3.1、Elasticsearch集群内部通信加密和身份安全认证功能

开启Elasticsearch集群内部通信加密和身份安全认证功能

在 6.8 之前免费版本并不包含安全认证功能，之后版本有开放一些基础认证功能；为了防止各种事故，一般都会设置es集群的访问密码；设置访问密码的前提必须要设置集群证书，不然es启动报错。
关于设置证书的作用，简单来说就是为ES集群内部节点之间的安全通信进行加密，他的原理就是为每一个节点添加一个CA证书，只有持有相同CA证书的节点才能加入集群中。

如果是单节点的话也是按照如下配置即可

1.修改ES集群配置文件

#所有节点都需要做以下配置

cd /usr/local/elasticsearch-7.6.1/config/

vim elasticsearch.yml

#新增下列项，开启x-pack功能，并指定证书位置
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

2.生成TLS证书

#选中其中一个节点即可

cd /usr/local/elasticsearch-7.6.1/bin

./elasticsearch-certutil cert -out config/elastic-certificates.p12 -pass ""

#执行完成后会在ES目录的config目录下生成elastic-certificates.p12文件

ls /usr/local/elasticsearch-7.6.1/config/

1	`elastic-certificates.p12 elasticsearch.keystore elasticsearch.yml jvm.options log4j2.properties role_mapping.yml roles.yml` `users` `users_roles`

生成出来的elastic-certificates.p12文件需复制给ES的其他节点的config目录下

3.重启ES集群使配置生效

su - es

#通过kill命令先杀掉es进程

cd /usr/local/elasticsearch-7.6.1/bin/

nohup ./elasticsearch &

4.生成ES身份安全认证用户密码

cd /usr/local/elasticsearch-7.6.1/bin

#ES需是启动状态，在其中一个节点设置密码即可，设置完之后，数据会自动同步到其他节点(后面加入的ES节点，也会自动同步)。

./elasticsearch-setup-passwords auto

#该方式会自动帮我们设置好密码，若想一开始就手动设置，可更改成使用./elasticsearch-setup-passwords interactive命令

future versions of Elasticsearch will require Java 11; your Java version from [/usr/local/java/jdk1.8.0_60/jre] does not meet this requirement
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
The passwords will be randomly generated and printed to the console.
Please confirm that you would like to continue [y/N]y
 
 
Changed password for user apm_system
PASSWORD apm_system = WG8ltzIMVDnyZp1TKUkL
 
Changed password for user kibana
PASSWORD kibana = RPqBrGh1P7A2NxSGxoq8
 
Changed password for user logstash_system
PASSWORD logstash_system = zigtbsMWFKWS2n9NaqV2
 
Changed password for user beats_system
PASSWORD beats_system = HczYXRh4YYO98sMjLZOa
 
Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = hLGaUwPRZosIwGzSUu6I
 
Changed password for user elastic
PASSWORD elastic = E8r1ucoTxQJ0fWopnnYe

可参考Elasticsearch用户说明

5.验证

此时再访问es就会发现需要用户密码登录了

此时使用原来的命令查看ES集群节点状态，发现是会报错的

curl -XGET "localhost:9200/_cat/nodes?v"

{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/_cat/nodes?v]","header":{"WWW-Authenticate":"Basic realm=\"secu

rity\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"missing authentication credentials for REST request [/_cat/nodes?v]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401}

方式一：附带访问密码访问

curl --user elastic:E8r1ucoTxQJ0fWopnnYe -XGET "localhost:9200/_cat/nodes?v"

方式二：单独输入密码访问

curl --user elastic -XGET "localhost:9200/_cat/nodes?v"

ES配置身份安全认证后，其他组件若想访问ES，也是需要进行相关配置的，详细可参考Kibana组件访问带有安全认证的Elasticsearch集群、Elasticsearch-head组件访问带有安全认证的Elasticsearch集群、Logstash组件访问带有安全认证的Elasticsearch集群