(1) Introduction
On the 21st, Elastic announced that the core security features of Elastic Stack 6.8.0 and 7.1.0 are now available free of charge.
This means users can now encrypt network traffic, create and manage users, define roles that protect index- and cluster-level access, and fully secure Kibana with Spaces. The core security features now provided free are:
TLS: encrypts communications;
File and native realms: for creating and managing users;
Role-based access control: controls users' access to cluster APIs and indices;
Security for Kibana Spaces, which also enables multi-tenancy in Kibana.
ES security authentication was originally implemented through x-pack; the history of x-pack is as follows:
Before 5.x: there was no x-pack; security, Watcher, alerting and so on were separate components.
5.x: the existing security, alerting, monitoring, graph and reporting components were bundled together as x-pack.
Before 6.3: x-pack had to be installed separately.
6.3 and later: shipped with Elasticsearch, no separate installation needed, but basic security was part of the paid Gold tier.
7.1: basic security is free.
Related link: https://www.elastic.co/cn/subscriptions#request-info
(2) Installing and configuring Elasticsearch
1. ES installation (omitted)
2. Configure TLS and authentication
Step 1: Configure TLS on the Elasticsearch master node.
1. Change into the appropriate directory
2. Generate the certificate files
[root@ES1-4 elasticsearch]# /usr/share/elasticsearch/bin/elasticsearch-certutil ca
[root@ES1-4 elasticsearch]# /usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
[root@ES1-4 elasticsearch]# ll
total 540
drwxr-xr-x 2 root root 4096 Jun 28 10:42 bin
-rw------- 1 root root 3443 Jun 28 16:46 elastic-certificates.p12
-rw------- 1 root root 2527 Jun 28 16:43 elastic-stack-ca.p12
drwxr-xr-x 8 root root 96 Jun 28 10:42 jdk
drwxr-xr-x 3 root root 4096 Jun 28 10:42 lib
-rw-r--r-- 1 root root 13675 Jun 20 23:50 LICENSE.txt
drwxr-xr-x 30 root root 4096 Jun 28 10:42 modules
-rw-rw-r-- 1 root root 502598 Jun 20 23:56 NOTICE.txt
drwxr-xr-x 2 root root 6 Jun 21 00:04 plugins
-rw-r--r-- 1 root root 8478 Jun 20 23:50 README.textile
##### Give the generated files the elasticsearch group
[root@ES1-4 elasticsearch]# chgrp elasticsearch /usr/share/elasticsearch/elastic-certificates.p12 /usr/share/elasticsearch/elastic-stack-ca.p12
##### Set mode 640 on the two files
[root@ES1-4 elasticsearch]# chmod 640 /usr/share/elasticsearch/elastic-certificates.p12 /usr/share/elasticsearch/elastic-stack-ca.p12
###### Move the two files into the configuration directory
[root@ES1-4 elasticsearch]# mv /usr/share/elasticsearch/elastic-* /etc/elasticsearch/
3. Edit the configuration file and add the authentication settings
[root@ES1-4 elasticsearch]# vim /etc/elasticsearch/elasticsearch.yml
cluster.name: es
node.name: es-node1
node.data: true
node.master: true
node.attr.tag: hot
path.data: /data/elasticsearch/data
path.logs: /data/elasticsearch/log
path.repo: [ "/data/daily","/data/weekly" ]
transport.tcp.compress: true
network.host: 192.168.4.215
http.port: 9200
http.cors.enabled: true
http.cors.allow-origin: "*"
cluster.initial_master_nodes: ["192.168.4.215","192.168.4.216"]
#discovery.seed_hosts: ["192.168.4.215","192.168.4.216"]
discovery.seed_hosts: ["192.168.4.215","192.168.4.216","192.168.4.217","192.168.4.218"]
####### Tuning settings (left commented out)
#bootstrap.memory_lock: true
#indices.breaker.request.limit: 10%
#index.merge.scheduler.max_thread_count: 1
#indices.queries.cache.size: 20%
#indices.requests.cache.size: 2%
#indices.fielddata.cache.size: 30%
node.attr.box_type: hot
###### added at the end for x-pack
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12
4. Finally, copy the certificate files to the other master nodes, set the same ownership and permissions, and synchronize the configuration parameters.
5. Set passwords
[root@ES1-4 elasticsearch]# /usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y
Enter password for [elastic]:
Reenter password for [elastic]:
Passwords do not match.
Try again.
Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]
#### Passwords have now been set for the elastic, apm_system, kibana, logstash_system, beats_system and remote_monitoring_user accounts. Below, the username and password just entered are used to query the cluster:
[root@ES1-4 elasticsearch]# curl 192.168.4.215:9200/_cat/indices?v -u elastic
Enter host password for user 'elastic':
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
green open .security-7 7phIYLTcTbugIbSimRI03g 1 0 6 0 19.3kb 19.3kb
(3) Installing and configuring the other nodes
The simplest way to configure the other nodes is to copy the master node's entire configuration directory into each node's configuration directory. That is, the other nodes communicate with each other using the certificate, while the authentication data is synchronized automatically once they join the cluster.
[root@ES2-4 ~]# scp -r /etc/elasticsearch/* [email protected]:/etc/elasticsearch
[email protected]'s password:
elastic-certificates.p12 100% 3451 3.4KB/s 00:00
elastic-certificates.p12 100% 3451 3.4KB/s 00:00
elasticsearch.keystore 100% 199 0.2KB/s 00:00
elasticsearch.yml 100% 875 0.9KB/s 00:00
elasticsearch.yml20190627 100% 534 0.5KB/s 00:00
elasticsearch.yml.bak 100% 2847 2.8KB/s 00:00
elasticsearch.yml.rpmsave 100% 534 0.5KB/s 00:00
jvm.options 100% 3596 3.5KB/s 00:00
log4j2.properties 100% 17KB 16.8KB/s 00:00
role_mapping.yml 100% 473 0.5KB/s 00:00
roles.yml 100% 197 0.2KB/s 00:00
users 100% 0 0.0KB/s 00:00
users_roles 100% 0 0.0KB/s 00:00
[root@ES2-4 ~]# curl -u elastic:123456@123456 http://192.168.4.216:9200/_cat/nodes?pretty
192.168.4.218 51 83 5 0.05 0.03 0.05 mdi - es-node4
192.168.4.216 42 80 11 0.08 0.05 0.05 mdi - es-node2
192.168.4.215 35 73 7 0.01 0.03 0.05 mdi * es-node1
192.168.4.217 35 36 48 1.37 0.37 0.16 mdi - es-node3
######### Node 2 configuration
[root@ES2-4 ~]# cat /etc/elasticsearch/elasticsearch.yml
cluster.name: es
node.name: es-node2
node.data: true
node.master: true
node.attr.tag: hot
path.data: /data/elasticsearch/data
path.logs: /data/elasticsearch/log
path.repo: [ "/data/daily","/data/weekly" ]
transport.tcp.compress: true
network.host: 192.168.4.216
http.port: 9200
http.cors.enabled: true
http.cors.allow-origin: "*"
transport.tcp.port: 9300
discovery.seed_hosts: ["192.168.4.216","192.168.4.215","192.168.4.217","192.168.4.218"]
cluster.initial_master_nodes: ["192.168.4.215","192.168.4.216","192.168.4.217"]
node.attr.box_type: hot
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/config/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/config/elastic-certificates.p12
########### Node 3 configuration
[root@ES3-4 log]# cat /etc/elasticsearch/elasticsearch.yml
cluster.name: es
node.name: es-node3
node.data: true
node.master: true
node.attr.tag: hot
path.data: /data/elasticsearch/data
path.logs: /data/elasticsearch/log
path.repo: [ "/data/daily","/data/weekly" ]
transport.tcp.compress: true
network.host: 192.168.4.217
http.port: 9200
http.cors.enabled: true
http.cors.allow-origin: "*"
transport.tcp.port: 9300
discovery.seed_hosts: ["192.168.4.216","192.168.4.215","192.168.4.217","192.168.4.218"]
cluster.initial_master_nodes: ["192.168.4.215","192.168.4.216","192.168.4.217"]
node.attr.box_type: hot
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/config/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/config/elastic-certificates.p12
########### Node 4 configuration
[root@ES4-4 ~]# cat /etc/elasticsearch/elasticsearch.yml
cluster.name: es
node.name: es-node4
node.data: true
node.master: true
node.attr.tag: hot
path.data: /data/elasticsearch/data
path.logs: /data/elasticsearch/log
path.repo: [ "/data/daily","/data/weekly" ]
transport.tcp.compress: true
network.host: 192.168.4.218
http.port: 9200
http.cors.enabled: true
http.cors.allow-origin: "*"
transport.tcp.port: 9300
discovery.seed_hosts: ["192.168.4.216","192.168.4.215","192.168.4.217","192.168.4.218"]
cluster.initial_master_nodes: ["192.168.4.215","192.168.4.216","192.168.4.217"]
node.attr.box_type: hot
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/config/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/config/elastic-certificates.p12
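As an added example (not part of the original post), the following Python script lints a flat elasticsearch.yml like the node configurations above for the security settings this post enables. It also flags two things the posted configurations leave open: `xpack.security.http.ssl.enabled` is not set, so the REST API and the Basic-auth credentials used with curl and Kibana travel in cleartext, and `http.cors.allow-origin: "*"` accepts every origin. The sample config embedded in the script is constructed from the master node's settings.

```python
"""Added example (not from the post): lint the xpack.security settings in a
flat `key: value` elasticsearch.yml like the ones above (no nested YAML)."""

# Constructed sample: the master node's security-relevant lines from the post.
SAMPLE_CONFIG = """\
http.cors.enabled: true
http.cors.allow-origin: "*"
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12
"""

def parse_flat_yaml(text):
    """Return {key: value} for uncommented `key: value` lines, quotes stripped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def check_security(text):
    """Return a list of findings; an empty list means the config passes."""
    s = parse_flat_yaml(text)
    findings = []
    if s.get("xpack.security.enabled") != "true":
        findings.append("xpack.security.enabled is not true: no authentication at all")
    if s.get("xpack.security.transport.ssl.enabled") != "true":
        findings.append("transport SSL disabled: node-to-node traffic is cleartext")
    mode = s.get("xpack.security.transport.ssl.verification_mode", "full")  # ES default
    if mode not in ("certificate", "full"):
        findings.append(f"verification_mode {mode!r} does not verify the peer certificate")
    for store in ("keystore", "truststore"):
        if not s.get(f"xpack.security.transport.ssl.{store}.path"):
            findings.append(f"transport SSL {store}.path is missing")
    if s.get("xpack.security.http.ssl.enabled") != "true":
        findings.append("HTTP SSL disabled: REST basic-auth credentials travel in cleartext")
    if s.get("http.cors.enabled") == "true" and s.get("http.cors.allow-origin") == "*":
        findings.append("CORS allows every origin; restrict http.cors.allow-origin")
    return findings

if __name__ == "__main__":
    for finding in check_security(SAMPLE_CONFIG):
        print("WARN:", finding)
```

Run against a real file with `check_security(open("/etc/elasticsearch/elasticsearch.yml").read())`; the posted master config yields exactly the two HTTP SSL and CORS findings.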
(4) Configuring Kibana
1. Kibana installation (omitted)
2. Configure kibana.yml as follows
[root@otrs004097 elasticsearch]# grep '^[a-Z]' /etc/kibana/kibana.yml
server.port: 5601
server.host: "192.168.4.97"
server.name: "192.168.4.97"
elasticsearch.hosts: ["http://192.168.4.97:9200"]
elasticsearch.username: "elastic"
elasticsearch.password: "xxxx"
For details, see:
https://www.elastic.co/cn/blog/getting-started-with-elasticsearch-security
https://www.server-world.info/en/note?os=CentOS_7&p=elasticstack7&f=12