
Encrypting Elasticsearch cluster internal communication and enabling authentication

Author: Internet

Enabling encryption of Elasticsearch cluster internal communication and authentication

Before 6.8 the free edition did not include security authentication; later versions opened up some basic authentication features. To prevent all kinds of accidents, an access password is normally set on the ES cluster. Setting the access password requires cluster certificates to be configured first, otherwise ES reports an error on startup.
As for what the certificates do: simply put, they encrypt the communication between the nodes inside the ES cluster. The principle is that every node is given a CA certificate, and only nodes holding the same CA certificate can join the cluster.

A single-node deployment is configured in exactly the same way as below

1. Edit the ES cluster configuration file

# All nodes need the following configuration

cd /usr/local/elasticsearch-7.6.1/config/

vim elasticsearch.yml

# Add the following entries to enable the x-pack security feature and point at the certificate location
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

2. Generate the TLS certificate

# Run this on just one of the nodes

cd /usr/local/elasticsearch-7.6.1/bin

./elasticsearch-certutil cert -out config/elastic-certificates.p12 -pass ""

# When it completes, the file elastic-certificates.p12 is generated in the config directory under the ES directory

ls /usr/local/elasticsearch-7.6.1/config/

elastic-certificates.p12  elasticsearch.keystore  elasticsearch.yml  jvm.options  log4j2.properties  role_mapping.yml  roles.yml  users  users_roles

The generated elastic-certificates.p12 file must be copied into the config directory of every other ES node

3. Restart the ES cluster so the configuration takes effect

su - es

# First stop the running es process with the kill command

cd /usr/local/elasticsearch-7.6.1/bin/

nohup ./elasticsearch &

4. Generate the passwords for the ES authentication users

cd /usr/local/elasticsearch-7.6.1/bin

# ES must be running. Set the passwords on one node only; once set, the data is synchronised to the other nodes automatically.

./elasticsearch-setup-passwords auto

# This mode generates the passwords for us automatically; to choose them by hand from the start, use the ./elasticsearch-setup-passwords interactive command instead

future versions of Elasticsearch will require Java 11; your Java version from [/usr/local/java/jdk1.8.0_60/jre] does not meet this requirement
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
The passwords will be randomly generated and printed to the console.
Please confirm that you would like to continue [y/N]y


Changed password for user apm_system
PASSWORD apm_system = WG8ltzIMVDnyZp1TKUkL

Changed password for user kibana
PASSWORD kibana = RPqBrGh1P7A2NxSGxoq8

Changed password for user logstash_system
PASSWORD logstash_system = zigtbsMWFKWS2n9NaqV2

Changed password for user beats_system
PASSWORD beats_system = HczYXRh4YYO98sMjLZOa

Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = hLGaUwPRZosIwGzSUu6I

Changed password for user elastic
PASSWORD elastic = E8r1ucoTxQJ0fWopnnYe

5. Verification

Accessing es now requires logging in with a user name and password

Running the original command to check the ES cluster node status now returns an error

curl -XGET "localhost:9200/_cat/nodes?v"

{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/_cat/nodes?v]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"missing authentication credentials for REST request [/_cat/nodes?v]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401}

Method 1: pass the password along with the request

curl --user elastic:E8r1ucoTxQJ0fWopnnYe -XGET "localhost:9200/_cat/nodes?v"

Method 2: give only the user name and enter the password when curl prompts for it

curl --user elastic -XGET "localhost:9200/_cat/nodes?v"
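Because every node must carry the settings from step 1 and a copy of the .p12 from step 2 before the restart in step 3, a per-node pre-flight check is useful. The script below is an added example, not part of the original post; it assumes the post's layout (elasticsearch.yml and elastic-certificates.p12 in the same config directory, passed as the argument) and builds its own constructed sample directories.

```shell
#!/bin/sh
# Pre-restart check for one Elasticsearch node (added example, not from the post).
# Verifies that elasticsearch.yml carries the step-1 security settings and that the
# keystore/truststore it names (the step-2 .p12) actually exists in that config dir.

# es_setting FILE KEY: print the value of "KEY: value" (last uncommented occurrence wins)
es_setting() {
  grep -E "^[[:space:]]*$2[[:space:]]*:" "$1" \
    | sed -e 's/^[^:]*:[[:space:]]*//' -e 's/[[:space:]]*#.*$//' -e 's/^"\(.*\)"$/\1/' \
    | tail -n 1
}

# check_es_security CONFIG_DIR: return 0 when the node is ready to restart with security on
check_es_security() {
  dir=$1; yml="$dir/elasticsearch.yml"; rc=0
  [ -f "$yml" ] || { echo "FAIL: $yml not found"; return 2; }
  for key in xpack.security.enabled xpack.security.transport.ssl.enabled; do
    v=$(es_setting "$yml" "$key")
    [ "$v" = "true" ] || { echo "FAIL: $key is '${v:-unset}', expected true"; rc=1; }
  done
  mode=$(es_setting "$yml" xpack.security.transport.ssl.verification_mode)
  case "$mode" in
    certificate|full) ;;                      # 'none' would skip peer verification entirely
    *) echo "FAIL: verification_mode is '${mode:-unset}'"; rc=1 ;;
  esac
  for key in xpack.security.transport.ssl.keystore.path \
             xpack.security.transport.ssl.truststore.path; do
    p=$(es_setting "$yml" "$key")
    case "$p" in /*) f=$p ;; *) f="$dir/$p" ;; esac   # relative paths resolve against the config dir
    { [ -n "$p" ] && [ -f "$f" ]; } || { echo "FAIL: $key -> '${p:-unset}' not found"; rc=1; }
  done
  [ "$rc" -eq 0 ] && echo "OK: $dir is ready for restart"
  return "$rc"
}

# make_sample_configs BASE: constructed sample data, one correct node and one node
# that only turned security on but never got the TLS settings or the certificate
make_sample_configs() {
  mkdir -p "$1/node-ok" "$1/node-bad"
  printf '%s\n' 'xpack.security.enabled: true' \
    'xpack.security.transport.ssl.enabled: true' \
    'xpack.security.transport.ssl.verification_mode: certificate' \
    'xpack.security.transport.ssl.keystore.path: elastic-certificates.p12' \
    'xpack.security.transport.ssl.truststore.path: elastic-certificates.p12' \
    > "$1/node-ok/elasticsearch.yml"
  : > "$1/node-ok/elastic-certificates.p12"   # stands in for the real .p12 from certutil
  printf '%s\n' 'xpack.security.enabled: true' > "$1/node-bad/elasticsearch.yml"
}

base=$(mktemp -d)
make_sample_configs "$base"
check_es_security "$base/node-ok"  || :
check_es_security "$base/node-bad" || :
```

On a real node run `check_es_security /usr/local/elasticsearch-7.6.1/config` before restarting it; a node that fails the check would not rejoin the cluster once the others require TLS.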

6. Other ES user operations

cd /usr/local/elasticsearch-7.6.1/bin

Create a superuser

sh elasticsearch-users useradd esadmin -p Qwe123. -r superuser

Change the elastic user's password to elastic

curl -u esadmin:Qwe123. -XPUT "http://localhost:9200/_xpack/security/user/elastic/_password?pretty" -H 'Content-Type: application/json' -d '{"password": "elastic"}'

Delete the superuser

sh elasticsearch-users userdel esadmin


Once authentication is configured on ES, other components that need to access ES also require corresponding configuration; see the Kibana authentication configuration for details


Source: https://www.cnblogs.com/cjzzz/p/16133347.html