How to secure your Elasticsearch cluster with Kerberos | Elastic Blog
Engineering


Elasticsearch 6.4 adds Kerberos as an authentication realm. Kerberos is the standard single sign-on protocol in many enterprise networks, and this post walks through how to configure the Elastic Stack so that a Kerberos user can authenticate to Elasticsearch over HTTP with a Kerberos ticket instead of a password.

Meet Alice, a user who wants to work with Elasticsearch. Alice has an account in the Kerberos realm DEMO.LOCAL, and all of the machines involved live in the DNS domain demo.local. The walkthrough uses MIT Kerberos; installing and configuring the MIT Kerberos KDC itself is not covered here. Three machines are involved:

  • Machine 1 (kdc.demo.local): the Kerberos Key Distribution Center (KDC).
  • Machine 2 (es.demo.local): the Elasticsearch node. For simplicity a single node is used.
  • Machine 3 (client.demo.local): the machine from which Alice accesses Elasticsearch.

[Figure: simple Elasticsearch Kerberos deployment with the KDC, the Elasticsearch node and the client]

Kerberos authentication flow

1. Alice (alice@DEMO.LOCAL) logs in on the client machine (client.demo.local).
2. The client obtains a ticket-granting ticket (TGT) for Alice from the KDC (kdc.demo.local).
3. Alice sends a request to Elasticsearch at https://es.demo.local:9200. The request carries no credentials, so Elasticsearch answers with HTTP 401 Unauthorized and the header WWW-Authenticate: Negotiate.
4. Using the TGT, the client asks the KDC for a service ticket (TGS) for the Elasticsearch service principal HTTP/es.demo.local@DEMO.LOCAL and repeats the request to the same URL, this time with the ticket in an Authorization: Negotiate header.
5. Elasticsearch validates the service ticket with the key stored in its keytab.
6. Once the Kerberos realm has authenticated Alice, Elasticsearch applies the roles mapped to her principal and grants access.
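The HTTP half of steps 3 to 6 can be modelled without a KDC. The following is an added example, not code from the Elastic blog post or from Elasticsearch: the "tickets" are constructed placeholder blobs, so only the HTTP behaviour is real, namely the 401 challenge, the base64 Authorization: Negotiate header, the GSS-API InitialContextToken framing (tag 0x60, DER length, mechanism OID) that a server can sanity-check before touching the keytab, and the single retry that a client such as curl --negotiate makes. The name demo_validate is a stand-in for the realm's keytab check, and the function and constant names are this example's own.

```python
"""HTTP side of the Kerberos (SPNEGO) exchange with Elasticsearch.
Added example with constructed tickets: real Kerberos crypto is not modelled,
only the 401 challenge, the Negotiate header, token framing and the retry."""
import base64

# DER-encoded mechanism OIDs carried by a real GSS-API InitialContextToken.
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2
ES_SPN = "HTTP/es.demo.local@DEMO.LOCAL"               # service principal from the post
CHALLENGE = (401, {"WWW-Authenticate": "Negotiate"}, "")


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def gss_wrap(mech_oid: bytes, inner: bytes) -> bytes:
    """Frame `inner` as an InitialContextToken: [APPLICATION 0] { OID, inner }."""
    body = mech_oid + inner
    return b"\x60" + der_len(len(body)) + body


def gss_parse(token: bytes):
    """Return (mechanism OID, inner token), or None if the framing is malformed."""
    if len(token) < 2 or token[0] != 0x60:
        return None
    first = token[1]
    if first < 0x80:
        n, off = first, 2
    else:
        k = first & 0x7F
        if k == 0 or len(token) < 2 + k:       # indefinite or truncated length
            return None
        n, off = int.from_bytes(token[2:2 + k], "big"), 2 + k
    if off + n != len(token):
        return None
    body = token[off:]
    if len(body) < 2 or body[0] != 0x06 or len(body) < 2 + body[1]:
        return None
    oid_end = 2 + body[1]
    return body[:oid_end], body[oid_end:]


def es_handle(headers: dict, validate):
    """Server side. `validate` stands in for the realm's keytab check: it gets
    the raw GSS token and returns the authenticated principal or None."""
    auth = headers.get("Authorization")
    if auth is None:
        return CHALLENGE                       # step 3: no credentials yet
    scheme, _, token_b64 = auth.partition(" ")
    if scheme != "Negotiate":
        return CHALLENGE                       # e.g. Basic: not what was asked for
    try:
        token = base64.b64decode(token_b64, validate=True)
    except ValueError:
        return CHALLENGE
    parsed = gss_parse(token)
    if parsed is None or parsed[0] not in (SPNEGO_OID, KRB5_OID):
        return CHALLENGE                       # not a GSS-API token at all
    principal = validate(token)
    if principal is None:
        return CHALLENGE                       # ticket not for our SPN or bad key
    return 200, {}, f"authenticated as {principal}"


def client_get(server, get_service_ticket):
    """Client side, as curl --negotiate -u : behaves: send once and, on a
    Negotiate challenge, retry exactly once with a ticket for ES_SPN.
    Returns (status, body, transcript) listing every request made."""
    headers = {}
    status, resp_headers, body = server(headers)
    transcript = [(dict(headers), status)]
    offered = [p.strip().split(" ")[0] for p in resp_headers.get("WWW-Authenticate", "").split(",")]
    if status == 401 and "Negotiate" in offered:
        ticket = get_service_ticket(ES_SPN)    # step 4: TGS request using the TGT
        if ticket is not None:
            headers = {"Authorization": "Negotiate " + base64.b64encode(ticket).decode()}
            status, resp_headers, body = server(headers)
            transcript.append((dict(headers), status))
    return status, body, transcript


# Constructed stand-ins for the Kerberos parts; these are not real tickets.
MARK = b"CONSTRUCTED-TICKET:"


def fake_ticket(principal: str, spn: str = ES_SPN) -> bytes:
    """What the client sends after kinit + TGS, as a SPNEGO-framed blob."""
    return gss_wrap(SPNEGO_OID, MARK + spn.encode() + b"|" + principal.encode())


def demo_validate(token: bytes):
    """Accepts only tokens 'issued' for ES_SPN, as a keytab check would."""
    parsed = gss_parse(token)
    if parsed is None or parsed[0] != SPNEGO_OID or not parsed[1].startswith(MARK):
        return None
    spn, _, principal = parsed[1][len(MARK):].partition(b"|")
    return principal.decode() if spn.decode() == ES_SPN else None
```

A ticket issued for a different service principal is rejected even though it is well formed, which is the failure you see when the hostname a client connects to does not match the SPN in the Elasticsearch keytab.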

Configuring the Kerberos realm

Before configuring the Kerberos realm in Elasticsearch, make sure the Kerberos environment itself is working:

  • DNS: all three hosts resolve forward and reverse, since service principal names are derived from hostnames.
  • KDC: the KDC on kdc.demo.local is running and reachable from both the Elasticsearch node and the client.
  • Kerberos client tools: kinit and klist are installed so that tickets can be obtained and inspected.

Kerberos configuration needed by Elasticsearch

  • The Kerberos configuration file, krb5.conf. It describes the Kerberos realm(s), the KDC to contact for each realm and the default realm. On Linux it normally lives in /etc; the JVM locates it through the java.security.krb5.conf system property, so the JVM that runs Elasticsearch must be pointed at it.
  • A keytab for the Elasticsearch HTTP service. A keytab stores the long-term key of a service principal. Elasticsearch authenticates clients over HTTP as the principal HTTP/es.demo.local@DEMO.LOCAL, where HTTP is the service name, es.demo.local the host that runs Elasticsearch and DEMO.LOCAL the Kerberos realm. Elasticsearch uses the key in this keytab to validate the Kerberos tickets that clients present. klist -kt es.keytab lists the principals a keytab contains, which is the first thing to check when authentication fails.

With those in place, configuring the Kerberos realm in Elasticsearch takes four steps.

1. Configure the JVM

Point the JVM that runs Elasticsearch at the Kerberos configuration file by adding the following to jvm.options (the file must be readable by the user Elasticsearch runs as):

# Kerberos configuration
-Djava.security.krb5.conf=/etc/krb5.conf

2. Configure the Kerberos realm in Elasticsearch

Add the Kerberos realm to elasticsearch.yml:

# Kerberos realm
xpack.security.authc.realms.kerb1:
    type: kerberos
    order: 1
    keytab.path: es.keytab

This defines a realm named kerb1 of type kerberos. order: 1 is its position in the authentication chain (lower values are consulted first). keytab.path names the keytab file (es.keytab) in the Elasticsearch configuration directory; the file must be readable by the user Elasticsearch runs as and, since it holds the service's long-term key, by nobody else. This is the 6.x settings layout; from Elasticsearch 7.0 the realm type is part of the key (xpack.security.authc.realms.kerberos.kerb1).

3. Restart Elasticsearch

Restart Elasticsearch so that the new JVM option and the realm configuration take effect.

4. Map Kerberos users to roles

Kerberos only authenticates users; it says nothing about what they may do in Elasticsearch. Roles are assigned through role mappings, which the role mapping API manages. The following creates a mapping named kerbrolemapping that grants the monitoring_user role to the principal alice@DEMO.LOCAL. The username the Kerberos realm reports is the full principal, realm suffix included; if several realms are enabled, combine the username rule with a realm.name rule in an all clause so that a same-named user from another realm does not pick up the mapping.

$ curl -u elastic -H "Content-Type: application/json" -XPOST http://es.demo.local:9200/_xpack/security/role_mapping/kerbrolemapping -d '
{
    "roles" : [ "monitoring_user" ],
    "enabled": true,
    "rules" : {
        "field" : { "username" : "alice@DEMO.LOCAL" }
    }
}'

Now Alice, on client.demo.local, obtains a TGT with kinit and inspects her credential cache with klist:

$ kinit alice@DEMO.LOCAL  
Password for alice@DEMO.LOCAL:  
$ klist  
Ticket cache: KEYRING:persistent:1000:krb_ccache_NvNtNgS  
Default principal: alice@DEMO.LOCAL  

Valid starting      Expires             Service principal
31/08/18 02:20:07   01/09/18 02:20:04   krbtgt/DEMO.LOCAL@DEMO.LOCAL

Then invoke curl with --negotiate so that Kerberos (SPNEGO) authentication over HTTP is performed. The -u : option passes an empty user name and password, which tells curl to use the credential cache populated by kinit rather than prompting:

$ curl --negotiate -u : -XGET http://es.demo.local:9200/

{
    "name" : "Lw7K29R",
    "cluster_name" : "elasticsearch",
    "cluster_uuid" : "qd3iafXORLy0VCfVD_Hp9w",
    "version" : {
    "number" : "6.4.0",
    "build_flavor" : "default",
    "build_type" : "tar",
    "build_hash" : "595516e",
    "build_date" : "2018-08-17T23:18:47.308994Z",
    "build_snapshot" : true,
    "lucene_version" : "7.4.0",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
    },
    "tagline" : "You Know, for Search"
}

That is all it takes: Alice's request was authenticated by the Kerberos realm without a password ever being sent to Elasticsearch. This post covered only the essentials of the Elasticsearch Kerberos realm; the remaining realm settings, and how Kerberos fits in with the rest of the Elastic Stack security features, are described in the Elasticsearch documentation.