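Goal
Install ES 7.13 on CentOS 8 and log in using ES 7's basic security.
Approach
ES is installed with DNF. Once it is installed, a login password is set to secure it. In Elastic releases after 7.0, x-pack basic security is free.
Steps
Install ES
Set up the package repository:
sudo vim /etc/yum.repos.d/elasticsearch.repo
Contents: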
[elasticsearch]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=0
autorefresh=1
type=rpm-md
Install ES:
sudo dnf install --enablerepo=elasticsearch elasticsearch
Set up the system service:
sudo /bin/systemctl daemon-reload
sudo /bin/systemctl enable elasticsearch.service
Start and stop the service:
sudo systemctl start elasticsearch.service
sudo systemctl stop elasticsearch.service
ES service unit file path: /usr/lib/systemd/system/elasticsearch.service
ES service start/stop log directory:
/var/log/elasticsearch/
Open the ES service port:
# Start the firewalld firewall
sudo systemctl start firewalld
# Start the firewall automatically at boot
sudo systemctl enable firewalld
# Open a port
sudo firewall-cmd --zone=public --add-port=9200/tcp --permanent
# Reload the firewall rules
sudo firewall-cmd --reload
# View the firewall configuration
sudo firewall-cmd --list-all
# Second way to view the firewall configuration
sudo firewall-cmd --list-all --zone=public
Configure ES security
Enable xpack
# Switch to the root user
su
# Edit the ES configuration file
vim /etc/elasticsearch/elasticsearch.yml
Add the following line:
xpack.security.enabled: true
Verify that xpack has taken effect:
sudo systemctl restart elasticsearch
curl http://127.0.0.1:9200
If the following response appears, the security configuration has taken effect:
{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401}
Configure the keystore
This step is optional, because it was already completed when ES was installed.
Create the elasticsearch keystore:
cd /usr/share/elasticsearch
sudo ./bin/elasticsearch-keystore create
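# Set the elasticsearch keystore permissions
su
sudo chown root:elasticsearch /etc/elasticsearch/elasticsearch.keystore
sudo chmod 0660 /etc/elasticsearch/elasticsearch.keystore
# Check the permissions (the keystore is in /etc/elasticsearch, not the current directory)
(cd /etc/elasticsearch && ls -al elasticsearch.keystore)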
-rw-rw---- 1 root elasticsearch 199 1月 26 12:58 elasticsearch.keystore
Check that the elasticsearch keystore has been set up:
sudo ./bin/elasticsearch-keystore list
keystore.seed
Set the bootstrap password
echo "password_es" | sudo ./bin/elasticsearch-keystore add -x "bootstrap.password"
# Check that it was set
sudo ./bin/elasticsearch-keystore list
bootstrap.password
keystore.seed
# Restart ES
sudo systemctl restart elasticsearch
# Check ES
curl -u 'elastic:password_es' localhost:9200
Result:
{
"name" : "xxx",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "dTq1Ug4jRym8b1jexBAfBQ",
"version" : {
"number" : "7.13.2",
"build_flavor" : "default",
"build_type" : "rpm",
"build_hash" : "4d960a0733be83dd2543ca018aa4ddc42e956800",
"build_date" : "2021-06-10T21:01:55.251515791Z",
"build_snapshot" : false,
"lucene_version" : "8.8.2",
"minimum_wire_compatibility_version" : "6.8.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "You Know, for Search"
}
From this point on, every request to ES must carry the ES superuser name and password.
Lift the external network restriction on ES
network.host: 0.0.0.0
discovery.type: single-node
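The configuration above ends with security enabled and the HTTP port bound to all interfaces. The script below is an added example, not part of the original page: it audits an elasticsearch.yml for that combination and reports when Basic credentials would leave the host without TLS. The function names yml_get and audit_es_config and the sample file are made up for illustration, and the script assumes flat "key: value" settings as written on this page.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): audit the elasticsearch.yml settings used above.
# Assumption: settings are written as flat "key: value" lines, as on this page.

# Print the value of a flat setting, skipping comment lines and trailing comments.
yml_get() {  # usage: yml_get FILE KEY
  awk -v k="$2" '
    /^[ \t]*#/ { next }
    index($0, k ":") == 1 {
      v = substr($0, length(k) + 2)
      sub(/[ \t]+#.*$/, "", v)
      gsub(/^[ \t]+|[ \t]+$/, "", v)
      val = v
    }
    END { print val }' "$1" | tr -d "\"'"
}

# Print one line per finding and return the number of findings (0 = nothing to report).
audit_es_config() {  # usage: audit_es_config FILE
  local f=$1 n=0 host
  if [ "$(yml_get "$f" xpack.security.enabled)" != "true" ]; then
    echo "FAIL xpack.security.enabled is not true: ES 7.x serves REST requests without credentials"
    n=$((n + 1))
  fi
  host=$(yml_get "$f" network.host)
  case "$host" in
    ""|localhost|127.*|::1|_local_) ;;   # loopback only (the default binding)
    *)
      if [ "$(yml_get "$f" xpack.security.http.ssl.enabled)" != "true" ]; then
        echo "WARN network.host=$host without xpack.security.http.ssl.enabled: Basic credentials cross the network in cleartext"
        n=$((n + 1))
      fi ;;
  esac
  return "$n"
}

# Constructed sample: the configuration this page ends up with.
sample=$(mktemp)
printf '%s\n' 'xpack.security.enabled: true' 'network.host: 0.0.0.0' \
  'discovery.type: single-node' > "$sample"
audit_es_config "$sample" || echo "findings: $?"
rm -f "$sample"
```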