
Installation and configuration steps of Shield

2025-01-15 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01

This article covers the installation and configuration steps for Shield.

I. Brief introduction

Shield is a plug-in for Elasticsearch that helps secure your Elasticsearch cluster.

Functions of Shield:

1. User authentication

2. SSL/TLS encrypted authentication

3. Audit

II. Installation

I use Shield version 1.3.

Install the Elasticsearch cluster.

Shield needs a license, so we can only install and use it on offline machines.

a. Download license: https://download.elastic.co/elasticsearch/license/license-latest.zip

    [root@hftclclw0001 usr]# pwd
    /usr
    [root@hftclclw0001 usr]# wget https://download.elastic.co/elasticsearch/license/license-latest.zip
    ......

b. Download shield: https://download.elastic.co/elasticsearch/shield/shield-latest.zip

    [root@hftclclw0001 usr]# pwd
    /usr
    [root@hftclclw0001 usr]# wget https://download.elastic.co/elasticsearch/shield/shield-latest.zip
    ......

c. Install license and shield

Note that /usr/share/elasticsearch/ is the Elasticsearch installation directory and file:// is the protocol prefix for local files.

    [root@hftclclw0001 usr]# /usr/share/elasticsearch/bin/plugin -i license -u file:///usr/license-latest.zip
    ......
    [root@hftclclw0001 usr]# /usr/share/elasticsearch/bin/plugin -i shield -u file:///usr/shield-latest.zip
    ......

Verification:

    [root@hftclclw0001 usr]# ll /usr/share/elasticsearch/plugins/
    ...
    license
    shield
    ...
    [root@hftclclw0001 usr]# curl -XGET '

=> The cluster is inaccessible at this point; authentication is required.

First create an administrator:

    [root@hftclclw0001 plugins]# /usr/share/elasticsearch/bin/shield/esusers useradd es_admin -r admin
    ...
    [root@hftclclw0001 usr]# curl -XGET -u es_admin:{passwd} 'http://{ip}:9200/'

III. Message authentication (Enable Message Authentication)

https://www.elastic.co/guide/en/shield/shield-1.3/enable-message-authentication.html

Message authentication verifies that a message has not been tampered with during transmission.

1. Generate the key

    [root@hftclclw0001 shield]# /usr/share/elasticsearch/bin/shield/syskeygen
    ...

This generates ES_HOME/config/shield/system_key; the path can be set with shield.system_key.file in elasticsearch.yml.

2. Copy the key to every other node. The key must be the same on every node.
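An added example (not part of the original article) for the key copy step: it flags nodes whose system_key hash differs from the first node's, and key files that are accessible to group or others. The function names and the "node hash" input format are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article). Function names and the
# "node hash" input format are assumptions of this example.

# Read "node sha256" pairs on stdin (for instance the output of
# `sha256sum $ES_HOME/config/shield/system_key` collected from each node).
# Print every node whose hash differs from the first node's; return 1 if any does.
key_mismatches() {
    awk 'NF < 2    { next }
         !seen     { ref = $2; seen = 1; next }
         $2 != ref { print $1; bad = 1 }
         END       { exit bad + 0 }'
}

# Print each given file that grants any permission to group or others.
# Return 1 if at least one such file was found.
loose_modes() {
    rc=0
    for f in "$@"; do
        # Characters 5-10 of the ls mode string are the group and other bits.
        if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
            echo "$f"
            rc=1
        fi
    done
    return $rc
}
```

Run `loose_modes` on each node against system_key, and feed `key_mismatches` one line per node.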

IV. User authentication configuration (Setting Up User Authentication)

To access restricted resources, a user must provide authentication information, such as a password.

1. esusers

esusers is the authentication method built into Shield.

https://www.elastic.co/guide/en/shield/shield-1.3/esusers.html

https://www.elastic.co/guide/en/shield/shield-1.3/_managing_users_in_an_esusers_realm.html

Add a user (Adding Users):

    [root@hftclclw0001 plugins]# /usr/share/elasticsearch/bin/shield/esusers useradd test_1

This prompts you to enter the password.

    [root@hftclclw0001 plugins]# /usr/share/elasticsearch/bin/shield/esusers useradd test_1 -p test_1

This creates a user test_1 whose password is test_1. A password given with -p is recorded in shell history and visible in the process list, so the interactive prompt is preferable outside of tests.

    [root@hftclclw0001 plugins]# /usr/share/elasticsearch/bin/shield/esusers list
    # [userid] : [roleid]
    ...
    test_1 : -
    ...

The default role is -, which has no permissions. Roles and permissions are explained later.

Change a user's password (Managing User Passwords):

    [root@hftclclw0001 plugins]# /usr/share/elasticsearch/bin/shield/esusers passwd test_1 -p test_1

2. Role-based access control

https://www.elastic.co/guide/en/shield/shield-1.3/configuring-rbac.html

Define roles (Defining Roles) in roles.yml:

    [root@hftclclw0001 shield]# pwd
    /etc/elasticsearch/shield
    [root@hftclclw0001 shield]# ll
    total 36
    -rwxr-xr-x 1 elasticsearch elasticsearch 1119 Nov 9 05:21 logging.yml
    -rw------- 1 elasticsearch elasticsearch 1119 Nov 9 06:28 logging.yml.new
    -rwxr-xr-x 1 elasticsearch elasticsearch 473 Nov 9 05:21 role_mapping.yml
    -rw------- 1 elasticsearch elasticsearch 473 Nov 9 06:28 role_mapping.yml.new
    -rwxr-xr-x 1 elasticsearch elasticsearch 2634 Nov 12 09:06 roles.yml        => role-to-permission mapping
    -rw------- 1 elasticsearch elasticsearch 2699 Nov 9 06:28 roles.yml.new
    -rw------- 1 elasticsearch elasticsearch 128 Nov 12 08:24 system_key.new
    -rwxr-xr-x 1 elasticsearch elasticsearch 410 Nov 12 09:02 users            => user information
    -rw------- 1 elasticsearch elasticsearch 0 Nov 9 06:28 users.new
    -rwxr-xr-x 1 elasticsearch elasticsearch 85 Nov 12 09:02 users_roles       => user-to-role mapping
    -rw------- 1 elasticsearch elasticsearch 0 Nov 9 06:28 users_roles.new
    [root@hftclclw0001 shield]#

The default roles are: admin, power_user, user, ...

eg1: Create a user test_logstash that can only access the logstash-* indices.

1. Create the role

    [root@hftclclw0001 shield]# vi /etc/elasticsearch/shield/roles.yml
    ...
    logstash_user:
      cluster: all
      indices:
        # => read permission
        'logstash-*': indices:data/read/search, indices:data/read/get, indices:admin/get
    ...

Note that cluster: all grants all cluster-level privileges; only index access is limited to logstash-*.

2. Create a user and assign the role

    [root@hftclclw0001 shield]# /usr/share/elasticsearch/bin/shield/esusers useradd test_logstash -p test_logstash -r logstash_user

3. Check in the web UI or a terminal whether the user can access the logstash-* indices, whether it can write, and whether it can access others.
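An added example (not part of the original article) that automates the check in step 3 for the test_logstash user. The variables ES_URL, ES_USER and ES_PASS, the probe index names and the expected status codes (200 when allowed, 403 when denied) are assumptions of this example, and at least one logstash-* index is assumed to exist.

```shell
#!/bin/sh
# Added example (not from the original article). ES_URL, ES_USER, ES_PASS and
# the probe index names are assumptions; set CURL to override the curl binary.

# Print the HTTP status of one request. Credentials are passed as a curl
# config on stdin (-K -) so the password stays out of the process list.
# A password containing '"' or '\' would need escaping for the config syntax.
probe() {  # usage: probe METHOD PATH [BODY]
    method=$1 path=$2 body=${3-}
    set -- -s -o /dev/null -w '%{http_code}' -K - -X "$method"
    if [ -n "$body" ]; then set -- "$@" -d "$body"; fi
    printf 'user = "%s:%s"\n' "$ES_USER" "$ES_PASS" |
        ${CURL:-curl} "$@" "$ES_URL$path"
}

# Run one probe and compare its status with the expected one.
expect() {  # usage: expect WANT LABEL METHOD PATH [BODY]
    want=$1 label=$2
    shift 2
    got=$(probe "$@")
    if [ "$got" = "$want" ]; then
        echo "PASS $label ($got)"
    else
        echo "FAIL $label: got $got, want $want"
        return 1
    fi
}

# Expected for logstash_user: read on logstash-* allowed, everything else denied.
# If the role is too broad, the write probe creates one document in logstash-probe.
check_logstash_role() {
    rc=0
    expect 200 'read logstash-*' GET '/logstash-*/_search' || rc=1
    expect 403 'write logstash-*' PUT '/logstash-probe/doc/1' '{"probe":true}' || rc=1
    expect 403 'read other index' GET '/other-probe/_search' || rc=1
    return $rc
}
```

Call it as `ES_URL=http://{ip}:9200 ES_USER=test_logstash ES_PASS=... check_logstash_role`; a FAIL line on either 403 probe means the role grants more than intended.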
