ElasticSearch Cluster Encryption
Series - ElasticSearch Learning
Contents
ElasticSearch Cluster Encryption
1. Prepare the certificate
Note
The certificate only needs to be generated on one node; it is then copied to the other nodes.
1.1 Generate the certificate
Create the certificate directory and generate the certificate:
mkdir /etc/elasticsearch/config/
cd /usr/share/elasticsearch/bin/
./elasticsearch-certutil cert --days 3650 -out /etc/elasticsearch/config/elastic-certificates.p12 -pass ""
1.2 Certificate permissions
Make the certificate file readable:
chmod +r /etc/elasticsearch/config/elastic-certificates.p12
2. Copy the certificate
Copy the generated certificate to the other nodes:
scp -r /etc/elasticsearch/config/ 192.168.109.32:/etc/elasticsearch/
scp -r /etc/elasticsearch/config/ 192.168.109.33:/etc/elasticsearch/
3. Edit the configuration file
Edit the ElasticSearch configuration file on all nodes:
cat <<'EOF' >> /etc/elasticsearch/elasticsearch.yml
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: config/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: config/elastic-certificates.p12
EOF
tail -5 /etc/elasticsearch/elasticsearch.yml
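As an added check that is not part of the original tutorial: before restarting a node, confirm that its elasticsearch.yml carries the five settings appended above and that the keystore and truststore paths resolve to files the service can read. The script assumes the tutorial's layout (config directory /etc/elasticsearch, certificate paths relative to it); the directory can be overridden with the second argument.

```shell
#!/bin/sh
# Added example: sanity-check an elasticsearch.yml before restarting the node.
# Assumes the tutorial's layout: config dir /etc/elasticsearch and a PKCS#12
# file referenced by a path relative to that dir.

# es_setting FILE KEY -> prints the value of KEY in FILE (first match);
# exit status 1 if the key is absent
es_setting() {
    awk -v key="$2" '
        $1 == (key ":") { print $2; found = 1; exit }
        END { if (!found) exit 1 }
    ' "$1"
}

# check_es_security_config FILE [CONFIG_DIR]
# Returns 0 when every required setting has the expected value and the
# keystore/truststore files exist and are readable; otherwise reports each
# problem on stderr and returns 1.
check_es_security_config() {
    file=$1
    confdir=${2:-/etc/elasticsearch}
    rc=0
    for pair in \
        "xpack.security.enabled=true" \
        "xpack.security.transport.ssl.enabled=true" \
        "xpack.security.transport.ssl.verification_mode=certificate"
    do
        key=${pair%%=*}; want=${pair#*=}
        got=$(es_setting "$file" "$key") || got=""
        if [ "$got" != "$want" ]; then
            echo "MISSING/WRONG: $key (want '$want', got '${got:-<unset>}')" >&2
            rc=1
        fi
    done
    for key in xpack.security.transport.ssl.keystore.path \
               xpack.security.transport.ssl.truststore.path
    do
        p=$(es_setting "$file" "$key") || { echo "MISSING: $key" >&2; rc=1; continue; }
        case $p in /*) ;; *) p="$confdir/$p" ;; esac   # relative paths are under the config dir
        if [ ! -r "$p" ]; then
            echo "UNREADABLE: $key -> $p" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage on a node: check_es_security_config /etc/elasticsearch/elasticsearch.yml
```

Run it on every node after the scp step; a node whose keystore path does not resolve will fail to start rather than silently join the cluster without TLS.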
4. Restart the service
Restart the ElasticSearch service on all nodes:
systemctl restart elasticsearch && netstat -anutp | grep "9[23]00"
5. Test access to the cluster
Access the cluster service and its endpoints as before:
curl 10.0.0.93:9200
curl 10.0.0.93:9200/_cat/nodes
Note
We find that the ElasticSearch cluster nodes can no longer be reached; the error is shown below (which indicates that the cluster encryption succeeded):
curl: (7) Failed to connect to 10.0.0.93 port 9200 after 21031 ms: Couldn't connect to server
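An added check, not part of the original tutorial, for reading that curl result correctly. The settings above enable TLS on the transport port (9300) only; the HTTP port 9200 stays plaintext, and once xpack.security.enabled is on an unauthenticated request to it gets HTTP 401 rather than a refused connection. curl exit code 7 means nothing was listening yet, which is common in the seconds after systemctl restart while the node is still starting. The helper below polls the port and reports which of those states it is in; host and port are assumptions to adjust for your node.

```shell
#!/bin/sh
# Added example: poll a node's HTTP port after a restart and say what the
# answer means. HOST:PORT values are assumptions for this example.

# classify_probe CURL_EXIT HTTP_CODE -> prints one word describing the result
classify_probe() {
    case "$1:$2" in
        0:200) echo "open" ;;           # answers without credentials: security not enforced
        0:401) echo "auth-required" ;;  # security enabled, credentials needed
        0:*)   echo "http-$2" ;;        # some other HTTP status
        7:*)   echo "not-listening" ;;  # nothing on the port (node still starting?)
        28:*)  echo "timeout" ;;        # connect timeout hit
        *)     echo "curl-error-$1" ;;
    esac
}

# probe_es HOST:PORT -> runs curl once and prints the classification
probe_es() {
    code=$(curl -s -o /dev/null -w '%{http_code}' --connect-timeout 3 "http://$1/")
    classify_probe "$?" "$code"   # $? here is curl's exit status
}

# wait_for_es HOST:PORT [SECONDS] -> poll until the port answers or time runs out
wait_for_es() {
    deadline=$(( $(date +%s) + ${2:-60} ))
    while :; do
        state=$(probe_es "$1")
        [ "$state" != "not-listening" ] && { echo "$1 -> $state"; return 0; }
        [ "$(date +%s)" -ge "$deadline" ] && { echo "$1 -> still not listening" >&2; return 1; }
        sleep 2
    done
}

# Usage on a node: wait_for_es 10.0.0.93:9200 90
```

A result of auth-required is the state this section is aiming for; open means security is not yet enforced on that node, and not-listening after the timeout means the node did not come up (check the ElasticSearch log for a keystore or path error).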
6. Generate random passwords
Tip
The passwords generated now can be changed later with Kibana.
6.1 Print the passwords to the screen
Generate random passwords and print them to the screen:
/usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto
# Output (contains passwords; treat this as sensitive and guard the passwords, especially the elastic password)
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
The passwords will be randomly generated and printed to the console.
Please confirm that you would like to continue [y/N]y
Changed password for user apm_system
PASSWORD apm_system = Cl0FxDlaZGELWp0ZPo97
Changed password for user kibana_system
PASSWORD kibana_system = v0rPE1hse9nwbBqiLu76
Changed password for user kibana
PASSWORD kibana = v0rPE1hse9nwbBqiLu76
Changed password for user logstash_system
PASSWORD logstash_system = D7HavNhf5tO89GKI48tH
Changed password for user beats_system
PASSWORD beats_system = 9NO9YMuLBLQJ5JoB6VMj
Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = KS3xY3rCGPHrg2uwvyr9
Changed password for user elastic
PASSWORD elastic = 3TNu27fggMiTLRVpYoUL
6.2 Write the passwords to a file
Generate random passwords and write them to a file (recommended):
/usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto -b > /root/passwords.txt
6.3 Regenerate the passwords
Steps to regenerate the passwords:
- On all nodes, comment out the xpack.security.* settings that were added to the ElasticSearch configuration file and restart the service.
- On any one node, run curl -X DELETE "http://localhost:9200/.security*".
- Run the password generation command again.
7. Access the encrypted cluster
Access the encrypted cluster with the generated random password:
curl -u elastic:3TNu27fggMiTLRVpYoUL 192.168.109.33:9200/_cat/nodes
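An added example, not part of the original tutorial, that ties sections 6.2 and 7 together: the file written by elasticsearch-setup-passwords auto -b holds the elastic superuser password in clear text, and passing that password with curl -u puts it into shell history and the process list. The helper below extracts one user's PASSWORD line into a curl netrc file created with mode 600, so later requests authenticate with --netrc-file instead of a password on the command line. The file paths and the sample output in the test are constructed for this example.

```shell
#!/bin/sh
# Added example: extract one user's password from the output of
# elasticsearch-setup-passwords into a curl netrc file readable only by its
# owner. Paths below are assumptions, not from the tutorial.

# passwords_to_netrc INPUT_FILE OUTPUT_FILE HOST USER
# Writes "machine HOST login USER password PW" for USER to OUTPUT_FILE
# (created mode 600); returns 1 if INPUT_FILE has no PASSWORD line for USER.
passwords_to_netrc() {
    in=$1; out=$2; host=$3; user=$4
    pw=$(awk -v u="$user" '$1 == "PASSWORD" && $2 == u && $3 == "=" { print $4; exit }' "$in")
    [ -n "$pw" ] || { echo "no PASSWORD line for user $user in $in" >&2; return 1; }
    rm -f "$out"                    # make sure umask applies to a fresh file
    old_umask=$(umask)
    umask 077                       # new file is created mode 600
    printf 'machine %s login %s password %s\n' "$host" "$user" "$pw" > "$out"
    umask "$old_umask"
}

# netrc_mode FILE -> prints the permission string as shown by ls (e.g. -rw-------)
netrc_mode() {
    ls -l "$1" | cut -c1-10
}

# es_curl NETRC_FILE HOST:PORT PATH -> authenticated request with no password in argv
es_curl() {
    curl -s --netrc-file "$1" "http://$2$3"
}

# Usage on a node (not executed here):
#   /usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto -b > /root/passwords.txt
#   passwords_to_netrc /root/passwords.txt /root/.es-netrc 192.168.109.33 elastic
#   es_curl /root/.es-netrc 192.168.109.33:9200 /_cat/nodes
```

Keep /root/passwords.txt itself at mode 600 as well (or delete it once the passwords have been moved elsewhere), since the -b run writes it with the shell's default umask.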