開(kāi)啟ES用戶登陸驗(yàn)證,生成ca證書

1. 為集群創(chuàng)建一個(gè)ca機(jī)構(gòu)

elasticsearch-certutil ca
依次輸入回車（文件使用默認(rèn)名），密碼

2.  通過(guò)ca頒發(fā)證書

elasticsearch-certutil cert --ca elastic-stack-ca.p12 
回車（文件使用默認(rèn)名），密碼上一步密碼相同
 
elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
輸入第一步輸入的密碼
 
elasticsearch-keystore add xpack.security.http.ssl.truststore.secure_password
elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
輸入第一步輸入的密碼

3. 修改es的配置文件：elasticsearch.yml，添加如下配置

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate 
xpack.security.transport.ssl.keystore.path: /home/elasticsearch/elasticsearch-6.8.0/config/elastic-certificates.p12 
xpack.security.transport.ssl.truststore.path: /home/elasticsearch/elasticsearch-6.8.0/config/elastic-certificates.p12

4. 啟動(dòng)ES服務(wù)

./bin/elasticsearch -d

5. 執(zhí)行設(shè)置用戶名和密碼的命令,ES有六個(gè)默認(rèn)的用戶

./bin/elasticsearch-setup-passwords interactive

設(shè)置密碼在集群中任意一個(gè)elasticsearch節(jié)點(diǎn)執(zhí)行完成即可，如果執(zhí)行第二次，將會(huì)給出如下錯(cuò)誤提示：

如果需要更新密碼可以使用以下命令：

curl -H "Content-Type:application/json" -XPOST http://elastic:123456@192.168.43.139:9200/_xpack/security/user/elastic/_password -d { "password" : "qwer123" }

1. 查詢ES角色詳細(xì)權(quán)限

curl -XGET -u elastic:qwer123 -s http://@192.168.43.139:9200/_xpack/security/role/superuser?pretty

cluster：設(shè)置集群權(quán)限

indices：設(shè)置索引權(quán)限

applications：應(yīng)用權(quán)限；
包含application、privileges、resources屬性

global：全局性的集群權(quán)限

run_as：賦予該role的用戶擁有其他用戶的權(quán)限

metadata：元數(shù)據(jù)

2. ES角色創(chuàng)建與更新

curl  -XPOST -u elastic:qwer123 -s http://@192.168.43.139:9200/_xpack/security/role/IDS_ES -H "Content-Type: application/json" -d{"cluster":["monitor","manage_index_templates","manage_ilm"],"indices":[{"names":["IDS_ES_*"],"privileges":["all"],"allow_restricted_indices": false}],"transient_metadata":{"enabled": true}}

3. ES角色清理緩存

curl -XPOST -u elastic:qwer123 -s http://@192.168.43.139:9200/_xpack/security/role/IDS_ES/_clear_cache?pretty

4. ES刪除角色

curl -XDELETE -u elastic:qwer123 -s http://@192.168.43.139:9200/_xpack/security/role/IDS_ES?pretty

curl -XGET -u elastic:qwer123 -s http://@192.168.43.139:9200/_xpack/security/user?pretty

2. 創(chuàng)建ES用戶

curl -XPOST -u elastic:qwer123 -s http://@192.168.43.139:9200/_xpack/security/user/IDS_ES -H "Content-Type: application/json" -d {
  "password" : "Kms9852HTVdxjzUNXX",
  "full_name" : "",
  "email" : "",
  "roles" : [ "IDS_ES" ],
  "metadata" : {
  }
}

3. ES更新用戶密碼

curl -H "Content-Type:application/json" -XPOST http://elastic:123456@192.168.43.139:9200/_xpack/security/user/elastic/_password -d { "password" : "qwer123" }

4. ES禁用用戶

curl -XPOST -u elastic:qwer123 -s http://@192.168.43.139:9200/_xpack/security/user/IDS_ES/_disable

5. ES啟用用戶

curl -XPOST -u elastic:qwer123 -s http://@192.168.43.139:9200/_xpack/security/user/IDS_ES/_enable

6. ES用戶刪除

curl -XDELETE -u elastic:qwer123 -s http://@192.168.43.139:9200/_xpack/security/user/IDS_ES?pretty

ES禁用http訪問(wèn)，啟用https訪問(wèn)

1） ./bin/elasticsearch-certutil ca # 生成elastic-stack-ca.p12文件

2） ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 # 生成elastic-certificates.p12文件，供elasticsearch使用

3） openssl pkcs12 -in elastic-stack-ca.p12 -out newfile.crt.pem -clcerts -nokeys # 生成newfile.crt.pem文件，供kibana使用，復(fù)制到對(duì)應(yīng)目錄下

4） ./bin/elasticsearch-certutil cert --pem elastic-stack-ca.p12 # 生成certificate-bundle.zip文件，包含ca/ca.crt，instance/instance.crt，instance/instance.key

Archive:  certificate-bundle.zip

creating: ca/

inflating: ca/ca.crt

creating: instance/

inflating: instance/instance.crt

inflating: instance/instance.key

5）修改配置文件elasticsearch.yml，添加如下配置

#enable xpack

xpack.security.enabled: true

xpack.security.transport.ssl.enabled: true

# 下面的這幾項(xiàng) 用于 集群間 加密通信

xpack.security.transport.ssl.verification_mode: certificate 
xpack.security.transport.ssl.keystore.path: /home/elasticsearch/elasticsearch-6.8.0/config/elastic-certificates.p12 
xpack.security.transport.ssl.truststore.path: /home/elasticsearch/elasticsearch-6.8.0/config/elastic-certificates.p12 

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: /home/elasticsearch/elasticsearch-6.8.0/config/elastic-certificates.p12 
xpack.security.http.ssl.truststore.path: /home/elasticsearch/elasticsearch-6.8.0/config/elastic-certificates.p12

6） 修改kibana配置文件，kibana.yml

elasticsearch.hosts: ["https://localhost:9200"] # 注意https
elasticsearch.ssl.verificationMode: none
elasticsearch.ssl.certificateAuthorities: ["/home/elasticsearch/kibana-6.8.2/config/newfile.crt.pem"]
elasticsearch.username: "kibana"
elasticsearch.password: "1io0K4VS7nkxpGwGwzHg"

7）重啟elasticsearch服務(wù)，查詢方式已改為https

curl  -u elastic:qwer123 -k https://@192.168.43.139:9200/_cat/health?v

相關(guān)閱讀：

劉能，公眾號(hào)：IT那活兒ES常用基礎(chǔ)操作命令及實(shí)踐

END

更多精彩干貨分享

點(diǎn)擊下方名片關(guān)注

IT那活兒