
Elasticsearch security: setting up accounts and passwords

I. Single-node Elasticsearch test

1. Add the following to elasticsearch.yml

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true

2. Set the passwords for all built-in users:

[root@ansible elasticsearch]# /usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y
Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana]:
Reenter password for [kibana]:
Passwords do not match. Try again.
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]

3. Test

[root@ansible elasticsearch]# curl http://192.168.86.128:9200/_cat/health?v -u elastic
Enter host password for user 'elastic':
epoch      timestamp cluster       status node.total node.data shards pri relo init unassign pending_tasks max_task_wait_time active_shards_percent
1650520371 05:52:51  elasticsearch yellow          1         1      2   2    0    0        1             0                  -                 66.7%

II. Elasticsearch cluster (the lab is limited, so two nodes are used for the test)

1. Add the following to elasticsearch.yml

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true

After the service is started, the log shows this warning:

[2022-04-21T14:09:54,656][WARN ][o.e.t.TcpTransport       ] [ansible] exception caught on transport layer [Netty4TcpChannel{localAddress=0.0.0.0/0.0.0.0:9300, remoteAddress=/192.168.86.129:49038}], closing connection
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: no cipher suites in common

Because xpack.security.enabled is true, communication between ES nodes must be encrypted, so first create a certificate authority by running:

/usr/share/elasticsearch/bin/elasticsearch-certutil ca

Notes:

a. At the "Enter password" prompt you may enter a password or leave it empty; if you enter one, remember it, because it is needed later.

b. By default the generated CA is written to /usr/share/elasticsearch

[root@ansible elasticsearch]# /usr/share/elasticsearch/bin/elasticsearch-certutil ca 
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.

Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority

By default the 'ca' mode produces a single PKCS#12 output file which holds:
    * The CA certificate
    * The CA's private key

If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key

Please enter the desired output file [elastic-stack-ca.p12]: 
Enter password for elastic-stack-ca.p12 : 

2. Generate a certificate and private key for every node in the cluster

Copy elastic-stack-ca.p12 to each ES node and run: bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

Enter password for CA (elastic-stack-ca.p12) : <enter the password chosen when the CA was created>
Please enter the desired output file [elastic-certificates.p12]: 
Enter password for elastic-certificates.p12 : <if you enter a password here, it must also be added to the Elasticsearch keystore, see step 3>

Certificates written to /usr/share/elasticsearch/elastic-certificates.p12

On each node, move the generated elastic-certificates.p12 into /etc/elasticsearch/config:

mkdir /etc/elasticsearch/config
mv /usr/share/elasticsearch/elastic-certificates.p12 /etc/elasticsearch/config
chmod +r /etc/elasticsearch/config/elastic-certificates.p12

3. Add the following to elasticsearch.yml

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: config/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: config/elastic-certificates.p12

If the node certificate was protected with a password, add that password to the Elasticsearch keystore:

bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

If this is skipped, the service fails to start and journalctl -xe shows:

otstrap.BootstrapException: org.elasticsearch.cli.UserException: unable to create temporary keystore at [/etc/elasticsearch/elasticsearch.keystore.tmp], please check filesystem permission
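As an added example (not from the original post), a small POSIX shell checker that audits elasticsearch.yml for the keys set in steps 1 to 3 and flags a world-readable elastic-certificates.p12: the chmod +r in step 2 typically leaves the node's private key readable by every local user, whereas root:elasticsearch ownership with mode 640 is sufficient for the service. It assumes GNU stat; the sample config files and keystore file are constructed inline for the demo.

```shell
# Added example, not from the original post: audit an elasticsearch.yml for the
# transport-TLS keys set in steps 1-3 and check that the PKCS#12 file holding the
# node's private key is not world-readable (the post's "chmod +r" typically is).
# Assumes GNU stat; all sample files below are constructed for the demo.

# Return 0 when every required key carries the expected value, else print each
# missing or wrong key and return 1.
check_es_security_config() {
    yml="$1"; rc=0
    for kv in \
        'xpack.security.enabled=true' \
        'xpack.security.transport.ssl.enabled=true' \
        'xpack.security.transport.ssl.verification_mode=certificate' \
        'xpack.security.transport.ssl.keystore.path=config/elastic-certificates.p12' \
        'xpack.security.transport.ssl.truststore.path=config/elastic-certificates.p12'
    do
        key=${kv%%=*}; want=${kv#*=}
        key_re=$(printf '%s' "$key" | sed 's/\./\\./g')   # escape dots for sed
        # last "key: value" line wins, as in YAML; trailing comments are dropped
        got=$(sed -n "s/^[[:space:]]*${key_re}:[[:space:]]*\([^#[:space:]]*\).*/\1/p" "$yml" | tail -n 1)
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: have '${got:-<unset>}', want '$want'"; rc=1
        fi
    done
    return $rc
}

# Return 0 when "others" have no read bit on the keystore, 1 (with a message) otherwise.
check_p12_perms() {
    mode=$(stat -c '%a' "$1")
    case "$mode" in
        *[4567]) echo "FAIL $1 is world-readable (mode $mode)"; return 1 ;;
        *)       return 0 ;;
    esac
}

# Constructed sample input: a config matching step 3, one with TLS left off, and a
# keystore file with the permissions "chmod +r" leaves under the usual umask 022.
DEMO=$(mktemp -d)
cat > "$DEMO/good.yml" <<'EOF'
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: config/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: config/elastic-certificates.p12
EOF
printf 'xpack.security.enabled: true\nxpack.security.transport.ssl.enabled: false\n' > "$DEMO/bad.yml"
: > "$DEMO/elastic-certificates.p12"; chmod 644 "$DEMO/elastic-certificates.p12"
check_es_security_config "$DEMO/good.yml" && echo "good.yml: OK"
check_es_security_config "$DEMO/bad.yml"  || echo "bad.yml: see findings above"
check_p12_perms "$DEMO/elastic-certificates.p12" || echo "fix: chown root:elasticsearch, chmod 640"
```

Run it against the real files by replacing the constructed paths with /etc/elasticsearch/elasticsearch.yml and /etc/elasticsearch/config/elastic-certificates.p12.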

4. Restart the service: systemctl restart elasticsearch

5. Initialize the passwords

/usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive

6. Check the cluster status

[root@ansible elasticsearch]# curl http://192.168.86.128:9200/_cat/nodes?v -u elastic
Enter host password for user 'elastic':
ip             heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
192.168.86.129           14          98   0    0.01    0.02     0.00 mdi       *      elk
192.168.86.128           18          87   1    0.00    0.03     0.00 mdi       -      ansible
[root@ansible elasticsearch]# curl -X GET "192.168.86.128:9200/_cat/health?v" -u elastic
Enter host password for user 'elastic':
epoch      timestamp cluster    status node.total node.data shards pri relo init unassign pending_tasks max_task_wait_time active_shards_percent
1650526166 07:29:26  my_cluster green           2         2      4   2    0    0        0             0                  -                100.0%
[root@ansible elasticsearch]# curl -X GET "192.168.86.129:9200/_cat/health?v" -u elastic
Enter host password for user 'elastic':
epoch      timestamp cluster    status node.total node.data shards pri relo init unassign pending_tasks max_task_wait_time active_shards_percent
1650526181 07:29:41  my_cluster green           2         2      4   2    0    0        0             0                  -                100.0%

References (official documentation):

https://www.elastic.co/guide/en/elasticsearch/reference/7.1/configuring-tls.html

https://www.elastic.co/guide/en/elasticsearch/reference/7.1/built-in-users.html

Note: the following settings must be added to kibana.yml for the Kibana service, and when logging in to the web UI you must use the elastic user; logging in as the kibana user returns a 403 error:

elasticsearch.username: "kibana"
elasticsearch.password: "654321"