Elasticsearch - Configuring security in Elasticsearch: enabling username and password access



Overview


ES version: 7.6

Official guide: https://www.elastic.co/guide/en/elasticsearch/reference/7.6/configuring-security.html


The steps from the official guide, translated:

  • Verify that the current version supports the security features
  • Turn on the security settings
  • FIPS-related configuration
  • Configure security for the transport layer (communication between nodes)
  • Set the passwords of the built-in users
  • Choose the realm types used to authenticate users
  • Set up roles and users to control access to Elasticsearch
  • Enable auditing to keep track of attempted and successful interactions with the Elasticsearch cluster

If you only want username/password login, only the following steps are needed:

  • Verify that the current version supports the security features
  • Turn on the security settings
  • Configure security for the transport layer (communication between nodes)
  • Set the passwords of the built-in users


Hands-on


Step 1: Verify that the current version supports the security features




The security features depend on X-Pack. In 7.x X-Pack is bundled with the default distribution (the separate OSS distribution does not contain it and cannot be secured this way); a quick check on a running node is GET /_xpack, where features.security.available must be true. I am on 7.6, so this step can be skipped.


Step 2: Turn on the security settings




xpack.security.enabled switches the security features on. On a basic license it defaults to false; to enable them, set it to true in elasticsearch.yml on every node of the cluster (all nodes must use the same value).



Step 3: Configure security for the transport layer (communication between nodes)

ERROR: [1] bootstrap checks failed
[1]: Transport SSL must be enabled if security is enabled on a [basic] license. Please set [xpack.security.transport.ssl.enabled] to [true] or disable security by setting [xpack.security.enabled] to [false]


Turning on security and then starting the service is not enough: it fails with the bootstrap check above, because the transport layer carries the cluster's internal node-to-node traffic, and once the security features are enabled on a basic license TLS must be configured there so that traffic between nodes is encrypted and nodes authenticate each other.

Securing the transport layer takes two steps:

  • generate the certificates the nodes will use
  • change the security configuration on each node


Create a certificate authority

The recommended approach is to trust the certificate authority (CA) that signs the node certificates.

Then, when nodes are added to the cluster, each node only needs a certificate signed by that same CA to be accepted into the cluster.

The certificates can carry subject alternative names (SANs) matching the node's IP address and DNS name so that hostname verification can be performed.

To create a CA for the Elasticsearch cluster, run ./elasticsearch-certutil ca:

[artisan@localhost bin]$ ./elasticsearch-certutil ca
future versions of Elasticsearch will require Java 11; your Java version from [/usr/java/jdk1.8.0_11/jre] does not meet this requirement
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.
The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.
Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority
By default the 'ca' mode produces a single PKCS#12 output file which holds:
    * The CA certificate
    * The CA's private key
If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key
Please enter the desired output file [elastic-stack-ca.p12]:    ①
Enter password for elastic-stack-ca.p12 :  ②
[artisan@localhost bin]$


①: output file path and name. The default is elastic-stack-ca.p12. This file is a PKCS#12 keystore holding the CA's public certificate and the private key used to sign the certificate of each node. I pressed Enter here to accept the default.

②: password for the CA keystore. This password protects the CA private key: whoever can read elastic-stack-ca.p12 and knows the password (or there is none) can sign a certificate that every node in the cluster will trust, so keep the file in a restricted place rather than on the nodes. If you plan to add nodes to the cluster later, you will need the file and its password again. I pressed Enter here, no password.

Result:


-rw-------. 1 artisan artisan 2524 Feb 17 14:19 elastic-stack-ca.p12

Generate certificates for the nodes in the cluster

Use the following command to generate the certificate the nodes will use. elastic-stack-ca.p12 is the CA generated in the previous step.


[artisan@localhost elasticsearch-7.6.2]$ ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
future versions of Elasticsearch will require Java 11; your Java version from [/usr/java/jdk1.8.0_11/jre] does not meet this requirement
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.
The 'cert' mode generates X.509 certificate and private keys.
    * By default, this generates a single certificate and key for use
       on a single instance.
    * The '-multiple' option will prompt you to enter details for multiple
       instances and will generate a certificate and key for each one
    * The '-in' option allows for the certificate generation to be automated by describing
       the details of each instance in a YAML file
    * An instance is any piece of the Elastic Stack that requires an SSL certificate.
      Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
      may all require a certificate and private key.
    * The minimum required value for each instance is a name. This can simply be the
      hostname, which will be used as the Common Name of the certificate. A full
      distinguished name may also be used.
    * A filename value may be required for each instance. This is necessary when the
      name would result in an invalid file or directory name. The name provided here
      is used as the directory name (within the zip) and the prefix for the key and
      certificate files. The filename is required if you are prompted and the name
      is not displayed in the prompt.
    * IP addresses and DNS names are optional. Multiple values can be specified as a
      comma separated string. If no IP addresses or DNS names are provided, you may
      disable hostname verification in your SSL configuration.
    * All certificates generated by this tool will be signed by a certificate authority (CA).
    * The tool can automatically generate a new CA for you, or you can provide your own with the
         -ca or -ca-cert command line options.
By default the 'cert' mode produces a single PKCS#12 output file which holds:
    * The instance certificate
    * The private key for the instance certificate
    * The CA certificate
If you specify any of the following options:
    * -pem (PEM formatted output)
    * -keep-ca-key (retain generated CA key)
    * -multiple (generate multiple certificates)
    * -in (generate certificates from an input file)
then the output will be be a zip file containing individual certificate/key files
Enter password for CA (elastic-stack-ca.p12) :   A
Please enter the desired output file [elastic-certificates.p12]:  B
Enter password for elastic-certificates.p12 :  C
Certificates written to /home/artisan/elasticsearch-7.6.2/elastic-certificates.p12
This file should be properly secured as it contains the private key for
your instance.
This file is a self contained file and can be copied and used 'as is'
For each Elastic product that you wish to configure, you should copy
this '.p12' file to the relevant configuration directory
and then follow the SSL configuration instructions in the product guide.
For client applications, you may only need to copy the CA certificate and
configure the client to trust this certificate.


After you enter the command, the console prints the description above and then prompts {A}, {B} and {C} in turn.

A: the password of the CA keystore elastic-stack-ca.p12. I pressed Enter here, because I set none in the previous step.

B: the output file for the node certificate. I pressed Enter, accepting the default, which writes into the current directory.

C: the password of the node keystore. Pressing Enter leaves it without a password.

By default the certificate generated by elasticsearch-certutil carries no hostname information (no SANs). That means every node in the cluster can use this one certificate, but hostname verification has to be turned off. The trade-off is that all nodes then share one certificate and private key: a copy of elastic-certificates.p12 taken from any node can authenticate as any node on the transport port, so keep the file mode 600 and prefer per-node certificates generated with --dns/--ip where you can.


Step 4: Modify elasticsearch.yml

Modify each node's configuration:

[artisan@localhost elasticsearch-7.6.2]$ ll
total 560
drwxr-xr-x.  2 artisan artisan   4096 Feb 14 15:46 bin
drwxr-xr-x.  2 artisan artisan    178 Feb 17 14:55 config
drwxrwxr-x.  3 artisan artisan     19 Feb 14 15:50 data
-rw-------.  1 artisan artisan   3440 Feb 17 14:50 elastic-certificates.p12
-rw-------.  1 artisan artisan   2524 Feb 17 14:19 elastic-stack-ca.p12
drwxr-xr-x.  9 artisan artisan    107 Feb 14 15:46 jdk
drwxr-xr-x.  3 artisan artisan   4096 Feb 14 15:46 lib
-rw-r--r--.  1 artisan artisan  13675 Feb 14 15:46 LICENSE.txt
drwxr-xr-x.  2 artisan artisan   4096 Feb 17 08:49 logs
drwxr-xr-x. 38 artisan artisan   4096 Feb 14 15:46 modules
-rw-r--r--.  1 artisan artisan 523209 Feb 14 15:46 NOTICE.txt
drwxr-xr-x.  2 artisan artisan      6 Feb 14 15:46 plugins
-rw-r--r--.  1 artisan artisan   8164 Feb 14 15:46 README.asciidoc
[artisan@localhost elasticsearch-7.6.2]$
[artisan@localhost elasticsearch-7.6.2]$ mkdir cert
[artisan@localhost elasticsearch-7.6.2]$ mv elastic-certificates.p12 ./cert/
[artisan@localhost elasticsearch-7.6.2]$ mv elastic-stack-ca.p12  ./cert/
[artisan@localhost elasticsearch-7.6.2]$
[artisan@localhost elasticsearch-7.6.2]$ ll
total 552
drwxr-xr-x.  2 artisan artisan   4096 Feb 14 15:46 bin
drwxrwxr-x.  2 artisan artisan     66 Feb 17 14:56 cert
drwxr-xr-x.  2 artisan artisan    178 Feb 17 14:55 config
drwxrwxr-x.  3 artisan artisan     19 Feb 14 15:50 data
drwxr-xr-x.  9 artisan artisan    107 Feb 14 15:46 jdk
drwxr-xr-x.  3 artisan artisan   4096 Feb 14 15:46 lib
-rw-r--r--.  1 artisan artisan  13675 Feb 14 15:46 LICENSE.txt
drwxr-xr-x.  2 artisan artisan   4096 Feb 17 08:49 logs
drwxr-xr-x. 38 artisan artisan   4096 Feb 14 15:46 modules
-rw-r--r--.  1 artisan artisan 523209 Feb 14 15:46 NOTICE.txt
drwxr-xr-x.  2 artisan artisan      6 Feb 14 15:46 plugins
-rw-r--r--.  1 artisan artisan   8164 Feb 14 15:46 README.asciidoc
[artisan@localhost elasticsearch-7.6.2]$
[artisan@localhost elasticsearch-7.6.2]$ mv cert  ./config/
[artisan@localhost elasticsearch-7.6.2]$ tree ./config/cert/
./config/cert/
├── elastic-certificates.p12
└── elastic-stack-ca.p12
0 directories, 2 files
[artisan@localhost elasticsearch-7.6.2]$ tree ./config/
./config/
├── cert
│   ├── elastic-certificates.p12
│   └── elastic-stack-ca.p12
├── elasticsearch.keystore
├── elasticsearch.yml
├── jvm.options
├── log4j2.properties
├── role_mapping.yml
├── roles.yml
├── users
└── users_roles
1 directory, 10 files


Copy elastic-certificates.p12 (the node keystore, which contains the node certificate, its private key and the CA certificate) into a directory under the Elasticsearch config directory on every node; this is the file the settings below refer to. elastic-stack-ca.p12 holds the CA's private key and is only needed when signing further certificates, so it does not have to be on the nodes and is better kept somewhere restricted. For example, I put it in each node's config/cert directory.

Then edit elasticsearch.yml on each node (paths are resolved relative to the config directory):

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: cert/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: cert/elastic-certificates.p12


xpack.security.transport.ssl.verification_mode: if you used the --dns or --ip options of elasticsearch-certutil cert and want strict hostname checking, set this to full. We are not using strict hostname checking here, so certificate (verify the chain against the CA, ignore the hostname) is the value that matches the certificate generated above. If you gave the node keystore a password in step C, do not write it into elasticsearch.yml; store it in the Elasticsearch keystore instead with bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password, and the same for xpack.security.transport.ssl.truststore.secure_password.
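The article's setup (one shared certificate, verification_mode: certificate) is the minimum that passes the bootstrap check. The script below is an added example, not code from the original article and not Elastic's own tooling: it goes one step further and generates a per-node certificate with DNS and IP subject alternative names through the --in instances file that elasticsearch-certutil accepts, so that verification_mode: full can be used, and it puts the PKCS#12 passwords into the Elasticsearch keystore instead of elasticsearch.yml. ES_HOME, the node names and addresses, the CA_PASS/NODE_PASS variables and the cert/ directory name are assumptions. generate_node_certs and install_node_cert call the real elasticsearch-certutil and elasticsearch-keystore binaries and therefore only work on a host with Elasticsearch 7.x installed; the two render_* functions are pure and can be run anywhere.

```shell
#!/bin/sh
# Added example (not from the original article or from Elastic): per-node
# transport certificates with SANs, so hostname verification can be "full".
# Assumptions: ES_HOME is an Elasticsearch 7.x install, CA_PASS/NODE_PASS are
# set by the operator, certificates live under config/cert/.
set -eu

ES_HOME="${ES_HOME:-/home/artisan/elasticsearch-7.6.2}"   # assumed install dir

# "a,b" -> "a", "b"  (items of a YAML flow sequence)
quote_list() {
  printf '%s' "$1" | sed 's/,/", "/g; s/^/"/; s/$/"/'
}

# Render the instances file consumed by `elasticsearch-certutil cert --in`.
# Each argument is name:dns-list:ip-list, e.g. node1:node1.example.internal:10.0.0.11
# (either list may be empty, both colons are mandatory; IPv6 literals are not handled).
render_instances_yaml() {
  printf 'instances:\n'
  for spec in "$@"; do
    case "$spec" in
      *:*:*) ;;
      *) echo "bad instance spec '$spec' (want name:dns:ip)" >&2; return 1 ;;
    esac
    name=${spec%%:*}
    rest=${spec#*:}
    dns=${rest%%:*}
    ip=${rest#*:}
    printf '  - name: "%s"\n' "$name"
    if [ -n "$dns" ]; then printf '    dns: [%s]\n' "$(quote_list "$dns")"; fi
    if [ -n "$ip" ];  then printf '    ip: [%s]\n'  "$(quote_list "$ip")"; fi
  done
}

# elasticsearch.yml fragment for one node: with per-node SANs we can demand
# that the peer's certificate matches the address we dialled ("full").
render_transport_tls_yml() {
  cat <<EOF
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: full
xpack.security.transport.ssl.keystore.path: cert/$1.p12
xpack.security.transport.ssl.truststore.path: cert/$1.p12
EOF
}

# Run once, on an admin host, NOT on every node: creates the CA and one
# PKCS#12 per instance inside a temp dir and prints that dir's path.
generate_node_certs() {
  : "${CA_PASS:?set CA_PASS}" "${NODE_PASS:?set NODE_PASS}"
  work=$(mktemp -d)
  render_instances_yaml "$@" > "$work/instances.yml"
  "$ES_HOME/bin/elasticsearch-certutil" ca --out "$work/elastic-stack-ca.p12" --pass "$CA_PASS" >&2
  "$ES_HOME/bin/elasticsearch-certutil" cert --ca "$work/elastic-stack-ca.p12" --ca-pass "$CA_PASS" \
      --in "$work/instances.yml" --out "$work/certs.zip" --pass "$NODE_PASS" >&2
  printf '%s\n' "$work"
}

# Run on each node with its own name: installs only that node's keystore,
# stores the password in the Elasticsearch keystore, appends the yml fragment.
install_node_cert() {
  name=$1; bundle=$2
  : "${NODE_PASS:?set NODE_PASS}"
  mkdir -p "$ES_HOME/config/cert"
  unzip -o -j "$bundle/certs.zip" "$name/$name.p12" -d "$ES_HOME/config/cert"
  chmod 600 "$ES_HOME/config/cert/$name.p12"
  for key in keystore truststore; do
    printf '%s' "$NODE_PASS" | "$ES_HOME/bin/elasticsearch-keystore" add -f -x \
        "xpack.security.transport.ssl.$key.secure_password"
  done
  render_transport_tls_yml "$name" >> "$ES_HOME/config/elasticsearch.yml"
}
```

Typical use: on the admin host, `work=$(CA_PASS=... NODE_PASS=... generate_node_certs node1:node1.example.internal:10.0.0.11 node2:node2.example.internal:10.0.0.12)`, then copy only certs.zip to each node and run `install_node_cert node1 "$work"` there with the node's own name. The CA keystore stays on the admin host; because each node's certificate names only that node's address, a keystore stolen from node1 cannot be used to impersonate node2.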


Set usernames and passwords

Make sure Elasticsearch is running.

If the elastic user has no password yet, the tool authenticates with the default bootstrap password. Run bin/elasticsearch-setup-passwords interactive:


[artisan@localhost elasticsearch-7.6.2]$ ./bin/elasticsearch-setup-passwords interactive
future versions of Elasticsearch will require Java 11; your Java version from [/usr/java/jdk1.8.0_11/jre] does not meet this requirement
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y
Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Passwords do not match.
Try again.
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]
[artisan@localhost elasticsearch-7.6.2]$

Passwords have to be set for several built-in users; each of them serves a different purpose:

  • elastic: the superuser
  • kibana: used by Kibana to connect to Elasticsearch
  • logstash_system: used by Logstash when storing its monitoring data in Elasticsearch
  • beats_system: used by Beats when storing monitoring data in Elasticsearch
  • apm_system: used by the APM server when storing monitoring data in Elasticsearch
  • remote_monitoring_user: used by Metricbeat when collecting and storing monitoring data in Elasticsearch


No restart is needed. Open http://ip:9200/ and the browser shows a login prompt; enter elastic and the password you just set. One caveat: only the transport layer is encrypted at this point. The HTTP port is still plain HTTP, so these credentials (and every API call) cross the network unencrypted until xpack.security.http.ssl.enabled: true is configured with its own keystore; do not expose port 9200 beyond a trusted network in this state.

Done.
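Rather than trusting the browser prompt, a practitioner wants a repeatable check that authentication is really enforced and that the security features are actually available and enabled (the checks of Step 1 and Step 2). The script below is an added example, not code from the original article or from Elastic. ES_URL and the elastic password are assumptions; the JSON strings used in its test are constructed samples of what GET /_xpack?filter_path=features.security returns. judge_auth encodes the expected outcome: an anonymous request must be rejected with 401, and the same request with the elastic credentials must succeed with 200; any other combination means security is off, the password is wrong, or setup-passwords was never run.

```shell
#!/bin/sh
# Added example (not from the original article or from Elastic): confirm that
# authentication is really enforced once the passwords are set. ES_URL and the
# sample JSON are assumptions / constructed data.
set -eu

ES_URL="${ES_URL:-http://127.0.0.1:9200}"   # assumed; the article uses http://ip:9200

# HTTP status code only; $2 is an optional user:password for Basic auth.
http_status() {
  if [ $# -ge 2 ]; then
    curl -s -o /dev/null -w '%{http_code}' -u "$2" "$1"
  else
    curl -s -o /dev/null -w '%{http_code}' "$1"
  fi
}

# 0 when the URL scheme is plain http (credentials would travel in the clear).
is_plaintext_url() {
  case "$1" in
    http://*) return 0 ;;
    *)        return 1 ;;
  esac
}

# Body of GET /_xpack?filter_path=features.security: "available" is false when
# the build has no security (Step 1), "enabled" is false while
# xpack.security.enabled is still off (Step 2).
security_feature_ok() {
  printf '%s' "$1" | grep -q '"available":true' \
    || { echo "FAIL: security not available in this build (OSS distribution?)" >&2; return 1; }
  printf '%s' "$1" | grep -q '"enabled":true' \
    || { echo "FAIL: security available but xpack.security.enabled is false" >&2; return 1; }
}

# $1 = status without credentials, $2 = status with elastic's credentials.
# Auth is enforced only if anonymous gets 401 AND the real user gets 200.
judge_auth() {
  case "$1" in
    401) ;;
    200) echo "FAIL: anonymous request succeeded; security is not in effect on HTTP" >&2; return 1 ;;
    *)   echo "FAIL: unexpected status $1 for anonymous request" >&2; return 1 ;;
  esac
  case "$2" in
    200) echo "OK: anonymous=401, authenticated=200"; return 0 ;;
    401) echo "FAIL: credentials rejected (wrong password, or setup-passwords not run)" >&2; return 1 ;;
    *)   echo "FAIL: unexpected status $2 for authenticated request" >&2; return 1 ;;
  esac
}

# Live check against a cluster; $1 = password of the elastic user.
check_cluster() {
  if is_plaintext_url "$ES_URL"; then
    echo "WARNING: $ES_URL is plain HTTP; Basic-auth credentials cross the network unencrypted" >&2
  fi
  security_feature_ok "$(curl -s -u "elastic:$1" "$ES_URL/_xpack?filter_path=features.security")"
  judge_auth "$(http_status "$ES_URL/")" "$(http_status "$ES_URL/" "elastic:$1")"
}
```

Run it as `ES_URL=http://10.0.0.11:9200 check_cluster 'the-elastic-password'` after setup-passwords has finished; a non-zero exit means one of the steps did not take effect. The plaintext warning fires for exactly the situation the article ends in, which is the reason to configure HTTP TLS before handing the endpoint to anyone else.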
