xpack.security.enabled: true
I. Enable x-pack authentication
Configure the following in the elasticsearch.yml file:
```yaml
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
```
II. Initialize the passwords
```sh
./elasticsearch-setup-passwords interactive
```
III. Error when generating the passwords
Of the three servers, two failed. I remembered that those two both have little memory, so I checked memory usage:
Only a few tens of MB were left, so I guessed it was a memory problem. I raised the heap in jvm.options to 512m, which made no difference at all.
IV. The painful troubleshooting process
1. Add the --verbose option to see the log output
```sh
./elasticsearch-setup-passwords interactive --verbose
```
The following error appeared:
```
Unexpected response code [503] from calling PUT http://localhost:9200/_securit ... retty
Cause: Cluster state has not been recovered yet, cannot write to the [null] index

Possible next steps:
 * Try running this tool again.
 * Try running with the --verbose parameter for additional messages.
 * Check the elasticsearch logs for additional error details.
 * Use the change password API manually.

ERROR: Failed to set password for user [apm_system].
```
Clearly, the data nodes failed to join the cluster.
Check the cluster health:
```
http://47.105.109.31:9200/_cluster/health
```
It showed: red, meaning the cluster failed to start.
Then it dawned on me: with x-pack enabled, how do the nodes authenticate to each other?
2. After a round of searching on Baidu I found the right approach: the cluster nodes need to authenticate each other with certificates.
2.1 Generate the certificates
```sh
# Generate the CA
/usr/share/elasticsearch/bin/elasticsearch-certutil ca
# Issue a certificate for the nodes, signed by that CA
/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
```
The generated certificate file is named elastic-certificates.p12 by default.
2.2 Copy the generated certificate to every node
```sh
scp elastic-certificates.p12 [email protected]:/etc/elasticsearch/
```
2.3 Edit the config file /etc/elasticsearch/elasticsearch.yml
```yaml
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: none
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
```
Note that verification_mode: none skips validation of the peer node's certificate entirely; the value `certificate` validates the certificate chain against the truststore without checking hostnames, which is what a certificate generated by certutil without hostnames (as above) supports.
2.4 Restart the ES cluster
During startup the following warning appeared; I don't know the reason.
```
client did not trust this server's certificate
```
V. Encrypted communication for the cluster's ES nodes
1. Encrypted communication just means turning on SSL: edit the elasticsearch.yml file and restart ES.
```yaml
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.truststore.path: elastic-certificates.p12
```
2. Verify
```
// wrong
http://ip:9200
// correct
https://ip:9200
```
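As an added example (not code from the original post), the following stdlib-only Python script audits an elasticsearch.yml for the settings configured in sections 2.3 and V: it flags transport verification_mode: none and checks that HTTP TLS and the keystore paths are set. It understands only the flat key: value lines this post uses, and both sample configs inside it are constructed.

```python
# Added example (not from the original post): audit the x-pack TLS settings
# this post configures. Handles only flat `key: value` lines, so no PyYAML needed.

REQUIRED_TRUE = (  # must be true on a hardened node
    "xpack.security.enabled",
    "xpack.security.transport.ssl.enabled",
    "xpack.security.http.ssl.enabled",
)
REQUIRED_PATH = (  # keystore/truststore paths that must be set once TLS is on
    "xpack.security.transport.ssl.keystore.path",
    "xpack.security.transport.ssl.truststore.path",
    "xpack.security.http.ssl.keystore.path",
)

def parse_flat_yaml(text):
    """Parse `key: value` lines, dropping comments, quotes and blank lines."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def audit(text):
    """Return a list of findings; an empty list means the settings look hardened."""
    s = parse_flat_yaml(text)
    findings = [f"{k} is not true" for k in REQUIRED_TRUE if s.get(k, "false").lower() != "true"]
    findings += [f"{k} is missing" for k in REQUIRED_PATH if not s.get(k)]
    # Elasticsearch defaults verification_mode to full; `none` skips peer validation.
    if s.get("xpack.security.transport.ssl.verification_mode", "full") == "none":
        findings.append("transport verification_mode is none: peer certificates are never validated")
    return findings

# Constructed sample: the transport-only config from section 2.3 of this post.
POST_CONFIG = """\
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: none
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
"""
# Constructed sample: chain validation on, plus the HTTP TLS lines from section V.
HARDENED_CONFIG = POST_CONFIG.replace("mode: none", "mode: certificate") + """\
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.truststore.path: elastic-certificates.p12
"""
```

Run audit() on the real /etc/elasticsearch/elasticsearch.yml of each node after step 2.3 and again after step V; the post's own config produces three findings, the hardened one none.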
VI. Encrypted communication between Kibana and ES
After step V, ES already supports SSL; now Kibana only needs to be configured to reach ES over SSL.
1. Generate the certificate for Kibana
ES uses a certificate file with the .p12 suffix, while Kibana's certificate file ends in .pem. Convert the p12 file to pem with openssl.
```sh
openssl pkcs12 -in /etc/elasticsearch/elastic-certificates.p12 -cacerts -nokeys -out elastic-ca.pem
```
2. Edit the config file
```yaml
elasticsearch.username: "elastic"
elasticsearch.password: "123456"
elasticsearch.hosts: ["https://node-1:9200"]
# The elastic-ca.pem converted in step 1; the path below is a placeholder for wherever you saved it
elasticsearch.ssl.certificateAuthorities: ["/path/to/elastic-ca.pem"]
elasticsearch.ssl.verificationMode: certificate
```
VII. Encrypted communication between clients and Kibana
1. Generate the certificate files
```sh
sudo ./elasticsearch-certutil ca --pem
```
This produces elastic-stack-ca.zip; move the file into Kibana's config directory and unzip it there.
```sh
mv elastic-stack-ca.zip /usr/local/src/kibana/config/
cd /usr/local/src/kibana/config/
unzip elastic-stack-ca.zip
```
2. Edit the config file kibana.yml
```yaml
server.ssl.enabled: true
server.ssl.certificate: /usr/local/src/kibana/kibana/config/ca/ca.crt
server.ssl.key: /usr/local/src/kibana/kibana/config/ca/ca.key
```
Restart Kibana.
3. Verify
```
https://47.5.6.1:5601/
```