全文检索示例:Elasticsearch开启基本权限认证(4)

简介

本文介绍如何用把我们将在基于docker搭建Elasticsearch环境章节搭建的Elasticsearch环境开启基本权限认证功能

• 环境介绍
  系统：centos7.6 ，IP：192.168.1.14

软件	版本
docker	1.3.1
docker-compose	1.18.0
elasticsearch	6.8.3
kibana	6.8.3

停掉相关服务

# 停止kibana容器
[root@localhost kibana]# docker stop kibana
kibana
# 停止es01容器
[root@localhost kibana]# docker stop es01
es01
# 验证容器是否停止
[root@localhost kibana]# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                NAMES
10778d49f1c1        nginx               "nginx -g 'daemon ..."   2 days ago          Up 15 minutes       0.0.0.0:80->80/tcp   nginx
# 如上所示，只有一个nginx还在运行，kinana和es01已经停止运行

启用ES基本认证

官方参考地址：Enable Elasticsearch security features
在es的docker-compose.yml中添加如下配置

# 启用认证功能
xpack.security.enabled=true
# 开启认证节点间交流需要基于TLS，设置 single-node发现模式，能够推迟TLS
discovery.type=single-node

[root@localhost ~]# vim /root/docker-compose/elasticsearch/docker-compose.yml

添加完成后，docker-compose.yml完整内容如下

version: '2.2'
services:
  es:
    image: huanqingdong/elasticsearch:6.8.3-ik
    container_name: es01
    hostname: docker-14
    restart: always
    environment:
      - node.name=es01
      - cluster.name=docker-cluster
      - bootstrap.memory_lock=true
      - xpack.security.enabled=true
      - discovery.type=single-node
      - "ES_JAVA_OPTS=-Xms1g -Xmx1g"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - data:/usr/share/elasticsearch/data
    ports:
      - 9200:9200
    networks:
      - net
    extra_hosts:
      - "ikserver:192.168.1.14"
volumes:
  data:
    driver: local

networks:
  net:

为内置用户设置密码

官方参考地址：Create passwords for built-in users

# 启动es容器,因为上一步修改了docker-compose.yml文件，所以使用docker-compose来启动
[root@localhost ~]# cd /root/docker-compose/elasticsearch
[root@localhost elasticsearch]# docker-compose up -d 
Recreating es01 ... done

# 进入容器
[root@localhost elasticsearch]# docker exec -it es01 bash
# 以交互方式设置密码，如下第一个提示输入y，其余的密码我都设置成了123456
[root@docker-14 elasticsearch]# ./bin/elasticsearch-setup-passwords interactive   
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y


Enter password for [elastic]: 
Reenter password for [elastic]: 
Enter password for [apm_system]: 
Reenter password for [apm_system]: 
Enter password for [kibana]: 
Reenter password for [kibana]: 
Enter password for [logstash_system]: 
Reenter password for [logstash_system]: 
Enter password for [beats_system]: 
Reenter password for [beats_system]: 
Enter password for [remote_monitoring_user]: 
Reenter password for [remote_monitoring_user]: 
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]

# 设置完成后退出容器
[root@docker-14 elasticsearch]# exit
exit

设置kinana

官方参考地址：Add the built-in user to Kibana
设置kibana连接elasticsearch使用的账号密码，有两种方式

• 在kibana.yml中使用明文配置
• 使用keystore存储账号密码

此处选用在kibana.yml中使用明文配置这种方式进行设置，如果你想使用keystore，可以参考官方文档进行配置

在kibana的docker-compose.yml中添加如下两项配置

# 指定用户名
ELASTICSEARCH_USERNAME: "kibana"
# 指定密码，由于我的密码是纯数字，而kibana要求这个是字符串，
# 所以我的密码123456外面多括了一层小括号，如果密码为字符串，则直接‘密码即可’
# 如果写‘123456’会报ATAL  ValidationError: child "elasticsearch" fails because [child "password" fails because ["password" must be a string]]
ELASTICSEARCH_PASSWORD: '"123456"'

[root@localhost ~]# vim /root/docker-compose/kibana/docker-compose.yml

添加完成后，docker-compose.yml完整内容如下

version: '2.2'
services:
  kibana:
    container_name: kibana
    image: kibana:6.8.3
    restart: always
    environment:
      ELASTICSEARCH_HOSTS: http://192.168.1.14:9200
      ELASTICSEARCH_USERNAME: "kibana"
      ELASTICSEARCH_PASSWORD: '"123456"'
      I18N_LOCALE: zh-CN
    ports:
      - 5601:5601
    networks:
      - net
networks:
  net:

启动kibana验证

# 启动kibana
[root@localhost elasticsearch]# cd /root/docker-compose/kibana/
[root@localhost kibana]# docker-compose up -d 
Recreating kibana ... done

# 查看kibana日志
docker logs -f kibana
# 当出现以下两句则说明启动成功
{
     "type":"log","@timestamp":"2019-10-17T13:36:14Z","tags":["listening","info"],"pid":1,"message":"Server running at http://0:5601"}
{
     "type":"log","@timestamp":"2019-10-17T13:36:14Z","tags":["status","plugin:[email protected]","info"],"pid":1,"state":"green","message":"Status changed from yellow to green - Ready","prevState":"yellow","prevMsg":"Waiting for Elasticsearch"}

在浏览器中输入kibana地址http://192.168.1.14:5601,出现如下界面，需要我们输入账号密码登入

账号输入elastic（es的超级管理员）,密码输入123456进行登入

登入成功后进入kibana首页，如下所示：

至此es的基本认证功能开启完毕