elastic集群：

es在6.8以后逐渐开放x-pack功能，所以集群可以开启认证功能。（es不能使用root运行）

集群搭建：

设置好集群角色，集群的备份仓库

vim /usr/local/elastic/config/elasticsearch.yml
cluster.name: my-application
network.host: ip
path.repo: xxxx
path.data: data
path.logs: logs
http.port: 9200
transport.tcp.port: 9300
discovery.seed_hosts: [“ip:9300”, “ip:9301”, “ip:9302”]
cluster.initial_master_nodes: [“ip:9300”, “ip:9301”, “ip:9302”]

#开启安全认证登录
xpack.security.enabled:true
##tcp启用TSL
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: ./elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: ./elastic-certificates.p12

首先生成证书：

生成CA证书，使用elasticsearch内部命令
elasticsearch-certutil ca
elasticsearch-certutil cert --ca elastic-stack-ca.p12
一般证书在解压的elastic的首层目录，然后将所有的证书传到每个节点的esconfig目录下

设置密码：

将每个节点的es启动
然后elasticsearch-setup-passwords auto 也可以interactive进行手动修改
然后将证书重新拷贝到每个节点

启用https：

#http启用TLS
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: ./elastic-certificates.p12
xpack.security.http.ssl.truststore.path: ./elastic-certificates.p12

kibana连接es https:

openssl pkcs12 -in config/certs/elastic-stack-ca.p12 -clcerts -nokeys -chain -out elastic-stack-ca.pem

配置kibana与es https通信：
elasticsearch.ssl.certificateAuthorities: config/certs/old/elastic-stack-ca.pem
elasticsearch.ssl.verificationMode: certificate
配置kibana与es的用户密码认证：
xpack.security.enabled: true
elasticsearch.username: “kibana”
elasticsearch.password: “your passwd”