Configuring user passwords for an Elasticsearch cluster
After an ES cluster is configured and started, it has no password by default. It is routinely flagged by internal security scans as a vulnerability, and the data is exposed to leakage and tampering.
Cluster certificate setup
Once the x-pack module is enabled, communication between the nodes of the cluster must be authenticated. To authenticate inter-node communication, we need to create certificates.
Otherwise, generating the passwords directly fails with:
```
Cause: Cluster state has not been recovered yet, cannot write to the [null]index
```
```
elasticsearch-certutil cert
```
Follow the prompts step by step to produce the elastic-certificates.p12 file.
elasticsearch.yml settings
```yaml
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.type: PKCS12
xpack.security.transport.ssl.truststore.type: PKCS12
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
```
Place the generated certificate in the config folder under the ES root directory, e.g. elasticsearch/config/elastic-certificates.p12.
Apply the same configuration on every node in the cluster, then restart all nodes.
Elasticsearch has two levels of communication: transport and HTTP. The transport protocol is used for internal communication between Elasticsearch nodes; the HTTP protocol is used for communication from clients to the Elasticsearch cluster. My understanding is that the steps above only set up certificates for the internal transport protocol, which is why only `cert` is generated and no CA.
The elasticsearch.yml settings likewise only configure xpack.security.transport.ssl, not xpack.security.http.ssl…
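The two points above, that every node must carry the same transport-TLS settings and that HTTP TLS is left off, can be checked mechanically before the restart. The script below is an added example, not code from the original post: it reads the flat `key: value` lines of several elasticsearch.yml files (three constructed sample configs are embedded, in the shape of the settings shown above), reports any node whose transport-TLS settings differ from the expected values or whose `verification_mode` is `none`, and warns when `xpack.security.http.ssl.enabled` is not set. The helper names `parse_flat_yaml`, `lint_node_config` and `check_cluster_configs` are this example's own.

```python
"""Consistency lint for the transport-TLS settings across a cluster's
elasticsearch.yml files. Added example, not from the original post; the
sample configs are constructed and the function names are this example's own."""

# Settings every node must carry verbatim (as in the post's elasticsearch.yml).
REQUIRED = {
    "xpack.security.enabled": "true",
    "xpack.security.transport.ssl.enabled": "true",
    "xpack.security.transport.ssl.keystore.type": "PKCS12",
    "xpack.security.transport.ssl.truststore.type": "PKCS12",
    "xpack.security.transport.ssl.keystore.path": "elastic-certificates.p12",
    "xpack.security.transport.ssl.truststore.path": "elastic-certificates.p12",
}
# "none" would make nodes accept any certificate, defeating the cert setup.
ACCEPTED_VERIFICATION = {"certificate", "full"}


def parse_flat_yaml(text):
    """Parse the flat 'key: value' lines ES uses; drops comments and quotes.
    Not a general YAML parser, just enough for elasticsearch.yml as shown."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def lint_node_config(name, text):
    """Return (level, message) findings for one node's elasticsearch.yml."""
    s = parse_flat_yaml(text)
    findings = []
    for key, want in REQUIRED.items():
        got = s.get(key)
        if got != want:
            findings.append(("error", f"{name}: {key} is {got!r}, expected {want!r}"))
    mode = s.get("xpack.security.transport.ssl.verification_mode")
    if mode not in ACCEPTED_VERIFICATION:
        findings.append(("error", f"{name}: verification_mode is {mode!r}; "
                                  "use certificate or full"))
    # The post only enables transport TLS; with HTTP TLS off, clients send
    # their Basic credentials in clear text, so report it as a warning.
    if s.get("xpack.security.http.ssl.enabled") != "true":
        findings.append(("warning", f"{name}: xpack.security.http.ssl.enabled is not "
                                    "true; client credentials travel unencrypted"))
    return findings


def check_cluster_configs(configs):
    """configs: {node_name: yml_text}. Returns (ok, findings); ok is True when
    no node produced an error (warnings alone do not fail the check)."""
    findings = []
    for name, text in configs.items():
        findings.extend(lint_node_config(name, text))
    ok = not any(level == "error" for level, _ in findings)
    return ok, findings


# Constructed sample: a node config in the shape of the post's file.
GOOD = """\
cluster.name: test
node.name: es-node1
network.host: 0.0.0.0
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.type: PKCS12
xpack.security.transport.ssl.truststore.type: PKCS12
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
"""
SAMPLE_CONFIGS = {
    "es-node1": GOOD,
    # constructed drift: node 2 skips peer verification
    "es-node2": GOOD.replace("node.name: es-node1", "node.name: es-node2")
                    .replace("verification_mode: certificate", "verification_mode: none"),
    # constructed drift: node 3 was never switched to the secured config
    "es-node3": GOOD.replace("node.name: es-node1", "node.name: es-node3")
                    .replace("xpack.security.enabled: true", "xpack.security.enabled: false"),
}

if __name__ == "__main__":
    ok, findings = check_cluster_configs(SAMPLE_CONFIGS)
    print("cluster ok:", ok)
    for level, message in findings:
        print(f"[{level}] {message}")
```

To use it on a real deployment, build the `configs` dict by reading each node's elasticsearch.yml (for the docker-compose layout later in this post, the `es.yml` files under `/root/data/es-7.5.1-{1,2,3}`) and refuse to restart the cluster while `ok` is False.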
Setting the passwords
Run on any node:
```
elasticsearch-setup-passwords interactive
```
Follow the prompts and enter each password in turn; the passwords are then set.
Verifying the password
ES is naturally verified with curl.
Run the following command, replacing the username and password with your own; if it prints output like the following, the setup succeeded.
```
curl localhost:9200/_cat/nodes --user elastic:xxxxx
10.10.x.x 17 99 0 0.06 0.09 0.12 xxxx * es-node3
10.10.x.x 35 99 0 0.06 0.09 0.12 xxxx - es-node2
10.10.x.x 40 99 0 0.06 0.09 0.12 xxxx - es-node1
```
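The curl check above confirms that the credentials work; a practitioner also wants the opposite confirmed, that a request without credentials is rejected, because that is exactly what the internal scans mentioned at the start probe for. The script below is an added example, not code from the original post: `verify_secured` sends one anonymous and one authenticated GET to `/_cat/nodes`, requires a 401 for the first and a 200 for the second, and parses the node list (name and master flag) from the response. So that it runs offline, a small in-process mock of a secured node, with a constructed copy of the `_cat/nodes` output shown above, stands in for the cluster; the mock, its credentials and the helper names are assumptions of this example. Point `verify_secured` at a real node URL with the elastic user's password to run it against an actual cluster.

```python
"""Check that an Elasticsearch HTTP endpoint rejects anonymous requests and
accepts the configured user. Added example, not from the original post; the
mock server below is constructed so the script runs offline."""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample in the shape of the _cat/nodes output above.
SAMPLE_CAT_NODES = (
    "10.10.x.x 17 99 0 0.06 0.09 0.12 xxxx * es-node3\n"
    "10.10.x.x 35 99 0 0.06 0.09 0.12 xxxx - es-node2\n"
    "10.10.x.x 40 99 0 0.06 0.09 0.12 xxxx - es-node1\n"
)
MOCK_USER, MOCK_PASSWORD = "elastic", "mock-password"  # constructed credentials


class MockSecuredES(BaseHTTPRequestHandler):
    """Mimics a node with xpack.security.enabled: true serving /_cat/nodes."""

    def do_GET(self):
        expected = "Basic " + base64.b64encode(
            f"{MOCK_USER}:{MOCK_PASSWORD}".encode()).decode()
        if self.headers.get("Authorization") != expected:
            # What a secured node returns for missing or wrong credentials.
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="security" charset="UTF-8"')
            self.end_headers()
            return
        body = SAMPLE_CAT_NODES.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=UTF-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the mock quiet
        pass


def start_mock_server():
    """Start the mock on an ephemeral loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), MockSecuredES)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def probe(base_url, user=None, password=None):
    """GET /_cat/nodes and return (status, body). Credentials are optional so
    the same call exercises the anonymous path."""
    req = urllib.request.Request(base_url + "/_cat/nodes")
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def parse_cat_nodes(text):
    """Parse default _cat/nodes rows into (node name, is_master) pairs;
    column 9 is the master marker ('*'), column 10 the node name."""
    nodes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 10:
            nodes.append((cols[9], cols[8] == "*"))
    return nodes


def verify_secured(base_url, user, password):
    """True only if anonymous access gets 401 and the user gets 200 with a
    non-empty node list; also returns the parsed nodes."""
    anon_status, _ = probe(base_url)
    auth_status, body = probe(base_url, user, password)
    nodes = parse_cat_nodes(body) if auth_status == 200 else []
    ok = anon_status == 401 and auth_status == 200 and bool(nodes)
    return ok, nodes


if __name__ == "__main__":
    server, url = start_mock_server()
    ok, nodes = verify_secured(url, MOCK_USER, MOCK_PASSWORD)
    print("secured:", ok, "nodes:", nodes)
    server.shutdown()
```

The anonymous probe is the part that matters for the scan finding: if it ever returns 200 again (for example after a node is restarted with an old elasticsearch.yml), the cluster is back to the unauthenticated state described at the top of this post.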
Changing the ES password
Change the password with a curl command:
```
curl -XPUT -u elastic:xxx http://localhost:9200/_xpack/security/user/elastic/_password -H "Content-Type: application/json" -d '
{
  "password": "your passwd"
}'
```
Forgotten password
On any ES node:
```
/bin/elasticsearch-users useradd misspasswd -r superuser
Enter new password:
ERROR: Invalid password...passwords must be at least [6] characters long
[root@cfeeab4bb0eb elasticsearch]# ./bin/elasticsearch-users useradd misspasswd -r superuser
Enter new password:
Retype new password:
```
Then use the newly created user to run the curl password-change command above, which resets the password.
ES docker-compose configuration: https://github.com/shiguofu2012/scripts/blob/master/docker-compose/es.yml
Preparation:
Create the directories. The configuration files and certificate files all live on the host under /root/data/es-7.5.1-{1,2,3}.
Certificate file (see above for how to generate it) / configuration file
Configuration file 1
```yaml
cluster.name: test
node.name: es-node3
# network.bind_host: 0.0.0.0
network.host: 0.0.0.0
# network.publish_host: elasticsearch03
http.port: 9200
transport.tcp.port: 9300
http.cors.enabled: true
http.cors.allow-origin: "*"
node.master: true
node.data: true
cluster.initial_master_nodes: ["es-node1", "es-node2", "es-node3"]
# add hosts
discovery.seed_hosts: ["elasticsearch01","elasticsearch03", "elasticsearch02"]
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.type: PKCS12
xpack.security.transport.ssl.truststore.type: PKCS12
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
```
```yaml
version: '2.2'
services:
  elasticsearch01:
    image: elasticsearch:7.10.1
    container_name: es01
    networks:
      - shiguofu_net
    # environment:   # moved into the config file
    #   - discovery.type=single-node
    #   - xpack.security.enabled=true
    #   - xpack.license.self_generated.type=basic
    #   - xpack.security.transport.ssl.enabled=true
    ports:
      - 9200:9200
      - 9201:9300
    volumes:
      - /root/data/es-7.5.1-1:/usr/share/elasticsearch/data
      - /usr/local/jdk:/usr/share/elasticsearch/jdk
      - /root/data/es-7.5.1-1/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
      - /root/data/es-7.5.1-1/es.yml:/usr/share/elasticsearch/config/elasticsearch.yml
  elasticsearch02:
    image: elasticsearch:7.10.1
    container_name: es02
    networks:
      - shiguofu_net
    # environment:   # moved into the config file
    #   - discovery.type=single-node
    #   - xpack.security.enabled=true
    #   - xpack.license.self_generated.type=basic
    #   - xpack.security.transport.ssl.enabled=true
    ports:
      - 9300:9200
      - 9301:9300
    volumes:
      - /usr/local/jdk:/usr/share/elasticsearch/jdk
      - /root/data/es-7.5.1-2:/usr/share/elasticsearch/data
      - /root/data/es-7.5.1-2/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
      - /root/data/es-7.5.1-2/es.yml:/usr/share/elasticsearch/config/elasticsearch.yml
  elasticsearch03:
    image: elasticsearch:7.10.1
    container_name: es03
    networks:
      - shiguofu_net
    # environment:   # moved into the config file
    #   - discovery.type=single-node
    #   - xpack.security.enabled=true
    #   - xpack.license.self_generated.type=basic
    #   - xpack.security.transport.ssl.enabled=true
    ports:
      - 6666:9200
      - 6667:9300
    volumes:
      - /root/data/es-7.5.1-3:/usr/share/elasticsearch/data
      - /root/data/es-7.5.1-3/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
      - /usr/local/jdk:/usr/share/elasticsearch/jdk
      - /root/data/es-7.5.1-3/es.yml:/usr/share/elasticsearch/config/elasticsearch.yml
  kibana:
    image: kibana:7.10.1
    container_name: kibana
    links:
      - elasticsearch01
    networks:
      - shiguofu_net
    environment:
      - ELASTICSEARCH_HOSTS="http://elasticsearch01:9200"
      - ELASTICSEARCH_USERNAME="elastic"
      - ELASTICSEARCH_PASSWORD="aeQwQKM0N0nY"
    depends_on:
      - elasticsearch01
    ports:
      - 5601:5601
networks:
  shiguofu_net:
    driver: bridge
    ipam:
      config:
        - subnet: 10.10.2.0/24
```