1. Elastic has three levels of security configuration
1.1 Minimal security
Applies to: Elasticsearch in development mode
1.2 Basic security
Applies to: Elasticsearch in production
1.3 Basic security + TLS for REST
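Better security: basic security + TLS for REST
2. Minimal security setup: minimal security for ES
2.1 Prerequisites
- Elasticsearch is installed;
- Kibana is installed;
2.2 Configure a few environment variables
%ES_HOME%=Elasticsearch installation directory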
ES_PATH_CONF=%ES_HOME%/config
%KIB_HOME%=Kibana installation directory
KIB_PATH_CONF=%KIB_HOME%/config
2.3 elasticsearch.yml configuration
2.3.1 Enable the ES security features:
xpack.security.enabled: true
On a single node, this setting ensures the node does not inadvertently connect to another cluster
discovery.type: single-node
2.3.3 Set passwords for the built-in users
1. Open a window and start ES (restart it once the configuration above is done)
./bin/elasticsearch
2. In another window, run elasticsearch-setup-passwords
bin/elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y
Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana_system]:
Reenter password for [kibana_system]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]
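For the twenty or so lines above, just enter your password each time you are prompted. Also take note of the user [kibana_system] here; it comes up again below.
2.4 kibana.yml configuration
2.4.1 Add the kibana_system user to the yml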
elasticsearch.username: "kibana_system"
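# Set to any text string. By default Kibana generates a random key at startup, which causes pending reports to fail after a restart; configure this setting so the same key is used across restarts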
xpack.reporting.encryptionKey: "just_need_a_fixed_string"
xpack.security.encryptionKey: "something_at_least_32_characters"
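# If no encryption key is specified, Kibana generates a random key at startup. After each restart it can then no longer decrypt data encrypted before the restart, so specify one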
xpack.encryptedSavedObjects.encryptionKey: "min-32-byte-long-strong-encryption-key"
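If the three encryptionKey settings are not specified, Kibana logs warnings at startup.
The built-in kibana_system user and its password were already created earlier (you entered it above, remember?).
Kibana performs some background tasks that require the kibana_system user.
2.4.2 Create the Kibana keystore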
./bin/kibana-keystore create
2.4.3 Add the kibana_system user's password to the Kibana keystore:
./bin/kibana-keystore add elasticsearch.password
2.4.4 Restart Kibana
./bin/kibana
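Visit http://localhost:5601 again and it now asks for a username and password; log in as elastic with its password.
Elasticsearch must be running throughout all of section 2.4.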
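An added example, not part of the original post: a small Python check for the kibana.yml built in section 2.4. It flags encryption keys that are missing, copied from this page or too short, and an elasticsearch.password left in plaintext instead of the keystore. The function names, the 32-character minimum applied to all three keys, and the sample password are assumptions of this example.

```python
import re
import secrets

KEY_SETTINGS = (
    "xpack.reporting.encryptionKey",
    "xpack.security.encryptionKey",
    "xpack.encryptedSavedObjects.encryptionKey",
)
# Placeholder values printed on this page, in the same order as KEY_SETTINGS.
PAGE_PLACEHOLDERS = (
    "just_need_a_fixed_string",
    "something_at_least_32_characters",
    "min-32-byte-long-strong-encryption-key",
)
MIN_KEY_LEN = 32  # assumption: minimum taken from the page's placeholder names

def parse_flat_yaml(text):
    """Parse flat 'dotted.key: value' lines, the only YAML form this page uses."""
    pattern = r"^[ \t]*([A-Za-z_][\w.]*)[ \t]*:[ \t]*(.*?)[ \t]*$"
    return {k: v.strip("\"'") for k, v in re.findall(pattern, text, re.M)}

def audit_kibana_yml(text):
    """Return (setting, problem) findings for a kibana.yml given as text."""
    cfg = parse_flat_yaml(text)
    findings = []
    for name in KEY_SETTINGS:
        value = cfg.get(name)
        if value is None:
            findings.append((name, "not set: a random key is generated at every start"))
        elif value in PAGE_PLACEHOLDERS:
            findings.append((name, "publicly known placeholder value"))
        elif len(value) < MIN_KEY_LEN:
            findings.append((name, f"shorter than {MIN_KEY_LEN} characters"))
    if "elasticsearch.password" in cfg:  # belongs in the keystore (step 2.4.3)
        findings.append(("elasticsearch.password", "plaintext password in kibana.yml"))
    return findings

def render_keys():
    """kibana.yml lines with fresh random keys (32 hex characters each)."""
    return "\n".join(f'{n}: "{secrets.token_hex(16)}"' for n in KEY_SETTINGS)

# Constructed sample: the kibana.yml from this page plus a plaintext password.
SAMPLE = 'elasticsearch.username: "kibana_system"\n'
SAMPLE += 'elasticsearch.password: "constructed-example"\n'
SAMPLE += "\n".join(f'{k}: "{v}"' for k, v in zip(KEY_SETTINGS, PAGE_PLACEHOLDERS))

if __name__ == "__main__":
    print(audit_kibana_yml(SAMPLE), render_keys(), sep="\n")
```

Paste the output of render_keys() into kibana.yml in place of the three placeholder strings, then rerun the audit on the file's contents.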