I. Single-node Elasticsearch test
1. Add to elasticsearch.yml
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
2. Set passwords for all built-in users:
[root@ansible elasticsearch]# /usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y

Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana]:
Reenter password for [kibana]:
Passwords do not match.
Try again.
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]
3. Test
[root@ansible elasticsearch]# curl http://192.168.86.128:9200/_cat/health?v -u elastic
Enter host password for user 'elastic':
epoch      timestamp cluster       status node.total node.data shards pri relo init unassign pending_tasks max_task_wait_time active_shards_percent
1650520371 05:52:51  elasticsearch yellow          1         1      2   2    0    0        1             0                  -                 66.7%
II. Elasticsearch cluster (the environment is limited, so this was tested with two nodes)
1. Add to elasticsearch.yml
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
After the service starts, it logs this warning:
[2022-04-21T14:09:54,656][WARN ][o.e.t.TcpTransport ] [ansible] exception caught on transport layer [Netty4TcpChannel{localAddress=0.0.0.0/0.0.0.0:9300, remoteAddress=/192.168.86.129:49038}], closing connection io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: no cipher suites in common
Because xpack.security.enabled=true turns on the security features, TLS must be used so that communication between nodes is encrypted.
Run: /usr/share/elasticsearch/bin/elasticsearch-certutil ca
Notes:
a. At the "Enter password" prompt you may enter a password or leave it blank; if you set one, remember it, because it is needed later.
b. Default output path of the generated CA: /usr/share/elasticsearch
[root@ansible elasticsearch]# /usr/share/elasticsearch/bin/elasticsearch-certutil ca
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.

Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority

By default the 'ca' mode produces a single PKCS#12 output file which holds:
    * The CA certificate
    * The CA's private key

If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key

Please enter the desired output file [elastic-stack-ca.p12]:
Enter password for elastic-stack-ca.p12 :
2. Generate a certificate and private key for every node in the cluster
Copy elastic-stack-ca.p12 to every ES node and run: bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
Enter password for CA (elastic-stack-ca.p12) :          <- enter the password chosen when the CA was created
Please enter the desired output file [elastic-certificates.p12]:
Enter password for elastic-certificates.p12 :            <- if you set a password here, it must be added to the keystore configuration
Certificates written to /usr/share/elasticsearch/elastic-certificates.p12
Copy the elastic-certificates.p12 generated on each node to /etc/elasticsearch/config:
mkdir /etc/elasticsearch/config ; mv /usr/share/elasticsearch/elastic-certificates.p12 /etc/elasticsearch/config ; chmod +r /etc/elasticsearch/config/elastic-certificates.p12
3. Add to elasticsearch.yml
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: config/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: config/elastic-certificates.p12
If the node certificate was given a password, add it to the keystore here:
bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
If this is not done, the service fails to start and journalctl -xe reports:
otstrap.BootstrapException: org.elasticsearch.cli.UserException: unable to create temporary keystore at [/etc/elasticsearch/elasticsearch.keystore.tmp], please check filesystem permission
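To check that a node's elasticsearch.yml actually carries the settings from steps 1 and 3 before restarting, here is a small audit script (added example, not from the original post or from Elastic). It parses only the flat `key: value` lines elasticsearch.yml uses, reports any required transport-TLS setting that is missing or weakened (for example verification_mode: none), and separately warns when xpack.security.http.ssl.enabled is not set, since the curl checks in this post still send the elastic password over plain http://.

```python
import re

# Settings the post adds for a cluster node: a tuple lists acceptable values,
# None means any non-empty value (a path).
REQUIRED = {
    "xpack.security.enabled": ("true",),
    "xpack.security.transport.ssl.enabled": ("true",),
    "xpack.security.transport.ssl.verification_mode": ("certificate", "full"),
    "xpack.security.transport.ssl.keystore.path": None,
    "xpack.security.transport.ssl.truststore.path": None,
}
_LINE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*:\s*(.*?)\s*$")

def parse_settings(text):
    """Parse flat `key: value` lines of elasticsearch.yml; comments and blanks are skipped."""
    settings = {}
    for raw in text.splitlines():
        m = _LINE.match(raw.split("#", 1)[0])   # drop trailing comments
        if m:
            settings[m.group(1)] = m.group(2).strip("\"'")
    return settings

def audit(text):
    """Return (severity, message) findings; no 'error' entries means transport TLS matches step 3."""
    s = parse_settings(text)
    findings = []
    for key, allowed in REQUIRED.items():
        val = s.get(key, "")
        if val == "":
            findings.append(("error", f"{key} is not set"))
        elif allowed is not None and val not in allowed:
            findings.append(("error", f"{key}={val}, expected one of {'/'.join(allowed)}"))
    # The post encrypts only node-to-node traffic; its curl checks still use http://
    # with -u elastic, so the REST layer gets a warning of its own.
    if s.get("xpack.security.http.ssl.enabled", "false") != "true":
        findings.append(("warning", "xpack.security.http.ssl.enabled is not true; "
                                    "REST basic-auth credentials are sent in cleartext"))
    return findings

# Constructed samples mirroring the post: single-node (part I) and cluster (part II, step 3).
SINGLE_NODE_YML = "xpack.security.enabled: true\nxpack.security.transport.ssl.enabled: true\n"
CLUSTER_YML = """\
cluster.name: my_cluster
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate  # or full
xpack.security.transport.ssl.keystore.path: config/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: config/elastic-certificates.p12
"""
```

Run audit() on the contents of /etc/elasticsearch/elasticsearch.yml on each node; the single-node config from part I yields three errors because the keystore, truststore and verification_mode lines are absent.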
4. Restart the service: systemctl restart elasticsearch
5. Initialize the passwords
/usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive
6. Check the cluster status
[root@ansible elasticsearch]# curl http://192.168.86.128:9200/_cat/nodes?v -u elastic
Enter host password for user 'elastic':
ip             heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
192.168.86.129           14          98   0    0.01    0.02     0.00 mdi       *      elk
192.168.86.128           18          87   1    0.00    0.03     0.00 mdi       -      ansible
[root@ansible elasticsearch]# curl -X GET "192.168.86.128:9200/_cat/health?v" -u elastic
Enter host password for user 'elastic':
epoch      timestamp cluster    status node.total node.data shards pri relo init unassign pending_tasks max_task_wait_time active_shards_percent
1650526166 07:29:26  my_cluster green           2         2      4   2    0    0        0             0                  -                100.0%
[root@ansible elasticsearch]# curl -X GET "192.168.86.129:9200/_cat/health?v" -u elastic
Enter host password for user 'elastic':
epoch      timestamp cluster    status node.total node.data shards pri relo init unassign pending_tasks max_task_wait_time active_shards_percent
1650526181 07:29:41  my_cluster green           2         2      4   2    0    0        0             0                  -                100.0%
Reference (official documentation):
https://www.elastic.co/guide/en/elasticsearch/reference/7.1/configuring-tls.html
https://www.elastic.co/guide/en/elasticsearch/reference/7.1/built-in-users.html
Note: the Kibana service needs the following added to kibana.yml, and when logging in to the web UI you must use the elastic user; the kibana user gets a 403 error.
elasticsearch.username: "kibana"
elasticsearch.password: "654321"