堆栈内存溢出
  简体   繁体   English

Django-Haystack使用Amazon Elasticsearch托管和IAM凭证

[英]Django-Haystack using Amazon Elasticsearch hosting with IAM credentials

 原文  2016-01-29 17:43:52       django/ amazon-web-services/ heroku/ elasticsearch/ django-haystack

问题描述

I am hoping to use Amazon's Elasticsearch server to power a search of longtext fields in a Django database. 我希望使用亚马逊的Elasticsearch服务器来搜索Django数据库中的longtext字段。 However, I also don't want to expose this search to those who don't have a log in and don't want to rely on security through obscurity or some IP restriction tactic (unless it would work well with an existing heroku app, where the Django app is deployed). 但是,我也不想将此搜索公开给那些没有登录并且不想通过默默无闻或某些IP限制策略依赖安全性的人(除非它适用于现有的heroku应用程序,部署Django应用程序的地方)。

Haystack seems to go a long way toward this, but there doesn't seem to be an easy way to configure it to use Amazon's IAM credentials to access the Elasticsearch service. Haystack似乎对此有很长的路要走,但似乎没有一种简单的方法可以配置它来使用Amazon的IAM凭证来访问Elasticsearch服务。 This functionality does exist in elasticsearch-py, whichi it uses. 这个功能确实存在于elasticsearch-py中,它使用它。

https://elasticsearch-py.readthedocs.org/en/master/#running-with-aws-elasticsearch-service https://elasticsearch-py.readthedocs.org/en/master/#running-with-aws-elasticsearch-service 

from elasticsearch import Elasticsearch, RequestsHttpConnection
from requests_aws4auth import AWS4Auth

host = 'YOURHOST.us-east-1.es.amazonaws.com'
awsauth = AWS4Auth(YOUR_ACCESS_KEY, YOUR_SECRET_KEY, REGION, 'es')

es = Elasticsearch(
    hosts=[{'host': host, 'port': 443}],
    http_auth=awsauth,
    use_ssl=True,
    verify_certs=True,
    connection_class=RequestsHttpConnection
)
print(es.info())

Regarding using HTTP authorization, I found this under issues at https://github.com/django-haystack/django-haystack/issues/1046 关于使用HTTP授权,我在https://github.com/django-haystack/django-haystack/issues/1046上发现了这个问题。 

from urlparse import urlparse
parsed = urlparse('https://user:pass@host:port')
HAYSTACK_CONNECTIONS = {
    'default': {
        'ENGINE': 'haystack.backends.elasticsearch_backend.ElasticsearchSearchEngine',
        'URL': parsed.hostname,
        'INDEX_NAME': 'haystack',
        'KWARGS': {
            'port': parsed.port,
            'http_auth': (parsed.username, parsed.password),
            'use_ssl': True,
        }
    }
}

I am wondering if there is a way to combine these two, something like the following (which, as expected, gives an error since it's more than just a user name and password): 我想知道是否有办法将这两者结合起来,如下所示(正如预期的那样,它会产生错误,因为它不仅仅是用户名和密码): 

from requests_aws4auth import AWS4Auth
awsauth = AWS4Auth([AACCESS_KEY],[SECRET_KEY],[REGION],'es')


HAYSTACK_CONNECTIONS = {
    'default': {
        'ENGINE': 'haystack.backends.elasticsearch_backend.ElasticsearchSearchEngine',
        'URL': [AWSHOST],
        'INDEX_NAME': 'haystack',
        'KWARGS': {
            'port': 443,
            'http_auth': awsauth,
            'use_ssl': True,
            'verify_certs': True
        }
    },
}

The error here: 这里的错误: 

TypeError at /admin/
must be convertible to a buffer, not AWS4Auth

Request Method:     GET
Request URL:    http://127.0.0.1:8000/admin/
Django Version:     1.7.7
Exception Type:     TypeError
Exception Value:    

must be convertible to a buffer, not AWS4Auth

Exception Location:     /usr/lib/python2.7/base64.py in b64encode, line 53

Any ideas on how to accomplish this? 有关如何实现这一目标的任何想法?

