After adding password protection to the minimal security configuration, the next step is to configure Transport Layer Security (TLS). The transport layer carries all internal communication between the nodes of a cluster. If the cluster has more than one node, TLS must be configured between the nodes; with security enabled, a production-mode cluster refuses to start otherwise. The transport layer relies on mutual TLS to encrypt traffic and to authenticate nodes: correctly applied, it ensures that a rogue node cannot join the cluster and exchange data with the other nodes. Username and password authentication on the HTTP layer is useful for protecting a local cluster, but securing node-to-node communication requires TLS. Configuring TLS between nodes is the baseline security setting that keeps unauthorized nodes out of your cluster.
Traditional installation
Cluster setup
1. Generate the certificate authority (CA). The resulting elastic-stack-ca.p12 contains the CA private key; anyone holding it can issue certificates the cluster trusts, so keep it off the nodes and protect its password.
./bin/elasticsearch-certutil ca
Please enter the desired output file [elastic-stack-ca.p12]: press Enter here
Enter password for elastic-stack-ca.p12 : enter a password, snail in this example (it may also be left empty)
2. On any one node of the cluster, generate the node certificate and private key. Without --dns or --ip the certificate carries no hostnames, which is why step 5 uses verification_mode: certificate; note that this single file (and therefore one private key) is shared by every node.
./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
Enter password for CA (elastic-stack-ca.p12) : enter the password from above
Please enter the desired output file [elastic-certificates.p12]: press Enter
Enter password for elastic-certificates.p12 : enter the password from above
3. The certificate elastic-certificates.p12 has now been generated. Copy it into the config directory of every node:
/usr/local/elasticsearch/config
4. On every node, store the keystore and truststore passwords in the Elasticsearch keystore (each command prompts for the password chosen in step 2):
./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
5. Edit elasticsearch.yml on every node. Be careful not to leave stray spaces. In the TLS block, client_authentication: required is what makes the TLS mutual, and verification_mode: certificate checks only that the peer certificate is signed by the CA (no hostname or IP check), which is all the certificate from step 2 allows.
# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
#       Before you set out to tweak and tune the configuration, make sure you
#       understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
cluster.name: my-es
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
node.name: node-3
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
path.data: /usr/local/es/data
#
# Path to log files:
#
path.logs: /usr/local/es/logs
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
#bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# By default Elasticsearch is only accessible on localhost. Set a different
# address here to expose this node on the network:
#
network.host: 0.0.0.0
#
# By default Elasticsearch listens for HTTP traffic on the first free port it
# finds starting at 9200. Set a specific HTTP port here:
#
http.port: 9200
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
discovery.seed_hosts: ["192.168.139.160","192.168.139.161", "192.168.139.162"]
#
# Bootstrap the cluster using an initial set of master-eligible nodes:
#
cluster.initial_master_nodes: ["node-1", "node-2","node-3"]
#
# For more information, consult the discovery and cluster formation module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Require explicit names when deleting indices:
#
#action.destructive_requires_name: true

# password-based security
xpack.security.enabled: true
http.cors.allow-headers: Authorization
xpack.license.self_generated.type: basic
# single-node mode
#discovery.type: single-node
# certificates
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
6. Give the Elasticsearch user ownership of the certificate file. Because the .p12 holds the node's private key, it should also not be readable by other users (mode 600 is enough for Elasticsearch).
chown -R snail_es.es /usr/local/elasticsearch/
7. Set the passwords for the built-in users. Every node must be running. Use one of the two modes, and run it only once: afterwards the bootstrap password is no longer valid and further changes go through the change-password API. The output below is from the author's auto run; your generated values will differ.
./bin/elasticsearch-setup-passwords interactive    # choose each password yourself
./bin/elasticsearch-setup-passwords auto           # let the tool generate them
Changed password for user apm_system
PASSWORD apm_system = Yu0vjHZxkCBXuGnTM9VM
Changed password for user kibana_system
PASSWORD kibana_system = oNXyGWsWHLC3VllVb4Qb
Changed password for user kibana
PASSWORD kibana = oNXyGWsWHLC3VllVb4Qb
Changed password for user logstash_system
PASSWORD logstash_system = XFd1IoqZAgt7scdxwXN2
Changed password for user beats_system
PASSWORD beats_system = 1oENHpgMQLeLyiugkmRy
Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = bjGZqG7SxffKciVJRxsX
Changed password for user elastic
PASSWORD elastic = cGKuMaWGZLBaSSDW7qKX
elastic: a built-in superuser.
kibana_system: the user Kibana uses to connect to and communicate with Elasticsearch.
logstash_system: the user Logstash uses when storing monitoring information in Elasticsearch.
beats_system: the user Beats uses when storing monitoring information in Elasticsearch.
apm_system: the user the APM server uses when storing monitoring information in Elasticsearch.
remote_monitoring_user: the user Metricbeat uses when collecting and storing monitoring information in Elasticsearch. It has the built-in roles remote_monitoring_agent and remote_monitoring_collector.
8. Done.
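As an added example (not part of the original guide), here is a pre-flight check in POSIX shell for what steps 5 and 6 set up. It reads the flat key: value lines of an elasticsearch.yml, confirms the transport-TLS keys are present and strict, reports verification_mode: certificate as a warning (CA signature checked, no hostname check, since the certificate from step 2 carries none), rejects none, and checks that the .p12 holding the node key is not readable by group or others. The two configuration fragments and the empty stand-in .p12 it runs on are constructed for the demo; the function names es_setting, check_transport_tls and check_key_file are my own. The same check applies unchanged to the Docker variant below, whose elasticsearch.yml is identical.

```shell
#!/bin/sh
# Added example, not from the original guide: lint an elasticsearch.yml for the
# transport-TLS settings the guide configures and check the permissions of the
# PKCS#12 file that holds the node's private key. Assumes settings are written
# as flat "key: value" lines (the form the guide's file uses); nested YAML is not handled.

# es_setting FILE KEY -> prints the value of KEY (last active occurrence), empty if unset
es_setting() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                        # skip comment lines
        {
            line = $0
            sub(/[ \t]#.*$/, "", line)             # drop trailing inline comments
            i = index(line, ":")
            if (i == 0) next
            k = substr(line, 1, i - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            v = substr(line, i + 1);    gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# expect_setting FILE KEY WANT -> prints OK/FAIL, returns 1 on mismatch
expect_setting() {
    got=$(es_setting "$1" "$2")
    if [ "$got" = "$3" ]; then
        echo "OK   $2=$3"
    else
        echo "FAIL $2=${got:-<unset>} (want $3)"
        return 1
    fi
}

# check_transport_tls FILE -> 0 only if every mandatory setting is present and strict
check_transport_tls() {
    rc=0
    expect_setting "$1" xpack.security.enabled true || rc=1
    expect_setting "$1" xpack.security.transport.ssl.enabled true || rc=1
    expect_setting "$1" xpack.security.transport.ssl.client_authentication required || rc=1
    for k in xpack.security.transport.ssl.keystore.path \
             xpack.security.transport.ssl.truststore.path; do
        if [ -n "$(es_setting "$1" "$k")" ]; then echo "OK   $k is set"
        else echo "FAIL $k is not set"; rc=1; fi
    done
    case "$(es_setting "$1" xpack.security.transport.ssl.verification_mode)" in
        full) echo "OK   verification_mode=full (CA signature plus hostname/IP check)" ;;
        "")   echo "OK   verification_mode unset, Elasticsearch defaults to full" ;;
        certificate)
              echo "WARN verification_mode=certificate: any cert signed by the CA is accepted for any host" ;;
        *)    echo "FAIL verification_mode must be full (or certificate), not none"; rc=1 ;;
    esac
    return $rc
}

# check_key_file PATH -> 1 if the .p12 is missing or readable by group/others
check_key_file() {
    [ -f "$1" ] || { echo "FAIL $1 missing"; return 1; }
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %OLp "$1")   # GNU stat, then BSD stat
    case "$mode" in
        *00) echo "OK   $1 mode $mode"; return 0 ;;
        *)   echo "FAIL $1 mode $mode: private key readable beyond its owner"; return 1 ;;
    esac
}

# write_sample_configs DIR -> two constructed fragments: weak.yml (TLS on paper,
# validation switched off) and hardened.yml (the guide's block with verification_mode full)
write_sample_configs() {
    cat > "$1/weak.yml" <<'EOF'
cluster.name: my-es
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: none
xpack.security.transport.ssl.client_authentication: optional
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
EOF
    cat > "$1/hardened.yml" <<'EOF'
cluster.name: my-es
#discovery.type: single-node
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: full
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
EOF
}

# Demo on constructed input. Against a real node:
#   check_transport_tls /usr/local/elasticsearch/config/elasticsearch.yml
#   check_key_file /usr/local/elasticsearch/config/elastic-certificates.p12
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
: > "$demo_dir/elastic-certificates.p12"          # empty stand-in for the real PKCS#12
chmod 644 "$demo_dir/elastic-certificates.p12"
echo "== weak.yml";     check_transport_tls "$demo_dir/weak.yml"
echo "== hardened.yml"; check_transport_tls "$demo_dir/hardened.yml"
echo "== key file";     check_key_file "$demo_dir/elastic-certificates.p12"
chmod 600 "$demo_dir/elastic-certificates.p12";  check_key_file "$demo_dir/elastic-certificates.p12"
rm -rf "$demo_dir"
```

With the guide's own file the result is all OK plus one WARN for verification_mode: certificate; moving to full requires regenerating the node certificates with --dns/--ip (or per-node certificates) so that the peer's address can be checked.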
Docker installation
1. Create the mount directories and set permissions. chmod 777 makes the whole tree, certificate included, world-writable; the official image runs Elasticsearch as uid:gid 1000:0, so chown -R 1000:0 /data/es is the tighter alternative.
[root@localhost ~]# mkdir -p /data/es/{conf,data,logs,plugins}
# grant permissions
[root@localhost ~]# chmod 777 -R /data/
2. Enter the container and generate the certificates
docker exec -it elasticsearch /bin/bash
./bin/elasticsearch-certutil ca
# on any one node of the cluster, generate the node certificate and private key
./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
3. Copy the certificate out of the container to the host (here /root), then place it in the mounted config directory /data/es/conf of every node
# copy out of the container
docker cp elasticsearch:/usr/share/elasticsearch/elastic-certificates.p12 /root
4. Copy the certificate into each node's container and store the passwords (the keystore commands run inside the container, on every node)
docker cp /data/es/conf/elastic-certificates.p12 elasticsearch:/usr/share/elasticsearch/config
# store the passwords; run on every node
./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
5. Edit the configuration file exactly as in the traditional installation above.
6. Enter the container and set the passwords
docker exec -it elasticsearch /bin/bash
./bin/elasticsearch-setup-passwords interactive    # choose each password yourself
./bin/elasticsearch-setup-passwords auto           # let the tool generate them
7. Restart the container, or create a new one. Note that this command bind-mounts only elasticsearch.yml: a freshly created container will not contain the certificate copied in step 4 or the keystore entries added there unless those files are mounted as well. --privileged is not required by Elasticsearch and grants the container full access to the host.
docker run --name elasticsearch --privileged=true --net=host \
  -v /data/es/conf/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml \
  -v /data/es/data:/usr/share/elasticsearch/data \
  -v /data/es/logs:/usr/share/elasticsearch/logs \
  -v /data/es/plugins:/usr/share/elasticsearch/plugins \
  -d elasticsearch:7.14.2
8. Done.
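As an added example (not part of the original guide), a shell wrapper for the Docker procedure above. It refuses to start the node until elasticsearch.yml, the PKCS#12 that its keystore.path names and elasticsearch.keystore are all present in the mounted config directory; it bind-mounts those three files individually so they survive removing and re-creating the container while jvm.options and the other config files keep coming from the image; and it omits --privileged. The /data/es layout, the image elasticsearch:7.14.2 and --net=host are the guide's; the function names es_prepare_dirs, es_preflight and es_run, the DRY_RUN switch, the uid:gid 1000:0 of the official image and the temporary tree the demo builds are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide: run the node with every security
# artifact on a bind mount and without --privileged. Assumes the guide's /data/es
# layout and the official image's container user uid:gid 1000:0.

# es_prepare_dirs BASE -> create the mount tree owned by the container user instead
# of chmod 777 (needs root on the host; not exercised by the demo below)
es_prepare_dirs() {
    mkdir -p "$1/conf" "$1/data" "$1/logs" "$1/plugins"
    chown -R 1000:0 "$1"
    chmod 750 "$1/conf"                 # key material: owner and group 0 only
}

# es_preflight CONF_DIR -> 0 if elasticsearch.yml, the PKCS#12 it points at and the
# keystore holding the secure_password entries are all present; 1 on the first gap
es_preflight() {
    for f in elasticsearch.yml elastic-certificates.p12 elasticsearch.keystore; do
        [ -f "$1/$f" ] || { echo "FAIL $1/$f missing (create it in a container, then docker cp it out)"; return 1; }
    done
    ks=$(sed -n 's/^xpack\.security\.transport\.ssl\.keystore\.path:[[:space:]]*//p' "$1/elasticsearch.yml" | tail -n 1)
    [ -n "$ks" ] || { echo "FAIL keystore.path not set in elasticsearch.yml"; return 1; }
    [ -f "$1/$ks" ] || { echo "FAIL keystore.path=$ks is not present in $1"; return 1; }
    echo "OK   $1 holds config, certificate ($ks) and keystore"
}

# es_run BASE IMAGE -> start the container after the pre-flight check;
# with DRY_RUN=1 print the command, one token per line, instead of running it
es_run() {
    base=$1; image=$2
    set -- docker run -d --name elasticsearch --net=host \
        -v "$base/conf/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml" \
        -v "$base/conf/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12" \
        -v "$base/conf/elasticsearch.keystore:/usr/share/elasticsearch/config/elasticsearch.keystore" \
        -v "$base/data:/usr/share/elasticsearch/data" \
        -v "$base/logs:/usr/share/elasticsearch/logs" \
        -v "$base/plugins:/usr/share/elasticsearch/plugins" \
        "$image"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$@"
    else
        es_preflight "$base/conf" && "$@"
    fi
}

# Demo on a constructed mount tree. Real use on a node host:
#   es_prepare_dirs /data/es && es_run /data/es elasticsearch:7.14.2
demo=$(mktemp -d)
mkdir -p "$demo/conf"
printf 'xpack.security.transport.ssl.keystore.path: elastic-certificates.p12\n' > "$demo/conf/elasticsearch.yml"
: > "$demo/conf/elastic-certificates.p12"
es_preflight "$demo/conf"            # FAIL: keystore not yet copied out of the container
: > "$demo/conf/elasticsearch.keystore"
es_preflight "$demo/conf"            # OK
DRY_RUN=1
es_run "$demo" elasticsearch:7.14.2
rm -rf "$demo"
```

After step 4 the certificate and keystore live inside the container at /usr/share/elasticsearch/config; docker cp both of them into /data/es/conf on the host before the first es_run, exactly as the guide already does for the certificate in step 3.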