elasticsearch使用x-pack安全验证

发布时间:2020-07-10 15:08:06 作者:疯狂小二丶
来源:网络 阅读:2492

elasticsearch、kibana、logstash版本:7.3.2


192.168.3.100elasticsearch
192.168.3.101elasticsearch
192.168.3.102elasticsearch、kibana


#使用es自带工具生成CA及证书
ES_HOME=/usr/local/elasticsearch
$ES_HOME/bin/elasticsearch-certutil ca
$ES_HOME/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
mkdir $ES_HOME/config/certs && mv $ES_HOME/elastic-* $ES_HOME/config/certs

elasticsearch使用x-pack安全验证

复制证书到其他es节点


#es配置文件(es1为例)
elasticsearch.yml
cluster.name: my-es
node.name: es-1
node.master: true 
node.data: true
node.ingest: false
path.data: /usr/local/elasticsearch/data/
path.logs: /usr/local/elasticsearch/log/
network.host: 0.0.0.0
http.port: 9200
transport.port: 9300
transport.compress: true
discovery.seed_hosts: ["192.168.3.100:9300","192.168.3.101:9300","192.168.3.102:9300"]
cluster.initial_master_nodes: ["192.168.3.100:9300","192.168.3.101:9300","192.168.3.102:9300"]
#head插件
http.cors.enabled: true
http.cors.allow-origin: "*"
#开启安全功能
xpack.security.enabled: true
#集群内部通信加密
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12


#使用systemd管理es
/usr/lib/systemd/system/elasticsearch.service
[Unit]
Description=Elasticsearch
Documentation=http://www.elastic.co
Wants=network-online.target
After=network-online.target
[Service]
User=es
Group=es
LimitNOFILE=100000
LimitNPROC=100000
ExecStart=/usr/local/elasticsearch/bin/elasticsearch
[Install]
WantedBy=multi-user.target


#启动es集群;设置默认账户密码
#自动生成密码
$ES_HOME/bin/elasticsearch-setup-passwords auto

elasticsearch使用x-pack安全验证

#手动设置密码
$ES_HOME/bin/elasticsearch-setup-passwords interactive


#Kibana相关证书
Kibana_HOME=/usr/local/kibana
#kibana连接es加密需要使用pem证书
cd  $ES_HOME/config/certs
#证书转换
openssl pkcs12 -in elastic-certificates.p12 -out elastic-certificates.pem -nodes
mkdir $Kibana_HOME/config/certs && mv elastic-certificates.pem $Kibana_HOME/config/certs
#https证书
$ES_HOME/bin/elasticsearch-certutil ca --pem
mv $ES_HOME/elastic-stack-ca.zip $Kibana_HOME/config/certs && unzip $Kibana_HOME/config/certs/elastic-stack-ca.zip



#kibana配置文件
kibana.yml
server.host: "192.168.3.102"
elasticsearch.hosts: ["http://192.168.3.102:9200","http://192.168.3.101:9200","http://192.168.3.102:9200"]
elasticsearch.username: "kibana"
elasticsearch.password: "ukCAClFof70DU5mWnHC7"
logging.dest: /usr/local/kibana/log/kibana.log
logging.quiet: true
#启用https访问kibana;使用私有证书会有访问日志报错的问题
#server.ssl.enabled: true
#server.ssl.certificate: /usr/local/kibana/config/certs/ca/ca.crt
#server.ssl.key: /usr/local/kibana/config/certs/ca/ca.key
#启用elasticsearch连接加密
elasticsearch.ssl.certificateAuthorities: [ "/usr/local/kibana/config/certs/elastic-certificates.pem" ]
elasticsearch.ssl.verificationMode: certificate


#systemd管理kibana
/usr/lib/systemd/system/kibana.service
[Unit]
Description=Kinaba
Documentation=http://www.elastic.co
Wants=network-online.target
After=network-online.target
[Service]
User=kibana
Group=kibana
ExecStart=/usr/local/kibana/bin/kibana
[Install]
WantedBy=multi-user.target


#logstash示例
input {
  stdin {
  }
}
output {
  elasticsearch {
    hosts => ["http://192.168.3.100:9200","http://192.168.3.101:9200","http://192.168.3.102:9200"]
    index => "test-%{+YYYY.MM.dd}"
    user => "elastic"
    password => "HkqZIHZsuXSv6B5OwqJ7"
  }
}



使用PKCS12配置logstash=>es安全加密未成功(有大佬成功的话私信或者评论下),可以参考下面链接使用PEM方式来完成各组件之间的安全通信

https://www.elastic.co/cn/blog/configuring-ssl-tls-and-https-to-secure-elasticsearch-kibana-beats-and-logstash#step-5-2


参考:

https://www.elastic.co/guide/en/elastic-stack-overview/7.3/ssl-tls.html

https://www.elastic.co/guide/en/elasticsearch/reference/7.3/configuring-security.html

https://www.elastic.co/guide/en/kibana/7.3/using-kibana-with-security.html

https://www.elastic.co/guide/en/kibana/7.3/configuring-tls.html

推荐阅读:
  1. x-pack破解
  2. elasticsearch如何安全加固?

免责声明:本站发布的内容(图片、视频和文字)以原创、转载和分享为主,文章观点不代表本网站立场,如果涉及侵权请联系站长邮箱:is@yisu.com进行举报,并提供相关证据,一经查实,将立刻删除涉嫌侵权内容。

x-pack认证 x-pack

上一篇:统计学bootstrap能够解决什么问题

下一篇:mongodb删除用户和密码的方法

相关阅读

您好,登录后才能下订单哦!

密码登录
登录注册
其他方式登录
点击 登录注册 即表示同意《亿速云用户服务条款》