当前位置: 首页 > 工具软件 > X-Pack > 使用案例 >

elastic部署开启认证x-pack

匡翰
2023-12-01

elastic集群:

es在6.8以后逐渐开放x-pack功能,所以集群可以开启认证功能。(es不能使用root运行)

集群搭建:

设置好集群角色,集群的备份仓库

vim /usr/local/elastic/config/elasticsearch.yml
cluster.name: my-application
network.host: ip
path.repo: xxxx
path.data: data
path.logs: logs
http.port: 9200
transport.tcp.port: 9300
discovery.seed_hosts: [“ip:9300”, “ip:9301”, “ip:9302”]
cluster.initial_master_nodes: [“ip:9300”, “ip:9301”, “ip:9302”]

#开启安全认证登录
xpack.security.enabled:true
##tcp启用TSL
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: ./elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: ./elastic-certificates.p12

首先生成证书:

生成CA证书,使用elasticsearch内部命令
elasticsearch-certutil ca
elasticsearch-certutil cert --ca elastic-stack-ca.p12
一般证书在解压的elastic的首层目录,然后将所有的证书传到每个节点的esconfig目录下

设置密码:

将每个节点的es启动
然后elasticsearch-setup-passwords auto 也可以interactive进行手动修改
然后将证书重新拷贝到每个节点

启用https:

#http启用TLS
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: ./elastic-certificates.p12
xpack.security.http.ssl.truststore.path: ./elastic-certificates.p12

kibana连接es https:

openssl pkcs12 -in config/certs/elastic-stack-ca.p12 -clcerts -nokeys -chain -out elastic-stack-ca.pem

配置kibana与es https通信:
elasticsearch.ssl.certificateAuthorities: config/certs/old/elastic-stack-ca.pem
elasticsearch.ssl.verificationMode: certificate
配置kibana与es的用户密码认证:
xpack.security.enabled: true
elasticsearch.username: “kibana”
elasticsearch.password: “your passwd”

 类似资料: