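(1) Introduction
On the 21st, Elastic officially announced that the core security features of the new Elastic Stack versions 6.8.0 and 7.1.0 are now available for free.
This means users can now encrypt network traffic, create and manage users, define roles that protect index-level and cluster-level access, and fully secure Kibana with Spaces. The core security features now offered for free are:
TLS. Encrypts communications;
File and native realms. Used to create and manage users;
Role-based access control. Controls user access to cluster APIs and indices;
Security features for Kibana Spaces, which also allow multi-tenancy in Kibana.
Previously, ES security and authentication were provided by x-pack. The history of x-pack is as follows:
Before 5.X: there was no x-pack; security, watch, alert and so on were independent components.
5.X: the existing security, alerting, monitoring, graph and reporting components were packaged together to form x-pack.
Before 6.3: had to be installed separately.
6.3 and later: shipped as part of the release with no separate installation needed; basic security was part of the paid Gold tier.
Version 7.7 .1: basic security is free.
Feature overview: https://www.elastic.co/cn/subscriptions#request-info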
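(2) Installing and configuring Elasticsearch
1. Installing ES (omitted)
2. Configuring TLS and authentication
Step 1: Configure TLS on the Elasticsearch master node.
1. Change to the relevant directory
2. Generate the certificate files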
    [root@ES1-4 elasticsearch]# /usr/share/elasticsearch/bin/elasticsearch-certutil ca
    [root@ES1-4 elasticsearch]# /usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
    [root@ES1-4 elasticsearch]# ll
    total 540
    drwxr-xr-x  2 root root   4096 Jun 28 10:42 bin
    -rw-------  1 root root   3443 Jun 28 16:46 elastic-certificates.p12
    -rw-------  1 root root   2527 Jun 28 16:43 elastic-stack-ca.p12
    drwxr-xr-x  8 root root     96 Jun 28 10:42 jdk
    drwxr-xr-x  3 root root   4096 Jun 28 10:42 lib
    -rw-r--r--  1 root root  13675 Jun 20 23:50 LICENSE.txt
    drwxr-xr-x 30 root root   4096 Jun 28 10:42 modules
    -rw-rw-r--  1 root root 502598 Jun 20 23:56 NOTICE.txt
    drwxr-xr-x  2 root root      6 Jun 21 00:04 plugins
    -rw-r--r--  1 root root   8478 Jun 20 23:50 README.textile
    ##### Assign the generated files to the elasticsearch group
    [root@ES1-4 elasticsearch]# chgrp elasticsearch /usr/share/elasticsearch/elastic-certificates.p12 /usr/share/elasticsearch/elastic-stack-ca.p12
    ##### Set mode 640 on both files
    [root@ES1-4 elasticsearch]# chmod 640 /usr/share/elasticsearch/elastic-certificates.p12 /usr/share/elasticsearch/elastic-stack-ca.p12
    ###### Move both files into the configuration directory
    [root@ES1-4 elasticsearch]# mv /usr/share/elasticsearch/elastic-* /etc/elasticsearch/
3. Edit the configuration file and add the authentication settings
    [root@ES1-4 elasticsearch]# vim /etc/elasticsearch/elasticsearch.yml
    cluster.name: es
    node.name: es-node1
    node.data: true
    node.master: true
    node.attr.tag: hot
    path.data: /data/elasticsearch/data
    path.logs: /data/elasticsearch/log
    path.repo: [ "/data/daily","/data/weekly", ]
    transport.tcp.compress: true
    network.host: 192.168.4.215
    http.port: 9200
    http.cors.enabled: true
    http.cors.allow-origin: "*"
    cluster.initial_master_nodes: ["192.168.4.215","192.168.4.216"]
    #discovery.seed_hosts: ["192.168.4.215","192.168.4.216"]
    discovery.seed_hosts: ["192.168.4.215","192.168.4.216","192.168.4.217","192.168.4.218"]
    ####### Tuning settings
    #bootstrap.memory_lock: true
    #indices.breaker.request.limit: 10%
    #index.merge.scheduler.max_thread_count: 1
    #indices.queries.cache.size: 20%
    #indices.requests.cache.size: 2%
    #indices.fielddata.cache.size: 30%
    node.attr.box_type: hot
    ###### add to the end for x-pack
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12
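4. Finally, copy the certificate files to the other master nodes, give them the appropriate permissions, and synchronise the configuration parameters.
5. Set the passwords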
    [root@ES1-4 elasticsearch]# /usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive
    Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
    You will be prompted to enter passwords as the process progresses.
    Please confirm that you would like to continue [y/N]y

    Enter password for [elastic]:
    Reenter password for [elastic]:
    Passwords do not match.
    Try again.
    Enter password for [elastic]:
    Reenter password for [elastic]:
    Enter password for [apm_system]:
    Reenter password for [apm_system]:
    Enter password for [kibana]:
    Reenter password for [kibana]:
    Enter password for [logstash_system]:
    Reenter password for [logstash_system]:
    Enter password for [beats_system]:
    Reenter password for [beats_system]:
    Enter password for [remote_monitoring_user]:
    Reenter password for [remote_monitoring_user]:
    Changed password for user [apm_system]
    Changed password for user [kibana]
    Changed password for user [logstash_system]
    Changed password for user [beats_system]
    Changed password for user [remote_monitoring_user]
    Changed password for user [elastic]
    #### Set the passwords for the elastic, apm_system, kibana, logstash_system, beats_system and remote_monitoring_user accounts in turn. Below, the user name and password just entered are used to run a query.
    [root@ES1-4 elasticsearch]# curl 192.168.4.215:9200/_cat/indices?v -u elastic
    Enter host password for user 'elastic':
    health status index       uuid                   pri rep docs.count docs.deleted store.size pri.store.size
    green  open   .security-7 7phIYLTcTbugIbSimRI03g   1   0          6            0     19.3kb         19.3kb
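(3) Installing and configuring the other nodes
The simplest way to configure the other nodes is to copy the master node's configuration directory in full into the configuration directory of each other node. In other words, the other nodes communicate using the certificate, while the authentication configuration is synchronised automatically once they join the cluster.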
    [root@ES2-4 ~]# scp -r /etc/elasticsearch/* root@192.168.4.217:/etc/elasticsearch
    root@192.168.4.217's password:
    elastic-certificates.p12      100% 3451     3.4KB/s   00:00
    elastic-certificates.p12      100% 3451     3.4KB/s   00:00
    elasticsearch.keystore        100%  199     0.2KB/s   00:00
    elasticsearch.yml             100%  875     0.9KB/s   00:00
    elasticsearch.yml20190627     100%  534     0.5KB/s   00:00
    elasticsearch.yml.bak         100% 2847     2.8KB/s   00:00
    elasticsearch.yml.rpmsave     100%  534     0.5KB/s   00:00
    jvm.options                   100% 3596     3.5KB/s   00:00
    log4j2.properties             100%   17KB  16.8KB/s   00:00
    role_mapping.yml              100%  473     0.5KB/s   00:00
    roles.yml                     100%  197     0.2KB/s   00:00
    users                         100%    0     0.0KB/s   00:00
    users_roles                   100%    0     0.0KB/s   00:00
    [root@ES2-4 ~]# curl -u elastic:123456@123456 http://192.168.4.216:9200/_cat/nodes?pretty
    192.168.4.218 51 83 5 0.05 0.03 0.05 mdi - es-node4
    192.168.4.216 42 80 11 0.08 0.05 0.05 mdi - es-node2
    192.168.4.215 35 73 7 0.01 0.03 0.05 mdi * es-node1
    192.168.4.217 35 36 48 1.37 0.37 0.16 mdi - es-node3
    ######### Node 2 configuration
    [root@ES2-4 ~]# cat /etc/elasticsearch/elasticsearch.yml
    cluster.name: es
    node.name: es-node2
    node.data: true
    node.master: true
    node.attr.tag: hot
    path.data: /data/elasticsearch/data
    path.logs: /data/elasticsearch/log
    path.repo: [ "/data/daily","/data/weekly" ]
    transport.tcp.compress: true
    network.host: 192.168.4.216
    http.port: 9200
    http.cors.enabled: true
    http.cors.allow-origin: "*"
    transport.tcp.port: 9300
    discovery.seed_hosts: ["192.168.4.216","192.168.4.215","192.168.4.217","192.168.4.218"]
    cluster.initial_master_nodes: ["192.168.4.215","192.168.4.216","192.168.4.217"]
    node.attr.box_type: hot
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/config/elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/config/elastic-certificates.p12
    ########### Node 3 configuration
    [root@ES3-4 log]# cat /etc/elasticsearch/elasticsearch.yml
    cluster.name: es
    node.name: es-node3
    node.data: true
    node.master: true
    node.attr.tag: hot
    path.data: /data/elasticsearch/data
    path.logs: /data/elasticsearch/log
    path.repo: [ "/data/daily","/data/weekly" ]
    transport.tcp.compress: true
    network.host: 192.168.4.217
    http.port: 9200
    http.cors.enabled: true
    http.cors.allow-origin: "*"
    transport.tcp.port: 9300
    discovery.seed_hosts: ["192.168.4.216","192.168.4.215","192.168.4.217","192.168.4.218"]
    cluster.initial_master_nodes: ["192.168.4.215","192.168.4.216","192.168.4.217"]
    node.attr.box_type: hot
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/config/elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/config/elastic-certificates.p12
    ########### Node 4 configuration
    [root@ES4-4 ~]# cat /etc/elasticsearch/elasticsearch.yml
    cluster.name: es
    node.name: es-node4
    node.data: true
    node.master: true
    node.attr.tag: hot
    path.data: /data/elasticsearch/data
    path.logs: /data/elasticsearch/log
    path.repo: [ "/data/daily","/data/weekly" ]
    transport.tcp.compress: true
    network.host: 192.168.4.218
    http.port: 9200
    http.cors.enabled: true
    http.cors.allow-origin: "*"
    transport.tcp.port: 9300
    discovery.seed_hosts: ["192.168.4.216","192.168.4.215","192.168.4.217","192.168.4.218"]
    cluster.initial_master_nodes: ["192.168.4.215","192.168.4.216","192.168.4.217"]
    node.attr.box_type: hot
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/config/elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/config/elastic-certificates.p12
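
An added example, not part of the original post: a small shell audit of the settings this walkthrough depends on, to run on each node after copying the configuration. It flags what the listings leave open: only transport TLS is enabled, so `curl -u` against port 9200 sends the password unencrypted; `http.cors.allow-origin` is `"*"`; and the keystore path must exist on the node (node 1 points at /etc/elasticsearch/, nodes 2 to 4 at /etc/elasticsearch/config/). The function names and the sample configuration are constructed for illustration; `xpack.security.http.ssl.enabled` is the Elasticsearch setting for HTTP-layer TLS.

```sh
# Added example: audit a flat elasticsearch.yml for the settings used above.
# es_setting FILE KEY: print the value of an uncommented "KEY: value" line.
es_setting() {
  awk -v k="$2:" '
    { sub(/^[ \t]+/, "") }
    index($0, k) == 1 {
      v = substr($0, length(k) + 1)
      gsub(/^[ \t"]+|[ \t"]+$/, "", v)   # trim blanks and surrounding quotes
      print v; exit
    }' "$1"
}

# audit_es_config FILE: one finding per line; returns 1 if anything is flagged.
audit_es_config() {
  a_rc=0
  for a_key in xpack.security.enabled xpack.security.transport.ssl.enabled; do
    [ "$(es_setting "$1" "$a_key")" = true ] ||
      { echo "FAIL $a_key is not true"; a_rc=1; }
  done
  # Transport TLS (9300) does not cover the HTTP API (9200).
  [ "$(es_setting "$1" xpack.security.http.ssl.enabled)" = true ] ||
    { echo "WARN HTTP TLS off: curl -u sends the password unencrypted"; a_rc=1; }
  [ "$(es_setting "$1" http.cors.allow-origin)" != "*" ] ||
    { echo "WARN http.cors.allow-origin allows every origin"; a_rc=1; }
  for a_key in keystore truststore; do
    a_path=$(es_setting "$1" "xpack.security.transport.ssl.$a_key.path")
    if [ ! -f "$a_path" ]; then
      echo "FAIL $a_key not found: $a_path"; a_rc=1
    elif [ "$(ls -l "$a_path" | cut -c8-10)" != "---" ]; then
      echo "FAIL $a_key readable by other users: $a_path"; a_rc=1
    fi
  done
  return $a_rc
}

# Constructed sample: certificate copied to DIR/, keystore configured as DIR/config/.
demo_findings() {
  d_dir=$(mktemp -d); d_p12=$d_dir/elastic-certificates.p12
  : > "$d_p12"; chmod 640 "$d_p12"
  cat > "$d_dir/elasticsearch.yml" <<EOF
http.cors.allow-origin: "*"
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: $d_dir/config/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: $d_p12
EOF
  d_rc=0; audit_es_config "$d_dir/elasticsearch.yml" || d_rc=$?
  rm -rf "$d_dir"; return $d_rc
}
demo_findings || true
```

On a real node, call `audit_es_config /etc/elasticsearch/elasticsearch.yml` as a user that can read the configuration directory.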
(4) Configuring Kibana
1. Installing Kibana (omitted)
2. Configure the kibana.yml file as follows
    [root@otrs004097 elasticsearch]# grep '^[a-Z]' /etc/kibana/kibana.yml
    server.port: 5601
    server.host: "192.168.4.97"
    server.name: "192.168.4.97"
    elasticsearch.hosts: ["http://192.168.4.97:9200"]
    elasticsearch.username: "elastic"
    elasticsearch.password: "xxxx"
3. The configuration is as follows:
[Figure 2]
[Figure 3]
For details, see:
https://www.elastic.co/cn/blog/getting-started-with-elasticsearch-security
https://www.server-world.info/en/note?os=CentOS_7&p=elasticstack7&f=12