Starting with version 6.8, Elasticsearch makes the X-Pack security features available to users of the free tier; before that, a default ES install ran with no authentication at all. What follows is a record of how to configure security authentication.

Environment: CentOS 8.5
Elasticsearch version: 7.14.0
User: root

Everything in this walkthrough is run as the `root` user; if you use a regular user, prefix the commands with `sudo`.
1. Basic configuration

- Adjust the Linux kernel parameter `vm.max_map_count`. Set `vm.max_map_count=262144` in `/etc/sysctl.conf`:

```sh
vim /etc/sysctl.conf
# add this line:
vm.max_map_count=262144
```

- To apply it to the running kernel without a reboot:

```sh
sysctl -w vm.max_map_count=262144
```
- Install three Elasticsearch nodes as a cluster. Pick a suitable location and create the directories for the config file, the logs and the data:

```sh
mkdir -p elasticsearch01/data elasticsearch01/logs
mkdir -p elasticsearch02/data elasticsearch02/logs
mkdir -p elasticsearch03/data elasticsearch03/logs
mkdir config && touch config/elasticsearch.yml
mkdir plugins
```
- Create the user and note its uid:

```sh
# create the elasticsearch user
useradd elasticsearch
# set a password for the elasticsearch user
passwd elasticsearch
# add elasticsearch to the docker group (create the docker group first if it does not exist);
# -a appends to the user's supplementary groups instead of replacing them
usermod -aG docker elasticsearch
# restart docker
systemctl restart docker
```
- Give the `elasticsearch` user ownership of the directories just created:

```sh
# go back up one level, then change ownership recursively
chown -R elasticsearch elasticsearch
```
- Look up the uid of the `elasticsearch` user:

```sh
grep elasticsearch /etc/passwd   # the uid obtained here is 1001
```
2. Pull the image and write the deployment files

- Pull the image:

```sh
docker pull elasticsearch:7.14.0
```
- Create `docker-compose.yml`:

```yaml
version: '3.8'
services:
  elasticsearch01:
    image: elasticsearch:7.14.0
    container_name: elasticsearch01
    environment:
      - node.name=elasticsearch01
      - cluster.name=elasticsearch-docker-cluster
      - discovery.seed_hosts=elasticsearch02,elasticsearch03
      - cluster.initial_master_nodes=elasticsearch01,elasticsearch02,elasticsearch03
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms1024m -Xmx1024m"
    user: "1001"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - ./elasticsearch01/data:/usr/share/elasticsearch/data
      - ./elasticsearch01/logs:/usr/share/elasticsearch/logs
      - ./plugins:/usr/share/elasticsearch/plugins
      - ./config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./config/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
    ports:
      - 9200:9200
    networks:
      mynet:
        ipv4_address: 172.88.0.5
  elasticsearch02:
    image: elasticsearch:7.14.0
    container_name: elasticsearch02
    environment:
      - node.name=elasticsearch02
      - cluster.name=elasticsearch-docker-cluster
      - discovery.seed_hosts=elasticsearch01,elasticsearch03
      - cluster.initial_master_nodes=elasticsearch01,elasticsearch02,elasticsearch03
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms1024m -Xmx1024m"
    user: "1001"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - ./elasticsearch02/data:/usr/share/elasticsearch/data
      - ./elasticsearch02/logs:/usr/share/elasticsearch/logs
      - ./plugins:/usr/share/elasticsearch/plugins
      - ./config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./config/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
    networks:
      mynet:
        ipv4_address: 172.88.0.6
  elasticsearch03:
    image: elasticsearch:7.14.0
    container_name: elasticsearch03
    environment:
      - node.name=elasticsearch03
      - cluster.name=elasticsearch-docker-cluster
      - discovery.seed_hosts=elasticsearch01,elasticsearch02
      - cluster.initial_master_nodes=elasticsearch01,elasticsearch02,elasticsearch03
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms1024m -Xmx1024m"
    user: "1001"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - ./elasticsearch03/data:/usr/share/elasticsearch/data
      - ./elasticsearch03/logs:/usr/share/elasticsearch/logs
      - ./plugins:/usr/share/elasticsearch/plugins
      - ./config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./config/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
    networks:
      mynet:
        ipv4_address: 172.88.0.7
networks:
  mynet:
    external: true
```
- `version`: depends on the Docker version you have installed; look up the matching compose file version on the Docker website.
- `user`: the uid of the user added above.
- Write the configuration file `elasticsearch.yml`:

```sh
vim config/elasticsearch.yml
```

Contents:

```yaml
network.host: 0.0.0.0
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.type: PKCS12
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
# the password you set when generating elastic-certificates.p12 below; leave these two lines out if you set none
xpack.security.transport.ssl.keystore.password: <p12-password>
xpack.security.transport.ssl.truststore.password: <p12-password>
xpack.security.transport.ssl.truststore.type: PKCS12
xpack.security.audit.enabled: true
```

- `network.host` allows access from other IPs, lifting the bind to the local address.
- `xpack.security.*` are the security settings; the SSL certificate they reference has to be generated by hand.
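Before mounting `elasticsearch.yml` into three containers it is worth checking that the security settings are actually in effect, since a typo in one key or a `verification_mode: none` leaves the cluster open while everything still starts cleanly. The following lint script is an added example, not part of the original post; the function names and the two sample configs (the post's file and a weakened variant) are constructed here. It also warns when the PKCS#12 password sits in the yml in clear text, because Elasticsearch can keep that value in its own keystore as `xpack.security.transport.ssl.keystore.secure_password` instead.

```sh
#!/bin/sh
# Added example (not from the original post): a pre-flight lint for elasticsearch.yml,
# run on the host before the file is mounted into the containers. It checks the settings
# the post relies on and flags values that would silently weaken them.

# Print the value of a top-level setting, ignoring commented-out lines; empty if absent.
es_setting() {
    # $1 = config file, $2 = setting name (dots are escaped so they match literally)
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -E "^[[:space:]]*${pat}[[:space:]]*:" "$1" | tail -n 1 \
        | sed -E 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*(#.*)?$//'
}

# Returns 0 when the file is acceptable, 1 when any check fails (each failure is printed).
check_es_security_config() {
    cfg=$1
    rc=0
    # network.host 0.0.0.0 exposes the node on every interface, so authentication must be on.
    if [ "$(es_setting "$cfg" xpack.security.enabled)" != "true" ]; then
        echo "FAIL: xpack.security.enabled must be true"; rc=1
    fi
    # With security enabled, a multi-node cluster requires TLS on the transport layer.
    if [ "$(es_setting "$cfg" xpack.security.transport.ssl.enabled)" != "true" ]; then
        echo "FAIL: xpack.security.transport.ssl.enabled must be true"; rc=1
    fi
    # verification_mode none would accept any certificate a peer node presents.
    mode=$(es_setting "$cfg" xpack.security.transport.ssl.verification_mode)
    case "$mode" in
        certificate|full) ;;
        *) echo "FAIL: verification_mode is '$mode' (expected certificate or full)"; rc=1 ;;
    esac
    # Both stores must point at the mounted PKCS#12 file.
    for key in xpack.security.transport.ssl.keystore.path \
               xpack.security.transport.ssl.truststore.path; do
        if [ -z "$(es_setting "$cfg" "$key")" ]; then
            echo "FAIL: $key is not set"; rc=1
        fi
    done
    # A clear-text PKCS#12 password in the yml is a warning, not a failure: the
    # elasticsearch keystore's *.secure_password settings keep it out of this file.
    if [ -n "$(es_setting "$cfg" xpack.security.transport.ssl.keystore.password)" ]; then
        echo "WARN: keystore.password is stored in clear text in $cfg"
    fi
    return $rc
}

# Constructed sample configs for this example: the post's file, and a weakened variant.
ES_CFG_DIR=$(mktemp -d)
ES_GOOD_CFG=$ES_CFG_DIR/good.yml
ES_BAD_CFG=$ES_CFG_DIR/bad.yml
cat > "$ES_GOOD_CFG" <<'EOF'
network.host: 0.0.0.0
# xpack.security.enabled: false
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.type: PKCS12
xpack.security.transport.ssl.verification_mode: certificate   # certificate or full
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.type: PKCS12
xpack.security.audit.enabled: true
EOF
cat > "$ES_BAD_CFG" <<'EOF'
network.host: 0.0.0.0
xpack.security.enabled: false
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: none
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.keystore.password: changeme
EOF

for f in "$ES_GOOD_CFG" "$ES_BAD_CFG"; do
    if check_es_security_config "$f"; then echo "OK:       $f"; else echo "REJECTED: $f"; fi
done
```

Run it as `check_es_security_config config/elasticsearch.yml` from the directory that holds the cluster folders; the weakened sample is rejected with three FAIL lines (security disabled, verification mode `none`, missing truststore path) plus the clear-text password warning.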
- Generate the certificate `elastic-certificates.p12`

ES ships a certificate tool, `elasticsearch-certutil`. We can generate the certificate inside a Docker instance, copy it out, and use the same file on every node. First start an ES instance:

```sh
docker run -d --name=elasticsearch -e "discovery.type=single-node" elasticsearch:7.14.0
```

Enter the container:

```sh
docker exec -it elasticsearch bash
```

- Generate the CA, `elastic-stack-ca.p12`:

```sh
./bin/elasticsearch-certutil ca
```

- Then generate the certificate, `elastic-certificates.p12`:

```sh
./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
```

This produces `elastic-certificates.p12`; in a moment we copy it out and put it in the `config` directory.

- Leave the container (the shortcut is Ctrl + D) and copy the certificate out:

```sh
# run the command below for each config directory:
docker cp elasticsearch:/usr/share/elasticsearch/elastic-certificates.p12 ./config
```

- Remove the container:

```sh
docker rm -f elasticsearch
```
3. Bring up the cluster

- Switch to the `elasticsearch` user created earlier:

```sh
su elasticsearch
```

- In the directory one level above the ES cluster directories, run `docker-compose` to start the cluster:

```sh
docker-compose up
```

- Enter one of the nodes to generate the passwords:

```sh
docker exec -it elasticsearch01 bash
```
4. Generate the passwords

- Use `auto` to have the passwords generated; use `interactive` to set them yourself.

```
[root@cfeeab4bb0eb elasticsearch]# ./bin/elasticsearch-setup-passwords -h
Sets the passwords for reserved users
Commands
--------
auto - Uses randomly generated passwords
interactive - Uses passwords entered by a user
Non-option arguments:
command
Option Description
------ -----------
-E <KeyValuePair> Configure a setting
-h, --help Show help
-s, --silent Show minimal output
-v, --verbose Show verbose output
[root@cfeeab4bb0eb elasticsearch]# ./bin/elasticsearch-setup-passwords auto
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
The passwords will be randomly generated and printed to the console.
Please confirm that you would like to continue [y/N]y
Changed password for user apm_system
PASSWORD apm_system = YxVzeT9B2jEDUjYp66Ws
Changed password for user kibana
PASSWORD kibana = 8NnThbj0N02iDaTGhidU
Changed password for user logstash_system
PASSWORD logstash_system = 9nIDGe7KSV8SQidSk8Dj
Changed password for user beats_system
PASSWORD beats_system = qeuVaf1VEALpJHfEUOjJ
Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = DtZCrCkVTZsinRn3tW3D
Changed password for user elastic
PASSWORD elastic = q5f2qNfUJQyvZPIz57MZ
```
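The `auto` run prints each password exactly once; if the console output is lost, the only way back is the recovery in section 6. The script below, an added example that is not part of the original post, captures that output into a file readable only by its owner and provides a lookup helper, so the passwords are neither retyped into shell history nor left in a terminal scrollback. The file name and the sample output values are constructed for this example (they are not the post's real passwords).

```sh
#!/bin/sh
# Added example (not from the original post): store the one-time output of
# `elasticsearch-setup-passwords auto` in a 0600 file and look passwords up from it.
#
# Usage:  ./bin/elasticsearch-setup-passwords auto | tee setup.log
#         save_setup_passwords setup.log /root/.es-passwords
#         es_password /root/.es-passwords kibana

# Turn the "PASSWORD <user> = <value>" lines into ES_PASSWORD_<USER>=<value> lines.
# Prints the number of passwords captured so a truncated run is noticed.
save_setup_passwords() {
    in=$1
    out=$2
    # Create the target with mode 0600 before any secret is written to it.
    old_umask=$(umask)
    umask 077
    : > "$out"
    umask "$old_umask"
    # Reserved user names contain only [a-z_]; field 2 is the user, field 4 the value.
    awk '/^PASSWORD [a-z_]+ = / { print "ES_PASSWORD_" toupper($2) "=" $4 }' "$in" >> "$out"
    wc -l < "$out" | tr -d ' '
}

# Look up one user's password from the saved file.
es_password() {
    file=$1
    user=$(printf '%s' "$2" | tr 'a-z' 'A-Z')
    sed -n "s/^ES_PASSWORD_${user}=//p" "$file"
}

# Constructed sample of the tool's output (values made up for this example).
ES_SETUP_LOG=$(mktemp)
cat > "$ES_SETUP_LOG" <<'EOF'
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
The passwords will be randomly generated and printed to the console.
Please confirm that you would like to continue [y/N]y
Changed password for user apm_system
PASSWORD apm_system = Aaaa1111bbbb2222cccc
Changed password for user kibana
PASSWORD kibana = Kkkk3333dddd4444eeee
Changed password for user elastic
PASSWORD elastic = Eeee5555ffff6666gggg
EOF
ES_PASSWORD_FILE=$(mktemp -d)/es-passwords
ES_SAVED_COUNT=$(save_setup_passwords "$ES_SETUP_LOG" "$ES_PASSWORD_FILE")
echo "saved $ES_SAVED_COUNT passwords to $ES_PASSWORD_FILE"
```

Because the file is created with `umask 077` before the first write, no window exists in which another local user could read it; the line count returned by `save_setup_passwords` should be 6 for a complete run against the six reserved users listed in the tool's output.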
5. Test

Open localhost:9200/9201/9202 in the browser; you are asked for credentials. Enter `elastic` and the matching password.

Open localhost:5601 in the browser.
6. Forgotten password

What if you forget the password after generating it? You can go into the machine and change it.

Enter the ES machine:

```sh
sudo docker exec -it es01 /bin/bash
```

Create a temporary superuser named `ryan`:

```
./bin/elasticsearch-users useradd ryan -r superuser
Enter new password:
ERROR: Invalid password...passwords must be at least [6] characters long
[root@cfeeab4bb0eb elasticsearch]# ./bin/elasticsearch-users useradd ryan -r superuser
Enter new password:
Retype new password:
```

Use this user to change the `elastic` password:

```sh
curl -XPUT -u ryan:ryan123 http://localhost:9200/_xpack/security/user/elastic/_password -H "Content-Type: application/json" -d '
{
  "password": "q5f2qNfUJQyvZPIz57MZ"
}'
```
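The recovery works, but the `curl` line above places both the temporary superuser's password and the new `elastic` password on the command line, where they are visible in `ps` output and in the shell history, and the temporary superuser stays behind with full privileges. The script below is an added example, not part of the original post, that packages the same steps with those points addressed: credentials are handed to curl through a mode 0600 config file, the JSON body is built with proper escaping and sent via stdin, the 6-character minimum from the ERROR line above is checked before the request, and the temporary user is deleted afterwards. It uses the 7.x `/_security` path, of which the `/_xpack/security` path used above is the deprecated alias. The temporary user name, node URL, file paths and working directory (`/usr/share/elasticsearch`) are assumptions for this example.

```sh
#!/bin/sh
# Added example (not from the original post): the password recovery as a script that
# keeps both passwords off the command line, validates the new password, and removes
# the temporary superuser once the reset is done.

# Elasticsearch refuses passwords shorter than 6 characters (see the ERROR line above).
es_password_ok() {
    [ ${#1} -ge 6 ]
}

# Build the JSON body for the change-password API. Backslashes and double quotes are
# escaped so that a password containing them cannot break out of the JSON string.
es_password_body() {
    escaped=$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')
    printf '{"password":"%s"}' "$escaped"
}

# Write a curl config file (mode 0600) carrying the temporary superuser's credentials,
# so that curl reads them with -K instead of taking them from its arguments.
write_curl_auth() {
    # $1 = output path, $2 = user, $3 = password
    old_umask=$(umask); umask 077
    printf 'user = "%s:%s"\n' "$2" "$3" > "$1"
    umask "$old_umask"
}

# Reset $3's password to $4 on the node at $1, authenticating with the curl config in $2.
# Returns 0 only when the API answers 200.
reset_es_password() {
    url=$1; auth_cfg=$2; target_user=$3; new_password=$4
    es_password_ok "$new_password" || { echo "password too short" >&2; return 1; }
    status=$(es_password_body "$new_password" | curl -s -o /dev/null -w '%{http_code}' \
        -K "$auth_cfg" -X PUT -H 'Content-Type: application/json' -d @- \
        "$url/_security/user/$target_user/_password")
    [ "$status" = "200" ]
}

# Typical sequence inside the container (not executed here; $TMP_PW and $NEW_PW are
# placeholders the operator fills in, for example with `read -s`):
#   ./bin/elasticsearch-users useradd ryan -r superuser          # prompts for $TMP_PW
#   write_curl_auth /root/.es-tmp-auth ryan "$TMP_PW"
#   reset_es_password http://localhost:9200 /root/.es-tmp-auth elastic "$NEW_PW"
#   rm -f /root/.es-tmp-auth
#   ./bin/elasticsearch-users userdel ryan                       # drop the temporary superuser
```

The `userdel` at the end matters as much as the reset itself: a leftover file-realm superuser with a short password is an extra way into the cluster that the `elastic` password change does nothing about.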