Prerequisite: Elasticsearch is installed and reachable at http://ip:9200
Reference: Installing Elasticsearch 7.14.0 on CentOS 7
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
Parameter descriptions:
xpack.security.enabled: turns on X-Pack authentication.
xpack.security.transport.ssl.enabled: if this is not set, ES will not start and reports the following error:
Transport SSL must be enabled if security is enabled on a [basic] license. Please set [xpack.security.transport.ssl.enabled] to [true] or disable security by setting [xpack.security.enabled] to [false]
Here passwords must be set for 4 users: elastic, kibana, logstash_system and beats_system (interactive sets them by hand, auto generates them).
bin/elasticsearch-setup-passwords interactive
The following form generates the passwords automatically, which is relatively safer:
bin/elasticsearch-setup-passwords auto
Other password-change commands:
curl -H "Content-Type:application/json" -XPOST -u elastic 'http://127.0.0.1:9200/_xpack/security/user/elastic/_password' -d '{ "password" : "xxxx" }'
3.1 Access via the command line:
Example 1: curl -XGET -u elastic 'localhost:9200/_xpack/security/user?pretty'
Example 2: curl 127.0.0.1:9200 -u elastic
3.2 Access via the browser
When connecting Kibana, add the following to the kibana.yml config file:
elasticsearch.username: "elastic"
elasticsearch.password: "xxxx"
Kibana will then require the username and password to log in.
[2023-02-07T22:11:31,657][WARN ][o.e.t.TcpTransport ] [node-1] exception caught on transport layer [Netty4TcpChannel{localAddress=0.0.0.0/0.0.0.0:9300, remoteAddress=/0:0:0:0:0:0:0:1:60820, profile=default}], closing connection
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: no cipher suites in common
[Elasticsearch: after enabling authentication, the error DecoderException: javax.net.ssl.SSLHandshakeException: no available authentic is reported]
Solution:
The fix mainly follows
Encrypting communications in Elasticsearch | Elasticsearch Guide [6.3] | Elastic.
In short: the inter-node TCP (transport) traffic must be encrypted with SSL.
Step 1: generate a CA certificate in the ES root directory
bin/elasticsearch-certutil ca
You are prompted for a password; pressing Enter leaves it unset (think carefully before doing so).
Step 2: use the CA from step 1 to generate the p12 certificate
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
Step 3: create a certs directory under config and copy the p12 file into it
Step 4: configure elasticsearch.yml
xpack.security.enabled: true
xpack.license.self_generated.type: basic
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
Step 5: restart ES
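As an added example (not from the original post), a Python check that applies the rule from the startup error above to an elasticsearch.yml before restarting: security on requires transport SSL, and SSL requires the keystore/truststore paths set in step 4. The two sample configs are constructed from the versions shown in this post; only flat key: value lines are parsed.

```python
import re

# Flat `key: value` lines, the form used in elasticsearch.yml above.
_LINE_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*:\s*(.*?)\s*$")

# Constructed sample configs mirroring the post: the first two-line version
# (security on, SSL on, no certificates yet) and the final version with certs.
MINIMAL_CONFIG = """\
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
"""
FINAL_CONFIG = """\
xpack.security.enabled: true
xpack.license.self_generated.type: basic
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
"""

def parse_flat_yaml(text):
    """Parse dotted `key: value` lines into a dict; comments and blanks are skipped."""
    settings = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line.split("#", 1)[0])
        if m:
            settings[m.group(1)] = m.group(2).strip('"\'')
    return settings

def _is_true(settings, key):
    return settings.get(key, "false").lower() == "true"

def check_security(settings):
    """Return a list of problems; an empty list means the node should start."""
    problems = []
    if not _is_true(settings, "xpack.security.enabled"):
        return ["xpack.security.enabled is not true: the cluster accepts unauthenticated requests"]
    if not _is_true(settings, "xpack.security.transport.ssl.enabled"):
        # The exact failure quoted in the post's startup error.
        problems.append("security enabled without transport SSL: ES refuses to start on a basic license")
        return problems
    for key in ("xpack.security.transport.ssl.keystore.path",
                "xpack.security.transport.ssl.truststore.path"):
        if not settings.get(key):
            # No key material: nodes cannot negotiate TLS ("no cipher suites in common").
            problems.append(f"{key} is missing")
    if settings.get("xpack.security.transport.ssl.verification_mode", "full") == "none":
        problems.append("verification_mode none: peer certificates are not validated")
    return problems
```

Run check_security(parse_flat_yaml(open("config/elasticsearch.yml").read())) before restarting; an empty list means the settings satisfy the rule above.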
Other references:
Reference: https://blog.csdn.net/weixin_45367149/article/details/108388846