[英]Amazon AWS elasticsearch Kibana access from browser
I know this issue has been already discussed before , Yet I feel my question is a bit different. 我知道这个问题之前已经讨论过,但我觉得我的问题有点不同。
I'm trying to figure out how am I to enable access to the Kibana over the self manged AWS elastic search which I have in my AWS account . 我正在试图弄清楚如何通过我自己的AWS账户中自我管理的AWS弹性搜索来启用对Kibana的访问。
Could be that what am I about to say here is inaccurate or complete nonsense . 可能是我在这里要说的是不准确或完全无稽之谈。 I am pretty novice in the whole AWS VPC wise section and to ELK stuck.
我是整个AWS VPC明智部分的新手,也是ELK卡住的。
Architecture: Here is the "Architecture": 架构:这是“架构”:
Resources: 资源:
I have found the following link which suggest to use one of two option: 我发现以下链接建议使用以下两个选项之一:
https://aws.amazon.com/blogs/security/how-to-control-access-to-your-amazon-elasticsearch-service-domain/ https://aws.amazon.com/blogs/security/how-to-control-access-to-your-amazon-elasticsearch-service-domain/
Solutions: 解决方案:
Option 1: resource based policy 选项1:基于资源的政策
This was discussed in the following thread but unfortunately did not work for me. 这在以下主题中讨论过,但遗憾的是对我不起作用。
Proper access policy for Amazon Elastic Search Cluster 适用于Amazon Elastic Search Cluster的正确访问策略
When I try to implement it in the Amazon console, Amazon notifies me that because I'm using Security group , I should resolve it by using security group. 当我尝试在亚马逊控制台中实现它时,亚马逊通知我,因为我正在使用安全组,我应该使用安全组来解决它。
Security group rules: 安全组规则:
I tried to set a rule which allows my personal computer(Router) public IP to access Amazon elastic search ports or even opening all ports to my public IP. 我试图设置一条规则,允许我的个人计算机(路由器)公共IP访问亚马逊弹性搜索端口,甚至打开所有端口到我的公共IP。
But that didn't worked out. 但这没有成功。 I would be happy to get a more detailed explanation to why but I'm guessing that's because the elastic search has only internal IP and not public IP and because it is encapsulated within the VPC I am unable to access it from outside even if I define a rule for a public IP to access it.
我很乐意得到一个更详细的解释原因,但我猜这是因为弹性搜索只有内部IP而不是公共IP,因为它封装在VPC中我即使我定义也无法从外部访问它公共IP访问它的规则。
Option 2: Using proxy 选项2:使用代理
I'm decline to use this solution unless I have no other choice. 除非我别无选择,否则我拒绝使用此解决方案。
I'm guessing that if I set another server with public and internal IP within the same subnet and VPC as that of the elastic search , and use it as a proxy, I would be then be able to access this server from the outside by defining the same rules to the it's newly created security group . 我猜测如果我在同一个子网和VPC中设置另一台公共和内部IP服务器和弹性搜索服务器,并将其用作代理,那么我将能够通过定义从外部访问该服务器与新创建的安全组相同的规则。 Like the article suggested.
喜欢文章建议。
Sources: 资料来源:
I found out of the box solution that some one already made for this issue using proxy server in the following link: 我找到了开箱即用的解决方案,在以下链接中使用代理服务器为此问题做了一些解决方案:
Using either executable or docker container. 使用可执行文件或docker容器。
https://github.com/abutaha/aws-es-proxy https://github.com/abutaha/aws-es-proxy
Option 3: Other 选项3:其他
Can you suggest other solution? 你能建议其他解决方案吗? Is it possible to use Amazon Load balancer or Amazon API gateway to accomplish this task?
是否可以使用Amazon Load Balancer或Amazon API网关来完成此任务?
I just need proof of concept not something which goes into production environment. 我只需要概念证明而不是进入生产环境的东西。
Bottom line: 底线:
I need to be able to aceess Kibana from browser in order to be able to search elastic search indexes. 我需要能够从浏览器中获取Kibana,以便能够搜索弹性搜索索引。
Thanks a lot 非常感谢
The best way is with the just released Cognito authentication. 最好的方法是刚刚发布的Cognito身份验证。
https://aws.amazon.com/about-aws/whats-new/2018/04/amazon-elasticsearch-service-simplifies-user-authentication-and-access-for-kibana-with-amazon-cognito/ https://aws.amazon.com/about-aws/whats-new/2018/04/amazon-elasticsearch-service-simplifies-user-authentication-and-access-for-kibana-with-amazon-cognito/
This is a great way to authenticated A SINGLE USER . 这是验证A SINGLE USER的好方法。 This is not a good way for the system you're building to access ElasticSearch.
对于您正在构建的用于访问ElasticSearch的系统而言,这不是一个好方法。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.