Back when we ran ES 5.x, X-Pack was a separate plugin and its authentication and authorization features were paid, so we used Search Guard instead.
Since ES 6.8 and 7.1 the X-Pack components ship with Elasticsearch and the basic security features (authentication, TLS, role-based access control) are free; finer-grained controls such as field- and document-level security still require a paid subscription.
Reference: Configure security for the Elastic Stack | Elasticsearch Guide [7.13] | Elastic
1. Minimal Security
Basic authentication only, suitable for a single-node ES.
安全配置:
1. Enable xpack security
Add the following to elasticsearch.yml:
xpack.security.enabled: true
discovery.type: single-node
xpack.security.transport.ssl.enabled: true
For minimal security on a single node the Elastic guide only needs the first two lines. Leave the transport TLS line out until the keystore and truststore from the Basic Security section exist: with transport TLS enabled and no key material configured, the node fails its SSL configuration check at startup.
2. Set passwords for the built-in users:
1. Start ES: ./bin/elasticsearch -d
2. Set the passwords (auto or interactive): ./bin/elasticsearch-setup-passwords interactive # auto prints a list of randomly generated passwords; here we chose interactive:
eg: Enter password for [elastic]: 123456 Reenter password for [elastic]: 123456 Changed password for user [elastic]
(123456 is only a placeholder for the example; use a strong password for the elastic superuser, which can read and change everything in the cluster.)
3. Restart ES and open http://hostname:9200. A login prompt means the setup worked; log in with the elastic user and the password you just set.
3. Configure Kibana to connect to ES
1. Add the ES user name to kibana.yml:
elasticsearch.username: "kibana_system"
2. Add the kibana_system password to the Kibana keystore (not as elasticsearch.password in kibana.yml, which would leave it in clear text on disk):
../bin/kibana-keystore create
Created Kibana keystore in /elk/kibana/kibana-7.13.2-linux-x86_64/config/kibana.keystore
../bin/kibana-keystore add elasticsearch.password
Enter value for elasticsearch.password: ******
3. Open http://hostname:5601
If the login page appears, the setup succeeded; log in with the elastic superuser to manage users and roles.
ES configuration:
Node info: master & data node (node.master, node.data and node.ingest still work in 7.13 but have been deprecated since 7.9 in favour of node.roles)
node.name: node1
cluster.name: es-7.13.2
network.host: yourhostname
http.port: 9200
transport.port: 9300
node.master: true
node.data: true
node.ingest: false
discovery.seed_hosts: ["hostname:9300"]
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true # TLS on the transport layer; needs the keystore/truststore from the Basic Security section
discovery.type: single-node
2. Basic Security
For multi-node clusters: once xpack.security.enabled is set and the node is not in single-node mode, TLS on the transport layer is mandatory, otherwise the bootstrap checks stop the node.
1. Generate certificates
1. Create a certificate authority
./bin/elasticsearch-certutil ca # writes elastic-stack-ca.p12 to the ES directory
2. Generate the node certificate and private key
./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 # writes elastic-certificates.p12 to the ES directory
3. Copy elastic-certificates.p12 into the config directory of every ES node
4. If you set a password on elastic-certificates.p12, store it in the keystore on every node:
./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
5. Add the following to elasticsearch.yml:
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
verification_mode: certificate checks only that the peer's certificate was signed by the CA in the truststore, not the peer's hostname (the certificate generated above carries no hostnames, so full is not possible here). The CA signature is therefore the whole admission check for the cluster: keep elastic-stack-ca.p12 off the nodes and restrict who can read it, because anyone holding it can issue a certificate and join the cluster.
2. Restart ES and Kibana
ES cluster configuration:
NODE1:
node.name: node1
cluster.name: es-7.13.2
network.host: yourhostname
http.port: 9200
transport.port: 9300
node.master: true
node.data: true
node.ingest: false
cluster.initial_master_nodes: ["node1"]
discovery.seed_hosts: ["xxxx:9300","xxxx:9400"]
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
NODE2:
node.name: node2
cluster.name: es-7.13.2
network.host: yourhostname
http.port: 9200
transport.port: 9400
node.master: false
node.data: true
node.ingest: false
cluster.initial_master_nodes: ["node1"]
discovery.seed_hosts: ["xxxx:9300","xxxx:9400"]
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
3. Basic Security plus HTTPS
To also protect the HTTP (REST) layer, which carries the passwords and API keys of every client, with TLS:
1. Generate the HTTP certificates
./bin/elasticsearch-certutil http
When asked if you want to generate a CSR: n.
When asked if you want to use an existing CA: y.
Enter the path to your CA: the absolute path to elastic-stack-ca.p12.
Enter the password for your CA, if you set one.
Enter an expiration value for your certificate: 5y.
When asked if you want to generate one certificate per node: y.
Each certificate will have its own private key and will be issued for a specific hostname or IP address; wildcards (*) are supported.
When prompted, enter the name of the first node in your cluster. Use the same node name that you used when generating node certificates.
Enter all hostnames used to connect to your first node. These hostnames are added as DNS names in the Subject Alternative Name (SAN) field of the certificate.
List every hostname and variant used to connect to your cluster over HTTPS.
Enter the IP addresses that clients can use to connect to your node.
Repeat these steps for each additional node in your cluster (node2, node3, ...).
2. Add the HTTP TLS settings
Step 1 writes elasticsearch-ssl-http.zip to the ES directory. It contains an elasticsearch folder and a kibana folder; the elasticsearch folder has one subfolder per node.
1. Copy http.p12 from elasticsearch/<node name> into the config directory of the matching node
2. If you set a password when generating the node certificates, add it to the keystore:
./bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
3. Add the following to elasticsearch.yml:
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: "http.p12"
3. Restart ES and open https://hostname:9200 to log in
3. Configure Kibana
1. Copy elasticsearch-ca.pem from the kibana folder of elasticsearch-ssl-http.zip into kibana/config
2. Add to kibana.yml:
elasticsearch.hosts: ["https://hostname:9200"]
elasticsearch.ssl.certificateAuthorities: [ "config/elasticsearch-ca.pem" ]
elasticsearch.ssl.verificationMode: certificate
Kibana's default mode is full: the server certificate must chain to certificateAuthorities and the hostname in elasticsearch.hosts must be one of the DNS names or IPs you entered as SANs in step 1. If it is not, the TLS handshake fails and the ES log shows: http client did not trust this server's certificate. The right fix is to connect with a name that is in the SAN and keep full; verificationMode: certificate is the acceptable fallback, since the chain is still validated and only the hostname check is dropped. Do not use verificationMode: none: it skips validation entirely, makes certificateAuthorities meaningless, and lets anyone who can intercept the Kibana-to-ES connection present their own certificate and collect the kibana_system credentials.
3. Restart Kibana
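The difference between verification_mode certificate on the transport layer above, Kibana's verificationMode full/certificate/none, and what each one actually rejects is easy to get wrong. The following is an added example, not part of the original post or of Elastic's tooling, that reproduces the three checks with openssl on certificates generated on the spot: the CA, the rogue CA, the node names es-node1 and es-node1.example.internal, and the SAN IP 172.17.0.13 are all made-up test data, and openssl 1.1 or newer is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example, not from the original post: emulates with openssl what
# xpack.security.*.ssl.verification_mode (none / certificate / full) and
# Kibana's elasticsearch.ssl.verificationMode decide. Every certificate
# and every name below is constructed here for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA: the role elastic-stack-ca.p12 plays in the post.
make_ca() { # make_ca <file prefix> <CN>
  cat > "$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = $2
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
    -config "$1.cnf" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Node certificate with SAN entries: the role http.p12 plays in the post.
make_node_cert() { # make_node_cert <ca prefix> <name> <SAN list>
  cat > "$WORK/$2.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $2
[san]
subjectAltName = $3
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$WORK/$2.cnf" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -days 1 -sha256 -in "$WORK/$2.csr" \
    -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
    -extfile "$WORK/$2.cnf" -extensions san -out "$WORK/$2.pem" 2>/dev/null
}

# What each verification mode does with a server certificate when the client
# trusts $WORK/ca.pem. Prints "accept" or "reject".
verification_result() { # verification_result <mode> <cert> <hostname>
  case $1 in
    none)        echo accept ;;   # nothing is checked: any certificate passes
    certificate) if openssl verify -CAfile "$WORK/ca.pem" "$2" >/dev/null 2>&1
                 then echo accept; else echo reject; fi ;;
    full)        if openssl verify -CAfile "$WORK/ca.pem" \
                      -verify_hostname "$3" "$2" >/dev/null 2>&1
                 then echo accept; else echo reject; fi ;;
    *)           echo "unknown mode $1" >&2; return 1 ;;
  esac
}

make_ca "$WORK/ca" "Test Elastic CA"
make_ca "$WORK/rogue-ca" "Rogue CA"
# Genuine node certificate, like the one certutil http issues for node1.
make_node_cert "$WORK/ca" es-node1 "DNS:es-node1,DNS:es-node1.example.internal,IP:172.17.0.13"
# Attacker's certificate for the same name, issued by a CA the client does not trust.
make_node_cert "$WORK/rogue-ca" es-node1-rogue "DNS:es-node1"

for mode in none certificate full; do
  printf '%-12s genuine cert, connecting to es-node1:    %s\n' "$mode" \
    "$(verification_result "$mode" "$WORK/es-node1.pem" es-node1)"
  printf '%-12s genuine cert, connecting to kibana-host: %s\n' "$mode" \
    "$(verification_result "$mode" "$WORK/es-node1.pem" kibana-host)"
  printf '%-12s rogue cert, connecting to es-node1:      %s\n' "$mode" \
    "$(verification_result "$mode" "$WORK/es-node1-rogue.pem" es-node1)"
done
```

The middle row of each group is the situation behind the hostname error above: the name Kibana connects to is not in the SAN, so full rejects a perfectly genuine certificate while certificate still accepts it because the chain to ca.pem is intact. The last row is why none is the wrong fix: a certificate signed by a CA the client has never seen is accepted, which is exactly what an interposed host would present.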
Cluster configuration
NODE1:
node.name: node1
cluster.name: es-7.13.2
network.host: yourhostname
http.port: 9200
transport.port: 9300
node.master: true
node.data: true
node.ingest: false
cluster.initial_master_nodes: ["node1"]
discovery.seed_hosts: ["xxxx:9300","xxxx:9400"]
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: "http.p12"
NODE2:
node.name: node2
cluster.name: es-7.13.2
network.host: 172.17.0.13
http.port: 9200
transport.port: 9400
node.master: false
node.data: true
node.ingest: false
cluster.initial_master_nodes: ["node1"]
discovery.seed_hosts: ["xxxx:9300","xxxx:9400"]
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: "http.p12"
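Before restarting a node it is worth checking the files mechanically for the mistakes this page's own steps can produce: transport TLS enabled with no keystore in the Minimal Security section, verificationMode: none and a plaintext password on the Kibana side, and an http:// URL left in elasticsearch.hosts after HTTPS was turned on. The following is an added example, not from the original post or from Elastic: a small POSIX sh audit over the flat key: value files used throughout this page. The four sample configs are constructed inline, with hostnames, paths and the password as placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-flight audit of the
# elasticsearch.yml / kibana.yml settings discussed above. The sample
# configs at the bottom are constructed here; hostnames, paths and the
# password are placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# yaml_get <file> <key>: value of a flat "key: value" line with quotes and a
# trailing " # ..." or " // ..." comment removed. Every file in this post is a
# flat list of dotted keys, so no real YAML parser is needed.
yaml_get() {
  key=$(printf '%s' "$2" | sed 's/\./\\./g')
  sed -n "s|^$key:[[:space:]]*||p" "$1" | head -n 1 \
    | sed -e 's|[[:space:]][[:space:]]*//.*$||' -e 's|[[:space:]][[:space:]]*#.*$||' \
          -e 's|^"\(.*\)"$|\1|' -e "s|^'\(.*\)'$|\1|"
}

# audit_es <elasticsearch.yml>: prints one finding per line, nothing when clean.
audit_es() {
  f=$1
  [ "$(yaml_get "$f" xpack.security.enabled)" = true ] \
    || echo "xpack.security.enabled is not true: every API is open to anonymous callers"
  if [ "$(yaml_get "$f" xpack.security.transport.ssl.enabled)" = true ]; then
    [ -n "$(yaml_get "$f" xpack.security.transport.ssl.keystore.path)" ] \
      || echo "transport TLS enabled without keystore.path: no key material for the transport layer"
    [ "$(yaml_get "$f" xpack.security.transport.ssl.verification_mode)" != none ] \
      || echo "transport verification_mode none: peer node certificates are not validated"
  else
    echo "transport TLS disabled: inter-node traffic is plaintext"
  fi
  [ "$(yaml_get "$f" xpack.security.http.ssl.enabled)" = true ] \
    || echo "HTTP TLS disabled: passwords and API keys cross the network in clear text"
}

# audit_kibana <kibana.yml>: same shape for the Kibana side.
audit_kibana() {
  f=$1
  case "$(yaml_get "$f" elasticsearch.hosts)" in
    *http://*) echo "elasticsearch.hosts uses http://: the kibana_system password is sent in clear text" ;;
  esac
  [ "$(yaml_get "$f" elasticsearch.ssl.verificationMode)" != none ] \
    || echo "elasticsearch.ssl.verificationMode none: certificateAuthorities is ignored and any server certificate is accepted"
  [ -z "$(yaml_get "$f" elasticsearch.password)" ] \
    || echo "elasticsearch.password in kibana.yml: store it with kibana-keystore instead"
}

# Constructed samples: the Minimal Security node as written above (weak), the
# final node1 with transport and HTTP TLS (clean), a weak and a fixed kibana.yml.
cat > "$WORK/es-minimal.yml" <<'EOF'
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true  # enabled but no keystore configured
discovery.type: single-node
EOF
cat > "$WORK/es-node1.yml" <<'EOF'
node.name: node1
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: "http.p12"
EOF
cat > "$WORK/kibana-weak.yml" <<'EOF'
elasticsearch.hosts: ["http://hostname:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.password: "changeme"
elasticsearch.ssl.verificationMode: none
EOF
cat > "$WORK/kibana-fixed.yml" <<'EOF'
elasticsearch.hosts: ["https://hostname:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.ssl.verificationMode: certificate
elasticsearch.ssl.certificateAuthorities: [ "config/elasticsearch-ca.pem" ]
EOF

for f in es-minimal es-node1; do echo "== $f.yml"; audit_es "$WORK/$f.yml"; done
for f in kibana-weak kibana-fixed; do echo "== $f.yml"; audit_kibana "$WORK/$f.yml"; done
```

Run it against the real config directories by pointing audit_es and audit_kibana at the actual files; an empty report for every node and for Kibana is the state the final cluster configuration above should reach.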