Elasticsearch cluster-internal communication encryption and authentication
Author: Internet
Enabling encryption of Elasticsearch cluster-internal communication and identity authentication
Before 6.8 the free edition did not include any security authentication; later versions opened up some basic authentication features. To prevent all kinds of accidents, an ES cluster is generally given an access password. Setting an access password requires that cluster certificates are set up first, otherwise ES reports an error on startup.
As for what the certificates do: in short, they encrypt the secure communication between the nodes inside the ES cluster. The principle is that every node is given a CA certificate, and only nodes holding the same CA certificate can join the cluster.
A single-node deployment is configured in exactly the same way as below.
1. Edit the ES cluster configuration file
# All nodes need the following configuration
cd /usr/local/elasticsearch-7.6.1/config/
vim elasticsearch.yml
# Add the following entries to enable the x-pack feature and point at the certificate location
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
2. Generate the TLS certificate
# Run this on one node only
cd /usr/local/elasticsearch-7.6.1/bin
./elasticsearch-certutil cert -out config/elastic-certificates.p12 -pass ""
# After it completes, the elastic-certificates.p12 file is generated under the config directory of the ES installation
ls /usr/local/elasticsearch-7.6.1/config/
elastic-certificates.p12 elasticsearch.keystore elasticsearch.yml jvm.options log4j2.properties role_mapping.yml roles.yml users users_roles
The generated elastic-certificates.p12 file must be copied into the config directory of every other ES node.
3. Restart the ES cluster so the configuration takes effect
su - es
# First stop the es process with the kill command
cd /usr/local/elasticsearch-7.6.1/bin/
nohup ./elasticsearch &
4. Generate passwords for the ES built-in users
cd /usr/local/elasticsearch-7.6.1/bin
# ES must be running. Set the passwords on one node only; once set, the data is synchronised to the other nodes automatically.
./elasticsearch-setup-passwords auto
# This mode generates the passwords automatically; to set them by hand from the start, use the ./elasticsearch-setup-passwords interactive command instead
future versions of Elasticsearch will require Java 11; your Java version from [/usr/local/java/jdk1.8.0_60/jre] does not meet this requirement
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
The passwords will be randomly generated and printed to the console.
Please confirm that you would like to continue [y/N]y
Changed password for user apm_system
PASSWORD apm_system = WG8ltzIMVDnyZp1TKUkL
Changed password for user kibana
PASSWORD kibana = RPqBrGh1P7A2NxSGxoq8
Changed password for user logstash_system
PASSWORD logstash_system = zigtbsMWFKWS2n9NaqV2
Changed password for user beats_system
PASSWORD beats_system = HczYXRh4YYO98sMjLZOa
Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = hLGaUwPRZosIwGzSUu6I
Changed password for user elastic
PASSWORD elastic = E8r1ucoTxQJ0fWopnnYe
5. Verify
Accessing es now requires logging in with a username and password.
Running the original command to view the ES cluster node status now returns an error:
curl -XGET "localhost:9200/_cat/nodes?v"
{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/_cat/nodes?v]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"missing authentication credentials for REST request [/_cat/nodes?v]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401}
Method 1: pass the password along with the request
curl --user elastic:E8r1ucoTxQJ0fWopnnYe -XGET "localhost:9200/_cat/nodes?v"
Method 2: enter the password separately (curl prompts for it)
curl --user elastic -XGET "localhost:9200/_cat/nodes?v"
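The following shell script is an added example; it is not part of the original post and not an Elasticsearch tool. It turns steps 1 to 5 into a check that can be run on each node: it confirms every xpack.* setting the post adds is present in elasticsearch.yml with the expected value, prints a hash of elastic-certificates.p12 so the copies on all nodes can be compared, flags a world-readable keystore, and confirms that the REST API answers anonymous requests with the 401 shown above and authenticated requests with 200. The environment variable names ES_CONFIG_DIR, ES_URL, ES_USER and ES_PASS are assumptions chosen for this script; it also assumes awk, sha256sum and curl are installed.

```shell
#!/bin/sh
# check_es_security.sh: added example, not from the original post or from Elasticsearch.
# Verifies that transport TLS and authentication (steps 1-5) are really in place on a node.
# Assumed: ES_CONFIG_DIR / ES_URL / ES_USER / ES_PASS environment variables (names chosen here),
# plus awk, sha256sum and curl on the PATH.

# Settings the post adds to elasticsearch.yml, as key=value pairs.
REQUIRED_SETTINGS='xpack.security.enabled=true
xpack.security.transport.ssl.enabled=true
xpack.security.transport.ssl.verification_mode=certificate
xpack.security.transport.ssl.keystore.path=elastic-certificates.p12
xpack.security.transport.ssl.truststore.path=elastic-certificates.p12'

# yml_get FILE KEY: print the value of a flat "key: value" line; comments are ignored.
yml_get() {
    awk -v k="$2" '
        /^[[:space:]]*#/ { next }                       # whole-line comment
        { sub(/[[:space:]]+#.*$/, "") }                 # trailing comment
        index($0, k ":") == 1 {
            v = substr($0, length(k) + 2)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)  # trim
            gsub(/^"|"$/, "", v)                        # unquote
            print v; exit
        }' "$1"
}

# check_yml FILE: return 0 only if every required setting carries the expected value.
check_yml() {
    rc=0
    while IFS='=' read -r key want; do
        [ -z "$key" ] && continue
        got=$(yml_get "$1" "$key")
        if [ "$got" != "$want" ]; then
            printf '%s: want "%s", got "%s"\n' "$key" "$want" "$got" >&2
            rc=1
        fi
    done <<EOF
$REQUIRED_SETTINGS
EOF
    return $rc
}

# cert_fingerprint FILE: SHA-256 of the PKCS#12 bundle. It must be identical on every node,
# since only nodes holding the same certificate can join the cluster.
cert_fingerprint() {
    sha256sum "$1" | awk '{ print $1 }'
}

# cert_world_readable FILE: return 0 if "other" can read the file (a keystore should be 600/640).
cert_world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# check_rest_auth URL USER PASSWORD: 0 if anonymous gets 401 and credentials get 200.
# Credentials are handed to curl as a config file on stdin (-K -) so they stay out of argv.
check_rest_auth() {
    anon=$(curl -s -o /dev/null -w '%{http_code}' "$1/_cat/nodes?v")
    auth=$(printf 'user = "%s:%s"\n' "$2" "$3" |
        curl -s -o /dev/null -w '%{http_code}' -K - "$1/_cat/nodes?v")
    [ "$anon" = "401" ] && [ "$auth" = "200" ]
}

# Live run on a node, e.g.:
#   ES_CONFIG_DIR=/usr/local/elasticsearch-7.6.1/config ES_URL=http://localhost:9200 \
#   ES_USER=elastic ES_PASS='<password from setup-passwords>' sh check_es_security.sh
if [ -n "${ES_CONFIG_DIR:-}" ]; then
    check_yml "$ES_CONFIG_DIR/elasticsearch.yml" && echo "elasticsearch.yml: OK"
    p12="$ES_CONFIG_DIR/elastic-certificates.p12"
    if [ -f "$p12" ]; then
        echo "elastic-certificates.p12 sha256: $(cert_fingerprint "$p12") (compare on every node)"
        cert_world_readable "$p12" && echo "WARNING: $p12 is world-readable" >&2
    else
        echo "MISSING: $p12" >&2
    fi
    if [ -n "${ES_URL:-}" ]; then
        if check_rest_auth "$ES_URL" "${ES_USER:-elastic}" "${ES_PASS:?set ES_PASS}"; then
            echo "REST auth: anonymous rejected (401), credentials accepted (200)"
        else
            echo "REST auth: unexpected status codes" >&2
        fi
    fi
fi
```

Run it on every node and compare the printed certificate hash: a node whose hash differs did not receive the same elastic-certificates.p12 and will not join the cluster, and a world-readable keystore should have its permissions tightened. The REST check expects exactly the 401 response the post shows for an unauthenticated request.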
6. Other ES user operations
cd /usr/local/elasticsearch-7.6.1/bin
Create a superuser
sh elasticsearch-users useradd esadmin -p Qwe123. -r superuser
Change the elastic user's password to elastic
curl -u esadmin:Qwe123. -XPUT "http://localhost:9200/_xpack/security/user/elastic/_password?pretty" -H 'Content-Type: application/json' -d '{"password": "elastic"}'
Delete the superuser
sh elasticsearch-users userdel esadmin
Once ES has authentication configured, other components that need to access ES must be configured accordingly as well; see the Kibana authentication configuration for details.
Tags: ES, encryption, elastic, system, Elasticsearch, user, elasticsearch, security, cluster. Source: https://www.cnblogs.com/cjzzz/p/16133347.html