Can ES data be protected?

The company ships a complete hardware-and-software bundle to a customer (Party A), and Party A has root on it. The vendor (Party B) wants the ES data to be unobtainable by Party A for any other purpose; it should only be reachable through queries in the web UI. The requirement that lands on the developer: can existing, low-cost technical measures stop Party A from extracting the complete ES dataset?

Answer: ES password security is purely an API-layer feature and does nothing for the data on disk, so no simple, low-cost technical measure can stop Party A from obtaining the ES data. The only real protection is the commercial contract.

Setting up the environment

docker-compose.yml

version: '3.3'
services:
  esxx:
    image: elasticsearch:7.6.1
    container_name: esxx
    environment:
      - node.name=esxx
      - node.attr.temperature=hot
      - cluster.name=es-docker-cluster
      - discovery.type=single-node
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms16g -Xmx16g"
    volumes:
      - ./test_data:/usr/share/elasticsearch/data
      - ./elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
    restart: always
    networks:
      - custom_net
    ports:
      - 9400:9200
    ulimits:
      memlock:
        soft: -1
        hard: -1
networks:
  custom_net:
    external:
      name: box_net


elasticsearch.yml

network.host: 0.0.0.0
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.type: PKCS12
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.type: PKCS12
xpack.security.audit.enabled: true

The ES security index

Set the passwords

$ docker exec -ti esxx sh
WARNING: Error loading config file: /home/kslab/.docker/config.json: open /home/kslab/.docker/config.json: permission denied
sh-4.2# ./bin/elasticsearch-setup-passwords auto
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
The passwords will be randomly generated and printed to the console.
Please confirm that you would like to continue [y/N]y


Changed password for user apm_system
PASSWORD apm_system = uEdUclorglQ20a7uWzsj

Changed password for user kibana
PASSWORD kibana = oOf7PYoXZCsAS47ET9EP

Changed password for user logstash_system
PASSWORD logstash_system = jopSqNF9hSpgizRdDq3Y

Changed password for user beats_system
PASSWORD beats_system = r2Zi8vV4e1PuYJyhyFSV

Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = D77d95g7suJqVi8ZKgnP

Changed password for user elastic
PASSWORD elastic = Gc6CoQNjkJKoKAr7jEs1

ES log

{"type": "server", "timestamp": "2021-01-20T09:26:42,200Z", "level": "INFO", "component": "o.e.x.s.s.SecurityIndexManager", "cluster.name": "es-docker-cluster", "node.name": "esxx", "message": "security index does not exist. Creating [.security-7] with alias [.security]", "cluster.uuid": "QsoCLcMcRw2yxlXpI6kXSQ", "node.id": "xUjbRbzmT_SUJ5Gzz81oUQ"  }
{"type": "server", "timestamp": "2021-01-20T09:26:42,256Z", "level": "INFO", "component": "o.w.a.d.Monitor", "cluster.name": "es-docker-cluster", "node.name": "esxx", "message": "try load config from /usr/share/elasticsearch/config/analysis-ik/IKAnalyzer.cfg.xml", "cluster.uuid": "QsoCLcMcRw2yxlXpI6kXSQ", "node.id": "xUjbRbzmT_SUJ5Gzz81oUQ"  }
{"type": "server", "timestamp": "2021-01-20T09:26:42,658Z", "level": "INFO", "component": "o.e.c.m.MetaDataCreateIndexService", "cluster.name": "es-docker-cluster", "node.name": "esxx", "message": "[.security-7] creating index, cause [api], templates [], shards [1]/[0], mappings [_doc]", "cluster.uuid": "QsoCLcMcRw2yxlXpI6kXSQ", "node.id": "xUjbRbzmT_SUJ5Gzz81oUQ"  }
{"type": "server", "timestamp": "2021-01-20T09:26:43,003Z", "level": "INFO", "component": "o.e.c.r.a.AllocationService", "cluster.name": "es-docker-cluster", "node.name": "esxx", "message": "Cluster health status changed from [YELLOW] to [GREEN] (reason: [shards started [[.security-7][0]]]).", "cluster.uuid": "QsoCLcMcRw2yxlXpI6kXSQ", "node.id": "xUjbRbzmT_SUJ5Gzz81oUQ"  }


List the indices

$ curl localhost:9400/_cat/indices
green  open .security-7     9IzOc3mlTMOykN3CFwyasQ 1 0 6 0 19.5kb 19.5kb
green open my-index-000001 FvtW0L1ESGSZCSYUDGfngA 3 2 0 0   690b   690b
$ ls nodes/0/indices/
9IzOc3mlTMOykN3CFwyasQ  FvtW0L1ESGSZCSYUDGfngA

As the listing shows, ES stores its passwords in a separate index named .security-x, and each index lives on disk in a directory named after its UUID. The data indices and the security index are therefore completely separate, which means the access control on the data can be broken simply by deleting the security index.
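To make that separation actionable from the vendor's side, here is an added example (not code from the original post) that turns the two artifacts shown above, the `_cat/indices` listing and the JSON server log, into an integrity check for the security index: it maps index names to their on-disk UUID directories, flags a `.security-N` index whose UUID has changed since a recorded baseline (ES rebuilds the index under a new UUID after its directory is removed), and counts the "security index does not exist" events, of which exactly one is expected on first setup. Both sample inputs are constructed to mirror the post's output; the UUID of the recreated index is a placeholder. The limit is the one this post is about: a customer with root also controls these files, so this is tamper monitoring, not prevention, and only means something if the listing and logs are shipped off the box.

```python
"""Detect tampering with the Elasticsearch security index (added example).

Works on two artifacts the post shows: the `_cat/indices` listing, whose UUID
column is also the directory name under nodes/0/indices/, and the ES 7.x JSON
server log. All sample inputs below are constructed.
"""
import json
import re

# Constructed sample: `_cat/indices` output in the same column layout as the post.
CAT_INDICES_BASELINE = """\
green  open .security-7     9IzOc3mlTMOykN3CFwyasQ 1 0 6 0 19.5kb 19.5kb
green open my-index-000001 FvtW0L1ESGSZCSYUDGfngA 3 2 0 0   690b   690b
"""

# Constructed sample: the same node after the .security-7 directory was removed
# and ES restarted; ES recreates the index under a new UUID (placeholder value).
CAT_INDICES_AFTER = """\
green  open .security-7     NEWuuidPLACEHOLDER0000 1 0 6 0 19.5kb 19.5kb
green open my-index-000001 FvtW0L1ESGSZCSYUDGfngA 3 2 0 0   690b   690b
"""

# Constructed sample log lines in the ES 7.x JSON layout shown in the post.
LOG_LINES = [
    '{"type": "server", "timestamp": "2021-01-20T09:26:42,200Z", "level": "INFO", '
    '"component": "o.e.x.s.s.SecurityIndexManager", "cluster.name": "es-docker-cluster", '
    '"node.name": "esxx", "message": "security index does not exist. Creating [.security-7] with alias [.security]"}',
    '{"type": "server", "timestamp": "2021-01-20T09:26:43,003Z", "level": "INFO", '
    '"component": "o.e.c.r.a.AllocationService", "cluster.name": "es-docker-cluster", '
    '"node.name": "esxx", "message": "Cluster health status changed from [YELLOW] to [GREEN] (reason: [shards started [[.security-7][0]]])."}',
    "not json at all (e.g. a stack trace line)",
]


def parse_cat_indices(text):
    """Return {index_name: uuid} from `_cat/indices` output (default columns:
    health status index uuid pri rep docs.count docs.deleted store.size pri.store.size)."""
    result = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 4:
            continue
        result[cols[2]] = cols[3]
    return result


def security_index_uuids(text):
    """UUIDs (= directory names under nodes/0/indices/) of every .security-N index."""
    return {name: uuid for name, uuid in parse_cat_indices(text).items()
            if re.fullmatch(r"\.security-\d+", name)}


def security_index_recreated(baseline_text, current_text):
    """True if any .security-N index now has a different UUID than at baseline, or is
    gone: the on-disk directory was removed and ES rebuilt the index."""
    before = security_index_uuids(baseline_text)
    after = security_index_uuids(current_text)
    return any(after.get(name) != uuid for name, uuid in before.items())


def security_index_creations(log_lines):
    """Timestamps of every 'security index does not exist' event. One is expected at
    first setup; any later occurrence means the security index was deleted."""
    hits = []
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # non-JSON lines (stack traces, rotation markers) are skipped
        if (event.get("component") == "o.e.x.s.s.SecurityIndexManager"
                and "security index does not exist" in event.get("message", "")):
            hits.append(event["timestamp"])
    return hits


if __name__ == "__main__":
    print("baseline security index:", security_index_uuids(CAT_INDICES_BASELINE))
    print("recreated:", security_index_recreated(CAT_INDICES_BASELINE, CAT_INDICES_AFTER))
    print("creation events:", security_index_creations(LOG_LINES))
```

Record the baseline listing right after `elasticsearch-setup-passwords` has run; a later run that reports `recreated: True`, or a second creation event in the log, is the trace the deletion step below leaves behind.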

Delete the security index directory

$ rm -rf nodes/0/indices/9IzOc3mlTMOykN3CFwyasQ

The ES authentication switch

ES decides from its configuration file whether API requests must be authenticated at all. If the authentication settings are absent, the authentication step is skipped and the query is served directly, so the simplest route of all is to switch the authentication settings off, after which every document is readable.

Remove the ES authentication configuration from the docker-compose file

...
    volumes:
      - ./test_data:/usr/share/elasticsearch/data
      # - ./elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      # - ./elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
    restart: always
...
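A check the vendor can run from the web tier to notice that this switch has been flipped, as an added example that is not the post's code: an unauthenticated request to `_cat/indices` must be rejected with 401, and the monitor's own credentials must be accepted; a 200 without credentials means the security configuration (or the security index) is gone. The base URL, port 9400 from the compose file above, and the credentials are assumptions and placeholders; `fetch` is injectable so the decision logic runs offline against canned responses.

```python
"""Probe whether an Elasticsearch node still enforces authentication (added example).

Two GETs against /_cat/indices, one anonymous and one with the monitor's own
credentials, are enough to tell the states apart. `fetch` is injectable so the
classification can be exercised without a live node.
"""
import base64
import urllib.error
import urllib.request

ENFORCED = "enforced"            # anonymous 401, credentials accepted
DISABLED = "disabled"            # anonymous 200: security config or security index removed
BAD_CREDENTIALS = "bad_credentials"  # anonymous 401, but our credentials were rejected too
UNREACHABLE = "unreachable"      # connection failed


def http_status(url, auth=None, timeout=5):
    """HTTP status of a GET to `url`, with optional (user, password) basic auth;
    None if the node cannot be reached."""
    req = urllib.request.Request(url)
    if auth:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:   # 401/403/etc. still carry a status
        return err.code
    except urllib.error.URLError:
        return None


def classify_auth_state(unauth_status, auth_status):
    """Decide the node's state from the two probe results."""
    if unauth_status is None:
        return UNREACHABLE
    if unauth_status == 200:
        return DISABLED
    if unauth_status == 401 and auth_status in (200, 403):
        # 403 = authenticated but not privileged for _cat: auth is still enforced
        return ENFORCED
    if unauth_status == 401:
        return BAD_CREDENTIALS
    return f"unexpected:{unauth_status}/{auth_status}"


def check_node(base_url, credentials, fetch=http_status):
    """Run both probes against `<base_url>/_cat/indices` and classify the node."""
    url = base_url.rstrip("/") + "/_cat/indices"
    return classify_auth_state(fetch(url), fetch(url, auth=credentials))


if __name__ == "__main__":
    # Assumed URL (host port 9400 from the compose file) and placeholder credentials.
    print(check_node("http://localhost:9400", ("elastic", "PLACEHOLDER_PASSWORD")))
```

Anything other than `enforced` from a scheduled run is worth an alert; `disabled` is exactly the state the commented-out volume mounts above produce. As with the log check, the probe observes a change after the fact and a customer with root could also block the monitor, which is the point the summary makes.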

Summary

Either switching off the authentication configuration or deleting the security index outright is enough to obtain the complete ES dataset. So in a scenario where data is sold but must also be protected, no simple technical measure can protect it; as with invention patents, the company's interests have to be protected through contracts and the law.

Follow my WeChat official account and feel free to leave comments; I will reply where I can. Thanks for reading.
