엘라스틱 서치 security 설정
기본값으로 비활성화 되어있는 인증관련설정을 활성화 함
7버전부터 인증설정이 없으면 익명사용자로 작업시 경고 메시지 출력됨
09:01:10 WARN org.elasticsearch.client.RestClient - request [GET ] returned 1 warnings: [299 Elasticsearch-7.17.1-e5acb99f822233d62d6444ce45a4543dc1c8059a "Elasticsearch built-in security features are not enabled. Without authentication, your cluster could be accessible to anyone. See <https://www.elastic.co/guide/en/elasticsearch/reference/7.17/security-minimal-setup.html> to enable security."
아무런 인증없이 엘라스틱서치/키바나 사용할수 없으므로 아래와 같이 인증 설정을 함
config/elasticsearch.yml파일내
xpack.security.enabled: true
위 설정을 넣어준다
수동으로 넣으면 재기동 후 삭제되므로 아래 helm 차트내 values에 값 넣기
esConfig: {}
elasticsearch.yml: |
xpack.security.enabled: true
security enable시 ssl을 필수로 적용하여야함,
bootstrap check failure [1] of [1]: Transport SSL must be enabled if security is enabled on a [basic] license. Please set [xpack.security.transport.ssl.enabled] to [true] or disable security by setting [xpack.security.enabled] to [false]
테스트용 1node 작업시엔 문제 없지만 2노드이상이면 서로 통신에 ssl을 사용하므로 아래 설정을 해주어야함
ssl 인증서 관련 추가 설정 필요
"Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure",
"at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]",
"at sun.security.ssl.Alert.createSSLException(Alert.java:117) ~[?:?]",
"at sun.security.ssl.TransportContext.fatal(TransportContext.java:358) ~[?:?]",
"at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293) ~[?:?]",
"at sun.security.ssl.TransportContext.dispatch(TransportContext.java:204) ~[?:?]",
"at sun.security.ssl.SSLTransport.decode(SSLTransport.java:172) ~[?:?]",
"at sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:736) ~[?:?]",
"at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:691) ~[?:?]",
"at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:506) ~[?:?]",
"at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:482) ~[?:?]",
"at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:679) ~[?:?]",
"at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:298) ~[netty-handler-4.1.66.Final.jar:4.1.66.Final]",
"at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1344) ~[netty-handler-4.1.66.Final.jar:4.1.66.Final]",
"at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1237) ~[netty-handler-4.1.66.Final.jar:4.1.66.Final]",
"at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1286) ~[netty-handler-4.1.66.Final.jar:4.1.66.Final]",
"at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:507) ~[netty-codec-4.1.66.Final.jar:4.1.66.Final]",
"at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:446) ~[netty-codec-4.1.66.Final.jar:4.1.66.Final]",
"... 16 more"] }
인증서가 없어 서로 통신이 안됨
인증서 생성 및 배포
instance 정보로 인증서및 ca생성
elasticsearch@elasticsearch-master-0:~$ elasticsearch-certutil ca --out /tmp/elastic-stack-ca.p12 --pass ''
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.
The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.
Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority
By default the 'ca' mode produces a single PKCS#12 output file which holds:
* The CA certificate
* The CA's private key
If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key
elasticsearch@elasticsearch-master-0:~$ elasticsearch-certutil cert --name security-master --dns security-master --ca /tmp/elastic-stack-ca.p12 --pass '' --ca-pass '' --out /tmp/elastic-certificates.p12
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.
The 'cert' mode generates X.509 certificate and private keys.
* By default, this generates a single certificate and key for use
on a single instance.
* The '-multiple' option will prompt you to enter details for multiple
instances and will generate a certificate and key for each one
* The '-in' option allows for the certificate generation to be automated by describing
the details of each instance in a YAML file
* An instance is any piece of the Elastic Stack that requires an SSL certificate.
Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
may all require a certificate and private key.
* The minimum required value for each instance is a name. This can simply be the
hostname, which will be used as the Common Name of the certificate. A full
distinguished name may also be used.
* A filename value may be required for each instance. This is necessary when the
name would result in an invalid file or directory name. The name provided here
is used as the directory name (within the zip) and the prefix for the key and
certificate files. The filename is required if you are prompted and the name
is not displayed in the prompt.
