问题描述
我正在AWS上使用ES服务.我在学习如何使用它方面取得了很大的进步,尤其是在ES HighLevelRestClient中.因此,现在我想保护ES服务器的安全,增加用户身份验证的安全性. Amazon提供了要使用的访问密钥"和秘密密钥"值,类似于用户/密码"凭证.不幸的是,他们还提供了自己的AWSCredentials和AWS4Signer类来创建凭证和凭证.签署请求!
I'm using the ES service on AWS. I've made good progress learning how to use it, particularly with the ES HighLevelRestClient. So now I wanted to secure the ES server, adding user authentication security. Amazon provides the "access key" and "secret key" values to use, analogous to "user/password" credentials. Unfortunately, they also provide their own AWSCredentials and AWS4Signer classes to create credentials & sign the request!
他们的代码示例非常简单,并且可以与Elastic Co的Java"Low Level" RestClient一起很好地工作.这是类似于Amazon在 https ://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-indexing-programmatic.html :
Their code examples are simple enough, and work fine with Elastic Co's Java "Low Level" RestClient. Here's a snippet analogous to what amazon recommends at https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-indexing-programmatic.html:
credentialsProvider = new AWSStaticCredentialsProvider (new BasicAWSCredentials ("access key", "secret key")); // while debugging
HttpRequestInterceptor interceptor =
new AWSRequestSigningApacheInterceptor (serviceName, signer, credentialsProvider);
RestClient lowLevelClient = RestClient.builder (HttpHost.create (esURL))
.setHttpClientConfigCallback (hacb -> hacb.addInterceptorLast (interceptor)).build ();
好消息是,这很好!不幸的是,ES High Level Rest Client签名版本的明显扩展(如)不起作用!那就是:
The good news is, this works fine! Unfortunately, the obvious extension to a signed version of the ES High Level Rest Client (as suggested in Add authentication in elasticsearch high level client for JAVA) doesn't work! That is:
RestClientBuilder builder = RestClient.builder (HttpHost.create (esURL))
.setHttpClientConfigCallback (hacb -> hacb.addInterceptorLast (interceptor));
highLevelClient = new RestHighLevelClient (builder);
总是会导致来自AWS的以下错误消息:
always leads to the following error message from AWS:
{"message":"The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details."}
我推测ES高级休息客户端会构造JSON查询,而AWS拦截器在创建签名时不会看到这些查询.由于等效方法在Elastic Co云实例上很好用(请参见上面的SO线程),所以我猜这是AWS人员和ES人员之间不交谈的地方.
I speculate that the ES high-level rest client constructs JSON queries which the AWS interceptor does not see when creating the signature. Since the equivalent method works fine for the Elastic Co cloud instance (see SO thread mentioned above), I'm guessing this is where AWS folks and ES folks are not talking to each other.
是否可以通过某种方式使用AWS CredentialsProvider和Signer,但可以使用Apache HttpAsyncClientBuilder :: setDefaultCredentialProvider方法?还是有ES Rest API的版本,其中Java High Level Rest客户端在AWS拦截器对其进行签名之前就完全构建了请求?
Is there some way I can use the AWS CredentialsProvider and Signer, but with the Apache HttpAsyncClientBuilder::setDefaultCredentialProvider method? Or is there a version of the ES Rest API in which the Java High Level Rest Client constructs the request fully before the AWS interceptor signs it?
否则,我将被迫使用IP地址签名(ugh),开始使用低级Rest Client(双ugh)或使用ssh隧道和AWS VPC安全性的某种组合(许多ughs).
Otherwise, I'll be forced to use IP address signing (ugh), start using the Low Level Rest Client (double ugh), or use some combination of ssh tunneling and AWS VPC security (many ughs).
推荐答案
好吧,我发现了一个目前对我来说很好的答案.我在github上找到了aws-es-proxy 1 在我的机器上.我通过127.0.0.1:9200(可配置)连接到它,它签署了我的请求并将其转发到我的AWS服务器.有效!
Ok, I found one answer which is working well for me for now. I found aws-es-proxy1 on github, which lets me run a proxy server on my machine. I connect to it via 127.0.0.1:9200 (configurable), and it signs my requests and forwards it to my aws es server. Works!
但是,它确实向我的应用程序添加了外部依赖关系,因此,总的来说,我认为这是一种解决方法,而不是解决方案.
It does add an external dependency to my app, though, so on the whole I think it's a workaround, not a solution.
这篇关于Elasticsearch on AWS用户身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!