文章目录
- 概述
- 实操
- Step 1 验证当前版本是否支持安全功能
- Step 2 打开安全设置
- Step 3 配置节点间通讯传输的安全性
- 创建证书颁发机构
- 为Elasticsearch集群中的节点生成证书
- Step 4 修改 elasticsearch.yml配置
- 设置 用户名和密码
概述
ES版本: 7.6
官方指导手册: https://www.elastic.co/guide/en/elasticsearch/reference/7.6/configuring-security.html
翻译一下:
-
验证当前版本是否支持安全功能
-
是否打开安全设置
-
基于FIPS的一些验证
-
配置节点间通讯传输的安全性
-
配置内置用户的密码
-
选择用户验证用户身份的领域类型
-
设置角色和用户以控制对Elasticsearch的访问
-
启用审核以跟踪与Elasticsearch集群的尝试和成功的交互
如果只是启用账号密码, 只需要如下几个步骤
- 验证当前版本是否支持安全功能
- 是否打开安全设置
- 配置节点间通讯传输的安全性
- 配置内置用户的密码
实操
Step 1 验证当前版本是否支持安全功能
ES的安全策略需要X-Pack插件的支持, 7.X以上版本X-Pack已经内置 ,我这里是7.6 ,所以忽略即可
Step 2 打开安全设置
xpack.security.enabled控制安全配置的开启, 默认情况下为false, 要想开启安全策略需要在所有集群中把改参数设置为true
Step 3 配置节点间通讯传输的安全性
ERROR: [1] bootstrap checks failed
[1]: Transport SSL must be enabled if security is enabled on a [basic] license. Please set [xpack.security.transport.ssl.enabled] to [true] or disable security by setting [xpack.security.enabled] to [false]
仅仅开启安全设置再启动服务的时候会抛出错误, 因为传输网络层用于集群中节点之间的内部通信。启用安全功能后,必须使用TLS来确保节点之间的通信已加密。
为节点间通讯配置安全策略需要两个步骤:
-
生成节点间安全策略使用的证书
-
修改各个节点的安全配置
创建证书颁发机构
推荐方法是信任签署证书的证书颁发机构(CA)。
这样将节点添加到群集后,各个节点只需要使用由同一CA签名的证书,即可自动允许该节点加入群集。
证书中可以包含与节点的IP地址和DNS名称相对应的主题备用名称以便可以执行主机名验证。
为Elasticsearch集群创建发证机构,使用下面的步骤为集群创建一个CA授权证书 ./elasticsearch-certutil ca
[artisan@localhost bin]$ ./elasticsearch-certutil ca
future versions of Elasticsearch will require Java 11; your Java version from [/usr/java/jdk1.8.0_11/jre] does not meet this requirement
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.
The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.
Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority
By default the 'ca' mode produces a single PKCS#12 output file which holds:
* The CA certificate
* The CA's private key
If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key
Please enter the desired output file [elastic-stack-ca.p12]: ①
Enter password for elastic-stack-ca.p12 : ②
[artisan@localhost bin]$
①:此位置设置文档输出地址和名称。默认名称为elastic-stack-ca.p12。这个文件是PKCS#12密钥存储库,它包含您的CA的公共证书和用于为每个节点签署证书的私有密钥。 这里我敲得回车,使用默认
②:此位置设置证书的密码。计划将来向集群添加更多的节点,记住其密码。 这里我敲得回车 ,无密码。
如下
-rw-------. 1 artisan artisan 2524 Feb 17 14:19 elastic-stack-ca.p12
为Elasticsearch集群中的节点生成证书
使用下面的名称生成集群使用的生成节点证书。elastic-stack-ca.p12为上一步生成CA证书。
-rw-------. 1 artisan artisan 2524 Feb 17 14:19 elastic-stack-ca.p12
过程如下,执行如下命令
./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
[artisan@localhost elasticsearch-7.6.2]$ ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
future versions of Elasticsearch will require Java 11; your Java version from [/usr/java/jdk1.8.0_11/jre] does not meet this requirement
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.
The 'cert' mode generates X.509 certificate and private keys.
* By default, this generates a single certificate and key for use
on a single instance.
