Securing an Elasticsearch cluster with Kerberos authentication | Elastic Blog
Engineering

Securing an Elasticsearch cluster with Kerberos authentication

Elasticsearch 6.4 adds a Kerberos realm, so clients can now authenticate to Elasticsearch's HTTP (REST) interface with Kerberos tickets. This post walks through how the authentication flow works and how to configure it.

"Alice"Elasticsearch使Alicedemo.local使ElasticsearchMIT使MIT

Three hosts are involved:

  • Host-1, kdc.demo.local: the KDC (Key Distribution Center), which provides the AS (Authentication Server) and the TGS (Ticket Granting Server)
  • Host-2, es.demo.local: the host running Elasticsearch
  • Host-3, client.demo.local: the client from which Alice accesses Elasticsearch

[Figure: SimpleESKerberosDeployment]

1. Alice logs in as alice@DEMO.LOCAL on client.demo.local.
2. The client contacts the KDC at kdc.demo.local and obtains a TGT (Ticket Granting Ticket) for Alice.
3. The client sends a request to the Elasticsearch service at https://es.demo.local:9200. Elasticsearch has no credentials to check yet, so it answers 401 Unauthorized with the HTTP header WWW-Authenticate: Negotiate.
4. The client asks the TGS (Ticket Granting Server) for a service ticket for the Elasticsearch service principal, HTTP/es.demo.local@DEMO.LOCAL. The client derives that principal name from the host name in the URL it is calling, so the URL must use the host name the keytab was created for, not an IP address or an alias.
5. The client repeats the request, now carrying the service ticket in an Authorization: Negotiate header.
6. The Elasticsearch service decrypts the ticket with the key from its keytab, verifies it, and authenticates Alice.
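To make the six steps concrete, here is an added example that is not part of the original post: a toy model of the exchange in Python, with HMAC-sealed JSON standing in for Kerberos encryption (integrity only, no confidentiality or replay protection). The classes ToyKDC and ToyElasticsearch, the realm DEMO.LOCAL, the host names and the alias search.demo.local are assumptions made for the example. It shows why the service principal is derived from the URL host name: a ticket for an alias the node's keytab does not contain cannot be verified, and the request is rejected.

```python
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlsplit

REALM = "DEMO.LOCAL"                  # assumed realm from the walkthrough


def service_principal_for_url(url, realm=REALM):
    """Step 4: the client derives the SPN from the host name in the URL."""
    host = urlsplit(url).hostname     # lower-cased, port dropped
    if not host or ":" in host or host.replace(".", "").isdigit():
        raise ValueError("Kerberos SPN needs a host name, not an IP literal")
    return "HTTP/%s@%s" % (host, realm)


def seal(key, claims):
    """Toy stand-in for Kerberos encryption: JSON body + HMAC-SHA256 tag."""
    body = json.dumps(claims, sort_keys=True).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()


def unseal(key, blob):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise PermissionError("not sealed under this key")
    return json.loads(body)


class ToyKDC:
    """AS + TGS on kdc.demo.local: holds every principal's long-term key."""

    def __init__(self):
        self.keys = {}
        self.tgs_key = secrets.token_bytes(32)

    def add_principal(self, name):
        self.keys[name] = secrets.token_bytes(32)
        return self.keys[name]        # the user's key, or the keytab entry

    def as_exchange(self, cname):                      # step 2: kinit -> TGT
        return seal(self.tgs_key, {"cname": cname, "exp": time.time() + 36000})

    def tgs_exchange(self, tgt, spn):                  # step 4: service ticket
        claims = unseal(self.tgs_key, tgt)
        if claims["exp"] < time.time():
            raise PermissionError("TGT expired, run kinit again")
        if spn not in self.keys:
            raise KeyError("unknown service principal " + spn)
        return seal(self.keys[spn], {"cname": claims["cname"], "sname": spn})


class ToyElasticsearch:
    """HTTP service on es.demo.local with a one-entry keytab (es.keytab)."""

    def __init__(self, spn, key):
        self.keytab = {spn: key}

    def handle(self, headers):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Negotiate "):          # step 3: challenge
            return 401, {"WWW-Authenticate": "Negotiate"}, None
        ticket = bytes.fromhex(auth.split(" ", 1)[1])  # hex here; real SPNEGO is base64
        for spn, key in self.keytab.items():           # step 6: verify with keytab key
            try:
                claims = unseal(key, ticket)
            except PermissionError:
                continue                               # ticket is for another SPN
            if claims["sname"] == spn:
                return 200, {}, claims["cname"]
        return 401, {"WWW-Authenticate": "Negotiate"}, None


def client_request(kdc, service, url, tgt):
    """Steps 3-5, what `curl --negotiate -u :` does; returns (status, user)."""
    status, hdrs, _ = service.handle({})
    if status != 401 or hdrs.get("WWW-Authenticate") != "Negotiate":
        return status, None
    ticket = kdc.tgs_exchange(tgt, service_principal_for_url(url))
    status, _, user = service.handle({"Authorization": "Negotiate " + ticket.hex()})
    return status, user


def demo():
    kdc = ToyKDC()
    kdc.add_principal("alice@DEMO.LOCAL")
    es_key = kdc.add_principal("HTTP/es.demo.local@DEMO.LOCAL")
    es = ToyElasticsearch("HTTP/es.demo.local@DEMO.LOCAL", es_key)
    tgt = kdc.as_exchange("alice@DEMO.LOCAL")          # kinit alice@DEMO.LOCAL
    by_name = client_request(kdc, es, "http://es.demo.local:9200/", tgt)
    # Same node reached through an alias: the KDC knows that SPN, but the
    # node's keytab does not, so the ticket cannot be verified.
    kdc.add_principal("HTTP/search.demo.local@DEMO.LOCAL")
    by_alias = client_request(kdc, es, "http://search.demo.local:9200/", tgt)
    return by_name, by_alias
```

demo() returns (200, "alice@DEMO.LOCAL") for the request by host name and (401, None) for the alias; in a real deployment the fix is either to call the node by its keytab host name or to add the alias principal to the keytab.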

Before touching Elasticsearch, make sure the environment is ready:

  • DNS: every host can resolve every other host by name, and forward and reverse lookups agree (Kerberos builds service principals from host names)
  • KDC: the realm DEMO.LOCAL and its KDC are running, and the user principal (alice@DEMO.LOCAL) and the service principal exist
  • kinit and klist are installed on the client

  • krb5.conf --- the Kerberos configuration file that tells clients where the KDC for each realm is. On Linux it normally lives in /etc, and the JVM is pointed at it through the java.security.krb5.conf system property, which Elasticsearch's JVM then uses.
  • keytab for the Elasticsearch HTTP service --- a keytab holding the key of the principal the Elasticsearch HTTP service runs as. The service principal is HTTP/es.demo.local@DEMO.LOCAL: HTTP is the service class, es.demo.local the host running Elasticsearch, and DEMO.LOCAL the realm. Put the keytab in the Elasticsearch config directory and make it read-only for the user Elasticsearch runs as; anyone who can read it can impersonate the service.

With those two files in place, configure Elasticsearch:

1. JVM configuration

Point the JVM at the Kerberos configuration file by adding the following to jvm.options:

# Kerberos configuration
-Djava.security.krb5.conf=/etc/krb5.conf

2. Elasticsearch configuration

Add a Kerberos realm to elasticsearch.yml:

# Kerberos realm
xpack.security.authc.realms.kerb1:
    type: kerberos
    order: 1
    keytab.path: es.keytab

type must be kerberos; order 1 puts the realm named kerb1 first in the authentication chain; keytab.path is the path, relative to the Elasticsearch config directory, of the Elasticsearch service keytab, here es.keytab.

3. Restart Elasticsearch

Restart Elasticsearch so that the new JVM option and realm take effect.

4. Role mapping

A Kerberos principal has no roles until one is mapped to it. The request below uses the role mapping API to create a mapping named kerbrolemapping that gives alice@DEMO.LOCAL the built-in monitoring_user role (the elastic user is used to call the API):

$ curl -u elastic -H "Content-Type: application/json" -XPOST http://es.demo.local:9200/_xpack/security/role_mapping/kerbrolemapping -d '
{
    "roles" : [ "monitoring_user" ],
    "enabled": true,
    "rules" : {
        "field" : { "username" : "alice@DEMO.LOCAL" }
    }
}'

On the client, obtain a Ticket Granting Ticket for Alice with kinit and confirm it with klist:

$ kinit alice@DEMO.LOCAL  
Password for alice@DEMO.LOCAL:  
$ klist  
Ticket cache: KEYRING:persistent:1000:krb_ccache_NvNtNgS  
Default principal: alice@DEMO.LOCAL  

Valid starting      Expires             Service principal
31/08/18 02:20:07   01/09/18 02:20:04   krbtgt/DEMO.LOCAL@DEMO.LOCAL

Now call Elasticsearch with curl's --negotiate option, which performs the SPNEGO exchange over HTTP using the ticket cache; the empty user name in -u : is required for curl to send the Negotiate header. The walkthrough uses plain http; in production enable TLS on the HTTP layer, because the Kerberos ticket authenticates the request but does not encrypt the traffic.

$ curl --negotiate -u : -XGET http://es.demo.local:9200/

If the ticket is accepted, Elasticsearch returns its usual root response:

{
    "name" : "Lw7K29R",
    "cluster_name" : "elasticsearch",
    "cluster_uuid" : "qd3iafXORLy0VCfVD_Hp9w",
    "version" : {
        "number" : "6.4.0",
        "build_flavor" : "default",
        "build_type" : "tar",
        "build_hash" : "595516e",
        "build_date" : "2018-08-17T23:18:47.308994Z",
        "build_snapshot" : true,
        "lucene_version" : "7.4.0",
        "minimum_wire_compatibility_version" : "5.6.0",
        "minimum_index_compatibility_version" : "5.0.0"
    },
    "tagline" : "You Know, for Search"
}

Once the service principal and its keytab exist in your Kerberos realm, enabling Kerberos authentication on Elasticsearch comes down to the few configuration lines shown above. Try it out on your Elastic Stack deployment.