Enabling Elasticsearch cluster internal transport encryption and security authentication
Before 6.8 the free version did not include security authentication; later versions opened up some basic authentication features. To prevent all kinds of accidents, an access password is usually set on the ES cluster. A prerequisite for setting the password is configuring cluster certificates, otherwise ES fails on startup.
As for what the certificates do: put simply, they encrypt the communication between nodes inside the ES cluster. The principle is that every node is given a CA certificate, and only nodes holding the same CA certificate can join the cluster.
A single node is configured in exactly the same way as below.
1. Edit the ES cluster configuration file
# All nodes need the following configuration
cd /usr/local/elasticsearch-7.6.1/config/
vim elasticsearch.yml
# Add the following entries to enable x-pack and point at the certificate
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
2. Generate the TLS certificate
# Do this on one node only
cd /usr/local/elasticsearch-7.6.1/bin
./elasticsearch-certutil cert -out config/elastic-certificates.p12 -pass ""
# When the command finishes, the file elastic-certificates.p12 is generated in the config directory under the ES home
ls /usr/local/elasticsearch-7.6.1/config/
elastic-certificates.p12 elasticsearch.keystore elasticsearch.yml jvm.options log4j2.properties role_mapping.yml roles.yml users users_roles
The generated elastic-certificates.p12 file must be copied into the config directory of every other ES node.
3. Restart the ES cluster for the configuration to take effect
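Before restarting, it is worth checking each node once: a node whose elasticsearch.yml is missing one of the entries from step 1, or whose copied elastic-certificates.p12 is missing or readable by everyone, will either fail to start or leave the node's private key exposed. The POSIX sh script below is an added example, not part of the original post; it assumes the post's layout (elasticsearch.yml and the .p12 side by side in config/) and the function and demo names are this example's own. Because the post generates the PKCS#12 file with -pass "", it is unencrypted, so the permission check is the only protection the key material gets.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight check of one
# node's config directory before the restart in step 3. It verifies that the
# five xpack settings from step 1 are present (uncommented, exact values) and
# that elastic-certificates.p12 from step 2 exists, is non-empty and is not
# world-readable. The layout is assumed to match the post.

# check_security_config <config_dir>
# Prints one line per problem found; returns 0 if the node is ready, 1 otherwise.
check_security_config() {
    dir="$1"
    yml="$dir/elasticsearch.yml"
    rc=0
    if [ ! -f "$yml" ]; then
        echo "missing $yml"
        return 1
    fi
    # Strip surrounding whitespace so indentation does not matter; commented
    # lines keep their '#' and therefore never match.
    norm=$(sed 's/^[[:space:]]*//; s/[[:space:]]*$//' "$yml")
    for kv in \
        'xpack.security.enabled: true' \
        'xpack.security.transport.ssl.enabled: true' \
        'xpack.security.transport.ssl.verification_mode: certificate' \
        'xpack.security.transport.ssl.keystore.path: elastic-certificates.p12' \
        'xpack.security.transport.ssl.truststore.path: elastic-certificates.p12'
    do
        if ! printf '%s\n' "$norm" | grep -Fqx -- "$kv"; then
            echo "missing or wrong: $kv"
            rc=1
        fi
    done
    # A relative keystore path is resolved against the config directory.
    # The post creates the file with -pass "" (unencrypted), so file
    # permissions are the only thing protecting the node's private key.
    p12="$dir/elastic-certificates.p12"
    if [ ! -s "$p12" ]; then
        echo "missing or empty: $p12"
        rc=1
    elif [ -n "$(find "$p12" -perm -004 2>/dev/null)" ]; then
        echo "world-readable: $p12 (fix with chmod 600)"
        rc=1
    fi
    return $rc
}

# make_demo: builds a constructed demo tree (not a real node): a correct
# config under good/ and, under bad/, the truststore line commented out plus
# a world-readable .p12. Prints the path of the tree.
make_demo() {
    demo=$(mktemp -d)
    mkdir "$demo/good" "$demo/bad"
    cat > "$demo/good/elasticsearch.yml" <<'EOF'
cluster.name: demo-cluster
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
EOF
    sed 's/^xpack\.security\.transport\.ssl\.truststore/#&/' \
        "$demo/good/elasticsearch.yml" > "$demo/bad/elasticsearch.yml"
    printf 'placeholder-not-a-real-pkcs12' > "$demo/good/elastic-certificates.p12"
    chmod 600 "$demo/good/elastic-certificates.p12"
    cp "$demo/good/elastic-certificates.p12" "$demo/bad/elastic-certificates.p12"
    chmod 644 "$demo/bad/elastic-certificates.p12"
    echo "$demo"
}

demo=$(make_demo)
echo "good node:"; check_security_config "$demo/good" && echo "  ready to restart"
echo "bad node:";  check_security_config "$demo/bad"  || echo "  not ready"
rm -rf "$demo"
```

On a real node run check_security_config /usr/local/elasticsearch-7.6.1/config on every member before the restart in step 3; a node that reports problems will not form a cluster with the others even if it starts.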
su - es
# First kill the running es process with the kill command
cd /usr/local/elasticsearch-7.6.1/bin/
nohup ./elasticsearch &
4. Generate the ES authentication user passwords
cd /usr/local/elasticsearch-7.6.1/bin
# ES must be running. Set the passwords on one node only; once set, the data is synchronised to the other nodes automatically (ES nodes that join later also receive it automatically).
./elasticsearch-setup-passwords auto
# This mode generates the passwords for us automatically. To set them by hand from the start, use the ./elasticsearch-setup-passwords interactive command instead
future versions of Elasticsearch will require Java 11; your Java version from [/usr/local/java/jdk1.8.0_60/jre] does not meet this requirement
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
The passwords will be randomly generated and printed to the console.
Please confirm that you would like to continue [y/N]y
Changed password for user apm_system
PASSWORD apm_system = WG8ltzIMVDnyZp1TKUkL

Changed password for user kibana
PASSWORD kibana = RPqBrGh1P7A2NxSGxoq8

Changed password for user logstash_system
PASSWORD logstash_system = zigtbsMWFKWS2n9NaqV2

Changed password for user beats_system
PASSWORD beats_system = HczYXRh4YYO98sMjLZOa

Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = hLGaUwPRZosIwGzSUu6I

Changed password for user elastic
PASSWORD elastic = E8r1ucoTxQJ0fWopnnYe
5. Verify
Accessing es now requires logging in with a username and password.
Running the original command to view the ES cluster node status now returns an error:
curl -XGET "localhost:9200/_cat/nodes?v"
{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/_cat/nodes?v]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"missing authentication credentials for REST request [/_cat/nodes?v]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401}
Method one: pass the password along with the request
curl --user elastic:E8r1ucoTxQJ0fWopnnYe -XGET "localhost:9200/_cat/nodes?v"
Method two: enter the password separately when prompted
curl --user elastic -XGET "localhost:9200/_cat/nodes?v"
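With method one the password ends up in the shell history and in the process list of everyone on the host; method two avoids that but needs a person at the keyboard. For scripted checks, curl can read credentials from a netrc file instead. The POSIX sh script below is an added example, not part of the original post: it parses the "PASSWORD user = value" lines printed by elasticsearch-setup-passwords auto (the sample is a trimmed copy of the post's output, embedded as a constructed string) and writes a single-entry netrc with mode 0600 for the chosen user. The names SETUP_OUTPUT, extract_password and write_netrc are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post. Parses the output of
# elasticsearch-setup-passwords auto and writes a curl netrc file (mode 0600)
# so the step 5 check can run without the password on the command line.

# Constructed sample: a trimmed copy of the post's setup output.
SETUP_OUTPUT='Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
The passwords will be randomly generated and printed to the console.
Please confirm that you would like to continue [y/N]y
Changed password for user apm_system
PASSWORD apm_system = WG8ltzIMVDnyZp1TKUkL
Changed password for user kibana
PASSWORD kibana = RPqBrGh1P7A2NxSGxoq8
Changed password for user elastic
PASSWORD elastic = E8r1ucoTxQJ0fWopnnYe'

# extract_password <file> <user>
# Prints the value from the "PASSWORD <user> = <value>" line; prints nothing
# when no such line exists. Generated passwords never contain spaces, so the
# fourth whitespace-separated field is the whole password.
extract_password() {
    awk -v u="$2" '$1 == "PASSWORD" && $2 == u { print $4 }' "$1"
}

# write_netrc <file> <host> <user> <out>
# Writes "machine <host> login <user> password <pw>" to <out>, created 0600.
# Fails (exit 1) when the user has no password line in <file>.
write_netrc() {
    pw=$(extract_password "$1" "$3")
    if [ -z "$pw" ]; then
        echo "no password for user $3 in $1" >&2
        return 1
    fi
    # umask in a subshell: a new file is created 0600 without changing the
    # caller's umask; the chmod covers a pre-existing file.
    ( umask 077; printf 'machine %s login %s password %s\n' "$2" "$3" "$pw" > "$4" ) \
        && chmod 600 "$4"
}

# Demo on the constructed sample. On a real node the output would be saved
# with a restrictive umask, e.g.:
#   (umask 077; ./elasticsearch-setup-passwords auto | tee setup-output.txt)
tmp=$(mktemp)
printf '%s\n' "$SETUP_OUTPUT" > "$tmp"
netrc=$(mktemp)
write_netrc "$tmp" localhost elastic "$netrc" && echo "wrote netrc for elastic to $netrc"
# Step 5 check without exposing the password (assumes ES on localhost:9200):
#   curl --netrc-file "$netrc" "http://localhost:9200/_cat/nodes?v"
rm -f "$tmp" "$netrc"
```

Keep the netrc at a fixed path such as $HOME/.es-netrc rather than a temp file, delete the captured setup output once the netrc is written, and remember that the netrc matches on the hostname in the URL, so the machine field must equal whatever host the curl command targets.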
Once ES has authentication configured, other components also need corresponding configuration before they can access it; for details see: Kibana accessing an Elasticsearch cluster with security authentication, Elasticsearch-head accessing an Elasticsearch cluster with security authentication, and Logstash accessing an Elasticsearch cluster with security authentication.