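Note: the examples use Elasticsearch 7.6.2.
I. Single node
1. Modify the configuration
Enable X-Pack authentication in the configuration file: edit elasticsearch.yml in the config directory, add the following, and restart Elasticsearch.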
xpack.security.enabled: true
xpack.license.self_generated.type: basic
xpack.security.transport.ssl.enabled: true
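2. Set passwords
Go to the bin directory under the Elasticsearch installation root, /usr/local/elasticsearch-7.6.2/bin.
Run the command that sets the usernames and passwords. Passwords must be set for four users: elastic, kibana, logstash_system and beats_system.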
./elasticsearch-setup-passwords interactive
Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [elastic]
3. Test
Add the following to kibana.yml and restart Kibana:
elasticsearch.username: "elastic"
elasticsearch.password: "xxxx"
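4. Change the password
To change the password, remove the configuration added in step 1, restart Elasticsearch, and delete the .security-7 index.
Then repeat steps 1-4.
II. Cluster
1. Generate the TLS and authentication certificate
Generate the certificate on a single node only.
The certificate is written to the config directory, with the file name elastic-certificates.p12.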
su esuser
cd /usr/local/elasticsearch-7.6.2/bin
./elasticsearch-certutil cert -out /usr/local/elasticsearch-7.6.2/config/elastic-certificates.p12 -pass ""
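After running the command above, a new elastic-certificates.p12 file appears in the config directory under the Elasticsearch directory.
Copy elastic-certificates.p12 to the other nodes, again into the config directory under the Elasticsearch directory.
2. Modify the configuration
Edit elasticsearch.yml (on every node) to enable X-Pack and specify the certificate location.
# Encryption settings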
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
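3. Restart the Elasticsearch cluster
Every node must be restarted.
4. Set access passwords
Set the passwords on just one node; once set, the data is synchronized to the other nodes automatically.
cd to the bin directory under the Elasticsearch directory and run: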
su esuser
cd /usr/local/elasticsearch-7.6.2/bin
./elasticsearch-setup-passwords interactive
Set a password for each account in turn:
Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [elastic]
5. Test and verify
Add the following to kibana.yml and restart Kibana:
elasticsearch.username: "elastic"
elasticsearch.password: "xxxx"
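As an added example (not part of the original article and not an Elasticsearch tool), the script below checks a node's elasticsearch.yml against the settings from section II, step 2, so a node with a missing or commented-out line is caught before the restart in step 3. The function names yml_get and audit_es_config and the sample file are made up for illustration, and the parser assumes flat "key: value" lines as written above.

```shell
# Added example: audit elasticsearch.yml for the settings in section II, step 2.

# Expected key=value pairs, copied from step 2.
REQUIRED='xpack.security.enabled=true
xpack.security.transport.ssl.enabled=true
xpack.security.transport.ssl.verification_mode=certificate
xpack.security.transport.ssl.keystore.path=elastic-certificates.p12
xpack.security.transport.ssl.truststore.path=elastic-certificates.p12'

# yml_get FILE KEY: print the value of an uncommented KEY (empty if absent).
yml_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            line = $0
            sub(/[ \t]+#.*$/, "", line)          # drop trailing comment
            i = index(line, ":")
            if (i == 0) next
            k = substr(line, 1, i - 1); v = substr(line, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t"]+|[ \t"]+$/, "", v)     # trim blanks and quotes
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# audit_es_config FILE: report each missing or wrong setting;
# exit status is the number of problems (0 = node config matches step 2).
audit_es_config() {
    bad=0
    for pair in $REQUIRED; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(yml_get "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key: expected '$want', found '${got:-<unset>}'"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample: a node where verification_mode was left commented out.
sample=$(mktemp)
printf '%s\n' 'xpack.security.enabled: true' 'xpack.security.transport.ssl.enabled: true' \
    '#xpack.security.transport.ssl.verification_mode: certificate' \
    'xpack.security.transport.ssl.keystore.path: elastic-certificates.p12' \
    'xpack.security.transport.ssl.truststore.path: elastic-certificates.p12' > "$sample"
audit_es_config "$sample" || echo "problems found: $?"
rm -f "$sample"
```

Run it against the real file on each node, for example audit_es_config /usr/local/elasticsearch-7.6.2/config/elasticsearch.yml.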