2.ElasticSearch系列之集群权限认证

1. 在master节点上创建秘钥库

export ES_PATH_CONF="/home/elasticsearch/config" &&   /usr/local/elasticsearch-7.6.2/bin/elasticsearch-keystore create

2. 在所有节点中开启ssl认证

2.1 生成elastic-stack-ca.p12

/usr/local/elasticsearch-7.6.2/bin/elasticsearch-certutil ca

## 出现Please enter the desired output file [elastic-stack-ca.p12]:输入全路径  
/home/elasticsearch/config/certs/elastic-stack-ca.p12

2.2 生成证书：elastic-certificates.p12

/usr/local/elasticsearch-7.6.2/bin/elasticsearch-certutil cert --ca /home/elasticsearch/config/certs/elastic-stack-ca.p12

## 出现 Enter password for CA (/home/elasticsearch/config/certs/elastic-stack-ca.p12) : 数据刚才设置的证书密码
后出现Please enter the desired output file [elastic-certificates.p12]:，输入全路径
 /home/elasticsearch/config/certs/elastic-certificates.p12

2.3 将elasticsearch节点密码添加至elasticsearch-keystore

/usr/local/elasticsearch-7.6.2/bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password

/usr/local/elasticsearch-7.6.2/bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

2.3 将两个证书一个密码文件等拷贝至集群其他节点

scp -r /home/elasticsearch/config/certs elasticsearch@192.168.0.8:/home/elasticsearch/config/
scp /home/elasticsearch/config/elasticsearch.keystore elasticsearch@192.168.0.8:/home/elasticsearch/config/

2.4 在所有节点elasticsearch.yml中新增配置

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate 
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12 
xpack.security.transport.ssl.truststore.path:  certs/elastic-certificates.p12

3.5 在master节点上设置密码

export ES_PATH_CONF="/home/elasticsearch/config"  &&  IP="192.168.0.7" && name="HOST192.168.0.7" && /usr/local/elasticsearch-7.6.2/bin/elasticsearch-setup-passwords interactive  -Enode.name="HOST192.168.0.7" -Enetwork.host="192.168.0.7"

注意：1.此操作会对elasticsearch、logstash、kibana分别设置登录密码（默认es用户名为elastic，
logstash用户名为logstash_system，kibana用户名为kibana）.

2.这些内置用户存储在.security由X-Pack安全性管理的特殊索引中。如果更改了密码或禁用了用户，则该更改将自动反映在群集中的每个节点上。这也意味着如果您的.security索引被删除或从快照恢复，那么您应用的任何更改都将丢失。

4 验证权限

4.1 未输入用户

请求：curl http://192.168.0.8:9200/_cat/nodes?pretty
响应：{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "missing authentication credentials for REST request [/_cat/nodes?pretty]",
        "header" : {
          "WWW-Authenticate" : "Basic realm=\"security\" charset=\"UTF-8\""
        }
      }
    ],
    "type" : "security_exception",
    "reason" : "missing authentication credentials for REST request [/_cat/nodes?pretty]",
    "header" : {
      "WWW-Authenticate" : "Basic realm=\"security\" charset=\"UTF-8\""
    }
  },
  "status" : 401
}

4.2 输入用户及密码

curl -u elastic http://192.168.0.8:9200/_cat/nodes?pretty
Enter host password for user 'elastic':
192.168.0.7 10 78 6 0.02 0.13 0.13 dilm * HOST192.168.0.7
192.168.0.8  9 77 4 0.00 0.08 0.10 dilm - HOST192.168.0.8

OK,到此权限配置成功

欢迎关注公众号算法小生或沈健的技术博客