1. Elastic offers three levels of security

1.1 Minimal security

Applies to: Elasticsearch in development mode

1.2 Basic security

Applies to: Elasticsearch in production

1.3 Basic security + TLS for REST

Stronger security: basic security + TLS for REST

2. Minimal security setup: minimal security for ES

2.1 Prerequisites

  1. Elasticsearch is installed;
  2. Kibana is installed.

2.2 Configure a few environment variables

%ES_HOME%=Elasticsearch installation directory
ES_PATH_CONF=%ES_HOME%/config
%KIB_HOME%=Kibana installation directory
KIB_PATH_CONF=%KIB_HOME%/config

The configuration is shown in the screenshot:

image.png

2.3 elasticsearch.yml configuration

2.3.1 Enable the Elasticsearch security features:

xpack.security.enabled: true

For a single-node setup, this setting ensures the node does not inadvertently connect to other clusters:

discovery.type: single-node

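2.3.3 Set passwords for the built-in users

1. Open a terminal window and start Elasticsearch (restart it after changing the configuration):
./bin/elasticsearch
2. Open another window and run elasticsearch-setup-passwords: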

bin/elasticsearch-setup-passwords interactive

Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y

Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana_system]:
Reenter password for [kibana_system]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]

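For the 20 or so lines above, just enter your password repeatedly. Also take note of the user [kibana_system] in this output; it comes up again below.

2.4 kibana.yml configuration

2.4.1 Add the kibana_system user to the yml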

elasticsearch.username: "kibana_system"
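# Set to any text string. By default Kibana generates a random key at startup, which causes pending reports to fail after a restart; set this so the same key is used across restarts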
xpack.reporting.encryptionKey: "just_need_a_fixed_string"
xpack.security.encryptionKey: "something_at_least_32_characters"
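# If no encryption key is specified, Kibana generates a random key at startup, so data encrypted before a restart can no longer be decrypted; specify one explicitly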
xpack.encryptedSavedObjects.encryptionKey: "min-32-byte-long-strong-encryption-key"

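If the three encryption keys above are not specified, Kibana logs warnings at startup.

The built-in kibana_system user and its password were created earlier (you entered the password above, remember?).
Kibana needs the kibana_system user to perform some background tasks.

2.4.2 Create the Kibana keystore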

./bin/kibana-keystore create

2.4.3 Add the kibana_system user's password to the Kibana keystore:

./bin/kibana-keystore add elasticsearch.password

2.4.4 Restart Kibana

./bin/kibana

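Visit http://localhost:5601 again; it now requires a username and password. Log in with the elastic user and its password.

Elasticsearch must be running throughout the whole procedure in 2.4.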
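
The settings from 2.3 and 2.4 can be checked before restarting. The following is an added example, not part of the original post or of Elastic's tooling: a small audit of elasticsearch.yml and kibana.yml text. It assumes flat dotted keys as in the snippets above, takes the 32-character minimum from the placeholder names on this page, and uses constructed sample values; the function names are hypothetical.

```python
import re

# Placeholder values from the kibana.yml snippet above; they must be replaced.
PLACEHOLDERS = {"just_need_a_fixed_string", "something_at_least_32_characters",
                "min-32-byte-long-strong-encryption-key"}
# Minimum lengths: 32 comes from the placeholder names; 1 means "any fixed string".
KEY_MIN_LEN = {"xpack.reporting.encryptionKey": 1,
               "xpack.security.encryptionKey": 32,
               "xpack.encryptedSavedObjects.encryptionKey": 32}

def parse_flat_yaml(text):
    """Parse 'dotted.key: value' lines (assumption: flat keys, no nesting)."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([\w.]+)\s*:\s*(.*?)\s*$', line)  # comment lines never match
        if m:
            settings[m.group(1)] = m.group(2).strip('"\'')
    return settings

def audit_elasticsearch(text):
    """Check the two elasticsearch.yml settings from section 2.3 (single-node setup)."""
    s, findings = parse_flat_yaml(text), []
    if s.get("xpack.security.enabled", "").lower() != "true":
        findings.append("xpack.security.enabled is not true")
    if s.get("discovery.type") != "single-node":
        findings.append("discovery.type is not single-node")
    return findings

def audit_kibana(text):
    """Check the kibana.yml settings from section 2.4."""
    s, findings = parse_flat_yaml(text), []
    if s.get("elasticsearch.username") != "kibana_system":
        findings.append("elasticsearch.username is not kibana_system")
    if "elasticsearch.password" in s:  # the password belongs in the keystore (2.4.3)
        findings.append("elasticsearch.password is in kibana.yml, not the keystore")
    for key, min_len in KEY_MIN_LEN.items():
        value = s.get(key)
        if value is None:
            findings.append(f"{key} is not set")
        elif value in PLACEHOLDERS:
            findings.append(f"{key} still uses the tutorial placeholder")
        elif len(value) < min_len:
            findings.append(f"{key} is shorter than {min_len} characters")
    return findings

if __name__ == "__main__":
    # Constructed sample input: plaintext password, one short key, two keys missing.
    sample = ('elasticsearch.username: "kibana_system"\n'
              'elasticsearch.password: "constructed"\n'
              'xpack.security.encryptionKey: "too-short"\n')
    print("\n".join(audit_kibana(sample)))
```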

References: official documentation: Configure security for the Elastic Stack

Set up basic security for the Elastic Stack


丰木