1, generate the SSL certificate
Generate the SSL certificate with ES_HOME/bin/x-pack/certgen.
IP:
10.17.90.20,10.17.90.21,10.17.90.22,10.17.90.24,10.17.90.25,10.17.90.26,10.17.90.27,10.17.90.28
hostname:
d1705027.grid.com,d1705028.grid.com,d1705029.grid.com,d1806001.grid.com,d1806002.grid.com,d1806003.grid.com,d1809002.grid.com,d1809003.grid.com
Modify the Salt configuration to add the SSL configuration (complete).
Modify the configuration file elasticsearch.yml to enable SSL on the transport layer:
xpack.ssl.key: /data1/elasticsearch9201/config/elasticsearch/elasticsearch.key
xpack.ssl.certificate: /data1/elasticsearch9201/config/elasticsearch/elasticsearch.crt
xpack.ssl.certificate_authorities: /data1/elasticsearch9201/config/ca/ca.crt
xpack.security.transport.ssl.enabled: true
2, change the passwords of the ES cluster's built-in accounts
./bin/x-pack/setup-passwords interactive
Set custom passwords for the built-in accounts (elastic, kibana, logstash_system):
The elastic account is the Elasticsearch super administrator and has all privileges.
The kibana account is used by the Kibana component to access the information it needs for web display.
The logstash_system account is used by the Logstash service for collecting monitoring data in Elasticsearch.
Note: before this step, the elasticsearch service must be started and X-Pack Security turned on.
./bin/x-pack/setup-passwords interactive
elastic:
kibana:
logstash_system:
3, enable LDAP authentication in ES
Modify elasticsearch.yml to enable the configuration.
Note:
Add the following to the cluster configuration in elasticsearch.yml:
http.cors.allow-headers: Authorization,X-Requested-With,Content-Length,Content-Type
4, modify the Kibana startup script
Not modified.
5, modify the Kibana configuration file
The x-pack plugin needs to be installed.
Modify the account and password used to connect to the ES cluster.
6, modify the Logstash configuration file
In the elasticsearch output
add:
user => elastic
password => password
7, restart the cluster
curl -XPUT -H 'Content-Type: application/json' "http://127.0.0.1:9200/_cluster/settings" -d '{
"transient" : {
"cluster.routing.allocation.enable":"none"
}
}'
curl -XPUT -u elastic: -H 'Content-Type: application/json' "http://127.0.0.1:9200/_cluster/settings" -d '{
"transient" : {
"cluster.routing.allocation.enable":"all"
}
}'
8, elasticsearch-head login authentication
?auth_user=elastic&auth_password=
9, add role
index_name=cron_term_log
role_name=${index_name}_all
echo "{\"cluster\":[],\"indices\":[{\"names\":[\"${index_name}*\"],\"privileges\":[\"all\"]}],\"run_as\":[],\"transient_metadata\":{\"enabled\":true}}" >${index_name}
curl -XPOST -H "Content-Type: application/json" -u elastic: "http://localhost:9201/_xpack/security/role/$role_name" -d@${index_name}
10, bind the user to the role
11, the configuration is as follows
cat elasticsearch.yml
cluster.name: elk_cluster
node.master: true
node.data: true
node.attr.box_type: hot
node.name: 10.20.90.36
path.data: /data1/data/elasticsearch
path.logs: /data1/logs/elasticsearch
network.host: 0.0.0.0
http.port: 9200
transport.tcp.compress: true
http.max_content_length: 200mb
discovery.zen.ping.unicast.hosts: ['10.22.90.36', '10.20.90.37']
discovery.zen.minimum_master_nodes: 2
discovery.zen.ping_timeout: 120s
index.store.type: mmapfs
bootstrap.system_call_filter: false
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,X-Requested-With,Content-Length,Content-Type
# thread_pool config
thread_pool.index.queue_size: 3000
thread_pool.search.min_queue_size: 400
thread_pool.search.max_queue_size: 3000
thread_pool.get.queue_size: 3000
thread_pool.bulk.queue_size: 3000
xpack.ssl.key: /data1/elasticsearch/config/elk_crt/elk.key
xpack.ssl.certificate: /data1/elasticsearch/config/elk_crt/elk.crt
xpack.ssl.certificate_authorities: /data1/elasticsearch/config/elk_crt/ca/ca.crt
xpack.security.transport.ssl.enabled: true
xpack.security.enabled: true
xpack.monitoring.enabled: true
xpack.graph.enabled: true
xpack.watcher.enabled: true
xpack.monitoring.exporters:
  id1:
    type: http
    host: ["http://10.20.90.36:9200"]
    auth.username: elastic
    auth.password: RHjv
action.auto_create_index: true
xpack:
  security:
    authc:
      realms:
        ldap1:
          type: ldap
          order: 0
          url: "ldap://111.151.118.122:389"
          bind_dn:
          bind_password: admin
          user_search:
            base_dn: ""
            attribute: data
          group_search:
            base_dn: ""
          files:
            role_mapping: "/data1/elasticsearch/config/x-pack/role_mapping.yml"
          unmapped_groups_as_roles: true
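A lint pass over settings like the ones in this elasticsearch.yml, as an added example that is not part of the original post: it flattens the nested YAML into dotted setting names and reports plaintext ldap:// and http:// endpoints, passwords kept in the file, a wildcard CORS origin, unmapped_groups_as_roles, and a REST layer without xpack.security.http.ssl.enabled. The sample input is constructed, with a placeholder LDAP host name and placeholder passwords; the function and finding names are this example's own.

```python
SAMPLE = """\
http.cors.allow-origin: "*"
xpack.monitoring.exporters:
  id1:
    host: ["http://10.20.90.36:9200"]
    auth.password: example-password
xpack:
  security:
    authc:
      realms:
        ldap1:
          url: "ldap://ldap.example.internal:389"
          bind_password: example-password
          unmapped_groups_as_roles: true
"""  # constructed sample: placeholder host name and passwords

def flatten(text):
    """Flatten nested YAML mappings into a dict of dotted setting names."""
    stack, flat = [], {}  # stack holds (indent, key) for the current path
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()  # this line is a sibling or parent of the last key
        key, _, value = raw.strip().partition(":")
        stack.append((indent, key.strip()))
        if value.strip():
            flat[".".join(k for _, k in stack)] = value.strip().strip("'\"")
    return flat

RULES = [  # (finding, setting-name suffix, test on the value)
    ("cors-any-origin", "http.cors.allow-origin", lambda v: v == "*"),
    ("ldap-cleartext", ".url", lambda v: v.startswith("ldap://")),
    ("password-in-yml", "password", lambda v: True),
    ("exporter-no-tls", ".host", lambda v: "http://" in v),
    ("groups-become-roles", "unmapped_groups_as_roles", lambda v: v == "true"),
]

def audit(flat):
    """Return (finding, setting) pairs for settings that weaken the cluster."""
    hits = [(name, key) for key, value in flat.items()
            for name, suffix, bad in RULES if key.endswith(suffix) and bad(value)]
    if flat.get("xpack.security.http.ssl.enabled") != "true":
        hits.append(("rest-no-tls", "xpack.security.http.ssl.enabled"))
    return hits

if __name__ == "__main__":
    print(*audit(flatten(SAMPLE)), sep="\n")
```

The rest-no-tls finding is the one that affects every curl command in this walkthrough: with only transport SSL enabled, the passwords passed with -u travel over plain http:// on the REST port.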