How to access Kibana from Amazon elasticsearch service?
I created Amazon elasticsearch service and populated data into it using logstash, which has been installed on an EC2 instance. On the Amazon elasticservice console page, there will be a link to access Kibana.
search-cluster_name-XXXXXXXXXXXXXXXXXXX.region_name.es.amazonaws.com/_plugin/kibana/
When I click the link, the browser throws the following error.
{"Message":"User: anonymous is not authorized to perform: es:ESHttpGet on resource: arn:aws:es:region_name:account_id:domain/cluster_name/_plugin/kibana/"}
I'm sure that this has something to do with the access policy of the ES domain. How should I modify my access policy so that I can access Kibana by clicking the link specified?
You can set up an Access Policy with both IAM and IP-address based access. See my answer here. In short:
a profile with the arn:aws:iam::aws:policy/AmazonESFullAccess policy
Here's an example policy (statement order is important!)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxxxxxxxxxxx:root"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-west-2:xxxxxxxxxxxx:domain/my-elasticsearch-domain/*"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-west-2:xxxxxxxxxxxx:domain/my-elasticsearch-domain/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "192.168.1.0",
            "192.168.1.1"
          ]
        }
      }
    }
  ]
}
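An added example, not part of any answer on this page: a Python check that walks a resource-based policy of the shape shown above and reports every Allow statement open to the anonymous principal, together with what its aws:SourceIp condition really restricts. The account id is a placeholder and the 256-address threshold is an assumption.

```python
import ipaddress

# Constructed sample, shaped like the policy above (placeholder account id).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "es:*",
         "Resource": "arn:aws:es:us-west-2:111122223333:domain/my-elasticsearch-domain/*"},
        {"Effect": "Allow",
         "Principal": {"AWS": "*"},
         "Action": "es:*",
         "Resource": "arn:aws:es:us-west-2:111122223333:domain/my-elasticsearch-domain/*",
         "Condition": {"IpAddress": {"aws:SourceIp": ["192.168.1.0", "192.168.1.1"]}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return (statement index, finding) pairs for statements open to anonymous callers."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        principal = stmt.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(aws):
            continue  # Deny, or a named IAM principal whose requests must be signed
        ips = _as_list(stmt.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp", []))
        if not ips:
            findings.append((i, "anonymous principal with no aws:SourceIp condition"))
        for entry in ips:
            net = ipaddress.ip_network(entry, strict=False)
            if net.prefixlen == 0:
                findings.append((i, f"{entry} matches every address"))
            elif net.is_private:
                # A public endpoint sees the caller's public IP, so this never matches.
                findings.append((i, f"{entry} is not a public address"))
            elif net.num_addresses > 256:  # threshold is an assumption of this example
                findings.append((i, f"{entry} allows {net.num_addresses} addresses"))
    return findings


if __name__ == "__main__":
    for index, finding in audit_policy(SAMPLE_POLICY):
        print(f"Statement[{index}]: {finding}")
```
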
For that purpose I used a proxy tool called aws-es-kibana. It signs all your requests sent to AWS Kibana.
IAM configuration:
I created a new IAM user "elasticsearch_user" with programmatic access (and I got the accessKeyId and secretAccessKey associated with that account).
Elasticsearch configuration:
I created an elasticsearch policy that enables access for the newly created IAM user:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::{YOUR_AWS_ACCOUNT_ID}:user/elasticsearch_user"
        ]
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:eu-central-1:{YOUR_AWS_ACCOUNT_ID}:domain/{YOUR_ELASTICSEARCH_DOMAIN}/*"
    }
  ]
}
Connect to kibana from your local station:
To connect from my local station (Windows) to kibana I just need to type in the console:
SET AWS_ACCESS_KEY_ID=myAccessKeyId
SET AWS_SECRET_ACCESS_KEY=mySecretAccessKey
aws-es-kibana search-{PROTECTED_PART_OF_YOUR_ELASTICSEARCH_ENDPOINT}.eu-central-1.es.amazonaws.com
After that you should have proxied access to your kibana under: http://127.0.0.1:9200/_plugin/kibana
You have to configure an access policy for your elasticsearch cluster. There are two options:
Option 1, using IAM based access is the better option:
IAM user kibana_user with programmatic access. Save the accessKeyId and the secretAccessKey.
access to kibana_user
ARN of kibana_user
I seriously recommend against the second option with IP-based access. Even if you have a static IP,
The only case where this makes sense is if you are running your own proxy server with its own authentication method and a static IP.
In my case, I had an nginx server running which already had access to the elasticsearch service. So all I had to do was to add a proxy on this nginx. No changes in AWS IAM required.
Add this to /etc/nginx/sites-enabled/elasticsearch
server {
    listen 7777;
    server_name 127.0.0.1 default_server;
    access_log /var/log/nginx/elasticsearch.access.log;
    location / {
        # Ask the browser for a username and password before proxying
        auth_basic "My Super Secret Server";
        auth_basic_user_file /etc/nginx/.elasticsearch_htpasswd;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass https://<your_server_here>.es.amazonaws.com/;
        # Do not forward the basic-auth credentials to the upstream
        proxy_set_header Authorization "";
        proxy_hide_header Authorization;
    }
}
and restart nginx. Then you can access kibana at:
http://your_nginx_server_name.com:7777/_plugin/kibana/app/kibana#/dev_tools/console?_g=()
The file /etc/nginx/.elasticsearch_htpasswd is a standard apache2 htaccess file. You can find more about basic auth for nginx here.
NOTE: Basic auth is NOT a recommended way to secure anything. Definitely don't use this in production.
You may need to have an IP-based policy and allow access to your domain from a specific IP (Kibana's).
Another option (aside from changing the access policy to be completely open) would be signing requests - IIRC this helped a friend of mine with a similar message.
http://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-managedomains.html#es-managedomains-signing-service-requests
See also "Connecting a Local Kibana Server to Amazon Elasticsearch Service" on the same page.
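An added example, not taken from any answer, from aws-es-kibana or from the AWS documentation: what "signing requests" means for the signing-proxy answer and the signing suggestion above, shown as a Signature Version 4 computation for a GET to the Kibana path using only the Python standard library. The endpoint name, the timestamp and the keys (AWS's documentation example values) are constructed placeholders.

```python
import datetime
import hashlib
import hmac


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sign_es_get(host, path, region, access_key, secret_key, now):
    """Headers for a SigV4-signed GET (no query string, empty body) to an ES domain."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")        # `now` is taken to be UTC
    date = amz_date[:8]
    scope = f"{date}/{region}/es/aws4_request"
    signed_headers = "host;x-amz-date"
    canonical_request = "\n".join([
        "GET",
        path,                                        # assumed to need no percent-encoding
        "",                                          # empty canonical query string
        f"host:{host}\nx-amz-date:{amz_date}\n",     # canonical headers, sorted by name
        signed_headers,
        hashlib.sha256(b"").hexdigest(),             # hash of the empty payload
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    # The secret key never goes on the wire: it only seeds this derivation chain.
    key = _hmac(("AWS4" + secret_key).encode(), date)
    for part in (region, "es", "aws4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return {
        "Host": host,
        "X-Amz-Date": amz_date,
        "Authorization": (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                          f"SignedHeaders={signed_headers}, Signature={signature}"),
    }


if __name__ == "__main__":
    # Constructed inputs: placeholder endpoint and AWS's documentation example keys.
    headers = sign_es_get(
        "search-example-domain.eu-central-1.es.amazonaws.com", "/_plugin/kibana/",
        "eu-central-1", "AKIDEXAMPLE", "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
        datetime.datetime(2015, 8, 30, 12, 36, 0),
    )
    for name, value in headers.items():
        print(f"{name}: {value}")
```

A request sent without these headers is evaluated as the anonymous principal, which is the `User: anonymous is not authorized` message in the question.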