es在6.8以后逐渐开放x-pack功能,所以集群可以开启认证功能。(es不能使用root运行)
设置好集群角色,集群的备份仓库
vim /usr/local/elastic/config/elasticsearch.yml
cluster.name: my-application
network.host: ip
path.repo: xxxx
path.data: data
path.logs: logs
http.port: 9200
transport.tcp.port: 9300
discovery.seed_hosts: [“ip:9300”, “ip:9301”, “ip:9302”]
cluster.initial_master_nodes: [“ip:9300”, “ip:9301”, “ip:9302”]
#开启安全认证登录
xpack.security.enabled:true
##tcp启用TSL
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: ./elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: ./elastic-certificates.p12
生成CA证书,使用elasticsearch内部命令
elasticsearch-certutil ca
elasticsearch-certutil cert --ca elastic-stack-ca.p12
一般证书在解压的elastic的首层目录,然后将所有的证书传到每个节点的esconfig目录下
将每个节点的es启动
然后elasticsearch-setup-passwords auto 也可以interactive进行手动修改
然后将证书重新拷贝到每个节点
#http启用TLS
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: ./elastic-certificates.p12
xpack.security.http.ssl.truststore.path: ./elastic-certificates.p12
openssl pkcs12 -in config/certs/elastic-stack-ca.p12 -clcerts -nokeys -chain -out elastic-stack-ca.pem
配置kibana与es https通信:
elasticsearch.ssl.certificateAuthorities: config/certs/old/elastic-stack-ca.pem
elasticsearch.ssl.verificationMode: certificate
配置kibana与es的用户密码认证:
xpack.security.enabled: true
elasticsearch.username: “kibana”
elasticsearch.password: “your passwd”