2 个解决方案

解决方案1
 9 已采纳  2016-02-02 06:28:13

You are one step from success, add connection_class to KWARGS and everything should work as expected. 你是成功的一步,将connection_class添加到KWARGS ,一切都应该按预期工作。 

import elasticsearch

HAYSTACK_CONNECTIONS = {
    'default': {
        'ENGINE': 'haystack.backends.elasticsearch_backend.ElasticsearchSearchEngine',
        'URL': [AWSHOST],
        'INDEX_NAME': 'haystack',
        'KWARGS': {
            'port': 443,
            'http_auth': awsauth,
            'use_ssl': True,
            'verify_certs': True,
            'connection_class': elasticsearch.RequestsHttpConnection,
        }
    },
}

解决方案2
 0  2016-01-29 22:49:52

AWS Identity and Access Management (IAM) allows you to manage users and user permissions for AWS services , to control which AWS resources users of AWS itself can access. AWS身份和访问管理 (IAM)允许您管理AWS服务的用户和用户权限,以控制AWS自身的用户可以访问的AWS资源。

You cannot use IAM credentials to authorize users at the application level via http_auth, as it appears you are trying to do via Haystack here. 您无法使用IAM凭据通过http_auth在应用程序级别对用户进行授权,因为您在此处尝试通过Haystack进行操作。 They are different authentication schemes for different services. 它们是针对不同服务的不同认证方案。 They are not compatible. 它们不兼容。

In your security use case, you have stated the need to 1) restrict access to your application, and 2) to secure the Elasticsearch service port from open access. 在您的安全用例中,您已声明需要1)限制对您的应用程序的访问,以及2)保护Elasticsearch服务端口免受开放访问。 These two requirements can be met using the following methods: 使用以下方法可以满足这两个要求:

Restrict access to your application 限制对您的应用程序的访问

I also don't want to expose this search to those who don't have a log in 我也不想将此搜索公开给那些没有登录的人

For the front-end search app, you want to use a server level Basic access authentication (HTTP auth) configuration on the web server. 对于前端搜索应用程序,您希望在Web服务器上使用服务器级别的基本访问身份验证 (HTTP身份验证)配置。 This is where you want to control user login access to your app, via a standard http_auth username and password (again, not IAM). 您可以通过标准的http_auth用户名和密码(同样不是IAM)来控制用户对您应用的登录访问权限。 This will secure your app at the application level. 这将确保您的应用程序在应用程序级别。

Secure the Elasticsearch service port 保护Elasticsearch服务端口

don't want to rely on security through obscurity or some IP restriction tactic (unless it would work well with an existing heroku app, where the Django app is deployed). 不想通过默默无闻或一些IP限制策略来依赖安全性(除非它适用于部署Django应用程序的现有heroku应用程序)。

IP restriction is exactly what would work here, and consistent with AWS security best practices. IP限制正是在这里工作的,并且与AWS安全最佳实践一致。 You want to use security groups and security group rules as a firewall to control traffic for your EC2 instances. 您希望将安全组和安全组规则用作防火墙来控制EC2实例的流量。

Given a Haystack configuration of: 鉴于Haystack配置: 

HAYSTACK_CONNECTIONS = {
    'default': {
        'ENGINE': 'haystack.backends.elasticsearch_backend.ElasticsearchSearchEngine',
        'URL': 'http://127.0.0.1:9200/',
        'INDEX_NAME': 'haystack',
    },
}

you will want to implement an IP restriction at the security group and/or ACL level on that IP and port 127.0.0.1, to restrict access from only your Django host or other authorize hosts. 您将希望在该IP和端口127.0.0.1上的安全组和/或ACL级别实施IP限制,以限制仅来自您的Django主机或其他授权主机的访问。 This will secure it from any unauthorized access at the service level. 这样可以保护它免受服务级别的任何未经授权的访问。

In your implementation, the URL will likely resolve to a public or private IP, depending on your network architecture. 在您的实现中,URL可能会解析为公共或私有IP,具体取决于您的网络体系结构。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 django-haystack elasticsearch作为后端和searchengine - django-haystack elasticsearch as backend and searchengine 稳定的Django-Haystack + elasticsearch设置 - Stable Django-Haystack + elasticsearch setup 使用Django-Haystack和ElasticSearch捕获ConnectionError - Catch ConnectionError with Django-Haystack and ElasticSearch Cloud 9中的Django-Haystack Elasticsearch配置 - Django-Haystack elasticsearch config in cloud 9 Django-Haystack elasticsearch预取错误 - Django-Haystack elasticsearch prefetch error 使用属性的Django-haystack结果过滤? - Django-haystack result filtering using attributes? 使用django-haystack rebuild_index命令重建ElasticSearch索引 - Rebuilding ElasticSearch index using django-haystack rebuild_index command 使用django-haystack + Elasticsearch如何搜索单词的子集? - Using django-haystack +Elasticsearch how can I search subsets of a word? 如何使用django-haystack和elasticsearch后端进行模糊搜索? - How can I do a fuzzy search using django-haystack and the elasticsearch backend? 卸载django-haystack - Uninstalling django-haystack
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM