Chapter 11: Security Configuration
Learn how to configure Elasticsearch security: user authentication, access control, encrypted communication and security best practices.
Last updated: 2024-01-15
11.1 Security Overview
11.1.1 Security Features (X-Pack)
| Feature | Description | License |
|---|---|---|
| User authentication | Supports multiple authentication methods | Basic+ |
| Role-based privileges | Role-based access control | Basic+ |
| Field-level security | Controls access to individual fields | Gold+ |
| Document-level security | Controls access to individual documents | Gold+ |
| Encrypted communication | TLS/SSL encryption | Basic+ |
| Audit logging | Records who did what | Gold+ |
11.1.2 Security Architecture
```text
┌─────────────────────────────────────────────────────────┐
│                   Client Application                    │
│                    (Kibana/APP/SDK)                     │
└─────────────────────────┬───────────────────────────────┘
                          │ HTTPS/TLS
┌─────────────────────────▼───────────────────────────────┐
│                  Elasticsearch Cluster                  │
│   ┌─────────────────────────────────────────────────┐   │
│   │                 Security Module                 │   │
│   │   ┌─────────┐   ┌─────────┐   ┌─────────┐       │   │
│   │   │  Authn  │   │  Authz  │   │  Audit  │       │   │
│   │   └─────────┘   └─────────┘   └─────────┘       │   │
│   └─────────────────────────────────────────────────┘   │
│                                                         │
│   ┌─────────┐   ┌─────────┐   ┌─────────┐               │
│   │ Node 1  │   │ Node 2  │   │ Node 3  │               │
│   └─────────┘   └─────────┘   └─────────┘               │
└─────────────────────────────────────────────────────────┘
```
11.2 Enabling Security Features
11.2.1 Enabling Built-in Security
```yaml
# elasticsearch.yml
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
# Transport layer (node-to-node) encryption
xpack.security.transport.ssl.enabled: true
# 'certificate' verifies the certificate chain only; 'full' additionally
# checks that the hostname/IP matches the certificate
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: certs/node01.key
xpack.security.transport.ssl.certificate: certs/node01.crt
xpack.security.transport.ssl.certificate_authorities: certs/ca.crt
# HTTP layer (client) encryption
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: certs/node01.key
xpack.security.http.ssl.certificate: certs/node01.crt
xpack.security.http.ssl.certificate_authorities: certs/ca.crt
```
11.2.2 Generating Certificates
```bash
# Generate a CA with elasticsearch-certutil (writes elastic-stack-ca.p12)
./bin/elasticsearch-certutil ca
# Generate a node certificate signed by that CA; --out names the output file
# so that the conversion step below can find it
./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 \
  --dns node01.example.com \
  --ip 192.168.1.101 \
  --out node01.p12
# Convert to the PEM files referenced in elasticsearch.yml
openssl pkcs12 -in node01.p12 -out node01.crt -nokeys
openssl pkcs12 -in node01.p12 -out node01.key -nocerts -nodes
# Extract the CA certificate for certificate_authorities
openssl pkcs12 -in elastic-stack-ca.p12 -out ca.crt -nokeys
```
11.2.3 Setting Built-in User Passwords
```bash
# Interactive setup
./bin/elasticsearch-setup-passwords interactive
# Generate random passwords automatically
./bin/elasticsearch-setup-passwords auto
# In Elasticsearch 8.x this tool is deprecated; reset one user at a time instead:
./bin/elasticsearch-reset-password -u elastic
```
11.3 User Management
11.3.1 Built-in Users
| User | Description |
|---|---|
| elastic | Superuser |
| kibana_system | Account Kibana uses to connect |
| logstash_system | Account Logstash uses to connect |
| beats_system | Account Beats use to connect |
| apm_system | Account the APM server uses to connect |
| remote_monitoring_user | Monitoring user |
11.3.2 Creating Users
```
# Create a user
POST /_security/user/john_doe
{
  "password": "secure_password",
  "roles": ["read_index", "write_index"],
  "full_name": "John Doe",
  "email": "john@example.com",
  "enabled": true
}
# Update a user
PUT /_security/user/john_doe
{
  "password": "new_password",
  "roles": ["read_index", "admin"]
}
# Delete a user
DELETE /_security/user/john_doe
```
11.3.3 User Authentication
```bash
# With xpack.security.http.ssl.enabled: true (11.2.1), use https:// and
# pass the CA with --cacert certs/ca.crt
# Basic authentication
curl -X GET "localhost:9200/_cluster/health" \
  -u elastic:password
# API key authentication
curl -X GET "localhost:9200/_cluster/health" \
  -H "Authorization: ApiKey YOUR_API_KEY"
# Bearer token
curl -X GET "localhost:9200/_cluster/health" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"
```
11.4 Role Management
11.4.1 Built-in Roles
| Role | Description |
|---|---|
| superuser | Full access |
| cluster_admin | Cluster administration |
| read | Read indices |
| write | Write indices |
| kibana_user | Kibana user |
| logstash_admin | Logstash administration |
| beats_admin | Beats administration |
11.4.2 Creating Roles
```
# Create a custom read-only role; field_security belongs inside the
# indices entry it restricts, not at the top level of the role
POST /_security/role/analytics_user
{
  "cluster": ["monitor"],
  "indices": [
    {
      "names": ["logs-*"],
      "privileges": ["read", "view_index_metadata"],
      "field_security": {
        "grant": ["@timestamp", "message", "level", "host"]
      }
    }
  ],
  "metadata": {
    "description": "Analytics read-only role"
  }
}
# Create a write role
POST /_security/role/data_writer
{
  "cluster": [],
  "indices": [
    {
      "names": ["data-*"],
      "privileges": ["create_index", "write", "read"]
    }
  ]
}
```
11.4.3 Role Privileges
The index privileges available in a role definition (`all` already includes every other entry; a real role lists only what it needs):
```json
{
  "indices": [
    {
      "names": ["my-index-*"],
      "privileges": [
        "all",
        "create_index",
        "delete_index",
        "read",
        "write",
        "delete",
        "delete_by_query",
        "index",
        "get",
        "manage",
        "view_index_metadata"
      ]
    }
  ]
}
```
11.4.4 Assigning Roles
```
# Assign roles to a user
POST /_security/user/john_doe
{
  "roles": ["analytics_user", "data_writer"]
}
# Bulk assignment through a role mapping: every user whose LDAP/AD group
# matches the rule receives the listed roles
POST /_security/role_mapping/analytics_team
{
  "roles": ["analytics_user"],
  "rules": {
    "field": {
      "groups": "cn=analytics,ou=groups,dc=example,dc=com"
    }
  },
  "enabled": true
}
```
11.5 API Key Management
11.5.1 Creating an API Key
```
# Create an API key (the role descriptor uses "indices", not "index")
POST /_security/api_key
{
  "name": "my-app-key",
  "role_descriptors": {
    "index_writer": {
      "indices": [
        {
          "names": ["my-index"],
          "privileges": ["write"]
        }
      ]
    }
  },
  "expiration": "30d",
  "metadata": {
    "application": "my-app"
  }
}
# Response
{
  "id": "xyz123...",
  "name": "my-app-key",
  "expiration": 1704067200000,
  "api_key": "abc123...",
  "encoded": "<base64 of id:api_key>"
}
```
11.5.2 Authenticating with an API Key
```bash
# The header carries base64("<id>:<api_key>"), which the create response
# also returns ready-made in the "encoded" field
curl -X GET "localhost:9200/my-index/_search" \
  -H "Authorization: ApiKey $(printf '%s:%s' 'xyz123' 'abc123' | base64)"
```
11.5.3 Managing API Keys
```
# List API keys
GET /_security/api_key?name=my-app-key
# Invalidate an API key (ids go in the request body)
DELETE /_security/api_key
{
  "ids": ["xyz123"]
}
```
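The `ApiKey` header is the most common place this goes wrong: clients send `id:api_key` verbatim instead of its base64 form. The following is an added example (not code from the original page or from Elastic) that builds the header from a create response, decodes it back for verification, checks the epoch-millisecond `expiration`, and produces a log-safe redacted form. The response values are constructed placeholders.

```python
"""Build and check the ApiKey Authorization header from a create-API-key response.
Added example, not from the original page. The response below is constructed
with placeholder values; a real response also carries an 'encoded' field that
already holds base64(id:api_key)."""
import base64
import time

# Constructed response in the shape of POST /_security/api_key (placeholder values).
CREATE_RESPONSE = {
    "id": "xyz123",
    "name": "my-app-key",
    "expiration": 1704067200000,   # epoch milliseconds
    "api_key": "abc123",
}


def api_key_header(resp):
    """Return the Authorization header value: 'ApiKey ' + base64('<id>:<api_key>').
    Sending 'id:api_key' without base64 encoding is rejected by Elasticsearch."""
    raw = f"{resp['id']}:{resp['api_key']}".encode()
    return "ApiKey " + base64.b64encode(raw).decode()


def decode_header(value):
    """Recover (id, api_key) from a header value; useful when checking what a
    client actually sends on the wire."""
    scheme, _, token = value.partition(" ")
    if scheme != "ApiKey":
        raise ValueError("not an ApiKey header")
    ident, _, secret = base64.b64decode(token).decode().partition(":")
    return ident, secret


def is_expired(resp, now_ms=None):
    """True once the key's expiration (epoch ms) has passed; keys created
    without 'expiration' never expire."""
    exp = resp.get("expiration")
    if exp is None:
        return False
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    return now_ms >= exp


def redact(value):
    """Log-safe form of a header: keep the scheme and the key id, drop the secret."""
    ident, _ = decode_header(value)
    return f"ApiKey {ident}:***"


if __name__ == "__main__":
    header = api_key_header(CREATE_RESPONSE)
    print(header)               # pass as: -H "Authorization: <header>"
    print(redact(header))       # what should appear in application logs
    print("expired:", is_expired(CREATE_RESPONSE))
```

The key id is safe to log and is what you pass to the invalidate API; the `api_key` secret is shown once at creation and should be stored like a password.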
11.6 Field-Level Security
`except` must be a subset of the fields matched by `grant`, so to hide specific fields grant a pattern that covers them and list the exclusions:
```
# Create a role with field-level security
POST /_security/role/sensitive_data_reader
{
  "indices": [
    {
      "names": ["sensitive-*"],
      "privileges": ["read"],
      "field_security": {
        "grant": ["*"],
        "except": ["ssn", "salary"]
      }
    }
  ]
}
```
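What a user can do is the union of everything their roles grant, and field-level grants union as well, so a broad second role silently widens a narrow one. The following added example (not Elasticsearch's own code) models that resolution for the role format used in 11.4 and 11.6: index-pattern matching, the `all` privilege, the `except`-must-be-a-subset-of-`grant` rule, and the visible-field union across roles. The role definitions, including the `logs_admin` role, are constructed for the example.

```python
"""Simplified model of how Elasticsearch combines roles. Added example, not
from the original page: role definitions below are constructed in the shape
of POST /_security/role/<name>."""
import fnmatch

ROLES = {
    "analytics_user": {
        "cluster": ["monitor"],
        "indices": [{
            "names": ["logs-*"],
            "privileges": ["read", "view_index_metadata"],
            "field_security": {"grant": ["@timestamp", "message", "level", "host"]},
        }],
    },
    "data_writer": {
        "cluster": [],
        "indices": [{"names": ["data-*"], "privileges": ["create_index", "write", "read"]}],
    },
    "sensitive_data_reader": {
        "indices": [{
            "names": ["sensitive-*"],
            "privileges": ["read"],
            "field_security": {"grant": ["*"], "except": ["ssn", "salary"]},
        }],
    },
    # Constructed role with no field_security: note how it widens analytics_user below.
    "logs_admin": {
        "indices": [{"names": ["logs-*"], "privileges": ["all"]}],
    },
}


def _any_match(name, patterns):
    return any(fnmatch.fnmatch(name, p) for p in patterns)


def validate_field_security(fs):
    """Elasticsearch rejects 'except' entries not covered by a 'grant' pattern."""
    grant = fs.get("grant", ["*"])
    for field in fs.get("except", []):
        if not _any_match(field, grant):
            raise ValueError(f"except field {field!r} is not a subset of grant {grant}")


def has_index_privilege(user_roles, index, privilege):
    """True if any of the user's roles grants the privilege on a pattern that
    matches the concrete index name ('all' covers every index privilege)."""
    for role in user_roles:
        for entry in ROLES[role].get("indices", []):
            if _any_match(index, entry["names"]):
                if "all" in entry["privileges"] or privilege in entry["privileges"]:
                    return True
    return False


def visible_fields(user_roles, index, doc_fields):
    """Fields the user may read from a document in `index`: the union over
    matching roles of (granted fields minus that role's own 'except').
    An entry without field_security grants every field."""
    visible = set()
    for role in user_roles:
        for entry in ROLES[role].get("indices", []):
            if not _any_match(index, entry["names"]):
                continue
            fs = entry.get("field_security", {"grant": ["*"]})
            validate_field_security(fs)
            for field in doc_fields:
                if _any_match(field, fs.get("grant", ["*"])) and not _any_match(field, fs.get("except", [])):
                    visible.add(field)
    return sorted(visible)


if __name__ == "__main__":
    print(has_index_privilege(["analytics_user"], "logs-2024.01", "read"))     # True
    print(has_index_privilege(["analytics_user"], "logs-2024.01", "write"))    # False
    print(visible_fields(["sensitive_data_reader"], "sensitive-hr",
                         ["name", "email", "ssn", "salary"]))                  # ['email', 'name']
    # Adding logs_admin to the same user exposes the field analytics_user hid
    print(visible_fields(["analytics_user"], "logs-1", ["message", "secret"]))
    print(visible_fields(["analytics_user", "logs_admin"], "logs-1", ["message", "secret"]))
```

The last two calls are the practical lesson for least privilege: review the full set of roles a user or role mapping resolves to, not each role on its own.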
11.7 Document-Level Security
```
# Filter documents by a field value taken from the user's metadata. The query
# is a template; {{_user.metadata.<key>}} is filled in at search time.
POST /_security/role/department_reader
{
  "indices": [
    {
      "names": ["documents-*"],
      "privileges": ["read"],
      "query": {
        "template": {
          "source": {
            "term": {
              "department": "{{_user.metadata.department}}"
            }
          }
        }
      }
    }
  ]
}
# Set the metadata when creating the user
POST /_security/user/jane_doe
{
  "password": "password",
  "roles": ["department_reader"],
  "metadata": {
    "department": "sales"
  }
}
```
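To see what the template above does at search time, the following added example (not Elasticsearch's own code) renders `{{_user.metadata.department}}` with a user's metadata and applies the resulting `term` filter to a set of documents. It also shows the edge case a defender cares about: a user whose metadata lacks the key gets an empty value, which matches no document, so a mis-provisioned user fails closed rather than open. Users, documents and the template are all constructed.

```python
"""Render a document-level security template and apply it. Added example,
not from the original page; the role query, users and documents are constructed."""
import re

# Constructed role query in the shape used by DLS (mustache-style template).
DLS_TEMPLATE = {"term": {"department": "{{_user.metadata.department}}"}}

# Constructed users: jane_doe has department metadata, bob has none.
USERS = {
    "jane_doe": {"roles": ["department_reader"], "metadata": {"department": "sales"}},
    "bob": {"roles": ["department_reader"], "metadata": {}},
}

# Constructed documents standing in for an index matched by documents-*.
DOCS = [
    {"id": 1, "department": "sales", "title": "Q1 pipeline"},
    {"id": 2, "department": "hr", "title": "Salary bands"},
    {"id": 3, "department": "sales", "title": "Territory plan"},
]

_VAR = re.compile(r"\{\{\s*_user\.metadata\.(\w+)\s*\}\}")


def render_template(template, user):
    """Substitute {{_user.metadata.<key>}} throughout a query. As in mustache,
    a missing key renders as an empty string, so a user without the metadata
    ends up with a filter that matches nothing."""
    metadata = user.get("metadata", {})

    def repl(match):
        return str(metadata.get(match.group(1), ""))

    def walk(node):
        if isinstance(node, dict):
            return {k: walk(v) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v) for v in node]
        if isinstance(node, str):
            return _VAR.sub(repl, node)
        return node

    return walk(template)


def matches_term(doc, term_query):
    """Evaluate a single-field term query against one document."""
    (field, value), = term_query["term"].items()
    return doc.get(field) == value


def search_as(username, docs=DOCS):
    """Ids of the documents the user sees once the DLS filter is applied."""
    query = render_template(DLS_TEMPLATE, USERS[username])
    return [d["id"] for d in docs if matches_term(d, query)]


if __name__ == "__main__":
    print(render_template(DLS_TEMPLATE, USERS["jane_doe"]))
    print(search_as("jane_doe"))  # [1, 3]
    print(search_as("bob"))       # []  no department metadata: nothing is visible
```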
11.8 Audit Logging
11.8.1 Enabling Auditing
```yaml
# elasticsearch.yml
xpack.security.audit.enabled: true
# Output: since 7.0 audit events are written only to the JSON file
# logs/<cluster_name>_audit.json; the former index output no longer exists.
# File location and rotation are controlled by the audit appender in
# config/log4j2.properties, not by settings in elasticsearch.yml.
```
11.8.2 Audit Events
```yaml
# Event types to record (the setting lives under the logfile output).
# access_granted is high-volume; include it only if you can store and query it.
xpack.security.audit.logfile.events.include:
  - authentication_failed
  - authentication_success
  - access_denied
  - access_granted
  - connection_denied
  - connection_granted
```
11.8.3 Querying the Audit Log
```
# Search audit events. Elasticsearch only writes the audit file; this assumes
# it has been shipped into indices named security-audit-* (for example with Filebeat).
GET /security-audit-*/_search
{
  "query": {
    "term": {
      "event.action": "authentication_success"
    }
  }
}
```
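Querying for one event type is the starting point; what a defender actually wants from the audit log is the pattern across events. The following added example (not from the original page or from Elastic) runs two detections over audit lines in the JSON shape the log uses (`timestamp`, `event.action`, `user.name`, `origin.address`): a burst of `authentication_failed` from one source within a time window, and an `authentication_success` that follows repeated failures for the same user from the same source. The sample lines are constructed, not captured from a real cluster, and use documentation IP ranges.

```python
"""Detections over Elasticsearch audit events. Added example, not from the
original page; SAMPLE_AUDIT is constructed in the shape of logs/<cluster>_audit.json."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_AUDIT = """
{"timestamp":"2024-01-15T10:00:00,000+0000","event.action":"authentication_failed","user.name":"elastic","origin.address":"203.0.113.10:51001"}
{"timestamp":"2024-01-15T10:00:05,000+0000","event.action":"authentication_failed","user.name":"elastic","origin.address":"203.0.113.10:51002"}
{"timestamp":"2024-01-15T10:00:10,000+0000","event.action":"authentication_failed","user.name":"elastic","origin.address":"203.0.113.10:51003"}
{"timestamp":"2024-01-15T10:00:15,000+0000","event.action":"authentication_failed","user.name":"elastic","origin.address":"203.0.113.10:51004"}
{"timestamp":"2024-01-15T10:00:20,000+0000","event.action":"authentication_failed","user.name":"elastic","origin.address":"203.0.113.10:51005"}
{"timestamp":"2024-01-15T10:00:25,000+0000","event.action":"authentication_failed","user.name":"elastic","origin.address":"203.0.113.10:51006"}
{"timestamp":"2024-01-15T10:00:30,000+0000","event.action":"authentication_success","user.name":"elastic","origin.address":"203.0.113.10:51007"}
{"timestamp":"2024-01-15T10:01:00,000+0000","event.action":"authentication_failed","user.name":"john_doe","origin.address":"198.51.100.7:40001"}
{"timestamp":"2024-01-15T10:01:08,000+0000","event.action":"authentication_success","user.name":"john_doe","origin.address":"198.51.100.7:40002"}
"""


def parse_audit(text):
    """Parse one JSON event per line; keep the fields the detections need.
    The audit timestamp uses a comma before milliseconds, hence the replace."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        raw = json.loads(line)
        ts = datetime.strptime(raw["timestamp"].replace(",", "."), "%Y-%m-%dT%H:%M:%S.%f%z")
        events.append({
            "ts": ts,
            "action": raw["event.action"],
            "user": raw.get("user.name"),
            "ip": raw["origin.address"].rsplit(":", 1)[0],   # strip the source port
        })
    return sorted(events, key=lambda e: e["ts"])


def failed_auth_bursts(events, threshold=5, window_seconds=60):
    """Source IPs with at least `threshold` authentication_failed events inside
    any window of `window_seconds`. Returns {ip: count in the busiest window}."""
    by_ip = defaultdict(list)
    for e in events:
        if e["action"] == "authentication_failed":
            by_ip[e["ip"]].append(e["ts"])
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for ip, times in by_ip.items():      # times are already sorted
        start, worst = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            alerts[ip] = worst
    return alerts


def success_after_failures(events, min_failures=3):
    """(ip, user, failures) where a success follows at least `min_failures`
    consecutive failures for the same user from the same source: the shape of a
    guessed password, which deserves an immediate credential reset and review."""
    fails = defaultdict(int)
    hits = []
    for e in events:
        key = (e["ip"], e["user"])
        if e["action"] == "authentication_failed":
            fails[key] += 1
        elif e["action"] == "authentication_success":
            if fails[key] >= min_failures:
                hits.append((e["ip"], e["user"], fails[key]))
            fails[key] = 0
    return hits


if __name__ == "__main__":
    evs = parse_audit(SAMPLE_AUDIT)
    print(failed_auth_bursts(evs))        # {'203.0.113.10': 6}
    print(success_after_failures(evs))    # [('203.0.113.10', 'elastic', 6)]
```

The second source (`198.51.100.7`) fails once and then succeeds, which is a typo rather than an attack; the thresholds keep it out of both results. Tune `threshold`, `window_seconds` and `min_failures` to the cluster's normal traffic before alerting on them.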
11.9 IP Filtering
11.9.1 Configuring the IP Filter
```yaml
# elasticsearch.yml
xpack.security.transport.filter.enabled: true
# Allowed sources; allow rules are evaluated before deny rules, so an address
# in the allow list is accepted even if a deny rule also covers it
xpack.security.transport.filter.allow: ["192.168.1.0/24", "localhost"]
# Deny everything else (without this line, unmatched addresses are still accepted)
xpack.security.transport.filter.deny: _all
# The HTTP layer has its own, independent filter
xpack.security.http.filter.enabled: true
xpack.security.http.filter.allow: ["192.168.1.0/24", "localhost"]
xpack.security.http.filter.deny: _all
# Bind only to the intended interface
network.host: 192.168.1.100
```
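Before rolling out a rule set it is worth checking which addresses it actually admits. The following added example (not Elasticsearch's own code) models the documented evaluation order for the filter settings above (allow rules first, then deny rules; an address matching neither is accepted) for IPv4/IPv6 addresses and CIDR ranges, and flags the common mistake of an allow list with no `deny: _all`. The rule sets and test addresses are constructed; hostname rules such as `localhost` are outside this model.

```python
"""Evaluate Elasticsearch IP-filter rules offline. Added example, not from the
original page; rule sets below are constructed."""
import ipaddress


def _matches(addr, rule):
    """A rule is '_all', a single address or a CIDR range (hostnames not modelled)."""
    if rule == "_all":
        return True
    return addr in ipaddress.ip_network(rule, strict=False)


def is_allowed(address, allow, deny):
    """Apply the documented order: allow rules, then deny rules, then accept."""
    addr = ipaddress.ip_address(address)
    if any(_matches(addr, r) for r in allow):
        return True
    if any(_matches(addr, r) for r in deny):
        return False
    return True   # no rule matched: the connection is accepted


# Constructed rule sets. STRICT mirrors the elasticsearch.yml above (with the
# loopback address in place of the hostname 'localhost').
STRICT = {"allow": ["192.168.1.0/24", "127.0.0.1"], "deny": ["_all"]}
NO_DEFAULT_DENY = {"allow": ["192.168.1.0/24"], "deny": ["10.0.0.0/8"]}


def audit_rules(rules):
    """Flag an allow list that is not backed by a catch-all deny: every address
    outside both lists is still accepted."""
    if "_all" not in rules["deny"]:
        return "WARN: no 'deny: _all'; addresses outside the allow list are still accepted"
    return "OK: default-deny in place"


def admitted(addresses, rules):
    """Which of the given addresses the rule set admits; handy as a pre-deployment check."""
    return [a for a in addresses if is_allowed(a, rules["allow"], rules["deny"])]


if __name__ == "__main__":
    probes = ["192.168.1.50", "127.0.0.1", "10.1.2.3", "203.0.113.9", "2001:db8::1"]
    for name, rules in (("STRICT", STRICT), ("NO_DEFAULT_DENY", NO_DEFAULT_DENY)):
        print(name, audit_rules(rules), admitted(probes, rules))
```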
11.9.2 Role-Based IP Filtering
Elasticsearch applies IP filters per node through the settings in 11.9.1; role definitions carry no IP restrictions, so the role-scoped form below is illustrative only and is not accepted by the role API.
```json
{
  "roles": {
    "internal_users": {
      "cluster": ["all"],
      "indices": [{ "names": ["*"], "privileges": ["all"] }],
      "grant": [{ "field": { "ip": ["10.0.0.0/8"] } }]
    }
  }
}
```
11.10 Security Best Practices
11.10.1 Configuration Checklist
□ Enable security (xpack.security.enabled: true)
□ Configure TLS/SSL encryption
□ Use a strong password policy
□ Assign roles following the principle of least privilege
□ Rotate keys regularly
□ Enable audit logging
□ Configure IP access control
□ Disable built-in users that are not needed
□ Use API keys instead of passwords
□ Review access logs regularly
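Several checklist items can be verified mechanically against `elasticsearch.yml`. The following added example (not from the original page or from Elastic) parses the flat `key: value` settings used in 11.2.1, 11.8.1 and 11.9.1 with a stdlib-only parser and reports which items fail: security enabled, transport and HTTP TLS, a verification mode that actually verifies peers, audit logging, a default-deny IP filter, and a bind address that is not every interface. The sample configuration is constructed to fail several checks.

```python
"""Audit an elasticsearch.yml against the security checklist. Added example,
not from the original page; SAMPLE_YML is constructed."""

# Constructed sample: security on, but peer verification and HTTP TLS weakened.
SAMPLE_YML = """
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: none
xpack.security.http.ssl.enabled: false   # TLS only between nodes
xpack.security.audit.enabled: true
xpack.security.transport.filter.enabled: true
xpack.security.transport.filter.allow: ["192.168.1.0/24", "localhost"]
network.host: 0.0.0.0
"""


def parse_flat_yaml(text):
    """Parse the dotted 'key: value' subset of YAML that elasticsearch.yml uses.
    Inline lists ([a, b]) become Python lists; other values stay strings.
    Block-style lists and nested mappings are outside this parser."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if value.startswith("[") and value.endswith("]"):
            value = [v.strip().strip("'\"") for v in value[1:-1].split(",") if v.strip()]
        settings[key.strip()] = value
    return settings


def is_true(settings, key):
    return str(settings.get(key, "false")).lower() == "true"


def check_security_config(text):
    """Return (check name, passed, detail) per checklist item."""
    s = parse_flat_yaml(text)
    mode = s.get("xpack.security.transport.ssl.verification_mode", "full")  # 'full' is the default
    filter_on = is_true(s, "xpack.security.transport.filter.enabled")
    deny = s.get("xpack.security.transport.filter.deny")
    host = s.get("network.host")
    return [
        ("security enabled", is_true(s, "xpack.security.enabled"),
         "xpack.security.enabled must be true"),
        ("transport TLS", is_true(s, "xpack.security.transport.ssl.enabled"),
         "node-to-node traffic must be encrypted"),
        ("transport verification", mode in ("full", "certificate"),
         f"verification_mode is '{mode}'; 'none' disables peer verification"),
        ("HTTP TLS", is_true(s, "xpack.security.http.ssl.enabled"),
         "client traffic must be encrypted"),
        ("audit logging", is_true(s, "xpack.security.audit.enabled"),
         "audit log must be enabled"),
        ("IP filter default-deny", filter_on and deny == "_all",
         "enable the filter and set deny: _all so only allowed ranges connect"),
        ("bind address", host not in (None, "0.0.0.0", "_global_"),
         "network.host should bind a specific interface"),
    ]


def failing_checks(text):
    """Names of the checks that fail, in checklist order."""
    return [name for name, passed, _ in check_security_config(text) if not passed]


if __name__ == "__main__":
    for name, passed, detail in check_security_config(SAMPLE_YML):
        print(f"[{'PASS' if passed else 'FAIL'}] {name}: {detail}")
```

Run it against the real file before every deployment; the checks that matter most operationally are the silent ones, such as a `verification_mode: none` left over from testing.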
11.10.2 Password Policy
Elasticsearch has no configurable complexity policy for native-realm users: it enforces only a minimum length of 6 characters and lets you choose the hashing algorithm. Enforce length and complexity rules in the identity provider (LDAP/AD, SAML, OIDC) or in the process that provisions native users.
```yaml
# Password hashing for the native and file realms (bcrypt is the default)
xpack.security.authc.password_hashing.algorithm: bcrypt
```
11.11 Summary
This chapter covered Elasticsearch security configuration: authentication, authorization, encryption and auditing. In production, always enable security and follow the principle of least privilege.