* The '-multiple' option will prompt you to enter details for multiple
instances and will generate a certificate and key for each one
* The '-in' option allows for the certificate generation to be automated by describing
the details of each instance in a YAML file
* An instance is any piece of the Elastic Stack that requires an SSL certificate.
Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
may all require a certificate and private key.
* The minimum required value for each instance is a name. This can simply be the
hostname, which will be used as the Common Name of the certificate. A full
distinguished name may also be used.
* A filename value may be required for each instance. This is necessary when the
name would result in an invalid file or directory name. The name provided here
is used as the directory name (within the zip) and the prefix for the key and
certificate files. The filename is required if you are prompted and the name
is not displayed in the prompt.
* IP addresses and DNS names are optional. Multiple values can be specified as a
comma separated string. If no IP addresses or DNS names are provided, you may
disable hostname verification in your SSL configuration.
* All certificates generated by this tool will be signed by a certificate authority (CA).
* The tool can automatically generate a new CA for you, or you can provide your own with the
-ca or -ca-cert command line options.
By default the 'cert' mode produces a single PKCS#12 output file which holds:
* The instance certificate
* The private key for the instance certificate
* The CA certificate
If you specify any of the following options:
* -pem (PEM formatted output)
* -keep-ca-key (retain generated CA key)
* -multiple (generate multiple certificates)
* -in (generate certificates from an input file)
then the output will be be a zip file containing individual certificate/key files
Enter password for CA (elastic-stack-ca.p12) : A
Please enter the desired output file [elastic-certificates.p12]: B
Enter password for elastic-certificates.p12 : C
Certificates written to /home/artisan/elasticsearch-7.6.2/elastic-certificates.p12
This file should be properly secured as it contains the private key for
your instance.
This file is a self contained file and can be copied and used 'as is'
For each Elastic product that you wish to configure, you should copy
this '.p12' file to the relevant configuration directory
and then follow the SSL configuration instructions in the product guide.
For client applications, you may only need to copy the CA certificate and
configure the client to trust this certificate.
在输入命令后控制台会输出此命令的信息描述,然后你需要先执行{A}的操作然后执行{B}的操作,最后执行{C}的操作。
A : 输入elastic-stack-ca.p12 CA授权证书的密码 . 我这里敲得回车 ,因为上一步我没有设置密码
B : 此位置为需要输出证书位置。 我这里敲得回车,使用默认,使用当前路径
C : 此位置为证书的密码。使用空密码可以直接回车结束。
默认情况下,elasticsearch-certutil生成的证书中没有主机名信息。即集群中的任意节点使用此证书,但需要关闭主机名验证。
Step 4 修改 elasticsearch.yml配置
修改每个节点的
[artisan@localhost elasticsearch-7.6.2]$ ll
total 560
drwxr-xr-x. 2 artisan artisan 4096 Feb 14 15:46 bin
drwxr-xr-x. 2 artisan artisan 178 Feb 17 14:55 config
drwxrwxr-x. 3 artisan artisan 19 Feb 14 15:50 data
-rw-------. 1 artisan artisan 3440 Feb 17 14:50 elastic-certificates.p12
-rw-------. 1 artisan artisan 2524 Feb 17 14:19 elastic-stack-ca.p12
drwxr-xr-x. 9 artisan artisan 107 Feb 14 15:46 jdk
drwxr-xr-x. 3 artisan artisan 4096 Feb 14 15:46 lib
-rw-r--r--. 1 artisan artisan 13675 Feb 14 15:46 LICENSE.txt
