shield

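ES 5.0 Java API Shield connection problem

Elasticsearch novia replied to the question • 2 followers • 1 reply • 226 views • 2016-12-13 10:45 • from related topics

What should I do when Shield expires after installation?

Elasticsearch suwensen asked the question • 1 follower • 0 replies • 573 views • 2016-04-05 10:35 • from related topics

Day24: How does TransportClient connect after Shield is added to Elasticsearch?

Advent medcl published the article • 6 comments • 1322 views • 2015-12-28 12:13 • from related topics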

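Shield is a security plugin for Elasticsearch that provides access control and audit logging. Enterprises can easily integrate it with LDAP or Active Directory and reuse their existing authentication infrastructure.

Once Shield is in place, Elasticsearch can only be accessed with credentials, so calls differ slightly from the default. Below is a brief introduction to connecting over HTTP and over TCP.

I will not go into installing and configuring Shield here. I created a user whose username and password are both tribe_user, with admin permissions.

1. HTTP
Accessing the ES HTTP endpoint directly now returns an error: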

curl http://localhost:9200

{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication token for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"shield\""}}],"type":"security_exception","reason":"missing authentication token for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"shield\""}},"status":401}

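Shield supports HTTP Basic authentication, so the correct way to access it is:

curl -u tribe_user:tribe_user http://localhost:9200

{
  "name" : "Melter",
  "cluster_name" : "elasticsearch",
  "version" : {
    "number" : "2.1.1",
    "build_hash" : "805c528f3167980046f224310f9147fa745e5371",
    "build_timestamp" : "2015-12-09T20:23:16Z",
    "build_snapshot" : false,
    "lucene_version" : "5.3.1"
  },
  "tagline" : "You Know, for Search"
}

When accessing from a browser, an authentication dialog pops up on the first visit; after that, access keeps working as long as the browser stays open and the session is kept.
Note that HTTP Basic is not a secure authentication method and is for development and debugging only; in production it must be combined with an encrypted HTTPS channel.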
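The caveat above, as an added example that is not part of the original article: the header `curl -u` sends decodes straight back to the password, and a small wrapper can refuse to send it over plain HTTP except to loopback. The function names and the `ES_USER`/`ES_PASS` variables are hypothetical.

```shell
#!/usr/bin/env bash
# Added example; function names and ES_USER/ES_PASS are hypothetical.

# Authorization header value that `curl -u user:pass` puts on the wire.
basic_header() {
  printf 'Basic %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Basic is an encoding, not encryption: the header decodes straight back
# to user:password for anyone who can read the plain-HTTP traffic.
decode_basic_header() {
  printf '%s' "${1#Basic }" | base64 -d
}

# Accept https:// anywhere, and http:// only for loopback (development).
url_is_safe_for_basic() {
  case "$1" in
    https://*) return 0 ;;
    http://*@*) return 1 ;;   # userinfo can disguise the real host
    http://localhost|http://localhost[:/]*) return 0 ;;
    http://127.0.0.1|http://127.0.0.1[:/]*) return 0 ;;
    *) return 1 ;;
  esac
}

# curl wrapper: refuses unsafe URLs and feeds the credentials through a
# config on stdin, so the password is not visible in the process list.
# Assumes the password contains no double quotes or backslashes.
es_curl() {
  es_url=$1; shift
  if ! url_is_safe_for_basic "$es_url"; then
    echo "refusing to send Basic credentials over plain HTTP: $es_url" >&2
    return 2
  fi
  printf 'user = "%s:%s"\n' "$ES_USER" "$ES_PASS" |
    curl --silent --show-error --config - "$@" "$es_url"
}
```

With `ES_USER` and `ES_PASS` exported, `es_curl http://localhost:9200` behaves like the article's command, while a plain-HTTP URL on any other host is rejected before curl runs.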

2. Accessing a Shield-protected Elasticsearch through TransportClient is slightly more involved and requires the Shield package as a dependency. The steps are:
2.1 If your project is managed with Maven, add the Elasticsearch Maven repository to pom.xml, as follows:

<repositories>
  <repository>
    <id>elasticsearch-releases</id>
    <url>https://maven.elasticsearch.or ...</url>
    <releases> <enabled>true</enabled> </releases>
    <snapshots> <enabled>false</enabled> </snapshots>
  </repository>
</repositories>

2.2 Add the dependency:

<dependency>
  <groupId>org.elasticsearch.plugin</groupId>
  <artifactId>shield</artifactId>
  <version>2.1.1</version>
</dependency>

2.3 Add the user configuration where the TransportClient is built:

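import java.net.InetAddress;
import java.net.UnknownHostException;
import org.elasticsearch.client.transport.TransportClient;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.InetSocketTransportAddress;
import org.elasticsearch.shield.ShieldPlugin;
import org.elasticsearch.shield.authc.support.SecuredString;
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;

// `client` (TransportClient) and `logger` are fields of the enclosing class.
String clusterName = "elasticsearch";
String ip = "127.0.0.1";
Settings settings = Settings.settingsBuilder()
        .put("cluster.name", clusterName)
        // Default credentials attached to requests made by this client
        .put("shield.user", "tribe_user:tribe_user")
        .build();
try {
    client = TransportClient.builder()
            .addPlugin(ShieldPlugin.class)
            .settings(settings).build()
            .addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName(ip), 9300));
    // Credentials can also be set per request through the Authorization header
    String token = basicAuthHeaderValue("tribe_user", new SecuredString("tribe_user".toCharArray()));
    client.prepareSearch()
            .putHeader("Authorization", token).get();
} catch (UnknownHostException e) {
    logger.error("es", e);
}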
 
Pasting code into the current editor is rather painful, so you can read it here instead:
http://log.medcl.net/item/2015 ... -1252