同城网站开发,最先进的深圳网站建设,网站投注员怎么做,百度免费推广方法在之前文章中我们介绍了Elasticsearch安全与权限控制#xff0c;本篇文章我们将详细介绍 启用登录认证与SSL加密实践配置操作 。 1 为什么需要安全加固#xff1f; Elasticsearch默认不启用安全功能#xff0c;会导致以下风险#xff1a; 未授权访问#xff1a;任何人都能… 在之前文章中我们介绍了Elasticsearch安全与权限控制本篇文章我们将详细介绍 启用登录认证与SSL加密实践配置操作 。 1 为什么需要安全加固 Elasticsearch默认不启用安全功能会导致以下风险 未授权访问任何人都能读取/修改数据数据泄露网络传输未加密可能被窃听合规性风险不符合企业安全审计要求 2 环境准备 ES版本Elasticsearch 7.10.1操作系统CentOS 7.9 3 配置步骤
3.1 生成SSL证书 # 进入ES安装目录
cd /export/home/elasticsearch-7.10.1/# 生成CA证书
/export/home/elasticsearch-7.10.1/bin/elasticsearch-certutil ca --pass # 生成节点证书
/export/home/elasticsearch-7.10.1/bin/elasticsearch-certutil cert \
--ca /export/home/elasticsearch-7.10.1/elastic-stack-ca.p12 \
--ip 192.168.10.33,192.168.10.34,192.168.10.35,127.0.0.1 \
--dns node3,node4,node5,localhost# 创建证书目录
mkdir config/certs# 部署证书同时在其余节点上创建相同目录并拷贝证书过去
mv elastic-certificates.p12 config/certs/ 3.2 修改elasticsearch.yml #编辑elasticsearch.yml文件增加如下内容cat /export/home/elasticsearch-7.10.1/config/elasticsearch.ymlEOF
# 安全核心配置
# HTTP层SSL
xpack.security.http.ssl:enabled: trueverification_mode: certificatekeystore.path: certs/elastic-certificates.p12truststore.path: certs/elastic-certificates.p12# 传输层SSL
xpack.security.transport.ssl:enabled: trueverification_mode: certificatekeystore.path: certs/elastic-certificates.p12truststore.path: certs/elastic-certificates.p12
EOF# 重启elasticsearch服务
ps -ef |grep elasticsearch-7.10.1|grep -v grep |awk {print $2}|xargs kill -9
/export/home/elasticsearch-7.10.1/bin/elasticsearch -d 3.3 设置内置用户密码 # 交互式设置密码
/export/home/elasticsearch-7.10.1/bin/elasticsearch-setup-passwords interactive# 自动生成密码输出需保存
/export/home/elasticsearch-7.10.1/bin/elasticsearch-setup-passwords auto 涉及的主要用户 elastic超级管理员kibana_systemKibana服务账号logstash_systemLogstash连接账号 4 验证配置
4.1 检查HTTPS访问 curl -k -u elastic:Lahmy1c https://192.168.10.33:9200 正常应返回包含tagline : You Know, for Search的JSON [lianggjnode4 config]$ curl -k -u elastic:Lahmy1c https://192.168.10.33:9200
{name : node4,cluster_name : my_es_cluster,cluster_uuid : 6JC1NLZXTWymb5WiLPvjaA,version : {number : 7.10.1,build_flavor : default,build_type : tar,build_hash : 1c34507e66d7db1211f66f3513706fdf548736aa,build_date : 2020-12-05T01:00:33.671820Z,build_snapshot : false,lucene_version : 8.7.0,minimum_wire_compatibility_version : 6.8.0,minimum_index_compatibility_version : 6.0.0-beta1},tagline : You Know, for Search
}
[lianggjnode4 config]$ 4.2 测试用户权限 # 尝试未授权访问
curl https://192.168.10.33:9200/_cat/indices# 使用正确凭证访问
curl -k -u elastic:Lahmy1c https://192.168.10.33:9200/_security/user [lianggjnode4 config]$ curl https://192.168.10.33:9200/_cat/indices
curl: (60) Peers certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.htmlcurl performs SSL certificate verification by default, using a bundleof Certificate Authority (CA) public keys (CA certs). If the defaultbundle file isnt adequate, you can specify an alternate fileusing the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented inthe bundle, the certificate verification probably failed due to aproblem with the certificate (it might be expired, or the name mightnot match the domain name in the URL).
If youd like to turn off curls verification of the certificate, usethe -k (or --insecure) option.
[lianggjnode4 config]$ curl -k -u elastic:Lahmy1c https://192.168.10.33:9200/_security/user
{elastic:{username:elastic,roles:[superuser],full_name:null,email:null,metadata:{_reserved:true},enabled:true},kibana:{username:kibana,roles:[kibana_system],full_name:null,email:null,metadata:{_deprecated:true,_deprecated_reason:Please use the [kibana_system] user instead.,_reserved:true},enabled:true},kibana_system:{username:kibana_system,roles:[kibana_system],full_name:null,email:null,metadata:{_reserved:true},enabled:true},logstash_system:{username:logstash_system,roles:[logstash_system],full_name:null,email:null,metadata:{_reserved:true},enabled:true},beats_system:{username:beats_system,roles:[beats_system],full_name:null,email:null,metadata:{_reserved:true},enabled:true},apm_system:{username:apm_system,roles:[apm_system],full_name:null,email:null,metadata:{_reserved:true},enabled:true},remote_monitoring_user:{username:remote_monitoring_user,roles:[remote_monitoring_collector,remote_monitoring_agent],full_name:null,email:null,metadata:{_reserved:true},enabled:true}}[lianggjnode4 config]$ 5 Kibana集成配置 # PKCS12文件中提取CA证书
cd /export/home/elasticsearch-7.10.1/config/certs
openssl pkcs12 -in elastic-certificates.p12 -out ca.pem -nodes# 编辑修改kibana.yml添加如下内容
cat /export/home/kibana-7.10.1-linux-x86_64/config/kibana.ymlEOF
elasticsearch.hosts: [https://192.168.10.33:9200,https://192.168.10.34:9200,https://192.168.10.35:9200]
elasticsearch.username: kibana_system
elasticsearch.password: Lahmy1c
elasticsearch.ssl.verificationMode: certificate
elasticsearch.ssl.certificateAuthorities: [/export/home/elasticsearch-7.10.1/config/certs/ca.pem]
EOF# 重启
ps -ef |grep esmagent|grep -v grep |awk {print $2}|xargs kill -9
nohup ./bin/kibana kibana.log 6 常见问题解决
6.1 证书错误 PKIX path validation failed: java.security.cert.CertPathValidatorException 解决方案 确认所有节点使用相同CA签发证书在客户端添加--cacert参数 curl --cacert /path/to/ca.crt https://es-node:9200 6.2 密码重置 bin/elasticsearch-reset-password -u elastic 6.3 临时关闭安全仅开发 xpack.security.enabled: false
xpack.security.http.ssl.enabled: false 7 附常用安全命令 # 查看用户列表
GET /_security/user# 创建自定义角色
POST /_security/role/my_admin
{cluster: [myindx],indices: [{names: [myindex-*],privileges: [read, write]}]
}
