一、集群身份认证与用户鉴权
1,开启es安全模块
#启动单节点 bin/elasticsearch -E node.name=node0 -E cluster.name=geektime -E path.data=node0_data -E http.port=9200 -E xpack.security.enabled=true 或者 bin/elasticsearch -E xpack.security.enabled=true #使用Curl访问ES,或者浏览器访问 “localhost:9200/_cat/nodes?pretty”。返回401错误 curl 'localhost:9200/_cat/nodes?pretty' #运行密码设定的命令,设置ES内置用户及其初始密码。 bin/elasticsearch-setup-passwords interactive curl -u elastic 'localhost:9200/_cat/nodes?pretty'
2,设置kibana
# 修改 kibana.yml elasticsearch.username: "kibana" elasticsearch.password: "changeme"
3,登录
#启动。使用用户名,elastic,密码a123456
二、集群内安全通信
# 生成证书 # 为您的Elasticearch集群创建一个证书颁发机构。例如,使用elasticsearch-certutil ca命令: bin/elasticsearch-certutil ca #为群集中的每个节点生成证书和私钥。例如,使用elasticsearch-certutil cert 命令: bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 #将证书拷贝到 config/certs目录下 elastic-certificates.p12 bin/elasticsearch -E node.name=node0 -E cluster.name=geektime -E path.data=node0_data -E http.port=9200 -E xpack.security.enabled=true -E xpack.security.transport.ssl.enabled=true -E xpack.security.transport.ssl.verification_mode=certificate -E xpack.security.transport.ssl.keystore.path=certs/elastic-certificates.p12 -E xpack.security.transport.ssl.truststore.path=certs/elastic-certificates.p12 bin/elasticsearch -E node.name=node1 -E cluster.name=geektime -E path.data=node1_data -E http.port=9201 -E xpack.security.enabled=true -E xpack.security.transport.ssl.enabled=true -E xpack.security.transport.ssl.verification_mode=certificate -E xpack.security.transport.ssl.keystore.path=certs/elastic-certificates.p12 -E xpack.security.transport.ssl.truststore.path=certs/elastic-certificates.p12 #不提供证书的节点,无法加入 bin/elasticsearch -E node.name=node2 -E cluster.name=geektime -E path.data=node2_data -E http.port=9202 -E xpack.security.enabled=true -E xpack.security.transport.ssl.enabled=true -E xpack.security.transport.ssl.verification_mode=certificate
## elasticsearch.yml 配置 #xpack.security.transport.ssl.enabled: true #xpack.security.transport.ssl.verification_mode: certificate #xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12 #xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
三、使用https与集群外部间的安全通信
xpack.security.http.ssl.enabled: true xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12 xpack.security.http.ssl.truststore.path: certs/elastic-certificates.p12
# ES 启用 https bin/elasticsearch -E node.name=node0 -E cluster.name=geektime -E path.data=node0_data -E http.port=9200 -E xpack.security.enabled=true -E xpack.security.transport.ssl.enabled=true -E xpack.security.transport.ssl.verification_mode=certificate -E xpack.security.transport.ssl.keystore.path=certs/elastic-certificates.p12 -E xpack.security.http.ssl.enabled=true -E xpack.security.http.ssl.keystore.path=certs/elastic-certificates.p12 -E xpack.security.http.ssl.truststore.path=certs/elastic-certificates.p12
#Kibana 连接 ES https # 为kibana生成pem openssl pkcs12 -in elastic-certificates.p12 -cacerts -nokeys -out elastic-ca.pem elasticsearch.hosts: ["https://localhost:9200"] elasticsearch.ssl.certificateAuthorities: [ "/Users/yiruan/geektime/kibana-7.1.0/config/certs/elastic-ca.pem" ] elasticsearch.ssl.verificationMode: certificate # 为 Kibna 配置 HTTPS # 生成后解压,包含了instance.crt 和 instance.key bin/elasticsearch-certutil ca --pem server.ssl.enabled: true server.ssl.certificate: config/certs/instance.crt server.ssl.key: config/certs/instance.key