drwxr-xr-x. 2 artisan artisan 4096 Feb 17 08:49 logs
drwxr-xr-x. 38 artisan artisan 4096 Feb 14 15:46 modules
-rw-r--r--. 1 artisan artisan 523209 Feb 14 15:46 NOTICE.txt
drwxr-xr-x. 2 artisan artisan 6 Feb 14 15:46 plugins
-rw-r--r--. 1 artisan artisan 8164 Feb 14 15:46 README.asciidoc
[artisan@localhost elasticsearch-7.6.2]$
[artisan@localhost elasticsearch-7.6.2]$ mkdir cert
[artisan@localhost elasticsearch-7.6.2]$ mv elastic-certificates.p12 ./cert/
[artisan@localhost elasticsearch-7.6.2]$ mv elastic-stack-ca.p12 ./cert/
[artisan@localhost elasticsearch-7.6.2]$
[artisan@localhost elasticsearch-7.6.2]$
[artisan@localhost elasticsearch-7.6.2]$
[artisan@localhost elasticsearch-7.6.2]$
[artisan@localhost elasticsearch-7.6.2]$
[artisan@localhost elasticsearch-7.6.2]$ ll
total 552
drwxr-xr-x. 2 artisan artisan 4096 Feb 14 15:46 bin
drwxrwxr-x. 2 artisan artisan 66 Feb 17 14:56 cert
drwxr-xr-x. 2 artisan artisan 178 Feb 17 14:55 config
drwxrwxr-x. 3 artisan artisan 19 Feb 14 15:50 data
drwxr-xr-x. 9 artisan artisan 107 Feb 14 15:46 jdk
drwxr-xr-x. 3 artisan artisan 4096 Feb 14 15:46 lib
-rw-r--r--. 1 artisan artisan 13675 Feb 14 15:46 LICENSE.txt
drwxr-xr-x. 2 artisan artisan 4096 Feb 17 08:49 logs
drwxr-xr-x. 38 artisan artisan 4096 Feb 14 15:46 modules
-rw-r--r--. 1 artisan artisan 523209 Feb 14 15:46 NOTICE.txt
drwxr-xr-x. 2 artisan artisan 6 Feb 14 15:46 plugins
-rw-r--r--. 1 artisan artisan 8164 Feb 14 15:46 README.asciidoc
[artisan@localhost elasticsearch-7.6.2]$
[artisan@localhost elasticsearch-7.6.2]$ mv cert ./config/
[artisan@localhost elasticsearch-7.6.2]$ tree ./config/cert/
./config/cert/
├── elastic-certificates.p12
└── elastic-stack-ca.p12
0 directories, 2 files
[artisan@localhost elasticsearch-7.6.2]$ tree ./config/
./config/
├── cert
│ ├── elastic-certificates.p12
│ └── elastic-stack-ca.p12
├── elasticsearch.keystore
├── elasticsearch.yml
├── jvm.options
├── log4j2.properties
├── role_mapping.yml
├── roles.yml
├── users
└── users_roles
1 directory, 10 files
将elastic-stack-ca.p12文件(只需要此文件)复制到每个节点上的Elasticsearch配置目录中的一个目录中。比如我是放到了每个节点的config/cert目录下。
然后修改每个节点的elasticsearch.yml配置。
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: cert/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: cert/elastic-certificates.p12
xpack.security.transport.ssl.verification_mode 如果在elasticsearch-certutil cert命令中使用—dns或—ip选项,并且希望启用严格的主机名检查,此参数需要设置为full。这里我们没有使用严格的主机检查。
设置 用户名和密码
保证ES是启动状态。
如果elastic用户没有密码,则使用默认的引导密码。 使用bin/elasticsearch-setup-passwords interactive命令
[artisan@localhost elasticsearch-7.6.2]$ ./bin/elasticsearch-setup-passwords interactive
future versions of Elasticsearch will require Java 11; your Java version from [/usr/java/jdk1.8.0_11/jre] does not meet this requirement
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y
Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Passwords do not match.
Try again.
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]
[artisan@localhost elasticsearch-7.6.2]$
[artisan@localhost elasticsearch-7.6.2]$
[artisan@localhost elasticsearch-7.6.2]$
需要设置多个默认用户的信息,每个内置用户负责不同的内容。
elastic -----> 超级用户
kibana ----->负责Kibana连接Elasticsearch
logstash_system ----->Logstash将监控信息存储在Elasticsearch中时使用
beats_system ----->Beats在Elasticsearch中存储监视信息时使用
apm_system ----->APM服务器在Elasticsearch中存储监视信息时使用
remote_monitoring_user-----> Metricbeat用户在Elasticsearch中收集和存储监视信息时使用
无需重启,直接访问 http://ip:9200/ 弹出校验框, 输入 elastic 和 设置的密码 即可进入。
over over
