Enabling X-Pack security authentication in Elasticsearch

X-Pack security provides: TLS, which encrypts communication between nodes and clients; the file and native realms, which are used to create and manage users; role-based access control, which governs users' access to cluster APIs and indices; and, through the security features for Kibana Spaces, multi-tenancy in Kibana.

1 Create the certificates

Both commands can be completed by pressing Enter at every prompt; there is no need to set a password on the key. The second command produces elastic-certificates.p12, which the following steps assume has been placed in /etc/elasticsearch/cert/ on this node. Because the PKCS#12 file carries an unencrypted private key, keep it readable only by the elasticsearch user.
/usr/share/elasticsearch/bin/elasticsearch-certutil ca
/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

2 Copy the certificate to the other nodes

scp /etc/elasticsearch/cert/elastic-certificates.p12 192.168.10.32:/etc/elasticsearch/cert/
scp /etc/elasticsearch/cert/elastic-certificates.p12 192.168.10.33:/etc/elasticsearch/cert/
Then, on every node that holds the file, give it to the elasticsearch user:
chown elasticsearch:elasticsearch /etc/elasticsearch/cert/elastic-certificates.p12

3 Edit the elasticsearch configuration file

Add the following to elasticsearch.yml on every node, then restart elasticsearch:
http.cors.enabled: true
http.cors.allow-origin: "*"

xpack.security.enabled: true
xpack.license.self_generated.type: basic
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/cert/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/cert/elastic-certificates.p12

Two caveats on these values: the http.cors lines are only needed for browser-based tools such as elasticsearch-head, and allow-origin "*" lets any web page issue cross-origin requests to port 9200, so restrict it to the tool's origin outside a lab. The settings above encrypt only the transport (node-to-node) layer; verification_mode: certificate checks the certificate chain but not the peer's hostname (full does both), and the HTTP layer on 9200 stays plaintext unless xpack.security.http.ssl.enabled is also turned on, which means the basic-auth credentials used in step 5 travel in the clear.

service elasticsearch restart

4 Set passwords for the built-in accounts

There are two ways to generate passwords for the built-in ES users: let the tool generate random passwords automatically, or enter a password for each user by hand.
To have passwords generated automatically:
./bin/elasticsearch-setup-passwords auto
To enter passwords interactively:
./bin/elasticsearch-setup-passwords interactive
Either way, passwords are set for the built-in users elastic, apm_system, kibana, logstash_system, beats_system and remote_monitoring_user.

5 Verify

[root@es01 kibana]#  curl -H "Content-Type: application/json" -u elastic:aka2velfFJGz178SExyi http://192.168.10.31:9200/_cluster/health?pretty
{
  "cluster_name" : "my-application",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 3,
  "number_of_data_nodes" : 3,
  "active_primary_shards" : 11,
  "active_shards" : 22,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}
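To check a node's elasticsearch.yml against the settings from step 3 and confirm that the node really rejects anonymous requests, here is a small shell lint added as an example; it is not part of the original post, and the function names and the hardened values it expects (verification_mode: full, xpack.security.http.ssl.enabled: true, a non-wildcard CORS origin) are the editor's choices.

```shell
# get_setting FILE KEY -> prints the value of KEY (first match, quotes stripped),
# or nothing if the key is absent. Keys are used as-is in the sed pattern, so a
# dot matches any character, which is harmless for the setting names used here.
get_setting() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d '"'
}

# check_xpack_config FILE -> prints one line per finding and returns the number
# of findings, so 0 means the file passes every check. FAIL lines are settings
# without which security is not enforced; WARN lines are the caveats from step 3.
check_xpack_config() {
    file=$1
    findings=0
    if [ "$(get_setting "$file" xpack.security.enabled)" != "true" ]; then
        echo "FAIL: xpack.security.enabled is not true (anonymous requests are accepted)"
        findings=$((findings + 1))
    fi
    if [ "$(get_setting "$file" xpack.security.transport.ssl.enabled)" != "true" ]; then
        echo "FAIL: transport SSL is disabled (node-to-node traffic is in clear text)"
        findings=$((findings + 1))
    fi
    for key in xpack.security.transport.ssl.keystore.path \
               xpack.security.transport.ssl.truststore.path; do
        if [ -z "$(get_setting "$file" "$key")" ]; then
            echo "FAIL: $key is missing"
            findings=$((findings + 1))
        fi
    done
    if [ "$(get_setting "$file" xpack.security.transport.ssl.verification_mode)" != "full" ]; then
        echo "WARN: verification_mode is not 'full' (peer hostname is not checked)"
        findings=$((findings + 1))
    fi
    if [ "$(get_setting "$file" xpack.security.http.ssl.enabled)" != "true" ]; then
        echo "WARN: no TLS on the HTTP layer; basic-auth credentials cross port 9200 in clear text"
        findings=$((findings + 1))
    fi
    if [ "$(get_setting "$file" http.cors.enabled)" = "true" ] && \
       [ "$(get_setting "$file" http.cors.allow-origin)" = "*" ]; then
        echo "WARN: CORS allows any origin; restrict http.cors.allow-origin"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# check_auth_required BASE_URL -> succeeds only if an anonymous request to the
# health API is answered with 401, i.e. authentication is actually enforced.
# Needs curl and a running node, e.g. check_auth_required http://192.168.10.31:9200
check_auth_required() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1/_cluster/health")
    [ "$code" = "401" ]
}
```

Run check_xpack_config /etc/elasticsearch/elasticsearch.yml on each node; with exactly the configuration from step 3 it reports the three WARN lines and exits with status 3.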

6 Problems encountered

Problem: the following error appeared when setting passwords; the fix is given after the output.

Your cluster health is currently RED.
This means that some cluster data is unavailable and your cluster is not fully functional.

It is recommended that you resolve the issues with your cluster before running elasticsearch-setup-passwords.
It is very likely that the password changes will fail when run against an unhealthy cluster.

Do you want to continue with the password setup process [y/N]y

Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
The passwords will be randomly generated and printed to the console.
Please confirm that you would like to continue [y/N]y

Unexpected response code [503] from calling PUT http://192.168.10.31:9200/_security/user/apm_system/_password?pretty
Cause: Cluster state has not been recovered yet, cannot write to the [null] index

Possible next steps:
* Try running this tool again.
* Try running with the --verbose parameter for additional messages.
* Check the elasticsearch logs for additional error details.
* Use the change password API manually. 

ERROR: Failed to set password for user [apm_system].

In elasticsearch.yml, remove

discovery.seed_hosts and cluster.initial_master_nodes,
then add discovery.type: single-node.

After restarting the service and running the password setup again, it succeeded.

Note that discovery.type: single-node is only appropriate for a one-node deployment. The error itself ("Cluster state has not been recovered yet") means no master had been elected and the cluster had not formed, so the tool could not write to the security index; on a multi-node cluster the discovery or cluster-formation problem should be fixed instead of switching to single-node mode.

Reference: https://blog.csdn.net/welisa/article/details/125747846

