This article explains how to set an access password for Elasticsearch by enabling X-Pack.
Differences between a cluster and a single-node setup:
- In a cluster, generate the certificate on one node and then copy it into the same directory on every other node.
- In a cluster, resetting passwords requires every node of the cluster to be up; the change can then be made from any one node.
Official guide: https://www.elastic.co/guide/en/elasticsearch/reference/current/security-basic-setup.html#encrypt-internode-communication
Detailed settings: https://www.elastic.co/guide/en/elasticsearch/reference/7.15/security-settings.html#transport-tls-ssl-settings
1. Generate the CA certificate
# Change into the es bin directory and run the following command to generate the CA certificate
# -out config/certs/elastic-stack-ca.p12 sets where the certificate is written; by default it goes to the default location
# You will be prompted for a certificate password. It can be left empty; if you do set one, remember it, because it is needed below, otherwise ES will not start
# Just press Enter at the prompts
elasticsearch-certutil ca
The generated CA certificate:
2. Use the CA certificate to generate the p12 key
# -out config/certs/elastic-certificates.p12 sets where the certificate is written; by default it goes to the home directory
# If you set a CA certificate password in step 1, enter it here
# Run the following command
elasticsearch-certutil cert --ca elastic-stack-ca.p12
The generated p12 key:
3. (Optional) Add the p12 key password to the ES keystore. If you entered a password in step 2 above, this step is mandatory; otherwise startup fails with the error "failed to load SSL configuration [xpack.security.transport.ssl], keystore password was incorrect"
# Run the commands below and enter the p12 password from above
elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
4. Copy the p12 file generated above into config/certs, as shown below
5. Edit the ES configuration to enable X-Pack (es_home/config/elasticsearch.yml)
In a cluster, the certificate directory and the configuration file must be updated on every node of the cluster.
# Enable xpack
xpack.security.enabled: true
xpack.license.self_generated.type: basic
xpack.security.transport.ssl.enabled: true
# Certificate settings
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
# Cross-origin (CORS) settings (optional)
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,X-Requested-With,Content-Length,Content-Type
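Before restarting, it is worth checking that elasticsearch.yml really contains the settings above, since a missing key or a p12 file that was never copied in step 4 only shows up as a startup failure. The script below is an added example, not code from the original post or from Elastic: the function names get_setting, check_es_security_config and make_sample_config are chosen here, and the sample config directory it builds (with an empty placeholder standing in for certs/elastic-certificates.p12) is constructed for the demo. Relative keystore and truststore paths are resolved against the config directory, so the check verifies the file exists there, and it warns about http.cors.allow-origin: "*", which lets any website send requests to the node.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an elasticsearch.yml
# for the X-Pack security settings of step 5 before restarting ES.

# get_setting FILE KEY -> value of the first non-comment "KEY: value" line,
# with surrounding quotes and any trailing "# comment" removed
get_setting() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            if (index(line, key ":") == 1) {
                val = substr(line, length(key) + 2)
                sub(/[[:space:]]+#.*$/, "", val)
                sub(/^[[:space:]]+/, "", val)
                sub(/[[:space:]]+$/, "", val)
                gsub(/^"|"$/, "", val)
                print val
                exit
            }
        }' "$1"
}

# check_es_security_config FILE -> exit status 0 if every required setting is
# present with the expected value and the referenced p12 file exists, else 1.
# Prints each problem; the wildcard CORS origin is reported as a warning only.
check_es_security_config() {
    cfg="$1"; errors=0
    for pair in \
        "xpack.security.enabled=true" \
        "xpack.security.transport.ssl.enabled=true" \
        "xpack.security.transport.ssl.verification_mode=certificate" \
        "xpack.security.transport.ssl.client_authentication=required"
    do
        key="${pair%%=*}"; want="${pair#*=}"
        got="$(get_setting "$cfg" "$key")"
        if [ "$got" != "$want" ]; then
            echo "ERROR: $key is '${got:-<unset>}', expected '$want'"
            errors=$((errors + 1))
        fi
    done
    # relative paths in elasticsearch.yml resolve against the config directory
    for key in xpack.security.transport.ssl.keystore.path \
               xpack.security.transport.ssl.truststore.path; do
        p="$(get_setting "$cfg" "$key")"
        if [ -z "$p" ]; then
            echo "ERROR: $key is not set"; errors=$((errors + 1))
        elif [ ! -f "$(dirname "$cfg")/$p" ]; then
            echo "ERROR: $key -> $(dirname "$cfg")/$p does not exist (step 4 missing?)"
            errors=$((errors + 1))
        fi
    done
    if [ "$(get_setting "$cfg" http.cors.enabled)" = "true" ] && \
       [ "$(get_setting "$cfg" http.cors.allow-origin)" = "*" ]; then
        echo "WARN: http.cors.allow-origin is '*': any website may send requests to this node; restrict it to the origins you need"
    fi
    [ "$errors" -eq 0 ]
}

# make_sample_config -> path of a constructed elasticsearch.yml in a temp dir
# holding the step-5 settings, plus an empty placeholder for the p12 file
make_sample_config() {
    dir="$(mktemp -d)"
    mkdir -p "$dir/certs"
    : > "$dir/certs/elastic-certificates.p12"   # placeholder, not a real keystore
    cat > "$dir/elasticsearch.yml" <<'EOF'
xpack.security.enabled: true
xpack.license.self_generated.type: basic
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
http.cors.enabled: true
http.cors.allow-origin: "*"
EOF
    echo "$dir/elasticsearch.yml"
}

# Usage against a real install: check_es_security_config /path/to/config/elasticsearch.yml
# Demo on the constructed sample:
sample="$(make_sample_config)"
check_es_security_config "$sample" && echo "sample config OK (with the CORS warning above)"
```

Run it with the real es_home/config/elasticsearch.yml path instead of the sample to get a pass/fail before step 6; a non-zero exit status means ES would fail to start or run without security.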
6. Restart ES
elasticsearch
7. Set user passwords
Passwords need to be set here for the users elastic, kibana, logstash_system, beats_system and remote_monitoring_user.
Their permissions are as follows:
- elastic: has the superuser role; it is the built-in superuser.
- kibana: has the kibana_system role; the kibana user is used to connect to and communicate with Elasticsearch. The Kibana server submits requests as this user to access the cluster monitoring APIs and the .kibana index. It cannot access indices.
- logstash_system: has the logstash_system role; used by Logstash when storing monitoring information in Elasticsearch.
Setting the passwords
# Interactive mode: set each user's password manually (entered one by one)
elasticsearch-setup-passwords interactive
# Sample run
D:\ELK\elasticsearch-7.15.0\bin>elasticsearch-setup-passwords.bat interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y
Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana_system]:
Reenter password for [kibana_system]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]
# Automatic mode: a random password is generated and printed for each user (save them somewhere safe)
elasticsearch-setup-passwords auto
# Change a password (the _xpack/security prefix still works in 7.x but is deprecated in favor of _security)
curl -H 'Content-Type: application/json' -u elastic:123456 -XPUT 'http://localhost:9200/_xpack/security/user/elastic/_password' -d '{ "password" : "1234567" }'
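The curl one-liner above puts both the current and the new password on the command line, where they are visible to every local user through ps and end up in the shell history. The script below is an added example, not from the original post: it sends the same password change through the 7.x _security endpoint but hands the URL, credentials and body to curl as a config read from stdin (curl -K -), so no secret appears in the process arguments. The variable names ES_URL, ES_ADMIN_USER, ES_ADMIN_PASSWORD and ES_NEW_PASSWORD and the function names are this example's own choices; the passwords used in the demo at the bottom are constructed values.

```shell
#!/bin/sh
# Added example (not from the original post): change a user's password via
# PUT /_security/user/<name>/_password without exposing secrets on the command line.

# escape_dq STRING -> STRING with backslashes and double quotes escaped.
# Both JSON strings and curl's double-quoted config values use \\ and \".
escape_dq() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# password_body PASSWORD -> the JSON body expected by the _password endpoint
password_body() {
    printf '{"password":"%s"}' "$(escape_dq "$1")"
}

# es_password_request USER -> curl config text for the request, built from
# ES_URL (default http://localhost:9200), ES_ADMIN_USER, ES_ADMIN_PASSWORD
# (the account performing the change) and ES_NEW_PASSWORD (the new value).
es_password_request() {
    user="$1"
    url="${ES_URL:-http://localhost:9200}/_security/user/$user/_password"
    body="$(password_body "$ES_NEW_PASSWORD")"
    printf 'url = "%s"\n' "$url"
    printf 'request = "PUT"\n'
    printf 'header = "Content-Type: application/json"\n'
    printf 'user = "%s"\n' "$(escape_dq "$ES_ADMIN_USER:$ES_ADMIN_PASSWORD")"
    printf 'data = "%s"\n' "$(escape_dq "$body")"
}

# es_change_password USER -> performs the change; curl reads everything from
# stdin (-K -), so ps only ever shows "curl -sS -K -"
es_change_password() {
    es_password_request "$1" | curl -sS -K -
}

# Usage (set the variables from a prompt or secret store rather than typing them inline):
#   ES_ADMIN_USER=elastic ES_ADMIN_PASSWORD='...' ES_NEW_PASSWORD='...' es_change_password elastic
# Demo: print the request that would be sent, using constructed values and no network
ES_ADMIN_USER=elastic ES_ADMIN_PASSWORD='old-password' ES_NEW_PASSWORD='new-password' \
    es_password_request elastic
```

To change a different built-in user's password, such as kibana_system, pass that name to es_change_password while still authenticating as elastic; the body format and endpoint are the same.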
8. Test
Open localhost:9200 and enter the password set above.
Login successful
9. Common problems
9.1 After a username and password are set on Elasticsearch, Elasticsearch head can no longer access it directly; the user parameters can be added to query and other API calls.
Solution: append the account credentials to the URL you access, e.g. http://localhost:9100/?auth_user=elastic&auth_password=123456