1. Enable X-Pack authentication
Configure the following in the elasticsearch.yml file:
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
2. Initialize the passwords
./elasticsearch-setup-passwords interactive
3. Error when generating the passwords
Of the three servers, password setup failed on two. It occurred to me that both are low-memory machines, so I checked memory usage.
Only a few tens of MB were free, so memory looked like the cause. I raised the heap in jvm.options to 512m; it made no difference.
4. The painful troubleshooting process
1) Add the -verbose option to see the log output
./elasticsearch-setup-passwords interactive -verbose
The following error appeared:
Unexpected response code [503] from calling PUT http://localhost:9200/_securit ... retty
Cause: Cluster state has not been recovered yet, cannot write to the [null] index
Possible next steps:
* Try running this tool again.
* Try running with the --verbose parameter for additional messages.
* Check the elasticsearch logs for additional error details.
* Use the change password API manually.
ERROR: Failed to set password for user [apm_system].
Clearly the data nodes had failed to join the cluster.
Check the cluster status:
http://47.105.109.31:9200/_cluster/health
It showed red, meaning the cluster had not started properly.
Then it occurred to me: with X-Pack enabled, how do the nodes authenticate each other?
2) After a round of searching on Baidu I found the right approach: the nodes in the cluster have to authenticate each other with certificates.
2.1 Generate the certificates
// Generate the CA (elastic-stack-ca.p12)
/usr/share/elasticsearch/bin/elasticsearch-certutil ca
// Issue a certificate for the nodes, signed by that CA
/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
The generated certificate file is named elastic-certificates.p12 by default.
2.2 Copy the generated certificate to every node
scp elastic-certificates.p12 root@1.0.0.111:/etc/elasticsearch/
2.3 Edit the configuration file /etc/elasticsearch/elasticsearch.yml
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: none
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
2.4 Restart the ES cluster
During startup the following warning appeared; the cause is unknown.
client did not trust this server's certificate
5. Encrypted communication with the ES cluster nodes
1) Encrypted communication here means enabling SSL on the HTTP port: edit the elasticsearch.yml file and restart ES.
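As an added example (not from the original post), here is the transport-layer part of elasticsearch.yml with the setting used in step 2.3 beside a hardened variant; only one of the two variants goes into the file. The keystore-password step at the end is an assumption about the reader's setup.

```yaml
# --- Variant A: the setting used above ---
# With verification_mode: none a node accepts whatever certificate a peer
# presents, so transport traffic is encrypted but the peer's identity is
# never checked. This hides certificate problems rather than fixing them.
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: none
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

# --- Variant B: hardened ---
# "certificate" requires the peer's certificate to chain to a CA in the
# truststore but skips the hostname check, so it works with the single
# elastic-certificates.p12 produced by "elasticsearch-certutil cert" above
# (that file contains the node certificate and the CA certificate, and the
# certificate carries no hostnames). "full" would additionally check that
# the peer's hostname/IP matches the certificate and needs per-node
# certificates issued with --dns or --ip.
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
# Assumed step: if a password was entered when certutil created the PKCS#12
# file, store it in the Elasticsearch keystore instead of in this file:
#   bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
#   bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
```

Every node must be restarted with the same truststore before switching to variant B, otherwise nodes still running variant A will be rejected when they connect.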
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.truststore.path: elastic-certificates.p12
2) Verify
// Wrong
http://ip:9200
// Right
https://ip:9200
6. Encrypted communication between Kibana and ES
After step 5, ES already speaks SSL; now Kibana just has to be configured to reach ES over SSL.
1) Generate the Kibana certificate
ES uses a certificate file with the .p12 suffix, while Kibana's certificate file ends in .pem. Convert the p12 file to pem with openssl:
openssl pkcs12 -in /etc/elasticsearch/elastic-certificates.p12 -cacerts -nokeys -out elastic-ca.pem
2) Edit the Kibana configuration file
elasticsearch.username: "elastic"
elasticsearch.password: "123456"
elasticsearch.hosts: ["https://node-1:9200"]
elasticsearch.ssl.verificationMode: certificate
# Point Kibana at the CA exported in step 1 so it can verify the ES certificate
# (path assumed; adjust to wherever elastic-ca.pem was written)
elasticsearch.ssl.certificateAuthorities: ["/usr/local/src/kibana/config/elastic-ca.pem"]
7. Encrypted communication between the client and Kibana
1) Generate the certificate files
sudo ./elasticsearch-certutil ca --pem
The generated file is elastic-stack-ca.zip; move it into Kibana's config directory and unzip it.
mv elastic-stack-ca.zip /usr/local/src/kibana/config/
unzip elastic-stack-ca.zip
2) Edit the configuration file kibana.yml
server.ssl.enabled: true
server.ssl.certificate: /usr/local/src/kibana/kibana/config/ca/ca.crt
server.ssl.key: /usr/local/src/kibana/kibana/config/ca/ca.key
Restart Kibana.
3) Verify
https://47.5.6.1:5601/
Reference 1: Elasticsearch 7.4, enabling the free X-Pack plugin and setting up accounts and permissions, including the error "ERROR: Failed to set password for user [apm_system]"