1 用戶認(rèn)證介紹

默認(rèn)ES是沒(méi)有設(shè)置用戶認(rèn)證訪問(wèn)的，所以每次訪問(wèn)時(shí)，直接調(diào)相關(guān)API就能查詢和寫入數(shù)據(jù)?，F(xiàn)在做一個(gè)認(rèn)證，只有通過(guò)認(rèn)證的用戶才能訪問(wèn)和操作ES。

2 開(kāi)啟加密設(shè)置

1.生成證書(shū)文件

/usr/share/elasticsearch/bin/elasticsearch-certutil \
cert --days 3650 \
-out /etc/elasticsearch/config/elastic-certificates.p12 \
-pass ""輸入 Y 確認(rèn)

2.修改證書(shū)權(quán)限，可以發(fā)現(xiàn)是沒(méi)有讀權(quán)限的

[root@elk91~]# ll /etc/elasticsearch/config/
-rw------- 1 root elasticsearch 3596 Nov 22 10:54 elastic-certificates.p12
[root@elk91~]# chmod +r /etc/elasticsearch/config/elastic-certificates.p12
[root@elk91~]# 

3.elk91節(jié)點(diǎn)同步證書(shū)文件到其他節(jié)點(diǎn)

scp -r /etc/elasticsearch/config/ 10.0.0.92:/etc/elasticsearch/
scp -r /etc/elasticsearch/config/ 10.0.0.93:/etc/elasticsearch/

4.所有節(jié)點(diǎn)修改ES集群的配置文件 **/etc/elasticsearch/elasticsearch.yml **，在最后一行添加以下內(nèi)容

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: config/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: config/elastic-certificates.p12

5.所有節(jié)點(diǎn)重啟ES集群

systemctl restart elasticsearch.service

6.所有節(jié)點(diǎn)檢查集群節(jié)點(diǎn)端口是否監(jiān)聽(tīng)

[root@elk91~]# ss -ntl | grep '9[2|3]00'
LISTEN 0      4096               *:9300            *:*          
LISTEN 0      4096               *:9200            *:*

7.測(cè)試訪問(wèn)ES集群生效。ES集群加密成功，用戶無(wú)法直接訪問(wèn)，直接會(huì)拒絕，狀態(tài)碼為401

curl 10.0.0.93:9200
{“error”:{“root_cause”:[{“type”:“security_exception”,“reason”:“missing authentication credentials for REST request [/]”,“header”:{“WWW-Authenticate”:"Basic realm=“security” charset=“UTF-8"”}}],“type”:“security_exception”,“reason”:“missing authentication credentials for REST request [/]”,“header”:{“WWW-Authenticate”:"Basic realm=“security” charset=“UTF-8"”}},“status”:401}

3 設(shè)置客戶端訪問(wèn)ES

3.1 生成訪問(wèn)ES所需密碼

如果手動(dòng)輸入密碼非常繁瑣，要輸入8次。自動(dòng)生成比較省事

1.自動(dòng)生成ES的隨機(jī)密碼

/usr/share/elasticsearch/bin/elasticsearch-setup-passwords  auto# 輸入 yChanged password for user apm_system
PASSWORD apm_system = LwZaR33f7BKl2vYK49zyChanged password for user kibana_system
PASSWORD kibana_system = ZR1gDykyGk50t55Dq7w9Changed password for user kibana
PASSWORD kibana = ZR1gDykyGk50t55Dq7w9Changed password for user logstash_system
PASSWORD logstash_system = Zx45S9uCJ4bSHmL3Hc4vChanged password for user beats_system
PASSWORD beats_system = Oi4DFzsFkFPx45g3MOa0Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = u7MupRNtSLZ5K6lpz7qxChanged password for user elastic
PASSWORD elastic = KZ0smMuIXcLEBfxGcqWW

2.使用用戶+密碼訪問(wèn)ES

[root@elk91~]# curl -u elastic:KZ0smMuIXcLEBfxGcqWW 10.0.0.93:9200/_cat/nodes
10.0.0.92 39 56 0 0.52 0.57 0.55 cdfhilmrstw - elk92
10.0.0.93 37 53 0 0.14 0.43 0.49 cdfhilmrstw - elk93
10.0.0.91 65 75 2 0.24 0.36 0.35 cdfhilmrstw * elk91

3.2 kibana訪問(wèn)ES

1.修改kibana的配置文件：/etc/kibana/kibana.yml，增加以下配置

elasticsearch.username: "kibana_system"
elasticsearch.password: "ZR1gDykyGk50t55Dq7w9"

2.重啟kibana

systemctl restart kibana.service

3.再次訪問(wèn)kibana，輸入 elastic + 密碼 即可登錄

3.3 filebeat訪問(wèn)ES

1.編寫filebeat配置文件后，在 output.elasticsearch 增加用戶認(rèn)證即可

cat > 17-tcp-to-es.yaml <<EOF
filebeat.inputs:
- type: tcphost: "0.0.0.0:9000"output.elasticsearch:hosts: - "http://10.0.0.91:9200"- "http://10.0.0.92:9200"- "http://10.0.0.93:9200"index: "zhiyong18-luckyboy-log-es-tls"# 在這里添加用戶認(rèn)證username: "elastic"password: "KZ0smMuIXcLEBfxGcqWW"setup.ilm.enabled: false
setup.template.name: "zhiyong18-luckyboy-modules"
setup.template.pattern: "zhiyong18-luckyboy-log*"
setup.template.overwrite: false
EOF

2.測(cè)試filebeat寫入成功

# 發(fā)送冊(cè)數(shù)數(shù)據(jù)
echo 'name: wzy' | nc 10.0.0.92 9000

可以查看到這條文檔

3.也可以在kibana上給es修改密碼

3.4 logstash訪問(wèn)ES

cat > 08-tcp-to-es_tls.conf <<EOF
input {tcp {port => 8888}
}output {stdout {}elasticsearch {hosts => ["http://10.0.0.91:9200","http://10.0.0.92:9200","http://10.0.0.93:9200"]index => "zhiyong18-luckyboy-es-tls-logstash-%{+yyyy.MM.dd}"user => "elastic"password => "123456"}
}
EOF

3.5 postman訪問(wèn)ES

:9200","http://10.0.0.93:9200"]index => "zhiyong18-luckyboy-es-tls-logstash-%{+yyyy.MM.dd}"user => "elastic"password => "123456"}
}
EOF

3.5 postman訪問(wèn)ES