**

anatolicvs · Jul 17, 2020 · 18237d0 · 18237d0
1 parent be5500f
commit 18237d0
Show file tree

Hide file tree

Showing 6 changed files with 168 additions and 27 deletions.
diff --git a/config.yml b/config.yml
@@ -0,0 +1,23 @@
+opendistro_security:
+  dynamic:
+    authc:
+      basic_internal_auth_domain:
+        enabled: true
+        order: 0
+        http_authenticator:
+          type: basic
+          challenge: false
+        authentication_backend:
+          type: internal
+      openid_auth_domain:
+        enabled: true
+        order: 1
+        http_authenticator:
+          type: openid
+          challenge: false
+        config:
+          subject_key: preferred_username
+          roles_key: roles
+          openid_connect_url: http://147.100.20.44:7000/keycloak/auth/realms/master/.well-known/openid-configuration
+        authentication_backend:
+          type: noop  
diff --git a/data.sql b/data.sql
@@ -78,14 +78,32 @@ CREATE TABLE IF NOT EXISTS group (
 ); 
 
 CREATE TABLE IF NOT EXISTS group_policy (
-    id serial PRIMARY KEY, 
+    group_id  integer,
+    policy_id integer,
+
+    CONSTRAINT group_policy_policy_id_fkey FOREIGN KEY (policy_id)
+        REFERENCES policies(id) MATCH SIMPLE
+        ON UPDATE NO ACTION ON DELETE NO ACTION,
+
+    CONSTRAINT group_policy_group_id_fkey FOREIGN KEY (group_id)
+        REFERENCES group(id) MATCH SIMPLE
+        ON UPDATE NO ACTION ON DELETE NO ACTION,
 
     createdAt timestamp NOT NULL DEFAULT NOW(),
     updatedAt timestamp
 ); 
 
 CREATE TABLE IF NOT EXISTS group_user (
-    id serial PRIMARY KEY, 
+    group_id  integer,
+    user_id integer, 
+
+    CONSTRAINT group_user_user_id_fkey FOREIGN KEY (user_id)
+        REFERENCES users(id) MATCH SIMPLE
+        ON UPDATE NO ACTION ON DELETE NO ACTION,
+
+     CONSTRAINT group_user_group_id_fkey FOREIGN KEY (group_id)
+        REFERENCES group(id) MATCH SIMPLE
+        ON UPDATE NO ACTION ON DELETE NO ACTION,
 
     createdAt timestamp NOT NULL DEFAULT NOW(),
     updatedAt timestamp

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,7 +1,6 @@
 version: "3.7"
 
 services:
-
   consul:
     image: consul:latest
     container_name: in-sylva-consul
@@ -12,12 +11,12 @@ services:
     networks:
       - insylva-net
     ports:
-      - '8300:8300'
-      - '8301:8301'
-      - '8301:8301/udp'
-      - '8500:8500'
-      - '8600:8600'
-      - '8600:8600/udp'
+      - "8300:8300"
+      - "8301:8301"
+      - "8301:8301/udp"
+      - "8500:8500"
+      - "8600:8600"
+      - "8600:8600/udp"
 
   postgres:
     image: in-sylva.postgres:latest
@@ -128,7 +127,7 @@ services:
       # - ./node.pem:/usr/share/elasticsearch/config/node.pem
       # - ./node-key.pem:/usr/share/elasticsearch/config/node-key.pem
       # - ./admin.pem:/usr/share/elasticsearch/config/admin.pem
-      # - ./admin-key.pem:/usr/share/elasticsearch/config/admin-key.pem
+      #- ./admin-key.pem:/usr/share/elasticsearch/config/admin-key.pem
       - ./elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
       - ./internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
       - ./roles_mapping.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml
@@ -181,12 +180,16 @@ services:
     restart: unless-stopped
 
   kibana:
-    image: amazon/opendistro-for-elasticsearch-kibana:latest
+    image: in-sylva.kibana:latest
     container_name: odfe-kibana
     ports:
       - 5601:5601
     volumes:
-      - ./kibana.yml:/usr/share/kibana/config/kibana.yml
+      - type: volume
+        source: logs
+        target: /var/log
+    # volumes:
+    #  - ./kibana.yml:/usr/share/kibana/config/kibana.yml
     environment:
       SERVER_HOST: 0.0.0.0
       ELASTICSEARCH_URL: http://odfe-node1:9200
@@ -198,6 +201,101 @@ services:
       - insylva-net
     restart: unless-stopped
 
