Using X-Pack security authentication with Elasticsearch
Elasticsearch, Kibana and Logstash version: 7.3.2
Host          | Role
------------- | ----------------------
192.168.3.100 | elasticsearch
192.168.3.101 | elasticsearch
192.168.3.102 | elasticsearch, kibana
Generate the CA and the node certificate with the tool shipped with Elasticsearch:

```shell
# generate the CA and certificates with the tool shipped with ES
ES_HOME=/usr/local/elasticsearch
$ES_HOME/bin/elasticsearch-certutil ca
$ES_HOME/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
mkdir $ES_HOME/config/certs && mv $ES_HOME/elastic-* $ES_HOME/config/certs
```

Copy the certificates to the other Elasticsearch nodes.
Elasticsearch configuration file (es-1 as the example), elasticsearch.yml:

```yaml
cluster.name: my-es
node.name: es-1
node.master: true
node.data: true
node.ingest: false
path.data: /usr/local/elasticsearch/data/
path.logs: /usr/local/elasticsearch/log/
network.host: 0.0.0.0
http.port: 9200
transport.port: 9300
transport.compress: true
discovery.seed_hosts: ["192.168.3.100:9300","192.168.3.101:9300","192.168.3.102:9300"]
cluster.initial_master_nodes: ["192.168.3.100:9300","192.168.3.101:9300","192.168.3.102:9300"]
# head plugin
http.cors.enabled: true
http.cors.allow-origin: "*"
# enable the security features
xpack.security.enabled: true
# encrypt communication inside the cluster
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
```
Manage Elasticsearch with systemd, /usr/lib/systemd/system/elasticsearch.service:

```ini
[Unit]
Description=Elasticsearch
Documentation=http://www.elastic.co
Wants=network-online.target
After=network-online.target

[Service]
User=es
Group=es
LimitNOFILE=100000
LimitNPROC=100000
ExecStart=/usr/local/elasticsearch/bin/elasticsearch

[Install]
WantedBy=multi-user.target
```
Start the Elasticsearch cluster and set the passwords of the built-in users:

```shell
# generate the passwords automatically
$ES_HOME/bin/elasticsearch-setup-passwords auto

# set the passwords interactively
$ES_HOME/bin/elasticsearch-setup-passwords interactive
```
Certificates for Kibana:

```shell
Kibana_HOME=/usr/local/kibana
# Kibana needs a PEM certificate to encrypt its connection to ES
cd $ES_HOME/config/certs
# convert the certificate
openssl pkcs12 -in elastic-certificates.p12 -out elastic-certificates.pem -nodes
mkdir $Kibana_HOME/config/certs && mv elastic-certificates.pem $Kibana_HOME/config/certs
# HTTPS certificate
$ES_HOME/bin/elasticsearch-certutil ca --pem
mv $ES_HOME/elastic-stack-ca.zip $Kibana_HOME/config/certs && unzip $Kibana_HOME/config/certs/elastic-stack-ca.zip
```
Kibana configuration file, kibana.yml:

```yaml
server.host: "192.168.3.102"
elasticsearch.hosts: ["http://192.168.3.100:9200","http://192.168.3.101:9200","http://192.168.3.102:9200"]
elasticsearch.username: "kibana"
elasticsearch.password: "ukCAClFof70DU5mWnHC7"
logging.dest: /usr/local/kibana/log/kibana.log
logging.quiet: true
# enable HTTPS access to Kibana; with a private certificate the access log reports errors
#server.ssl.enabled: true
#server.ssl.certificate: /usr/local/kibana/config/certs/ca/ca.crt
#server.ssl.key: /usr/local/kibana/config/certs/ca/ca.key
# enable encryption of the connection to Elasticsearch
elasticsearch.ssl.certificateAuthorities: [ "/usr/local/kibana/config/certs/elastic-certificates.pem" ]
elasticsearch.ssl.verificationMode: certificate
```
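Two things are worth checking against the elasticsearch.yml and kibana.yml above before trusting the setup. First, `xpack.security.transport.ssl.*` only encrypts node-to-node traffic; the REST layer stays plain HTTP unless `xpack.security.http.ssl.enabled` is also set, so the `elasticsearch.ssl.*` lines in kibana.yml have nothing to apply to while `elasticsearch.hosts` uses `http://`, and the kibana user's password crosses the network in clear text (the same holds for the Logstash output further down). Second, `http.cors.allow-origin: "*"` is there for the head plugin and should be narrowed in production. The script below is an added example, not code from the original post or from Elastic: it lints those settings offline against constructed copies of the post's configs (the password is a placeholder), and `es_auth_check` is a live test to run once the cluster is up. `bin/kibana-keystore` is Kibana's real secure-settings tool; the function and file names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: an offline lint of the
# security-relevant settings in elasticsearch.yml and kibana.yml as the post
# configures them, plus a live HTTP-layer check to run once the cluster is up.
# Setting names are Elastic's; the sample configs written by write_samples are
# constructed for the demo (the password is a placeholder).

# Drop comments and blank lines so commented-out settings are not matched
# (a '#' inside a quoted value is cut too, which is acceptable for this lint).
_active_lines() { sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"; }

# Returns 0 when security and node-to-node TLS are enabled; warns about a
# clear-text HTTP layer and about CORS being open to any origin.
es_security_lint() {
  cfg=$1; rc=0
  active=$(_active_lines "$cfg")
  echo "$active" | grep -q '^xpack\.security\.enabled:[[:space:]]*true' \
    || { echo "FAIL $cfg: xpack.security.enabled is not true"; rc=1; }
  echo "$active" | grep -q '^xpack\.security\.transport\.ssl\.enabled:[[:space:]]*true' \
    || { echo "FAIL $cfg: xpack.security.transport.ssl.enabled is not true"; rc=1; }
  echo "$active" | grep -q '^xpack\.security\.http\.ssl\.enabled:[[:space:]]*true' \
    || echo "WARN $cfg: HTTP-layer TLS is off; REST traffic and passwords travel in clear text"
  echo "$active" | grep -q '^http\.cors\.allow-origin:[[:space:]]*"\*"' \
    && echo "WARN $cfg: CORS allows any origin (the head plugin needs it; restrict it in production)"
  return $rc
}

# Returns 0 when kibana.yml is consistent: elasticsearch.ssl.* only applies to
# https:// hosts, so an http:// entry next to it means the CA setting is unused
# and the kibana user's password crosses the network in clear text. Duplicate
# host entries are flagged as well.
kibana_tls_lint() {
  cfg=$1; rc=0
  active=$(_active_lines "$cfg")
  hosts=$(echo "$active" | grep '^elasticsearch\.hosts:' | grep -oE 'https?://[^"]*' || true)
  if echo "$active" | grep -q '^elasticsearch\.ssl\.certificateAuthorities:'; then
    for h in $hosts; do
      case $h in
        https://*) ;;
        *) echo "FAIL $cfg: elasticsearch.ssl.* is set but $h is not https://"; rc=1 ;;
      esac
    done
  fi
  dups=$(echo "$hosts" | sort | uniq -d)
  [ -z "$dups" ] || { echo "FAIL $cfg: duplicate host entry: $dups"; rc=1; }
  echo "$active" | grep -q '^elasticsearch\.password:' \
    && echo "WARN $cfg: password in plain text; bin/kibana-keystore add elasticsearch.password avoids that"
  return $rc
}

# Live check once the cluster is up (not exercised offline): an anonymous
# request to the REST API must get 401, the same request with credentials 200.
# Usage: es_auth_check http://192.168.3.100:9200 elastic "$ELASTIC_PWD"
es_auth_check() {
  url=$1; user=$2; pass=$3
  anon=$(curl -s -o /dev/null -w '%{http_code}' "$url/" || true)
  auth=$(curl -s -o /dev/null -w '%{http_code}' -u "$user:$pass" "$url/" || true)
  [ "$anon" = 401 ] && [ "$auth" = 200 ] \
    || { echo "FAIL $url: anonymous=$anon authenticated=$auth"; return 1; }
  echo "OK $url: anonymous rejected (401), authenticated accepted (200)"
}

# Constructed sample configs that mirror the post's settings.
write_samples() {
  dir=$1
  cat >"$dir/elasticsearch.yml" <<'EOF'
cluster.name: my-es
network.host: 0.0.0.0
http.port: 9200
# head plugin
http.cors.enabled: true
http.cors.allow-origin: "*"
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
EOF
  cat >"$dir/kibana.yml" <<'EOF'
server.host: "192.168.3.102"
elasticsearch.hosts: ["http://192.168.3.100:9200","http://192.168.3.101:9200","http://192.168.3.102:9200"]
elasticsearch.username: "kibana"
elasticsearch.password: "PLACEHOLDER_PASSWORD"
#server.ssl.enabled: true
elasticsearch.ssl.certificateAuthorities: [ "/usr/local/kibana/config/certs/elastic-certificates.pem" ]
elasticsearch.ssl.verificationMode: certificate
EOF
}

# Usage: sh es_lint.sh /usr/local/elasticsearch/config/elasticsearch.yml /usr/local/kibana/config/kibana.yml
if [ $# -ge 2 ]; then es_security_lint "$1"; kibana_tls_lint "$2"; fi
```

Run against the post's files, `es_security_lint` passes with two warnings (no HTTP-layer TLS, open CORS) and `kibana_tls_lint` fails until `elasticsearch.hosts` is switched to `https://` together with `xpack.security.http.ssl.enabled: true` on the nodes. Logstash has the same keystore mechanism (`bin/logstash-keystore`, then `password => "${ES_PWD}"` in the output block) for keeping the elastic password out of the pipeline file.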
Manage Kibana with systemd, /usr/lib/systemd/system/kibana.service:

```ini
[Unit]
Description=Kibana
Documentation=http://www.elastic.co
Wants=network-online.target
After=network-online.target

[Service]
User=kibana
Group=kibana
ExecStart=/usr/local/kibana/bin/kibana

[Install]
WantedBy=multi-user.target
```
Logstash example:

```
input {
  stdin { }
}
output {
  elasticsearch {
    hosts    => ["http://192.168.3.100:9200","http://192.168.3.101:9200","http://192.168.3.102:9200"]
    index    => "test-%{+YYYY.MM.dd}"
    user     => "elastic"
    password => "HkqZIHZsuXSv6B5OwqJ7"
  }
}
```
I did not manage to configure encrypted Logstash => Elasticsearch communication with PKCS12 (if anyone has succeeded, please message me or leave a comment); the link below can be used as a reference for setting up secure communication between the components using the PEM approach:
https://www.elastic.co/cn/blog/configuring-ssl-tls-and-https-to-secure-elasticsearch-kibana-beats-and-logstash#step-5-2
References:
https://www.elastic.co/guide/en/elastic-stack-overview/7.3/ssl-tls.html
https://www.elastic.co/guide/en/elasticsearch/reference/7.3/configuring-security.html
https://www.elastic.co/guide/en/kibana/7.3/using-kibana-with-security.html
https://www.elastic.co/guide/en/kibana/7.3/configuring-tls.html
Article URL: http://scyanting.com/article/ghooij.html