Adding Shield access control to ES

I. Installing Shield

1. Set up an ElasticSearch cluster, say 10 nodes.
2. Install the ES license plugin. Shield is commercial software and depends on it; without the license plugin Shield cannot be enabled: bin/plugin install license
3. Install the Shield plugin: bin/plugin install shield
4. For an offline installation, download the plugin package and then run: bin/plugin install file:///path/to/file/license-2.3.4.zip
That is all there is to installing the software; it is simple.

II. Configuration file and local authentication, so the whole cluster supports Shield

1. Use bin/shield/syskeygen to generate the system key file at its default path: CONFIG_DIR/shield/system_key
2. Copy the system_key file to the same path on every other node. If you change that path, specify it in elasticsearch.yml: shield.system_key.file: /path/system_key
3. Configure the authentication types as native and file realms by adding the following to elasticsearch.yml:

```yaml
# Both realms live under the single shield.authc.realms key: repeating the
# top-level "shield:" key twice in elasticsearch.yml is a duplicate-key error,
# and each realm needs a distinct order so the lookup sequence is defined.
shield:
  authc:
    realms:
      native1:
        type: native
        order: 0
      file1:
        type: file
        order: 1
```

Shield also supports LDAP, Active Directory, PKI and other methods; see the manual for details. The author does not recommend them, because authentication costs performance, and the more complex the authentication method, the more it costs. This is big data, after all, and performance comes first.
4. Enable the audit log. It records every user's operations, which is quite useful, but of course it also costs performance, so choose this feature carefully.

```yaml
shield.audit.enabled: true
shield.audit.outputs: [index, logfile]
```

Output methods: index creates an index in the cluster named like .shield_audit_log-2016.07.12, one per day, which is disgusting :sweat:
logfile: creates an access log file in the ES logs directory. The log format can also be customized (see the manual), but the default is generally enough.
5. Restart elasticsearch. Shield is now installed; next come its users, roles and privileges.
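The logfile audit output is where failed logins and denied actions end up, so it is worth reading programmatically. The following is an added example (not code from the original post) that parses lines in the Shield 2.x logfile audit layout (`[timestamp] [node] [layer] [event_type] key=[value], ...`), counts authentication failures per source address, and lists access_denied events, which usually mean either a role that is too narrow or a user probing for privileges it does not have. The sample lines are constructed, and the exact attribute set per event type is an assumption based on that layout.

```python
import re
from collections import Counter

# Constructed sample lines following the Shield 2.x logfile audit layout.
# The attributes present vary by event type (assumption based on the layout).
SAMPLE_AUDIT_LINES = """\
[2016-07-12 09:00:01,101] [node-1] [rest] [authentication_failed] origin_address=[10.0.0.7], principal=[es_admin], uri=[/_cluster/health]
[2016-07-12 09:00:02,204] [node-1] [rest] [authentication_failed] origin_address=[10.0.0.7], principal=[es_admin], uri=[/_cluster/health]
[2016-07-12 09:00:03,310] [node-1] [rest] [authentication_failed] origin_address=[10.0.0.7], principal=[es_admin], uri=[/_cluster/health]
[2016-07-12 09:00:04,412] [node-1] [rest] [authentication_failed] origin_address=[10.0.0.7], principal=[admin], uri=[/_cluster/health]
[2016-07-12 09:00:09,518] [node-1] [transport] [access_denied] origin_type=[rest], origin_address=[10.0.0.9], principal=[log_reader], action=[indices:admin/delete], indices=[logs-2016.07.12]
[2016-07-12 09:00:10,620] [node-1] [transport] [access_granted] origin_type=[rest], origin_address=[10.0.0.9], principal=[log_reader], action=[indices:data/read/search], indices=[logs-2016.07.12]
[2016-07-12 09:00:11,700] [node-2] [rest] [authentication_failed] origin_address=[10.0.0.8], principal=[ironman], uri=[/_search]
"""

# Fixed prefix: four bracketed fields, then a free-form attribute list.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<node>[^\]]+)\] \[(?P<layer>[^\]]+)\] "
    r"\[(?P<event>[^\]]+)\](?P<attrs>.*)$"
)
# Attributes are written as key=[value]; values never contain ']'.
ATTR_RE = re.compile(r"(\w+)=\[([^\]]*)\]")


def parse_line(line):
    """Return a dict for one audit line, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "node", "layer", "event")}
    rec.update(ATTR_RE.findall(m.group("attrs")))  # list of (key, value) pairs
    return rec


def parse_audit(text):
    """Parse a whole log file's text, skipping lines that do not fit the layout."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def failed_auth_by_source(records):
    """Count authentication_failed events per origin address."""
    counts = Counter()
    for r in records:
        if r["event"] == "authentication_failed":
            counts[r.get("origin_address", "?")] += 1
    return counts


def flag_sources(records, threshold=3):
    """Addresses with at least `threshold` failed authentications: a credential-guessing signal."""
    return sorted(a for a, n in failed_auth_by_source(records).items() if n >= threshold)


def denied_actions(records):
    """(principal, action, indices) for every access_denied event."""
    return [(r.get("principal"), r.get("action"), r.get("indices"))
            for r in records if r["event"] == "access_denied"]


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT_LINES)
    print("failed auth per source:", dict(failed_auth_by_source(recs)))
    print("flagged sources:", flag_sources(recs))
    print("denied:", denied_actions(recs))
```

Run it against the real file in the ES logs directory by replacing `SAMPLE_AUDIT_LINES` with the file contents; the threshold in `flag_sources` is the knob to tune against how noisy your own clients are.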

III. Adding users and roles

1. Add a local user:  
    The system ships with three roles available by default:  
(1) admin
Can perform any cluster or index action.
(2) power_user
Can monitor the cluster and perform any index action.
(3) user
Can perform read actions on any index.

```shell
bin/shield/esusers useradd es_admin -r admin
```
Then access the cluster as that user:
```shell
curl -u es_admin -XGET 'http://localhost:9200/'
```
Add the local user on every node, since file-realm users are used for basic authentication per node.

2. Add cluster users and roles:
Add a user:

```
POST /_shield/user/ironman
{
  "password" : "j@rV1s",
  "roles" : [ "admin", "other_role1" ],
  "full_name" : "Tony Stark",
  "email" : "tony@starkcorp.co",
  "metadata" : {
    "intelligence" : 7
  }
}
```

View the user:
```
GET /_shield/user/ironman
GET /_shield/authenticate
```
Delete the user:
```
DELETE /_shield/user/ironman
```

Add a role:

```
POST /_shield/role/my_admin_role
{
  "cluster": ["all"],
  "indices": [
    {
      "names": [ "index1", "index2" ],
      "privileges": ["all"],
      "fields": [ "title", "body" ], // optional
      "query": "{\"match\": {\"title\": \"foo\"}}" // optional
    }
  ],
  "run_as": [ "other_user" ] // optional
}
```

View roles:
```
GET /_shield/role
```

Delete the role:
```
DELETE /_shield/role/my_admin_role
```
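The role and user APIs of this section, worked through as an added Python example (not code from the original post): it builds a read-only role restricted to an index pattern, a field list and a document-level query (the `fields` and `query` options shown above), creates a user holding only that role, and then calls `/_shield/authenticate` as that user to confirm the grant took effect. The node URL, the `es_admin` password, the role and user names, the passwords and the `logs-*` index pattern are placeholders and assumptions; the request bodies and paths are the ones documented on this page.

```python
import base64
import json
from urllib.request import Request, urlopen

ES_URL = "http://localhost:9200"            # assumption: a local node with Shield enabled
ADMIN, ADMIN_PW = "es_admin", "CHANGE_ME"    # the file-realm admin from step 1; placeholder password


def basic_auth_header(user, password):
    """HTTP Basic credentials in the form Shield expects: base64(user:password)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + token, "Content-Type": "application/json"}


def read_only_role(index_patterns, fields=None, query=None):
    """A role with no cluster privileges and only 'read' on the given indices.
    fields/query narrow it further (field- and document-level restrictions)."""
    grant = {"names": list(index_patterns), "privileges": ["read"]}
    if fields:
        grant["fields"] = list(fields)
    if query:
        grant["query"] = json.dumps(query)   # the role API takes the query as a JSON string
    return {"cluster": [], "indices": [grant]}


def user_body(password, roles, full_name=None):
    """Body for POST /_shield/user/<name>; only the fields this page documents."""
    body = {"password": password, "roles": list(roles)}
    if full_name:
        body["full_name"] = full_name
    return body


def plan(role_name, role, user_name, password, full_name=None):
    """Ordered REST calls as (method, path, headers, body): create the role and the
    user with admin credentials, then authenticate as the new user to verify."""
    admin_hdr = basic_auth_header(ADMIN, ADMIN_PW)
    return [
        ("POST", f"/_shield/role/{role_name}", admin_hdr, role),
        ("POST", f"/_shield/user/{user_name}", admin_hdr,
         user_body(password, [role_name], full_name)),
        ("GET", "/_shield/authenticate", basic_auth_header(user_name, password), None),
    ]


def execute(calls, opener=urlopen, base_url=ES_URL):
    """Send each planned call and return the decoded JSON responses in order."""
    results = []
    for method, path, headers, body in calls:
        data = json.dumps(body).encode("utf-8") if body is not None else None
        req = Request(base_url + path, data=data, headers=headers, method=method)
        with opener(req) as resp:
            results.append(json.loads(resp.read().decode("utf-8")))
    return results


if __name__ == "__main__":
    # Placeholder names and values; the query restricts the analyst to documents tagged team=soc.
    role = read_only_role(["logs-*"], fields=["@timestamp", "message"],
                          query={"term": {"team": "soc"}})
    calls = plan("soc_reader", role, "soc_analyst", "CHANGE_ME_TOO", "SOC analyst")
    for response in execute(calls):
        print(json.dumps(response))
```

The last response is the `/_shield/authenticate` result for the new user; its `roles` list should contain only the new role, which is the quickest check that the user did not inherit `admin` by mistake. `execute` takes the opener as a parameter so the planned calls can be inspected or replayed without a live cluster.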

IV. Privilege reference

Cluster Privileges
all

All cluster operations, like snapshotting, node shutdown/restart, settings update, rerouting, or managing security

monitor

All cluster read-only operations, like cluster health & state, hot threads, node info, node & cluster stats, snapshot/restore status, pending cluster tasks

manage

Builds on monitor and adds cluster operations that change values in the cluster. This includes snapshotting, updating settings, and rerouting. This privilege does not include the ability to manage security.

manage_security

All security related operations such as CRUD operations on users and roles and cache clearing

manage_index_templates

All operations on index templates

transport_client

All privileges necessary for a transport client to connect

Indices Privileges
all

Any action on an index

manage

All monitor privileges plus index administration (aliases, analyze, cache clear, close, delete, exists, flush, mapping, open, force merge, refresh, settings, search shards, templates, validate, warmers)

monitor

All actions that are required for monitoring and are read-only (recovery, segments info, index stats & status)

read

Read-only access to actions (count, explain, get, mget, get indexed scripts, more like this, multi percolate/search/termvector, percolate, scroll, clear_scroll, search, suggest, tv)

index

Privilege to index and update documents

create

Privilege to index documents

delete

Privilege to delete documents

write

Privilege to perform all write operations on documents, including the ability to index, update, and delete documents as well as perform bulk operations. If write is granted on the .scripts index, it includes the ability to put and delete indexed scripts.

delete_index

Privilege to delete an index

create_index

Privilege to create an index. A create index request may contain aliases to be added to the index once created. In that case the request requires the manage privilege as well, on both the index and the aliases names.

V. Cracking the license limit

**Shield is the commercial version, reportedly 1600 US dollars per cluster per year. So expensive, though for the wealthy it does not matter.**

If the license expires, the only thing that happens is: "Cluster health, cluster stats and indices stats operations are blocked on shield license expiration."

Fortunately the code is simple and was not compiled with obfuscation. Looking at the code, removing the expiry check not only cracks it but also greatly improves performance.
The class to modify: org.elasticsearch.shield.action.ShieldActionFilter
The method to modify:

```java
public void apply(Task task, String action, ActionRequest request, ActionListener listener,
            ActionFilterChain chain)

//      if ((!(this.licenseState.statsAndHealthEnabled())) && (LICENSE_EXPIRATION_ACTION_MATCHER.apply(action))) {
//          this.logger.error(
//                  "blocking [{}] operation due to expired license. Cluster health, cluster stats and indices stats \noperations are blocked on shield license expiration. All data operations (read and write) continue to work. \nIf you have a new license, please update it. Otherwise, please reach out to your support contact.",
//                  new Object[] { action });
//
//          throw LicenseUtils.newComplianceException("shield");
//      }
```
Comment out the code above.
If that still is not fast enough and you would rather not verify during bulk requests, you can also add the following statements so that bulk requests skip verification, to improve performance:
```java
try {
            if (this.licenseState.securityEnabled()) {
                if (action.indexOf("bulk")>=0){
                    chain.proceed(task, action, request, new SigningListener(this, listener));
                    return;
                }
```