+  elasticsearch:
+    image: docker.elastic.co/elasticsearch/elasticsearch:7.8.0
+    container_name: elasticsearch1
+    environment:
+      - node.name=elasticsearch1
+      - cluster.name=docker-cluster
+      - cluster.initial_master_nodes=elasticsearch1
+      - bootstrap.memory_lock=true
+      - "ES_JAVA_OPTS=-Xms256M -Xmx256M"
+      - http.cors.enabled=true
+      - http.cors.allow-origin=*
+      - network.host=_eth0_
+    ulimits:
+      nofile:
+        soft: 65536
+        hard: 65536
+      nproc: 65535
+      memlock:
+        soft: -1
+        hard: -1
+    cap_add:
+      - ALL
+    deploy:
+      replicas: 1
+      update_config:
+        parallelism: 1
+        delay: 10s
+      resources:
+        limits:
+          cpus: "1"
+          memory: 256M
+        reservations:
+          cpus: "1"
+          memory: 1G
+      restart_policy:
+        condition: on-failure
+        delay: 5s
+        max_attempts: 3
+        window: 10s
+    volumes:
+      - type: volume
+        source: logs
+        target: /var/log
+      - type: volume
+        source: esdata1
+        target: /usr/share/elasticsearch/data
+    networks:
+      - insylva-net
+    ports:
+      - 9200:9200
+      - 9300:9300
+
+  kibana1:
+    image: docker.elastic.co/kibana/kibana:7.8.0
+    container_name: kibana1
+    environment:
+      SERVER_HOST: 0.0.0.0
+      ELASTICSEARCH_URL: http://elasticsearch:9200
+      ELASTICSEARCH_HOSTS: http://elasticsearch:9200
+    ports:
+      - 5601:5601
+    volumes:
+      - type: volume
+        source: logs
+        target: /var/log
+      # - ./kibana.yml:/usr/share/kibana/config/kibana.yml
+    ulimits:
+      nproc: 65535
+      memlock:
+        soft: -1
+        hard: -1
+    cap_add:
+      - ALL
+    deploy:
+      replicas: 1
+      update_config:
+        parallelism: 1
+        delay: 10s
+      resources:
+        limits:
+          cpus: "1"
+          memory: 256M
+        reservations:
+          cpus: "1"
+          memory: 256M
+      restart_policy:
+        condition: on-failure
+        delay: 30s
+        max_attempts: 3
+        window: 120s
+    links:
+      - elasticsearch
+    networks:
+      - insylva-net
+
   search-api:
     image: in-sylva.search.api:latest
     container_name: in-sylva.search.api
@@ -258,10 +356,10 @@ services:
       CONSUL_IP: http://in-sylva-consul
       CONSUL_PORT: 8500
 
