Configuring security authentication for an ELK cluster

I. Generate certificates

Cluster layout:

hostname    IP
es1         192.168.1.5
es2         192.168.1.6
es3         192.168.1.7
kibana      192.168.1.8
logstash    192.168.1.15

1. Create the CA certificate

[elk@es1 elasticsearch]$ bin/elasticsearch-certutil ca
......
Please enter the desired output file [elastic-stack-ca.p12]: # press Enter here to keep the default name
Enter password for elastic-stack-ca.p12 : # enter a password here (may be left empty)

2. Use the CA created above to create the certificate file for node es1:

[elk@es1 elasticsearch]$ bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 --ip 192.168.1.5
......
Enter password for CA (elastic-stack-ca.p12) : # the password you set in the previous step
Please enter the desired output file [elastic-certificates.p12]: es1-certificates.p12 # note the naming convention
Enter password for es1-certificates.p12 : 

Certificates written to /app/elk/elasticsearch/es1-certificates.p12

3. Create the certificate file for es2 in the same way:

[elk@es1 elasticsearch]$ bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 --ip 192.168.1.6
......
Enter password for CA (elastic-stack-ca.p12) : 
Please enter the desired output file [elastic-certificates.p12]: es2-certificates.p12 # note the naming
Enter password for es1-certificates.p12 : 

Certificates written to /app/elk/elasticsearch/es2-certificates.p12

4. Create the certificate file for es3:

[elk@es1 elasticsearch]$ bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 --ip 192.168.1.7
......
Enter password for CA (elastic-stack-ca.p12) : 
Please enter the desired output file [elastic-certificates.p12]: es3-certificates.p12 # note the naming
Enter password for es1-certificates.p12 : 

Certificates written to /app/elk/elasticsearch/es3-certificates.p12

5. Generate the certificate needed by logstash:

[elk@es1 elasticsearch]$ openssl pkcs12 -in elastic-stack-ca.p12 -clcerts -nokeys > logstash.cer
[elk@es1 elasticsearch]$ openssl x509 -in logstash.cer -out logstash.pem

6. Generate the certificate that kibana will need later:

[elk@es1 elasticsearch]$ ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 -name "CN=something,OU=Consulting Team,DC=mydomain,DC=com"
......
Enter password for CA (elastic-stack-ca.p12) : 
Please enter the desired output file [CN=something,OU=Consulting Team,DC=mydomain,DC=com.p12]: client.p12
Enter password for client.p12 : 

Certificates written to /app/elk/elasticsearch/client.p12

II. Configure the ES cluster:

1. Copy the certificates to the config/cert directory on each node:

[elk@es1 elasticsearch]$ cp elastic-stack-ca.p12 config/cert/
[elk@es1 elasticsearch]$ cp es1-certificates.p12 config/cert/
[elk@es1 elasticsearch]$ scp elastic-stack-ca.p12 es2-certificates.p12 es2:/app/elk/elasticsearch/config/cert/
root@192.168.1.6's password: 
elastic-stack-ca.p12                                              100% 2527     1.2MB/s   00:00    
es2-certificates.p12                                              100% 3467     1.0MB/s   00:00    
[elk@es1 elasticsearch]$ scp elastic-stack-ca.p12 es3-certificates.p12 es3:/app/elk/elasticsearch/config/cert/
root@192.168.1.7's password: 
elastic-stack-ca.p12                                              100% 2527     1.2MB/s   00:00    
es3-certificates.p12                                              100% 3467     1.1MB/s   00:00    

2. Edit the es1 configuration file:

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: cert/es1-certificates.p12
xpack.security.transport.ssl.truststore.path: cert/elastic-stack-ca.p12

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path:  cert/es1-certificates.p12
xpack.security.http.ssl.truststore.path:  cert/elastic-stack-ca.p12
xpack.security.http.ssl.client_authentication: optional

3. Edit the es2 configuration file:

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: cert/es2-certificates.p12
xpack.security.transport.ssl.truststore.path: cert/elastic-stack-ca.p12

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path:  cert/es2-certificates.p12
xpack.security.http.ssl.truststore.path:  cert/elastic-stack-ca.p12
xpack.security.http.ssl.client_authentication: optional

4. Edit the es3 configuration file:

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: cert/es3-certificates.p12
xpack.security.transport.ssl.truststore.path: cert/elastic-stack-ca.p12

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path:  cert/es3-certificates.p12
xpack.security.http.ssl.truststore.path:  cert/elastic-stack-ca.p12
xpack.security.http.ssl.client_authentication: optional

5. Restart all ES nodes

[elk@es1 elasticsearch]$ bin/elasticsearch -d

6. After the restart, visit http://192.168.1.5:9200/_cat/health?v; you will now be prompted for a username and password.

We have not set any passwords yet, so set them now (note: ES must be running while the passwords are set):

[elk@es1 ~]$ cd /usr/share/elasticsearch/bin
[elk@es1 bin]$ ./elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y


Enter password for [elastic]: 
Reenter password for [elastic]: 
Enter password for [apm_system]: 
Reenter password for [apm_system]: 
Enter password for [kibana]: 
Reenter password for [kibana]: 
Enter password for [logstash_system]: 
Reenter password for [logstash_system]: 
Enter password for [beats_system]: 
Reenter password for [beats_system]: 
Enter password for [remote_monitoring_user]: 
Reenter password for [remote_monitoring_user]: 
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]

As shown, we set passwords for 6 users. Once that is done, visit http://192.168.1.3:9200/_cat/health?v again and log in with username elastic and password 123456 to see the cluster health status.
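Three near-identical node configurations invite copy-paste mistakes, such as a node shipped with another node's keystore or HTTP TLS left switched off. The following is an added example, not part of the original post, that lints an elasticsearch.yml fragment in the flat key: value form used above; both sample fragments are constructed from the es1 block, and the second deliberately carries three such mistakes.

```python
# Constructed sample: the es1 fragment as the post lists it.
SAMPLE_ES1 = """\
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: cert/es1-certificates.p12
xpack.security.transport.ssl.truststore.path: cert/elastic-stack-ca.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path:  cert/es1-certificates.p12
xpack.security.http.ssl.truststore.path:  cert/elastic-stack-ca.p12
xpack.security.http.ssl.client_authentication: optional
"""

# Constructed sample: an es3 file pasted from es2 with the keystore left unchanged
# and HTTP TLS switched off (three mistakes the linter should report).
SAMPLE_MISCOPIED = SAMPLE_ES1.replace("es1-", "es2-").replace(
    "http.ssl.enabled: true", "http.ssl.enabled: false")

def parse_flat_yaml(text):
    """Parse flat 'dotted.key: value' lines (the style used in elasticsearch.yml)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"')
    return settings

def check_node(text, node_name):
    """Return findings for one node; an empty list means the fragment matches the hardened layout."""
    s = parse_flat_yaml(text)
    findings = []
    for key in ("xpack.security.enabled",
                "xpack.security.transport.ssl.enabled",
                "xpack.security.http.ssl.enabled"):
        if s.get(key) != "true":
            findings.append(f"{key} must be true")
    for layer in ("transport", "http"):
        ks = s.get(f"xpack.security.{layer}.ssl.keystore.path", "")
        if not ks.endswith(f"{node_name}-certificates.p12"):
            findings.append(f"{layer} keystore is not this node's own cert: {ks!r}")
        if s.get(f"xpack.security.{layer}.ssl.truststore.path") != "cert/elastic-stack-ca.p12":
            findings.append(f"{layer} truststore is not the cluster CA")
    if s.get("xpack.security.transport.ssl.verification_mode") not in ("certificate", "full"):
        findings.append("transport verification_mode should be certificate or full")
    return findings
```

Running check_node over each node's real file before the restart in step 5 catches these mistakes before the node fails to join the cluster.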

III. Configure kibana

1. Above, on es1, we created the certificate client.p12 for kibana; now copy it to kibana's config directory:

[root@es1 elasticsearch]# scp client.p12 kibana:/app/elk/kibana/config/

2. Use client.p12 to generate the other certificates needed:

# client.cer: the client certificate on its own, without the private key
[elk@localhost config]$ openssl pkcs12 -in client.p12 -clcerts -nokeys > client.cer
Enter Import Password:
MAC verified OK
# client-ca.cer is used by kibana to authenticate the ES cluster
[elk@localhost config]$ openssl pkcs12 -in client.p12 -cacerts -nokeys -chain > client-ca.cer
Enter Import Password:
MAC verified OK
# server.crt and server.key below are used to enable SSL access to kibana itself
[elk@localhost config]$ openssl req -newkey rsa:2048 -nodes -keyout server.key -x509 -days 3650 -out server.crt -subj "/C=CN/ST=tj/L=tj/O=sgcc/OU=elk/"
Generating a 2048 bit RSA private key
...........+++
.............................+++
writing new private key to 'server.key'
-----

3. Edit the Kibana configuration file:

[root@kibana ~]# vim /etc/kibana/kibana.yml 
server.port: 5601
server.host: "192.168.1.8"
server.name: "kibana"
elasticsearch.hosts: ["https://192.168.1.5:9200","https://192.168.1.6:9200","https://192.168.1.7:9200"]
i18n.locale: "zh-CN"
# security settings below
xpack.security.enabled: true
elasticsearch.username: "elastic"
elasticsearch.password: "123456"
elasticsearch.ssl.certificateAuthorities: config/client-ca.cer
elasticsearch.ssl.verificationMode: certificate
xpack.security.encryptionKey: "4297f44b13955235245b2497399d7a93"
xpack.reporting.encryptionKey: "4297f44b13955235245b2497399d7a93"
server.ssl.enabled: true
server.ssl.certificate: config/server.crt
server.ssl.key: config/server.key

4. Adjust the permissions on the certificate files above so that the user that starts kibana can read them:

[root@kibana ~]# chown -R elk:elk /app

Then restart Kibana and visit https://192.168.1.8:5601 again. Enter username elastic and password 123456 to log in.

IV. Configure logstash

The output section of the logstash configuration writes to the ES cluster, and we have just enabled security authentication on that cluster, so the logstash configuration must also be updated:

1. Likewise, first copy the logstash.pem certificate generated on es1 to logstash's config directory:

[root@es1 elasticsearch]# scp logstash.pem logstash:/app/elk/logstash/config/

2. Edit the logstash configuration file:

node.name: logstash
pipeline.id: logstash
pipeline.workers: 3
pipeline.batch.size: 5000
pipeline.batch.delay: 200
http.host: "0.0.0.0"
http.port: 19600-19700
xpack.monitoring.enabled: true
xpack.monitoring.elasticsearch.username: elastic
xpack.monitoring.elasticsearch.password: "123456"
xpack.monitoring.elasticsearch.hosts: ["https://192.168.1.5:9200", "https://192.168.1.6:9200", "https://192.168.1.7:9200"]
xpack.monitoring.elasticsearch.ssl.certificate_authority: config/logstash.pem
xpack.monitoring.elasticsearch.ssl.verification_mode: certificate

3. In the output section, configure the ES cluster's username, password and certificate:

output {
    elasticsearch {
        hosts => ["https://192.168.1.5:9200", "https://192.168.1.6:9200", "https://192.168.1.7:9200"]
        index => "elk-heartbeat"
        user => "elastic"
        password => "123456"
        ssl => true
        cacert => "/app/elk/logstash/config/logstash.pem"
    }
}

Once configured, start logstash again; it now starts normally.
