Using X-Pack authentication with Elasticsearch 7.7.0

1. Certificate configuration (the certificates must be placed in the config directory of each node):

$ cd /opt/elasticsearch/
$ ./bin/elasticsearch-certutil ca
$ ./bin/elasticsearch-certutil cert -ca elastic-stack-ca.p12
$ mv elastic-stack-ca.p12 config/
$ mv elastic-certificates.p12 config/

2. Modify the configuration file on each node:

$ grep -E -v "^#|^$" config/elasticsearch.yml
cluster.name: my-es
node.name: node-0
path.data: /opt/elasticsearch/data
path.logs: /opt/elasticsearch/logs
network.host: 192.168.3.120
http.port: 9200
transport.tcp.port: 9300
transport.tcp.compress: true
discovery.seed_hosts: ["docker0","docker1","docker2"]
cluster.initial_master_nodes: ["node-0","node-1", "node-2"]
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /opt/elasticsearch/config/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /opt/elasticsearch/config/elastic-certificates.p12

3. Start ES and set the passwords for the built-in accounts:

  • Start each node

    $ ./bin/elasticsearch -d
  • Once the nodes are up, set the built-in account passwords on one of the nodes

    $ ./bin/elasticsearch-setup-passwords interactive
  • Test

    curl -XGET -u elastic http://192.168.3.120:9200/text/name/1
    Enter host password for user 'elastic':
    {"_index":"text","_type":"name","_id":"1","_version":2,"_seq_no":1,"_primary_term":5,"found":true,"_source":
    {
    "name":"Laoluo"
    }}
  • Change the password of the elastic account:
    curl -H "Content-Type: application/json" -XPUT -u elastic:YourOldPWD 'http://192.168.3.120:9200/_xpack/security/user/elastic/_password' -d '{
    "password" : "YourNewPWD"
    }'

Once authentication is enabled, Beats, Logstash and Kibana must all authenticate when they connect to ES or access it.
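
A check for the node configuration from step 2, added here as an example (it is not part of the original post): the script reads an elasticsearch.yml and reports which of the security settings shown in that step are missing or weakened. The function names `es_setting`, `fail` and `audit_es_security` and the sample file are assumptions made for this example; the `xpack.security.http.ssl.enabled` warning concerns a setting the post does not configure.

```shell
#!/bin/sh
# Added example: audit elasticsearch.yml for the security settings from step 2.
# Print the value of a flat "key: value" setting; empty if absent or commented out.
es_setting() {   # $1 = key, $2 = config file
    awk -v k="$1" '
        /^[ \t]*#/ { next }
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, k ":") == 1 {
            v = substr(line, length(k) + 2)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            print v; exit
        }' "$2"
}

fail() { echo "FAIL: $1"; findings=$((findings + 1)); }
# Print findings for one config file; the exit status is the number of FAILs.
audit_es_security() {
    conf=$1; findings=0; pre=xpack.security
    [ "$(es_setting $pre.enabled "$conf")" = true ] ||
        fail "$pre.enabled is not true: authentication is off"
    [ "$(es_setting $pre.transport.ssl.enabled "$conf")" = true ] ||
        fail "$pre.transport.ssl.enabled is not true: node-to-node traffic is unencrypted"
    mode=$(es_setting $pre.transport.ssl.verification_mode "$conf")
    case "$mode" in
        full|certificate|"") ;;   # unset means the default, full
        *) fail "verification_mode '$mode' does not validate peer certificates" ;;
    esac
    for k in keystore.path truststore.path; do
        [ -n "$(es_setting $pre.transport.ssl.$k "$conf")" ] ||
            fail "$pre.transport.ssl.$k is not set"
    done
    # Not part of step 2: without HTTP TLS, curl -u sends the password in clear text.
    [ "$(es_setting $pre.http.ssl.enabled "$conf")" = true ] ||
        echo "WARN: $pre.http.ssl.enabled is not true: REST credentials are sent unencrypted"
    return "$findings"
}

# Constructed sample: the security-related lines of the node config from step 2.
sample=$(mktemp)
cat > "$sample" <<'EOF'
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /opt/elasticsearch/config/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /opt/elasticsearch/config/elastic-certificates.p12
EOF
audit_es_security "$sample" && echo "no FAIL findings"
rm -f "$sample"
```

To audit a real node, call `audit_es_security /opt/elasticsearch/config/elasticsearch.yml`; a non-zero exit status is the number of FAIL lines.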