-      SERVICE_IP: http://gatekeeper  
+      SERVICE_IP: http://gatekeeper
       SERVICE_PORT: 4000
       SERVICE_NAME: in-sylva-gatekeeper-v1
-      
+
       KEYCLOAK_REALM: in-sylva
       KEYCLOAK_SERVER_URL: http://keycloak:8080/keycloak/auth
       KEYCLOAK_SERVER_PUBLIC_KEY: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp4KOgK5s+xvmun5sbPzcRLTIvGmVyG+nNdILYKNkpjUuFGvG2KqDNZZsq5rk9EPyrEApnbPWmOZusCn1dVegoGvkfSxkyP7AtVamwZMvTBObG0Ktju47o8/KCk63NPfwdWxSNyhWWa3VV95+l4VctvwAH7MeEV6uTDjsby2+LIojJOE+IWhPoLXiINuQ/GzKrzd30pS0XpMLQdru1vJgLXBPAvcZbYMvIkK3b5zIC02x4mL7PGP2LFZBZxUTMhRoC6cTc7C3uDagF5MHPOqfVl3ycHbm7Hc4bpJGSzqYGINLQ28I59WqM5zc+Wpml0Lmyd6wv5eqUTJWQKdc92DvtQIDAQAB
@@ -315,7 +413,7 @@ services:
       CONSUL_IP: in-sylva-consul
       CONSUL_PORT: 8500
 
-      SERVICE_IP: source-manager  
+      SERVICE_IP: source-manager
       SERVICE_PORT: 5000
       SERVICE_NAME: in-sylva-source-manager-v1
     ports:
@@ -415,6 +513,8 @@ volumes:
   odfe-data1:
   odfe-data2:
   portainer_data:
+  logs:
+  esdata1:
 
 networks:
   insylva-net:

diff --git a/elasticsearch.yml b/elasticsearch.yml
@@ -1,4 +1,4 @@
-# opendistro_security.disabled: true
+opendistro_security.disabled: true
 # opendistro_security.ssl.transport.pemcert_filepath: node.pem
 # opendistro_security.ssl.transport.pemkey_filepath: node-key.pem
 # opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
@@ -19,7 +19,7 @@
 # opendistro_security.restapi.roles_enabled:
 #     ["all_access", "security_rest_api_access"]
 # cluster.routing.allocation.disk.threshold_enabled: false
-node.max_local_storage_nodes: 3
+# node.max_local_storage_nodes: 3
 # opendistro_security.audit.config.disabled_rest_categories: NONE
 # opendistro_security.audit.config.disabled_transport_categories: NONE
 # opendistro_security.allow_unsafe_democertificates: true
diff --git a/kibana/Dockerfile b/kibana/Dockerfile
@@ -1,3 +1,3 @@
-FROM amazon/opendistro-for-elasticsearch-kibana:1.6.0
+FROM amazon/opendistro-for-elasticsearch-kibana:1.9.0
 RUN /usr/share/kibana/bin/kibana-plugin remove opendistro_security
 COPY --chown=kibana:kibana kibana.yml /usr/share/kibana/config/
diff --git a/kibana/kibana.yml b/kibana/kibana.yml
@@ -1,19 +1,19 @@
 server.name: kibana
 server.host: "0"
 
-opendistro_security.auth.type: "basicauth"
-opendistro_security.basicauth.enabled: false
-opendistro_security.multitenancy.enabled: true
-opendistro_security.multitenancy.show_roles: true
-opendistro_security.multitenancy.enable_filter: true
-opendistro_security.multitenancy.tenants.enable_global: true
-opendistro_security.multitenancy.tenants.enable_private: true
+# opendistro_security.auth.type: "basicauth"
+# opendistro_security.basicauth.enabled: false
+# opendistro_security.multitenancy.enabled: true
+# opendistro_security.multitenancy.show_roles: true
+# opendistro_security.multitenancy.enable_filter: true
+# opendistro_security.multitenancy.tenants.enable_global: true
+# opendistro_security.multitenancy.tenants.enable_private: true
 
 elasticsearch.hosts: "http://localhost:9200"
 elasticsearch.ssl.verificationMode: none
 elasticsearch.username: "kibanaserver"
 elasticsearch.password: "InSylva146544"
 elasticsearch.requestHeadersWhitelist: ["securitytenant", "Authorization"]
 
-opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
-opendistro_security.readonly_mode.roles: ["kibana_read_only"]
+# opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
+# opendistro_security.readonly_mode.roles: ["kibana_read_only"]