ELK Kibana 8.3.2 login authentication

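I looked through quite a few articles online and could not find one for version 8.3.2, so I tried it myself and am recording the configuration process here: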


First, modify the es configuration file:

# Enable security features
xpack.security.enabled: true    # changed to true here

xpack.security.enrollment.enabled: false

# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
  enabled: false
  keystore.path: certs/http.p12

# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: true                  # changed to true here
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12

Trying to connect kibana to es with the elastic user

Reset the elastic user's password:

sudo /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic
# A password is generated automatically:
ZYpacazIAXCEfp******

kibana 8.3.2 reports an error when the elastic user is used:

# Modify kibana.yml:
elasticsearch.username: "elastic"
elasticsearch.password: "ZYpacazIAXCEfp******"

# It reports that the elastic user should not be used for the connection:
Jul 25 16:42:14 fei kibana[10771]:  FATAL  Error: [config validation of [elasticsearch].username]: value of "elastic" is forbidden. This is a superuser account that cannot write to system indices that Kibana needs to function. Use a service account token instead. 


Adding a user and user operations

A user needs to be added in es:

fei@fei:~$ sudo /usr/share/elasticsearch/bin/elasticsearch-users useradd logadmin
Enter new password: 123456
Retype new password:

# After modifying kibana.yml to add the es username and password, it reports that logadmin has no role bound:
[ERROR][elasticsearch-service] Unable to retrieve version information from Elasticsearch nodes. security_exception: [security_exception] Reason: action [cluster:monitor/nodes/info] is unauthorized for user [logadmin] with roles [], this action is granted by the cluster privileges [monitor,manage,all]

# Command for viewing and configuring roles:
fei@fei:~$ sudo /usr/share/elasticsearch/bin/elasticsearch-users
……
Commands
--------
useradd - Adds a file user
userdel - Deletes a file based user
passwd - Changes the password of an existing file based user
roles - Edit roles of an existing user
list - List existing file based users and their corresponding roles

# Role list:
Warning: The following roles [all] are not in the [/etc/elasticsearch/roles.yml] file. Make sure the names are correct. If the names are correct and the roles were created using the API please disregard this message. Nonetheless the user will still be associated with all specified roles
Known roles: [watcher_admin, apm_system, viewer, logstash_system, rollup_user, kibana_user, beats_admin, remote_monitoring_agent, rollup_admin, snapshot_user, data_frame_transforms_admin, monitoring_user, enrich_user, kibana_admin, logstash_admin, editor, data_frame_transforms_user, machine_learning_user, machine_learning_admin, watcher_user, apm_user, beats_system, transform_user, reporting_user, kibana_system, transform_admin, remote_monitoring_collector, transport_client, superuser, ingest_admin]

User role management:

# Add a grant:
# superuser allows port 9200 of es to be opened normally; kb and es only connect properly once kibana_system is configured
fei@fei:~$ sudo /usr/share/elasticsearch/bin/elasticsearch-users roles -a superuser logadmin
fei@fei:~$ sudo /usr/share/elasticsearch/bin/elasticsearch-users roles -a kibana_system logadmin

# Remove a grant:
fei@fei:~$ sudo /usr/share/elasticsearch/bin/elasticsearch-users roles -r kibana_admin logadmin

# View grants:
fei@fei:~$ sudo /usr/share/elasticsearch/bin/elasticsearch-users roles -v logadmin
logadmin       : kibana_system,superuser

The logstash configuration file also needs to be modified; the roles configuration does not need to be changed again:

output {
    # also send to elasticsearch
    elasticsearch {
        index => "syslog-%{+YYYY.MM.dd}"
        hosts => ["172.31.0.135:9200"]
        user => "logadmin"
        password => "123456"
    }
}
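
The check below is an added example, not part of the original post: it reads `elasticsearch-users roles -v` output in the format shown above and reports which client configurations (kibana.yml, a Logstash output) log in with an account that holds `superuser` or combines a reserved system role with other roles. The function names, the second finding (a heuristic) and the sample inputs are assumptions constructed from the values on this page.

```python
import re

BROAD_ROLES = {"superuser"}  # full control of the cluster
# Reserved roles for the stack's own system accounts (taken from the "Known roles" list)
SYSTEM_ROLES = {"kibana_system", "logstash_system", "beats_system", "apm_system"}
ROLE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")


def parse_roles(listing):
    """Parse 'user : role1,role2' lines as printed by `elasticsearch-users roles -v`."""
    users = {}
    for line in listing.splitlines():
        m = re.match(r"^\s*([^\s:#]+)\s*:\s*(.+)$", line)
        if not m:
            continue
        roles = [r.strip() for r in m.group(2).split(",")]
        if all(ROLE_NAME.match(r) for r in roles):  # skips warnings and shell prompts
            users[m.group(1)] = set(roles)
    return users


def client_users(config_text):
    """Usernames set in kibana.yml (elasticsearch.username) or a Logstash output (user =>)."""
    pat = r'^\s*(?:elasticsearch\.username\s*:|user\s*=>)\s*"([^"]+)"'
    return set(re.findall(pat, config_text, flags=re.M))


def audit(listing, configs):
    """Return (config name, user, finding) for every client login that is over-privileged."""
    users, findings = parse_roles(listing), []
    for name, text in sorted(configs.items()):
        for user in sorted(client_users(text)):
            roles = users.get(user, set())
            if roles & BROAD_ROLES:
                findings.append((name, user, "holds superuser"))
            if roles & SYSTEM_ROLES and roles - SYSTEM_ROLES:
                findings.append((name, user, "mixes a system role with other roles"))
    return findings


# Constructed sample inputs, built from the values shown on this page
ROLES_OUTPUT = "logadmin       : kibana_system,superuser\n"
CONFIGS = {
    "kibana.yml": 'elasticsearch.username: "logadmin"\nelasticsearch.password: "<redacted>"\n',
    "logstash.conf": 'output {\n  elasticsearch {\n    user => "logadmin"\n  }\n}\n',
}

if __name__ == "__main__":
    for finding in audit(ROLES_OUTPUT, CONFIGS):
        print(finding)
```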

posted @ 2022-07-27 15:05  飞飞6779