Contents
  1. Create the keystore on the master node
  2. Enable SSL authentication on all nodes
    2.1 Generate elastic-stack-ca.p12
    2.2 Generate the certificate: elastic-certificates.p12
    2.3 Add the node passwords to elasticsearch-keystore
    2.3 Copy the two certificates and the password (keystore) file to the other cluster nodes
    2.4 Add the configuration to elasticsearch.yml on all nodes
    3.5 Set the passwords on the master node
    4 Verify the permissions
      4.1 Without a user
      4.2 With user and password

Elasticsearch 7.6 authentication setup guide

1. Create the keystore on the master node

export ES_PATH_CONF="/home/elasticsearch/config" && /usr/local/elasticsearch-7.6.2/bin/elasticsearch-keystore create

2. Enable SSL authentication on all nodes

2.1 Generate elastic-stack-ca.p12

/usr/local/elasticsearch-7.6.2/bin/elasticsearch-certutil ca

## When prompted "Please enter the desired output file [elastic-stack-ca.p12]:", enter the full path:
/home/elasticsearch/config/certs/elastic-stack-ca.p12
2.2 Generate the certificate: elastic-certificates.p12

/usr/local/elasticsearch-7.6.2/bin/elasticsearch-certutil cert --ca /home/elasticsearch/config/certs/elastic-stack-ca.p12

## When prompted "Enter password for CA (/home/elasticsearch/config/certs/elastic-stack-ca.p12) :", enter the CA password you set in the previous step.
## When then prompted "Please enter the desired output file [elastic-certificates.p12]:", enter the full path:
/home/elasticsearch/config/certs/elastic-certificates.p12
2.3 Add the node passwords to elasticsearch-keystore

/usr/local/elasticsearch-7.6.2/bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password

/usr/local/elasticsearch-7.6.2/bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
2.3 Copy the two certificates and the password (keystore) file to the other cluster nodes

scp -r /home/elasticsearch/config/certs elasticsearch@192.168.0.8:/home/elasticsearch/config/
scp /home/elasticsearch/config/elasticsearch.keystore elasticsearch@192.168.0.8:/home/elasticsearch/config/
2.4 Add the configuration to elasticsearch.yml on all nodes

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
3.5 Set the passwords on the master node

export ES_PATH_CONF="/home/elasticsearch/config" && IP="192.168.0.7" && name="HOST192.168.0.7" && /usr/local/elasticsearch-7.6.2/bin/elasticsearch-setup-passwords interactive -Enode.name="$name" -Enetwork.host="$IP"

Note: 1. This operation sets login passwords for elasticsearch, logstash and kibana respectively (the default ES user name is elastic, the logstash user name is logstash_system and the kibana user name is kibana).

2. These built-in users are stored in .security, a special index managed by X-Pack security. If a password is changed or a user is disabled, the change is automatically reflected on every node in the cluster. This also means that if your .security index is deleted or restored from a snapshot, any changes you applied will be lost.
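As an added example (not from the original post, and not an Elasticsearch tool): a POSIX shell audit that checks a node's elasticsearch.yml and the saved output of `elasticsearch-keystore list` for the settings from sections 2.3 and 2.4, and also flags the legacy plaintext `*.password` setting in the yml. The sample files and the `yml_value`, `check_node` and `make_samples` functions are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: audit a node's elasticsearch.yml and the
# output of `elasticsearch-keystore list` against what sections 2.3 and 2.4 add.
# Sample files are constructed below; on a real node point check_node at
# $ES_PATH_CONF/elasticsearch.yml and at saved `elasticsearch-keystore list` output.

# Settings section 2.4 adds on every node, as key=value pairs.
REQUIRED_SETTINGS="xpack.security.enabled=true
xpack.security.transport.ssl.enabled=true
xpack.security.transport.ssl.verification_mode=certificate
xpack.security.transport.ssl.keystore.path=certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path=certs/elastic-certificates.p12"

# Secure settings section 2.3 stores in the keystore; they must never sit in the yml.
REQUIRED_SECURE="xpack.security.transport.ssl.keystore.secure_password
xpack.security.transport.ssl.truststore.secure_password"

# yml_value FILE KEY: value of the last "KEY: value" line, or empty if unset.
yml_value() {
  esc=$(printf '%s' "$2" | sed 's/\./\\./g')
  grep -E "^[[:space:]]*${esc}[[:space:]]*:" "$1" | tail -n 1 |
    sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//'
}

# check_node YML KEYSTORE_LIST: prints one line per problem; succeeds only when clean.
check_node() {
  yml="$1"; klist="$2"; problems=0
  for pair in $REQUIRED_SETTINGS; do
    key=${pair%%=*}; want=${pair#*=}; got=$(yml_value "$yml" "$key")
    [ "$got" = "$want" ] || { echo "WRONG $key: want '$want', got '${got:-<unset>}'"; problems=$((problems + 1)); }
  done
  for key in $REQUIRED_SECURE; do
    grep -qxF "$key" "$klist" || { echo "KEYSTORE MISSING $key"; problems=$((problems + 1)); }
    # The legacy plaintext *.password setting leaks the PKCS#12 password into the yml.
    plain=${key%.secure_password}.password
    [ -z "$(yml_value "$yml" "$plain")" ] || { echo "PLAINTEXT $plain in yml"; problems=$((problems + 1)); }
  done
  [ "$problems" -eq 0 ]
}

# make_samples: writes a compliant node and a misconfigured one; prints the directory.
make_samples() {
  d=$(mktemp -d)
  printf '%s\n' "$REQUIRED_SETTINGS" | sed 's/=/: /' > "$d/good.yml"
  printf '%s\n' "$REQUIRED_SECURE" > "$d/good.list"
  # Bad node: verification turned off, password in the yml, truststore entry missing.
  sed 's/verification_mode: certificate/verification_mode: none/' "$d/good.yml" > "$d/bad.yml"
  echo 'xpack.security.transport.ssl.keystore.password: changeme' >> "$d/bad.yml"
  head -n 1 "$d/good.list" > "$d/bad.list"
  echo "$d"
}
```

Run `d=$(make_samples); check_node "$d/bad.yml" "$d/bad.list"` to see the three findings for the misconfigured node; the compliant node prints nothing and exits 0.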

4 Verify the permissions

4.1 Without a user

Request: curl http://192.168.0.8:9200/_cat/nodes?pretty
Response:
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "missing authentication credentials for REST request [/_cat/nodes?pretty]",
        "header" : {
          "WWW-Authenticate" : "Basic realm=\"security\" charset=\"UTF-8\""
        }
      }
    ],
    "type" : "security_exception",
    "reason" : "missing authentication credentials for REST request [/_cat/nodes?pretty]",
    "header" : {
      "WWW-Authenticate" : "Basic realm=\"security\" charset=\"UTF-8\""
    }
  },
  "status" : 401
}
4.2 With user and password

curl -u elastic http://192.168.0.8:9200/_cat/nodes?pretty
Enter host password for user 'elastic':
192.168.0.7 10 78 6 0.02 0.13 0.13 dilm * HOST192.168.0.7
192.168.0.8 9 77 4 0.00 0.08 0.10 dilm - HOST192.168.0.8

OK, at this point the authentication configuration is complete.
