How to connect to Elasticsearch with python using SSL?
I am trying to connect to an Elasticsearch node from Python with SSL.
I'm using the basic code for that:
from elasticsearch import Elasticsearch
from ssl import create_default_context
context = create_default_context(cafile="path/to/cafile.pem")
es = Elasticsearch("https://elasticsearch.url:port", ssl_context=context, http_auth=('elastic','yourpassword'))
From: https://github.com/elastic/elasticsearch-py
I need to supply cafile.pem, and http_auth parameters. On the server where my Python is running, SSL connection is already set up, so I can do basic queries to Elasticsearch. It was set up using keys in the ~/.ssh directory: id_rsa, id_rsa.pub.
So, now I am wondering whether I should supply id_rsa.pub key in place of path/to/cafile.pem, and if yes, then I would need to change permissions of ~/.ssh folder which seems like not a good idea from security perspective.
Then, I am not sure that .pub is the same as .pem, do I need to convert it first? Then, should http_auth just be omitted since I do not use any password when I do simple queries from the terminal?
How should I go about this issue of setting up access in Python to ES with SSL according to best practices?
I tried both .pub and generated from it pem: https://serverfault.com/questions/706336/how-to-get-a-pem-file-from-ssh-key-pair
But both failed to create_default_context with an unknown error in context.load_verify_locations(cafile, capath, cadata).
The answer for my particular case turned out to be very simple. I found it here: https://elasticsearch-py.readthedocs.io/en/master/
es = Elasticsearch(['https://user:secret@localhost:443'])
Just specified https url inside and it worked out right away.
Elasticsearch Docker image & Python2.7. Have copied ssl certificate file to root of the project. Made sure it's readable, ownership and group ownership will allow read access. Put pass and login to constants.
es = Elasticsearch(
hosts=[
"https://localhost:9200"
],
http_auth=(USR_LOGIN, USR_PASS),
use_ssl=True,
verify_certs=True,
ca_certs="./http_ca.crt",
)
For self-signed certificates, using:
from elastic_transport import NodeConfig
from elasticsearch import AsyncElasticsearch
client = AsyncElasticsearch(
hosts=[
NodeConfig(
scheme= "https",
host="<host URL>",
port=443,
verify_certs=False,
ca_certs=None,
ssl_show_warn=False,
)
],
http_auth=("username", "password"),
verify_certs=False,
ca_certs="/path/to/cafile.pem", # PEM format
client_cert="/path/to/tls.cert", # PEM format
client_key="/path/to/tls.key" # PEM format
)
# AsyncElasticsearch methods are coroutines, so this call must run inside an async function
await client.info()
Explanation:
verify_certs=False disables the underlying Python SSL modules from verifying the self-signed certs, but properly sends it upstream to the server. For non-self-signed certificates, you should try enabling verify_certs=True.
AsyncElasticsearch, but if you need the sync Elasticsearch version, it should be directly compatible as all the parameters are the same. (See: https://elasticsearch-py.readthedocs.io/en/v8.8.1/async.html#getting-started-with-async)
So, now I am wondering whether I should supply id_rsa.pub key in place of path/to/cafile.pem, and if yes, then I would need to change permissions of ~/.ssh folder which seems like not a good idea from security perspective.
These SSH keys are most likely not related to Elasticsearch, but for allowing you to connect and authenticate with your server running Elasticsearch.
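The distinction drawn in the answer above, as an added example (not code from the original posts or from elasticsearch-py): the cafile given to create_default_context must be a PEM X.509 certificate, while id_rsa.pub or a PEM public key converted from it is a different kind of file. The helper names and the sample key line are constructed for illustration.

```python
import os
import ssl
import tempfile

# PEM markers, checked in order; private keys first so they are never accepted.
_PEM_KINDS = [
    ("PRIVATE KEY-----", "private-key"),
    ("-----BEGIN CERTIFICATE-----", "x509-certificate"),
    ("-----BEGIN RSA PUBLIC KEY-----", "bare-public-key"),  # ssh-keygen -e -m PEM
    ("-----BEGIN PUBLIC KEY-----", "bare-public-key"),
]
_SSH_PREFIXES = ("ssh-rsa ", "ssh-ed25519 ", "ecdsa-sha2-")


def classify_key_material(text):
    """Return what kind of key or certificate file `text` looks like."""
    if text.lstrip().startswith(_SSH_PREFIXES):
        return "ssh-public-key"
    for marker, kind in _PEM_KINDS:
        if marker in text:
            return kind
    return "unknown"


def make_verified_context(cafile):
    """Build a verifying TLS context; refuse files that are not CA certificates."""
    with open(cafile, "r", errors="replace") as fh:
        kind = classify_key_material(fh.read())
    if kind != "x509-certificate":
        raise ValueError(f"{cafile}: looks like {kind}, not a PEM X.509 "
                         "certificate; it cannot verify a TLS server")
    # Defaults: verify_mode=CERT_REQUIRED and check_hostname=True.
    return ssl.create_default_context(cafile=cafile)


def demo_reject_ssh_key():
    """Pass a constructed id_rsa.pub-style file as cafile; return the error."""
    with tempfile.NamedTemporaryFile("w", suffix=".pub", delete=False) as fh:
        fh.write("ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ== user@host\n")
    try:
        make_verified_context(fh.name)
    except ValueError as exc:
        return str(exc)
    finally:
        os.unlink(fh.name)
    return None


if __name__ == "__main__":
    print(demo_reject_ssh_key())
```

The context returned for a real CA certificate can be passed as ssl_context= in the first snippet of the question, leaving ~/.ssh and its permissions untouched.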