* IP addresses and DNS names are optional. Multiple values can be specified as a
comma separated string. If no IP addresses or DNS names are provided, you may
disable hostname verification in your SSL configuration.
* All certificates generated by this tool will be signed by a certificate authority (CA)
unless the --self-signed command line option is specified.
The tool can automatically generate a new CA for you, or you can provide your own with
the --ca or --ca-cert command line options.
By default the 'cert' mode produces a single PKCS#12 output file which holds:
* The instance certificate
* The private key for the instance certificate
* The CA certificate
If you specify any of the following options:
* -pem (PEM formatted output)
* -keep-ca-key (retain generated CA key)
* -multiple (generate multiple certificates)
* -in (generate certificates from an input file)
then the output will be be a zip file containing individual certificate/key files
Certificates written to /tmp/elastic-certificates.p12
This file should be properly secured as it contains the private key for
your instance.
This file is a self contained file and can be copied and used 'as is'
For each Elastic product that you wish to configure, you should copy
this '.p12' file to the relevant configuration directory
and then follow the SSL configuration instructions in the product guide.
For client applications, you may only need to copy the CA certificate and
configure the client to trust this certificate.
elasticsearch@elasticsearch-master-0:~$ ll /tmp
생성된 인증서 로컬 저장 및 확인
ybchoi@ybchoiui-MacBookPro elasticsearch % kubectl cp -n elasticsearch elasticsearch-master-0:/tmp/elastic-certificates.p12 elastic-certificates.p12
Defaulted container "elasticsearch" out of: elasticsearch, configure-sysctl (init)
tar: Removing leading `/' from member names
ybchoi@ybchoiui-MacBookPro elasticsearch % kubectl cp -n elasticsearch elasticsearch-master-0:/tmp/elastic-stack-ca.p12 elastic-stack-ca.p12
Defaulted container "elasticsearch" out of: elasticsearch, configure-sysctl (init)
tar: Removing leading `/' from member names
ybchoi@ybchoiui-MacBookPro elasticsearch % ll
total 40
-rw-r--r-- 1 ybchoi staff 3658 5 6 11:10 elastic-certificates.p12
-rw-r--r-- 1 ybchoi staff 2672 5 6 11:10 elastic-stack-ca.p12
-rw-r--r-- 1 ybchoi staff 9863 5 6 10:24 values.yaml
ca이용하여 인증서 생성
ybchoi@ybchoiui-MacBookPro elasticsearch % ll
total 64
-rw-r--r-- 1 ybchoi staff 3658 5 6 11:10 elastic-certificates.p12
-rw-r--r-- 1 ybchoi staff 2672 5 6 11:10 elastic-stack-ca.p12
-rw-r--r-- 1 ybchoi staff 9863 5 6 10:24 values.yaml
생성된 인증서 k8s secret으로 등록
ybchoi@ybchoiui-MacBookPro elasticsearch % kubectl create secret -n elasticsearch generic elastic-certificates --from-file=elastic-certificates.p12
secret/elastic-certificates created
등록된 인증서를 마운트하고 사용할수 있도록 헬름차트 수정
esConfig:
elasticsearch.yml: |
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
secretMounts:
- name: elastic-certificates
secretName: elastic-certificates
path: /usr/share/elasticsearch/config/certs
변경된 value 적용을 위한 upgrade
helm upgrade elasticsearch -n elasticsearch -f values.yaml elastic/elasticsearch
정상 작동안됨...
다 삭제하고 새로 배포해도 안됨
helm value.yaml내 protocol을 http → https로 변경하니 잘됨
내가 원하는건 그냥 패스워드 인증이므로 강제로 적용해야하는 transport layer에만 ssl을 적용하는것 테스트
굳이 https까지 쓸필욘 없으므로 아래와 같이 설정 후 재배포
esConfig:
elasticsearch.yml: |
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
xpack.security.http.ssl.enabled: false
secretMounts:
- name: elastic-certificates
secretName: elastic-certificates
path: /usr/share/elasticsearch/config/certs
protocol: http
정상 작동
필수인 tranport(cluster통신) 만 ssl적용하고 elasticsearch 접근은 http+userauth 이용하여 설정 완료
kibana
kibana의 경우 별다른 설정없이 기존 방법대로 설치 하면 됨