目錄
集羣身份認證
說明:訪問ES集羣需要用戶名和密碼,否則不能調用接口等。
具體實現:這裏以單個節點進行演示,ip爲192.168.52.127
1)elasticsearch.yml初始配置:
cluster.name: test
node.name: node-1
path.data: /home/elk/elasticsearch-7.2.0/data
path.logs: /home/elk/elasticsearch-7.2.0/logs
http.port: 9200
network.host: 0.0.0.0
discovery.seed_hosts: ["192.168.52.127"]
cluster.initial_master_nodes: ["node-1"]
bin/elasticsearch測試可正常啓動,然後訪問http://192.168.52.127:9200/可正常訪問
關閉elasticsearch
2)更新elasticsearch.yml配置,添加以下內容:
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
bin/elasticsearch測試可正常啓動,然後訪問http://192.168.52.127:9200/發現需要輸入用戶名和密碼才能訪問
可以創建默認的用戶和分組
3)創建默認的用戶和分組
首先,確保elasticsearch啓動;
然後,bin/elasticsearch-setup-passwords interactive
按照上圖中輸入密碼後(我這裏設置的是123456),重新訪問http://192.168.52.127:9200/,輸入賬號:elastic,密碼:123456,可正常訪問
集羣內部通訊的安全
說明:使用證書實現,一方面可以保證數據安全,避免因數據抓包導致的敏感信息泄露,另一方面避免一個其他節點(即未配置證書的節點)的隨意加入。
具體實現:配置好證書,先啓動集羣一個節點,然後先後測試新加入的節點(未配置證書,配置證書)
1)bin/elasticsearch-certutil ca
2)ls
3)bin/elasticsearch-certutil cert --ca /home/elk/elasticsearch-7.2.0/config/certs/elastic-stack-ca.p12
4)ls
5)elasticsearch.yml中:
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /home/elk/elasticsearch-7.2.0/config/certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /home/elk/elasticsearch-7.2.0/config/certs/elastic-certificates.p12
6)啓動es
首先刪除data目錄:rm -rf data/
啓動:bin/elasticsearch
7)驗證
a.新加入一個節點,elasticsearch.yml配置爲:
cluster.name: test
node.name: node-2
path.data: /home/elk/elasticsearch-7.2.0/data
path.logs: /home/elk/elasticsearch-7.2.0/logs
http.port: 9200
network.host: 0.0.0.0
discovery.seed_hosts: ["192.168.52.127"]
cluster.initial_master_nodes: ["node-1"]
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
b.刪除data目錄
c.啓動
bin/elasticsearch
會發現報錯:unable to find valid certification path to requested target
按照步驟5)在配置中添加,在執行,發現正常了
在瀏覽器中輸入:http://192.168.52.127:9200/_cluster/health
集羣與外部間的安全通信
說明:使用https訪問集羣,不能通過http訪問
1)https訪問ES集羣
elasticsearch.yml中:
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: /home/elk/elasticsearch-7.2.0/config/certs/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: /home/elk/elasticsearch-7.2.0/config/certs/elastic-certificates.p12
以http訪問集羣,報錯:io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record
以https訪問,則可以正常訪問
2)https訪問kibana
a.因爲ES集羣配置了https訪問,所以首先需要配置kibana連接ES https。具體操作如下:
第一步:openssl version -a //查看openssl是否安裝
第二步:openssl pkcs12 -in /home/elk/elasticsearch-7.2.0/config/certs/elastic-certificates.p12 -cacerts -nokeys -out /home/elk/elasticsearch-7.2.0/config/certs/elastic-ca.pem //生成證書
第三步:在kibana.yml中配置:
server.host: "192.168.52.127"
server.port: 5601
elasticsearch.hosts:["https://localhost:9200"]
elasticsearch.username: "elastic"
elasticsearch.password: "123456"
elasticsearch.ssl.certificateAuthorities: /home/elk/elasticsearch-7.2.0/config/certs/elastic-ca.pem
elasticsearch.ssl.verificationMode: certificate
4)在瀏覽器中輸入http://192.168.52.127:5601/啓動kibana,在devtool中操作
get /
發現可正常調用ES的接口。
b.配置使用https訪問kibana
第一步:bin/elasticsearch-certutil ca --pem 
第二步:解壓elastic-stack-ca.zip
yum install -y unzip zip //安裝unzip
unzip elastic-stack-ca.zip //將上述zip解壓
第三步:在kibana.yml中添加如下配置:
server.ssl.enabled: true
server.ssl.certificate: /home/elk/elasticsearch-7.2.0/config/certs/ca/ca.crt
server.ssl.key: /home/elk/elasticsearch-7.2.0/config/certs/ca/ca.key
第四步:啓動kibana,bin/kibana
使用http訪問kibana,不能訪問;https就可以了。
特別注意:因爲在上述證書生成時,我是直接回車沒有設置密碼的,如果你給證書設置了密碼,參考https://www.elastic.co/guide/en/elasticsearch/reference/7.2/configuring-tls.html,記得如下操作:
參考資料:
https://www.elastic.co/guide/en/elasticsearch/reference/7.2/secure-cluster.html
http://gk.link/a/10jw7