How to secure your Elasticsearch cluster with Kerberos | Elastic Blog
Engineering

How to secure your Elasticsearch cluster with Kerberos

Elasticsearch 6.4 adds support for Kerberos authentication. This post walks through a Kerberized Elastic Stack setup. Kerberos is a network authentication protocol that gives users single sign-on (SSO), and here it is used to authenticate HTTP requests to Elasticsearch.

" Elasticsearch . Kerberos demo.local Kerberos Elasticsearch . Kerberos , . MIT Kerberos . MIT Kerberos .

The demo environment consists of three machines:

  • Machine 1 (kdc.demo.local): runs the Kerberos Key Distribution Center (KDC).
  • Machine 2 (es.demo.local): runs Elasticsearch.
  • Machine 3 (client.demo.local): the client from which users access Elasticsearch.

[Figure: SimpleESKerberosDeployment]

The Kerberos authentication flow in this deployment is as follows:

  1. The user (alice@DEMO.LOCAL) logs in on the client machine (client.demo.local).
  2. The client obtains a Ticket Granting Ticket (TGT) for the user from the KDC (kdc.demo.local).
  3. The client sends a request to Elasticsearch at https://es.demo.local:9200 and receives an HTTP 401 Unauthorized response carrying the WWW-Authenticate: Negotiate header.
  4. The client requests a service ticket for HTTP/es.demo.local@DEMO.LOCAL from the Ticket Granting Server (TGS). The service principal name is derived from the host in the Elasticsearch URL.
  5. The client resends the request to Elasticsearch with the service ticket.
  6. Elasticsearch validates the Kerberos ticket and authenticates the user (or rejects the request if validation fails).

Kerberos prerequisites

Before Elasticsearch can be configured for Kerberos, the Kerberos environment must be in place:

  • DNS resolution for the hosts involved
  • A running KDC
  • Kerberos client tools such as kinit and klist

Elasticsearch itself needs two Kerberos artifacts:

  • Kerberos configuration file (krb5.conf) --- defines the default realm, the KDC locations, and other Kerberos settings. On Linux it normally lives in /etc. The JVM locates it through the java.security.krb5.conf system property, which is set in the JVM options.
  • Keytab for the Elasticsearch HTTP service principal --- a keytab holds the long-term key of a principal. Elasticsearch acts as the HTTP service, so its service principal is HTTP/es.demo.local@DEMO.LOCAL: the HTTP service on host es.demo.local in the DEMO.LOCAL Kerberos realm. Create this principal on the KDC, export its key to a keytab, and place the keytab on the Elasticsearch node; Elasticsearch uses it to validate the Kerberos tickets that clients present.
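Steps 3 and 4 of the flow above and the krb5.conf item deserve a concrete illustration: how a client recognises the SPNEGO challenge, and how the service principal name is derived from the request URL plus the realm mapping in krb5.conf. The following is an added example written for this page, not code from Elastic or MIT Kerberos; the krb5.conf text and the 401 response in it are constructed for the demo.local setup, and the realm lookup follows the usual [domain_realm] suffix rules without DNS-based lookups.

```python
"""Added example: recognise the SPNEGO challenge (step 3) and derive the
service principal the client requests from the TGS (step 4), using the
request URL and a krb5.conf. Not Elastic's or MIT Kerberos' code."""
from urllib.parse import urlsplit

# Constructed krb5.conf for the demo realm on this page (not copied from the post).
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = DEMO.LOCAL
    dns_lookup_kdc = false

[realms]
    DEMO.LOCAL = {
        kdc = kdc.demo.local
    }

[domain_realm]
    .demo.local = DEMO.LOCAL
    demo.local = DEMO.LOCAL
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf reader returning {section: {key: value}}.
    Nested realm blocks ('DEMO.LOCAL = { ... }') are skipped; that is all
    we need for default_realm and [domain_realm] lookups."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def realm_for_host(host, conf):
    """Map a hostname to its realm: exact [domain_realm] entry first, then the
    longest matching domain suffix, otherwise libdefaults default_realm."""
    host = host.lower().rstrip(".")
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return conf["libdefaults"]["default_realm"]


def service_principal(url, conf):
    """Service principal for the HTTP service at the URL's host (step 4):
    HTTP/<host>@<REALM>. The port is not part of the principal name."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("URL has no host: %r" % url)
    return "HTTP/%s@%s" % (host, realm_for_host(host, conf))


def spnego_challenged(status, headers):
    """True only for the 401 + 'WWW-Authenticate: Negotiate' challenge of
    step 3; a client should fetch a service ticket only after seeing it."""
    if status != 401:
        return False
    for name, value in headers:
        tokens = value.split()
        if name.lower() == "www-authenticate" and tokens and tokens[0].lower() == "negotiate":
            return True
    return False


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    # Constructed response, as Elasticsearch sends it before authentication.
    status = 401
    headers = [("WWW-Authenticate", "Negotiate"), ("Content-Type", "application/json")]
    if spnego_challenged(status, headers):
        print("request service ticket for", service_principal("https://es.demo.local:9200/", conf))
```

Run it directly to see the principal HTTP/es.demo.local@DEMO.LOCAL printed for the demo URL. The useful operational check this encodes: the principal in the Elasticsearch keytab must equal what clients derive from the URL they actually use, so a DNS alias or an IP address in the URL, or a host outside the [domain_realm] mapping, yields a different name and a failed authentication.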

With these in place, configure Elasticsearch for Kerberos as follows.

1. JVM options

First, point the JVM at the Kerberos configuration file by adding the following to the JVM options file (jvm.options):

# Kerberos configuration
-Djava.security.krb5.conf=/etc/krb5.conf

2. Kerberos realm in Elasticsearch

Next, add a Kerberos realm to elasticsearch.yml:

# Kerberos realm
xpack.security.authc.realms.kerb1:
    type: kerberos
    order: 1
    keytab.path: es.keytab

This defines a Kerberos realm named kerb1 with type kerberos, order 1, and keytab.path pointing at the keytab file (es.keytab) that Elasticsearch loads. The realm type must be kerberos.

3. Start Elasticsearch

Start (or restart) Elasticsearch so that the new settings take effect.

4. Map Kerberos users to roles

Kerberos authenticates the user but grants no privileges, so roles are assigned with the role mapping API. The mapping below, named kerbrolemapping, grants the monitoring_user role to alice@DEMO.LOCAL:

$ curl -u elastic -H "Content-Type: application/json" -XPOST http://es.demo.local:9200/_xpack/security/role_mapping/kerbrolemapping -d '
{
    "roles" : [ "monitoring_user" ],
    "enabled": true,
    "rules" : {
        "field" : { "username" : "alice@DEMO.LOCAL" }
    }
}'
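To make the role mapping step concrete, here is an added example, written for this page and not Elastic's implementation, that evaluates role-mapping rules documents against a user the way the kerbrolemapping above grants monitoring_user to alice@DEMO.LOCAL. It goes beyond the single field rule on the page and covers the field / any / all / except rule types with exact-value matching; the second mapping and the user records are constructed.

```python
"""Added example: evaluate Elasticsearch-style role-mapping rules against a
user and collect the granted roles. Not Elastic's code; exact-value matching
only (no wildcards)."""

# The mapping from the page, as the JSON body would be decoded.
KERB_ROLE_MAPPING = {
    "roles": ["monitoring_user"],
    "enabled": True,
    "rules": {"field": {"username": "alice@DEMO.LOCAL"}},
}

# Constructed second mapping: kerb1 users on an allow-list, except bob.
KERB_ADMIN_MAPPING = {
    "roles": ["superuser"],
    "enabled": True,
    "rules": {
        "all": [
            {"field": {"realm.name": "kerb1"}},
            {"field": {"username": ["alice@DEMO.LOCAL", "bob@DEMO.LOCAL"]}},
            {"except": {"field": {"username": "bob@DEMO.LOCAL"}}},
        ]
    },
}


def _field_matches(expected, actual):
    """A field rule may list several acceptable values; any single match suffices.
    The user attribute may itself be a list (e.g. groups)."""
    candidates = expected if isinstance(expected, list) else [expected]
    actual_values = actual if isinstance(actual, list) else [actual]
    return any(c == a for c in candidates for a in actual_values)


def rule_matches(rule, user):
    """user is a dict of the attributes exposed to mappings (username,
    realm.name, groups, ...); dotted names are used as plain keys here."""
    if not isinstance(rule, dict) or len(rule) != 1:
        raise ValueError("a rule must be a single-key object: %r" % (rule,))
    (kind, body), = rule.items()
    if kind == "field":
        return all(_field_matches(v, user.get(k)) for k, v in body.items())
    if kind == "any":
        return any(rule_matches(r, user) for r in body)
    if kind == "all":
        return all(rule_matches(r, user) for r in body)
    if kind == "except":
        return not rule_matches(body, user)
    raise ValueError("unknown rule type %r" % kind)


def roles_for(user, mappings):
    """Union of roles from every enabled mapping whose rules match the user."""
    granted = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and rule_matches(mapping["rules"], user):
            granted.update(mapping["roles"])
    return sorted(granted)


if __name__ == "__main__":
    # Constructed users as a Kerberos realm would present them.
    alice = {"username": "alice@DEMO.LOCAL", "realm.name": "kerb1"}
    bob = {"username": "bob@DEMO.LOCAL", "realm.name": "kerb1"}
    mappings = {"kerbrolemapping": KERB_ROLE_MAPPING, "kerbadmins": KERB_ADMIN_MAPPING}
    for user in (alice, bob):
        print(user["username"], "->", roles_for(user, mappings))
```

A reviewer's point this makes visible: a Kerberos principal that matches no mapping authenticates successfully but ends up with no roles, and a mapping with "enabled": false is ignored even when its rules match, so disabling a mapping is a clean way to revoke access without deleting it.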


Test it out!

First, obtain a ticket-granting ticket for the user with kinit, and verify it with klist:

$ kinit alice@DEMO.LOCAL  
Password for alice@DEMO.LOCAL:  
$ klist  
Ticket cache: KEYRING:persistent:1000:krb_ccache_NvNtNgS  
Default principal: alice@DEMO.LOCAL  

Valid starting      Expires             Service principal
31/08/18 02:20:07   01/09/18 02:20:04   krbtgt/DEMO.LOCAL@DEMO.LOCAL

Then call Elasticsearch over HTTP with curl using the --negotiate option, which performs Kerberos (SPNEGO) authentication:

$ curl --negotiate -u : -XGET http://es.demo.local:9200/

and voilà!

{
    "name" : "Lw7K29R",
    "cluster_name" : "elasticsearch",
    "cluster_uuid" : "qd3iafXORLy0VCfVD_Hp9w",
    "version" : {
    "number" : "6.4.0",
    "build_flavor" : "default",
    "build_type" : "tar",
    "build_hash" : "595516e",
    "build_date" : "2018-08-17T23:18:47.308994Z",
    "build_snapshot" : true,
    "lucene_version" : "7.4.0",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
    },
    "tagline" : "You Know, for Search"
}

The request was authenticated through the kerberos realm, so Elasticsearch is now secured with Kerberos. Give Kerberos authentication a try with Elasticsearch and the Elastic Stack!