation|
|sg_kibana|Role for regular Kibana users, full access to the .kibana index and read permissions on all other indices.|
|sg_logstash|Role for logstash and beats users, grants full access to all logstash and beats indices.|
|sg_manage_snapshots|Grants full permissions on snapshots and repositories.|
|sg_own_index|Grants full permissions on an index named after the authenticated user’s username.|
|sg_monitor|Role for X-Pack Monitoring. Users who wish to use X-Pack Monitoring need this role in addition to the sg_kibana role|
|sg_alerting|Role for X-Pack Alerting. Users who wish to use X-Pack Alerting need this role in addition to the sg_kibana role|

#### Change the default passwords and create a new user

##### Custom user

|Username|Password|Description|
| :------------: | :------------: | ------------|
|dinghe|VpsnrgU5mrvQFLtK|Can only view the logstash-iislog indices|

Generate the strong-password hashes:

```shell
# Generate the hash for the default users' password
sh /usr/share/elasticsearch/plugins/search-guard-5/tools/hash.sh -p JnKtaCb1zKdr13I7
$2a$12$HOTSUMRfL1FBa68Z8opIQu.J43GlOoWZ1lu14hACRZkcc.TsRGatu
# Generate the hash for the custom user's password
sh /usr/share/elasticsearch/plugins/search-guard-5/tools/hash.sh -p VpsnrgU5mrvQFLtK
$2a$12$gWI0A0YZYY56Gccl5Cv1KOcpNrSodyCKgvDtxAN9N09iBE8d7guwG
```

Edit sg_internal_users.yml and set dinghe's role to ops:

```yaml
admin:
  hash: $2a$12$HOTSUMRfL1FBa68Z8opIQu.J43GlOoWZ1lu14hACRZkcc.TsRGatu
logstash:
  hash: $2a$12$HOTSUMRfL1FBa68Z8opIQu.J43GlOoWZ1lu14hACRZkcc.TsRGatu
kibanaserver:
  hash: $2a$12$HOTSUMRfL1FBa68Z8opIQu.J43GlOoWZ1lu14hACRZkcc.TsRGatu
kibanaro:
  hash: $2a$12$HOTSUMRfL1FBa68Z8opIQu.J43GlOoWZ1lu14hACRZkcc.TsRGatu
  roles:
    - kibanarole
readall:
  hash: $2a$12$HOTSUMRfL1FBa68Z8opIQu.J43GlOoWZ1lu14hACRZkcc.TsRGatu
dinghe:
  hash: $2a$12$gWI0A0YZYY56Gccl5Cv1KOcpNrSodyCKgvDtxAN9N09iBE8d7guwG
  roles:
    - ops
```

A further word on the admin user's permissions: although admin has full control over indices and can even delete the searchguard index, it cannot maintain or modify the data inside the searchguard index.

##### Configure permissions per role name: sg_roles.yml

Add the permissions you need:

```yaml
sg_kibana_iisindex:
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    'logstash-iislog-*':
      '*':
        - READ
        - indices:admin/mappings/fields/get*
    '?kibana':
      '*':
        - INDICES_ALL
```

Because Elasticsearch's internals are complex, I am keeping the permissions fairly broad for now; for example, the default readall permission can be given to view-only users. I will refine this once I understand Elasticsearch better.

##### Edit sg_roles_mapping.yml

Delete the Example entries and add:

```yaml
#sg_own_index:
#  users:
#    - '*'

sg_kibana_iisindex:
  backendroles:
    - ops

#sg_kibana_iisindex:
#  users:
#    - dinghe
```

Either of the two mapping styles above (by backend role or by user name) works; pick the one that fits. I consider sg_own_index to grant very broad permissions, so it is commented out.

##### (Example) Define an action group: sg_action_groups.yml

This is only an example, for reference. Since I do not yet understand Elasticsearch's internals and operations well, I have not configured it.

```yaml
KIBANA_SERVER:
  - "indices:admin/exists*"
  - "indices:admin/mapping/put*"
  - "indices:admin/mappings/fields/get*"
  - "indices:admin/refresh*"
  - "indices:admin/validate/query*"
  - "indices:data/read/get*"
  - "indices:data/read/mget*"
  - "indices:data/read/field_caps"
  - "indices:data/read/search*"
  - "indices:data/write/delete*"
  - "indices:data/write/index*"
  - "indices:data/write/update*"
```

sg_roles.yml

```yaml
sg_kibana:
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    '*':
      '*':
        - READ
    '?kibana':
      '*':
        - KIBANA_SERVER
```

Elasticsearch no longer publishes an up-to-date list of all permissions. The last known published list is [shield 2.1](https://www.elastic.co/guide/en/shield/2.1/reference.html#ref-actions-list "shield 2.1").

##### After the changes, update the searchguard index

```shell
sh /usr/share/elasticsearch/plugins/search-guard-5/tools/sgadmin.sh \
  -h 192.168.0.230 -p 9300 \
  -tspass siCPVLDYN2BwuYKo -kspass CNByuENniEtkHRfs \
  -cd /usr/share/elasticsearch/plugins/search-guard-5/sgconfig \
  -ks /etc/elasticsearch/admin-keystore.jks \
  -ts /etc/elasticsearch/truststore.jks \
  -nhnv -cn es-cluster
```

#### Configure Logstash

```yaml
output {
  if [type] == "iislog" {
    elasticsearch {
      hosts => ["192.168.0.231:9200"]
      index => "logstash-iislog-%{+YYYY.MM.dd}"
      user => "logstash"
      password => "JnKtaCb1zKdr13I7"
    }
  }
}
```

Once this is configured, you can test writing.

#### Configure Kibana

```yaml
elasticsearch.url: "http://192.168.0.230:9200"
elasticsearch.username: "kibanaserver"
elasticsearch.password: "JnKtaCb1zKdr13I7"
```

[Kibana user information](http://floragunncom.github.io/search-guard-docs/kibana.html "Kibana user information")

A few more words here: this configures the kibanaserver user. Kibana itself has no user login or authentication feature; this user is built into Search Guard and exists so that the Kibana front end can function normally.

##### Add user login to Kibana

[Download the matching search-guard-kibana-plugin release](https://github.com/floragunncom/search-guard-kibana-plugin/releases)

```shell
/usr/share/kibana/bin/kibana-plugin install file:///opt/searchguard-kibana-5.6.4-5.zip
```

After installation, restart Kibana and user login is available. If the ES cluster is not protected by Search Guard, Kibana will be unable to log in to the ES cluster.

### Summary

At this point the initial Search Guard deployment is complete. After two days of study, the main effort is in understanding the principles; the configuration itself is fairly simple.

#### Topics for further study

1. Using SSL/TLS to encrypt traffic between Kibana, Logstash and ES
2. Backup and restore
3. The performance impact of Search Guard
4. Kibana multi-tenancy: search-guard-module-kibana-multitenancy
5. LDAP integration
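
The user → backend role → Search Guard role → permission chain from the configuration-file section, resolved for the users configured in this post. This is an added example, not part of the original post or Search Guard's own code. The dictionaries are a constructed mirror of the YAML shown above, the function names are hypothetical, and the `sg_own_index` entry (including its `${user_name}` placeholder) is an assumption based on the default-roles table.

```python
from fnmatch import fnmatchcase

# Constructed mirror of the files configured above (not read from disk).
# sg_internal_users.yml: user -> backend roles
INTERNAL_USERS = {
    "admin": [], "logstash": [], "kibanaserver": [], "readall": [],
    "kibanaro": ["kibanarole"], "dinghe": ["ops"],
}
# sg_roles_mapping.yml: Search Guard role -> users / backend roles that receive it
ROLES_MAPPING = {"sg_kibana_iisindex": {"backendroles": ["ops"]}}
# sg_roles.yml: Search Guard role -> index pattern -> permissions
ROLES = {
    "sg_kibana_iisindex": {
        "logstash-iislog-*": ["READ", "indices:admin/mappings/fields/get*"],
        "?kibana": ["INDICES_ALL"],
    },
    # Assumption: modelled on the default-roles table ("an index named after
    # the authenticated user's username"); the placeholder syntax is assumed.
    "sg_own_index": {"${user_name}": ["INDICES_ALL"]},
}

def effective_roles(user, mapping=ROLES_MAPPING):
    """Search Guard roles a user receives by name or via a backend role."""
    backend = set(INTERNAL_USERS[user])
    roles = set()
    for role, who in mapping.items():
        by_user = any(fnmatchcase(user, p) for p in who.get("users", []))
        by_backend = bool(backend & set(who.get("backendroles", [])))
        if by_user or by_backend:
            roles.add(role)
    return roles

def index_permissions(user, index, mapping=ROLES_MAPPING):
    """Permissions the user's roles grant on one concrete index name."""
    granted = set()
    for role in effective_roles(user, mapping):
        for pattern, perms in ROLES.get(role, {}).items():
            if fnmatchcase(index, pattern.replace("${user_name}", user)):
                granted.update(perms)
    return granted

if __name__ == "__main__":
    for idx in ("logstash-iislog-2017.12.01", "logstash-syslog-2017.12.01", ".kibana"):
        print("dinghe", idx, sorted(index_permissions("dinghe", idx)))
    # Same check with the sg_own_index mapping left enabled for every user.
    enabled = dict(ROLES_MAPPING, sg_own_index={"users": ["*"]})
    print("readall", sorted(effective_roles("readall", enabled)))
```

The last call shows why leaving the `sg_own_index` mapping with `users: '*'` matters: every internal user, including ones with no backend role, picks up that role.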