Question
I'm using the ES service on AWS. I've made good progress learning how to use it, particularly with the ES HighLevelRestClient. So now I wanted to secure the ES server by adding user authentication. Amazon provides the "access key" and "secret key" values to use, analogous to "user/password" credentials. Unfortunately, they also provide their own AWSCredentials and AWS4Signer classes to create credentials and sign the request!
Their code examples are simple enough, and work fine with Elastic Co's Java "Low Level" RestClient. Here's a snippet analogous to what Amazon recommends at https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-indexing-programmatic.html:
```java
// Static credentials while debugging; prefer DefaultAWSCredentialsProviderChain in production
AWSCredentialsProvider credentialsProvider =
        new AWSStaticCredentialsProvider(new BasicAWSCredentials("access key", "secret key"));
AWS4Signer signer = new AWS4Signer();   // AWS SDK for Java v1
signer.setServiceName(serviceName);     // "es"
signer.setRegionName(region);           // e.g. "us-east-1"
HttpRequestInterceptor interceptor =    // from the aws-samples project linked above
        new AWSRequestSigningApacheInterceptor(serviceName, signer, credentialsProvider);
RestClient lowLevelClient = RestClient.builder(HttpHost.create(esURL))
        .setHttpClientConfigCallback(hacb -> hacb.addInterceptorLast(interceptor)).build();
```
The good news is, this works fine! Unfortunately, the obvious extension to a signed version of the ES High Level Rest Client (as suggested in "Add authentication in elasticsearch high level client for JAVA") doesn't work! That is:
```java
// Same signing interceptor, now wrapped by the high-level client
RestClientBuilder builder = RestClient.builder(HttpHost.create(esURL))
        .setHttpClientConfigCallback(hacb -> hacb.addInterceptorLast(interceptor));
RestHighLevelClient highLevelClient = new RestHighLevelClient(builder);
```
always leads to the following error message from AWS:
```json
{"message":"The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details."}
```
I speculate that the ES high-level rest client constructs JSON queries which the AWS interceptor does not see when creating the signature. Since the equivalent method works fine for the Elastic Co cloud instance (see the SO thread mentioned above), I'm guessing this is where the AWS folks and the ES folks are not talking to each other.
Is there some way I can use the AWS CredentialsProvider and Signer, but with the Apache HttpAsyncClientBuilder::setDefaultCredentialProvider method? Or is there a version of the ES Rest API in which the Java High Level Rest Client constructs the request fully before the AWS interceptor signs it?
Otherwise, I'll be forced to use IP address signing (ugh), start using the Low Level Rest Client (double ugh), or use some combination of ssh tunneling and AWS VPC security (many ughs).
Accepted answer
OK, I found one answer which is working well for me for now. I found aws-es-proxy on GitHub, which lets me run a proxy server on my machine. I connect to it via 127.0.0.1:9200 (configurable), and it signs my requests and forwards them to my AWS ES server. Works!
It does add an external dependency to my app, though, so on the whole I think it's a workaround, not a solution.
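The interceptor in the question and the proxy in the answer have to do the same job: compute an AWS Signature Version 4 over the request exactly as it will go on the wire. The following is an added example, not code from the question, the answer, the AWS SDK or aws-es-proxy. It is a standard-library Python model of that signing step, followed by the service side, which recomputes the signature over the bytes it actually received and compares. Re-serializing the JSON body after signing (same document, different whitespace) is enough to trigger the "signature we calculated does not match" rejection quoted above; this illustrates that class of mismatch, it does not diagnose the high-level client. The endpoint, credentials, timestamp and sample document are constructed placeholders.

```python
"""AWS SigV4 over an Elasticsearch-style request, standard library only (added example)."""
import hashlib
import hmac
import json
from urllib.parse import quote

# Constructed values (assumption: not a real domain and not real credentials).
ACCESS_KEY = "AKIAEXAMPLEACCESSKEY"
SECRET_KEY = "exampleSecretKeyDoNotUseThisAnywhere"
REGION = "us-east-1"
SERVICE = "es"
HOST = "search-example-abc123.us-east-1.es.amazonaws.com"
AMZ_DATE = "20180301T120000Z"  # fixed clock so the output is reproducible


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_request(method, path, query, headers, body):
    """SigV4 canonical request. `headers` maps lowercase names to values and every
    entry is signed; `query` maps names to single string values (enough for ES URLs).
    Path characters outside [A-Za-z0-9-_.~/] must be percent-encoded twice for
    non-S3 services; the sample path below needs no encoding."""
    canon_path = quote(path, safe="/~")
    canon_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items()))
    signed = sorted(headers)
    # one "name:value\n" line per header, value trimmed and inner whitespace collapsed
    canon_headers = "".join(f"{k}:{' '.join(headers[k].split())}\n" for k in signed)
    text = "\n".join([method.upper(), canon_path, canon_query, canon_headers,
                      ";".join(signed), _sha256_hex(body)])
    return text, ";".join(signed)


def authorization_header(method, path, query, headers, body, amz_date=AMZ_DATE):
    """Derive the per-day signing key and return the Authorization header value."""
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{REGION}/{SERVICE}/aws4_request"
    canon, signed_headers = canonical_request(method, path, query, headers, body)
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(canon.encode("utf-8"))])
    k_date = _hmac(("AWS4" + SECRET_KEY).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, REGION)
    k_service = _hmac(k_region, SERVICE)
    k_signing = _hmac(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return (f"AWS4-HMAC-SHA256 Credential={ACCESS_KEY}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}")


def signed_request(method, path, body, query=None):
    """Client side (the interceptor in the question, or the proxy in the answer):
    take the final request, add the SigV4 headers and sign all of them."""
    query = query or {}
    headers = {
        "host": HOST,
        "x-amz-date": AMZ_DATE,
        "content-type": "application/json",
        "x-amz-content-sha256": _sha256_hex(body),
    }
    headers["authorization"] = authorization_header(method, path, query, headers, body)
    return {"method": method, "path": path, "query": query, "headers": headers, "body": body}


def service_accepts(req):
    """Service side: recompute the signature over what actually arrived and compare
    in constant time. Any byte that differs from what the signer saw (body, signed
    header, path or query) yields a mismatch."""
    auth = req["headers"]["authorization"]
    fields = dict(part.split("=", 1) for part in auth.split(" ", 1)[1].split(", "))
    headers = {name: req["headers"][name] for name in fields["SignedHeaders"].split(";")}
    expected = authorization_header(req["method"], req["path"], req["query"], headers,
                                    req["body"], amz_date=headers["x-amz-date"])
    return hmac.compare_digest(expected.rsplit("Signature=", 1)[1], fields["Signature"])


def demo():
    """Sign one document PUT, then re-serialize the same JSON with different whitespace
    after signing, as a layer between signer and wire might.
    Returns (accepted_as_signed, accepted_after_reserialization)."""
    doc = {"title": "hello"}  # constructed sample document
    req = signed_request("PUT", "/my-index/_doc/1", json.dumps(doc).encode("utf-8"))
    reserialized = dict(req, body=json.dumps(doc, separators=(",", ":")).encode("utf-8"))
    return service_accepts(req), service_accepts(reserialized)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Whatever component does the signing (an SDK interceptor or a local proxy) must be the last thing to touch the request, and the comparison on the receiving side is a constant-time digest check, so a failed signature tells you only that some signed byte changed, not which one; diffing the body and headers the signer saw against a packet capture of what was sent is the practical way to find it.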