es-6.8.0以上版本开启权限认证x-pack配置

亲测es版本6.8.0
elasticsearch-6.8.0.tar.gz
启动ES
省略
设置ES内置用户及密码

1、先创建keystore文件 bin/elasticsearch-keystore create。
2、在Elasticsearch目录中运行命令:./bin/elasticsearch-setup-passwords interactive,回车之后为每一个用户设置独立的密码。记住ES实例必须启动。
3、你需要在后续步骤中使用这些内置用户,因此务必牢记前面设置的密码!

ES生成密钥
使用pem,执行以下命令

1、在/es安装目录/bin/下执行
./elasticsearch-certutil ca --days 720 --pem
执行后会在bin文件夹下生成根密钥:elastic-stack-ca.zip(默认zip包的名称)
2、解压根密钥,会生成一个 ca文件夹,包含ca.key,和ca.cert
3、在/es安装目录/bin/下执行
./elasticsearch-certutil cert --ca-cert ./ca/ca.crt --ca-key ./ca/ca.key --days 720 --pem
执行后会生成节点密钥:certificate-bundle.zip(默认zip包的名称)
4、解压后会生成 一个instance文件夹,包含instance.key,和instance.crt
5、将ca和instance两个文件夹 拷贝至 es的配置文件所在目录 config下创建文件夹x-pack,并将ca和instance文件夹 拷贝进去并且修改所属权限为es用户

ES 配置文件elasticsearch.yml

xpack.security.transport.ssl.enabled: true
xpack.ssl.key: x-pack/instance/instance.key
xpack.ssl.certificate: x-pack/instance/instance.crt
xpack.ssl.certificate_authorities: x-pack/ca/ca.crt
xpack.ssl.verification_mode: certificate
xpack.ssl.client_authentication: required

POM引入:

 <repositories>
        <!-- add the elasticsearch repo -->
        <repository>
            <id>elasticsearch-releases</id>
            <url>https://artifacts.elastic.co/maven</url>
            <releases>
                <enabled>true</enabled>
            </releases>
            <snapshots>
                <enabled>false</enabled>
            </snapshots>
        </repository>
    </repositories>
<!-- 引入ES -->
<dependency>
            <groupId>org.elasticsearch</groupId>
            <artifactId>elasticsearch</artifactId>
            <version>${elasticsearch.version}</version>
</dependency>
<!-- 引入ES-client -->
<dependency>
            <groupId>org.elasticsearch.client</groupId>
            <artifactId>transport</artifactId>
            <version>${elasticsearch.version}</version>
            <exclusions>
                <exclusion>
                    <groupId>org.elasticsearch</groupId>
                    <artifactId>elasticsearch</artifactId>
                </exclusion>
            </exclusions>
</dependency>
<!-- 引入x-pack -->
<dependency>
            <groupId>org.elasticsearch.client</groupId>
            <artifactId>x-pack-transport</artifactId>
            <version>${elasticsearch.version}</version>
</dependency>

java客户端连接代码:

TransportClient client = new PreBuiltXPackTransportClient(Settings.builder()
                    .put("cluster.name", "my-application")
                    .put("xpack.security.user", "elastic:pw123456")
                    .put("xpack.ssl.key", "/opt/cert/my-application/my-application.key")
                    .put("xpack.ssl.certificate", "/opt/cert/my-application/my-application.crt")
                    .put("xpack.ssl.certificate_authorities", "/opt/cert/ca/ca.crt")
                    .put("xpack.security.transport.ssl.verification_mode", "certificate")
                    .put("xpack.security.transport.ssl.enabled", "true")
                    .build());

注意:
xpack.security.transport.ssl.verification_mode 属性的值,es默认为 full,即为 全量验证,包含 对 dns、ip、实例名称,证书等等一系列的验证,当我们设置verification_mode的属性值为 certificate 的时候,意味着 只进行证书验证,由于生成密钥的时候 全程回车,所以此处 如果 java客户端 不添加该属性为 certificate ,则es日志会有以下报错信息:
“client did not trust this server’s certificate”
排错非常痛苦,酸爽!!!

#es主节点配置:
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.ssl.key: x-pack/instance/instance.key
xpack.ssl.certificate: x-pack/instance/instance.crt
xpack.ssl.certificate_authorities: x-pack/ca/ca.crt
xpack.ssl.verification_mode: certificate
xpack.ssl.client_authentication: required
#verification_mode设置为 certificate (网上帖子所谓的:关闭host验证)
#当设置为 full的时候 会验证 dns 和 ip 没有设置dns和ip 会报错client did not trust this server’s certificate

es从节点配置:
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: x-pack/instance/instance.key
xpack.security.transport.ssl.certificate: x-pack/instance/instance.crt
xpack.security.transport.ssl.certificate_authorities: x-pack/ca/ca.crt

#es集群节点间通讯(集群节点发现)用tcp端口 (默认9300) 重要的事情说三遍
#es集群节点间通讯(集群节点发现)用tcp端口 (默认9300) 重要的事情说三遍
#es集群节点间通讯(集群节点发现)用tcp端口 (默认9300) 重要的事情说三遍

版权声明:本文为博主原创文章,遵循 CC 4.0 BY 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/LSY929981117/article/details/107714001

你可能感兴趣的:(x-pack,java,es,client)