[elasticsearch] X-Pack authentication

1. Create the CA certificate and private key

cd /esdb/esapp/esapp9201/config
/esdb/esapp/esapp9201/bin/elasticsearch-certutil ca
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.
The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.
Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority
By default the 'ca' mode produces a single PKCS#12 output file which holds:
    * The CA certificate
    * The CA's private key
If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key
Please enter the desired output file [elastic-stack-ca.p12]: enter
Enter password for elastic-stack-ca.p12 : esadmin  --enter the password.

--Generated file:
/esdb/esapp/esapp9201/elastic-stack-ca.p12

2. Issue a certificate for the cluster nodes, signed by the CA.

cd /esdb/esapp/esapp9201/config
/esdb/esapp/esapp9201/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

Enter password for CA (elastic-stack-ca.p12) : esadmin
Please enter the desired output file [elastic-certificates.p12]: elastic-certificates.p12
Enter password for elastic-certificates.p12 : esadmin 

-rw-------  1 esadmin esadmin   3596 Jun 29 16:28 elastic-certificates.p12
-rw-------  1 esadmin esadmin   2656 Jun 29 16:26 elastic-stack-ca.p12

--The certificate and private key (the two .p12 files) stay in the config directory, next to elasticsearch.yml.

3. Store the keystore and truststore passwords in the Elasticsearch keystore (enter "esadmin" at each prompt).

/esdb/esapp/esapp9201/bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password


/esdb/esapp/esapp9201/bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

4. Copy the files to the other nodes

--Stop the target nodes before copying the files into place.
cd /esdb/esapp/esapp9201/config
cp elastic-certificates.p12 elasticsearch.keystore elastic-stack-ca.p12 /esdb/esapp/esapp9202/config/
cp elastic-certificates.p12 elasticsearch.keystore elastic-stack-ca.p12 /esdb/esapp/esapp9203/config/

5. Configure the transport certificate (on every node)

The settings appended below point both the keystore and the truststore at elastic-certificates.p12; their passwords are the secure settings added to the keystore in step 3, so they are never written into elasticsearch.yml.

for n in 9201 9202 9203; do
cat >> /esdb/esapp/esapp$n/config/elasticsearch.yml << EOF
# transport-layer TLS between nodes, signed by the CA from step 1
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
EOF
done

6. Restart all ES nodes

ps -ef|grep java|grep esapp|awk '{print $2}'|xargs kill -9

/esdb/esapp/esapp9201/bin/elasticsearch &
/esdb/esapp/esapp9202/bin/elasticsearch &
/esdb/esapp/esapp9203/bin/elasticsearch &

7. Verify

Access ES:
[esadmin@oracle1 ~]$ curl http://192.168.1.7:9201/_cat/nodes?v 
curl: (7) Failed connect to 192.168.1.7:9201; Connection refused

8. Reset the passwords.

Set the passwords for the elastic user and the other built-in system users.
Run the reset on the master node.
Passwords must be set for 7 users: elastic, apm_system, kibana, kibana_system, logstash_system, beats_system, remote_monitoring_user

[esadmin@oracle1 bin]$ /esdb/esapp/esapp9203/bin/elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y
Enter password for [elastic]: esadmin
Reenter password for [elastic]: esadmin
Enter password for [apm_system]: esadmin
Reenter password for [apm_system]: esadmin
Enter password for [kibana_system]: esadmin
Reenter password for [kibana_system]: esadmin
Enter password for [logstash_system]: esadmin
Reenter password for [logstash_system]: esadmin
Enter password for [beats_system]: esadmin
Reenter password for [beats_system]: esadmin
Enter password for [remote_monitoring_user]: esadmin
Reenter password for [remote_monitoring_user]: esadmin
Changed password for user [apm_system] 
Changed password for user [kibana_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]

9. Verify.

Kibana can now be accessed by logging in as elastic/esadmin.

--Connections currently only succeed through the master node.
curl -u elastic:esadmin 'http://192.168.1.7:9203/_cat/nodes?v' 
ip          heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
192.168.1.7           75          64   2    0.05    0.21     0.44 dilmt     *      esdb-node-3
192.168.1.7           51          64   2    0.05    0.21     0.44 dilmt     -      esdb-node-2

[esadmin@oracle1 config]$ curl -u elastic http://192.168.1.7:9203/_cat/nodes?v
Enter host password for user 'elastic': esadmin
ip          heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
192.168.1.7           57          64   7    0.10    0.24     0.46 dilmt     *      esdb-node-3
192.168.1.7           74          64  10    0.10    0.24     0.46 dilmt     -      esdb-node-2
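A small post-setup check script for the procedure above (an added example, not part of the original post). It verifies the three points a reviewer would want confirmed on each node: the .p12 files and elasticsearch.keystore are mode 600 as in the step 2 listing, elasticsearch.yml carries the transport-TLS settings from step 5, and an unauthenticated HTTP request is refused with 401. The config directory and URL are passed as arguments; the paths in the comments are the ones the post uses.

```sh
#!/bin/sh
# Post-setup checks for the X-Pack TLS/auth procedure (added example).

# check_perms FILE: the .p12 files and elasticsearch.keystore hold private
# key material and secure passwords, so they must be mode 600 (-rw-------).
check_perms() {
  [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# check_yml FILE: every transport-TLS setting from step 5 must be present.
check_yml() {
  for key in xpack.security.enabled \
             xpack.security.transport.ssl.enabled \
             xpack.security.transport.ssl.keystore.path \
             xpack.security.transport.ssl.truststore.path; do
    grep -q "^${key}:" "$1" || { echo "missing ${key} in $1" >&2; return 1; }
  done
}

# check_anon URL: with security enabled an anonymous request must get HTTP 401,
# never a cluster listing like the one /_cat/nodes returns to elastic.
check_anon() {
  [ "$(curl -s -o /dev/null -w '%{http_code}' "$1")" = "401" ]
}

# run_checks CONFIG_DIR URL, e.g.
#   run_checks /esdb/esapp/esapp9203/config http://192.168.1.7:9203/_cat/nodes
run_checks() {
  rc=0
  for f in elastic-stack-ca.p12 elastic-certificates.p12 elasticsearch.keystore; do
    check_perms "$1/$f" || { echo "bad permissions on $1/$f" >&2; rc=1; }
  done
  check_yml "$1/elasticsearch.yml" || rc=1
  check_anon "$2" || { echo "anonymous request to $2 was not refused" >&2; rc=1; }
  return $rc
}

# run the checks only when a config directory and URL are given on the command line
if [ "$#" -ge 2 ]; then
  run_checks "$1" "$2"
fi
```

Run it once per node after step 9; a non-zero exit lists which check failed.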
