Official documentation
https://docs.search-guard.com/v5/index
Installing the plugin is actually similar to the sql and ik plugins: just copy the unzipped directory into plugins. My earlier attempts kept failing mainly because certificate generation went wrong, so the nodes could not talk to each other or the searchguard index could not be created.
The TLS Setup chapter on the official site describes online generation, offline generation and generation with the PKI scripts. Online generation currently works for me, but its drawback is that it provides at most 10 node certificates.
Online generation
Different nodes may use the same certificate.
Choose the matching version
Online installation
bin/elasticsearch-plugin install -b com.floragunn:search-guard-5:5.4.0-15
Offline installation
Download the package
1. Installation with the plugin tool (an absolute path must follow file://)
bin/elasticsearch-plugin install -b file:///home/acer/文檔/search-guard-5-5.4.0-15.zip
2. Manual installation
As with the ik analyzer: unzip the package, move it into the plugins directory and rename it.
Generating certificates online
I used this method; it is very simple: enter your email address and company name, choose your country, and the certificates are sent to your mailbox, ready to use as they are.
Generating certificates offline
Copy the certificate files:
- truststore.jks into config
- truststore.jks into plugins/search-guard-5/tools
- client-certificates/CN=sgadmin-keystore.jks into plugins/search-guard-5/tools (sgadmin.sh is run from there)
Configure elasticsearch.yml
searchguard.ssl.transport.keystore_filepath: CN=esnode1-keystore.jks
searchguard.ssl.transport.keystore_password: 5ce632ba362ee2a5ac3b
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: 15dcc23ef5dd7480af83
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: CN=esnode1-keystore.jks
searchguard.ssl.http.keystore_password: 5ce632ba362ee2a5ac3b
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.truststore_password: 15dcc23ef5dd7480af83
searchguard.authcz.admin_dn:
- CN=sgadmin
Initialization
Restart the cluster
Run the initialization on any node
cd plugins/search-guard-5/tools/
./sgadmin.sh -ts truststore.jks -tspass 15dcc23ef5dd7480af83 -ks CN=sgadmin-keystore.jks -kspass 0b32aeaedda173bc9870 -cn es-cluster -nhnv -cd ../sgconfig/ -h esnode1
- -cn: the cluster name (es-cluster here)
- -h: the hostname of the node to connect to (esnode1 here)
Verification
https://ip:9200
Username: admin, password: admin
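Checking the node from a script, as an added example that is not part of the original post or of the Search Guard project: instead of accepting whatever certificate the node presents, it trusts only the CA that issued the node certificates, keeps hostname verification on and authenticates with the same admin/admin credentials. The function names, the root-ca.pem file name and the esnode1 hostname are assumptions; the post only shows the JKS truststore, so the CA is assumed to also be available as a PEM file.

```python
"""Verify a Search Guard node over HTTPS with real certificate checks.

Added example, not from the post or the Search Guard project. Assumptions:
the CA that issued the node certificates is available as a PEM file
(root-ca.pem is a placeholder name; the post only shows truststore.jks),
and the node certificate carries the hostname you connect to.
"""
import base64
import json
import ssl
import urllib.request


def basic_auth_header(user, password):
    """Build the HTTP Basic Authorization header value for user:password."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")
    return "Basic " + token


def make_ssl_context(cafile=None):
    """TLS context that requires a valid chain to `cafile` and a matching hostname.

    With cafile=None the system CA bundle is used, which will not trust the
    generated Search Guard CA; pass the bundle's root CA PEM in practice.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True          # reject a node cert issued for another host
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def build_request(base_url, user, password, path="/"):
    """Authenticated GET request for base_url + path ('/' is what the post checks)."""
    req = urllib.request.Request(base_url.rstrip("/") + path)
    req.add_header("Authorization", basic_auth_header(user, password))
    return req


def check_node(base_url, user, password, cafile, path="/"):
    """Return the decoded JSON body, or raise on TLS, hostname or auth failure."""
    ctx = make_ssl_context(cafile)
    req = build_request(base_url, user, password, path)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholders: replace with a node name from your cluster and the CA PEM path
    info = check_node("https://esnode1:9200", "admin", "admin", "root-ca.pem")
    print(json.dumps(info, indent=2))
```

A failed handshake, a certificate issued for a different hostname or wrong credentials all raise instead of silently returning data, which is the behaviour you want from a post-install check.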
Adjustments for the head plugin
Configure elasticsearch.yml (YAML needs a space after the colon, otherwise the whole line is read as one string and the setting is ignored)
http.cors.allow-headers: Authorization,X-Requested-With,Content-Length,Content-Type
Request format (the head URL with the credentials, then the cluster address to connect to)
ip:12316/?auth_user=admin&auth_password=admin
https://ip:9200
Client adjustments
Download the jar package
https://search-guard.com/searchguard-elasicsearch-transport-clients/
import java.net.InetAddress;
import java.net.UnknownHostException;

import org.elasticsearch.action.admin.cluster.node.info.NodesInfoRequest;
import org.elasticsearch.action.get.GetResponse;
import org.elasticsearch.client.transport.TransportClient;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.InetSocketTransportAddress;
import org.elasticsearch.transport.client.PreBuiltTransportClient;

import com.floragunn.searchguard.ssl.SearchGuardSSLPlugin;

// Class wrapper and imports added around the post's main method
public class SearchGuardClientDemo {

    public static void main(String[] args) throws UnknownHostException {
        // Keystore and truststore paths are resolved relative to path.conf
        Settings settings = Settings.builder()
                .put("path.home", ".")
                .put("path.conf", "E:\\workspace_idea\\es_test\\src\\main\\resources")
                .put("cluster.name", "es-cluster")
                .put("searchguard.ssl.transport.enabled", true)
                .put("searchguard.ssl.transport.keystore_filepath", "sgadmin-keystore.jks")
                .put("searchguard.ssl.transport.truststore_filepath", "truststore.jks")
                .put("searchguard.ssl.http.keystore_password", "password")
                .put("searchguard.ssl.http.truststore_password", "password")
                .put("searchguard.ssl.transport.keystore_password", "password")
                .put("searchguard.ssl.transport.truststore_password", "password")
                .put("searchguard.ssl.transport.enforce_hostname_verification", false)
                .build();
        // Register the Search Guard SSL plugin so the transport client talks TLS on port 9300
        TransportClient client = new PreBuiltTransportClient(settings, SearchGuardSSLPlugin.class)
                .addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName("esnode1"), 9300))
                .addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName("esnode2"), 9300))
                .addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName("esnode3"), 9300));
        // Round trip that fails fast if the TLS handshake or node discovery is broken
        client.admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet();
        // Fetch a document
        GetResponse response = client.prepareGet("test", "name", "1").execute().actionGet();
        // Print the result
        System.out.println(response.getSourceAsString());
        // Close the client
        client.close();
    }
}
View the certificate DN
keytool -printcert -file spock.crt.pem
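Cross-checking the elasticsearch.yml settings against the sgadmin certificate, as an added example that is not part of the post or of the Search Guard project: it parses the flat settings shown in the configuration section (only the key: value and "- item" subset the post uses, so no PyYAML is needed), reads the subject DN from the Owner: line of the keytool -printcert output above, and reports the kinds of mistakes that block sgadmin.sh and the head plugin: a missing setting, an admin_dn that does not match the certificate subject, a key written without a space after the colon, and HTTP TLS left off. The sample config and the keytool output are constructed; the file-existence check runs only when a config directory is passed.

```python
"""Sanity-check Search Guard settings in elasticsearch.yml against the sgadmin certificate.

Added example, not from the post or the Search Guard project. Parses only the
flat `key: value` / `key:` + `- item` subset used in the post (no PyYAML) and
reads the subject DN from `keytool -printcert` output. Sample inputs are constructed.
"""
import os

REQUIRED_KEYS = (
    "searchguard.ssl.transport.keystore_filepath",
    "searchguard.ssl.transport.keystore_password",
    "searchguard.ssl.transport.truststore_filepath",
    "searchguard.ssl.transport.truststore_password",
    "searchguard.authcz.admin_dn",
)


def parse_flat_yaml(text):
    """Parse `key: value` lines and `- item` lists that follow a bare `key:` line."""
    settings, current_list = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- ") and current_list is not None:
            settings[current_list].append(line[2:].strip())
            continue
        key, sep, rest = line.partition(":")
        if not sep:
            raise ValueError("not a 'key: value' line: %r" % raw)
        if rest and not rest[0].isspace():
            # 'key:value' is one scalar to YAML, so the setting is silently ignored
            raise ValueError("missing space after ':' in %r" % raw)
        key, value = key.strip(), rest.strip()
        if value:
            settings[key], current_list = value, None
        else:
            settings[key], current_list = [], key
    return settings


def parse_keytool_owner(printcert_output):
    """Return the subject DN from the `Owner:` line of `keytool -printcert -file ...`."""
    for line in printcert_output.splitlines():
        if line.strip().startswith("Owner:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no 'Owner:' line in keytool output")


def normalise_dn(dn):
    """Drop the spacing around commas so 'CN=a, O=b' and 'CN=a,O=b' compare equal."""
    return ",".join(part.strip() for part in dn.split(","))


def check_config(settings, sgadmin_owner_dn, config_dir=None):
    """Return a list of findings; an empty list means the settings look consistent."""
    findings = []
    for key in REQUIRED_KEYS:
        if key not in settings:
            findings.append("missing %s" % key)
    admin_dns = settings.get("searchguard.authcz.admin_dn", [])
    if isinstance(admin_dns, str):
        findings.append("searchguard.authcz.admin_dn must be a list ('- CN=...'), not a scalar")
        admin_dns = [admin_dns]
    if admin_dns and normalise_dn(sgadmin_owner_dn) not in map(normalise_dn, admin_dns):
        # Search Guard compares the full subject DN, so 'CN=sgadmin' alone will not
        # match a certificate whose subject also carries OU/O/L/C parts
        findings.append("admin_dn %s does not match the sgadmin certificate subject '%s'"
                        % (admin_dns, sgadmin_owner_dn))
    if settings.get("searchguard.ssl.http.enabled", "false").lower() != "true":
        findings.append("searchguard.ssl.http.enabled is not true: port 9200 stays plaintext")
    if settings.get("searchguard.ssl.transport.enforce_hostname_verification", "true").lower() == "false":
        findings.append("warning: transport hostname verification is disabled")
    if config_dir:
        for key, value in settings.items():
            if key.endswith("_filepath") and not os.path.exists(os.path.join(config_dir, value)):
                findings.append("%s: %s not found under %s" % (key, value, config_dir))
    return findings


# Constructed sample: the settings from the post with placeholder passwords
SAMPLE_YAML = """
searchguard.ssl.transport.keystore_filepath: CN=esnode1-keystore.jks
searchguard.ssl.transport.keystore_password: example-keystore-pass
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: example-truststore-pass
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.authcz.admin_dn:
- CN=sgadmin
"""

# Constructed keytool -printcert outputs: one matching the config, one with a longer subject
KEYTOOL_MATCH = "Owner: CN=sgadmin\nIssuer: CN=Example Root CA\nSerial number: 1\n"
KEYTOOL_LONGER = "Owner: CN=sgadmin, OU=client, O=client, L=test, C=de\nIssuer: CN=Example Root CA\n"

if __name__ == "__main__":
    settings = parse_flat_yaml(SAMPLE_YAML)
    for label, output in (("matching cert", KEYTOOL_MATCH), ("longer subject", KEYTOOL_LONGER)):
        print(label, check_config(settings, parse_keytool_owner(output)) or "OK")
```

Run it with the real elasticsearch.yml text and the output of keytool -printcert for the sgadmin keystore's certificate; an admin_dn mismatch here is the same condition that makes sgadmin.sh refuse to write the searchguard index.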