Configuring passwords for Elasticsearch 7.x
Overview
In production, access to ES must require a password; the configuration below sets it up. For installing the cluster itself, see the article: Installing an Elasticsearch 7.17.x cluster from binaries on Ubuntu
Pre-operation checklist (every item must be satisfied)
- The cluster is currently green, with no unassigned shards and no offline nodes
- On all nodes the ES process runs as the es user (not root)
- On all nodes the firewall allows ports 9200 (HTTP) and 9300 (TCP inter-node communication)
- A full-cluster snapshot backup has been taken and is stored on media independent of the cluster
- All nodes have synchronized clocks (NTP healthy, skew ≤ 1 s)
Password configuration steps
Step 1: Generate the cluster SSL certificates (mandatory in 7.x)
Once security is enabled in 7.x, inter-node TCP communication (the transport layer) must be SSL-encrypted; otherwise the nodes cannot talk to each other and the cluster cannot form. Generate the certificates on any one master node, then distribute them to all nodes.
1.1 Generate the CA root certificate
Run this on one master node only
# Change into the ES installation directory and run the command below
# Generate the CA root certificate: after running it, press Enter twice; no password is needed. The output file is elastic-stack-ca.p12
root@master:/usr/local/elasticsearch# ./bin/elasticsearch-certutil ca
...
Please enter the desired output file [elastic-stack-ca.p12]: # first Enter
Enter password for elastic-stack-ca.p12 : # second Enter
# On success the root certificate file elastic-stack-ca.p12 is created in the current directory, that is, the ES directory
root@master:/usr/local/elasticsearch# ll
total 668
drwxr-xr-x 2 elasticsearch elasticsearch 4096 Nov 28 2024 bin
drwxr-xr-x 3 elasticsearch elasticsearch 4096 Apr 15 16:10 config
# This is the root certificate
-rw------- 1 root root 2672 Apr 16 11:17 elastic-stack-ca.p12
drwxr-xr-x 8 elasticsearch elasticsearch 4096 Nov 28 2024 jdk
drwxr-xr-x 3 elasticsearch elasticsearch 4096 Nov 28 2024 lib
-rw-r--r-- 1 elasticsearch elasticsearch 3860 Nov 28 2024 LICENSE.txt
drwxr-xr-x 2 elasticsearch elasticsearch 4096 Apr 15 16:10 logs
drwxr-xr-x 61 elasticsearch elasticsearch 4096 Nov 28 2024 modules
-rw-r--r-- 1 elasticsearch elasticsearch 640930 Nov 28 2024 NOTICE.txt
drwxr-xr-x 2 elasticsearch elasticsearch 4096 Nov 28 2024 plugins
-rw-r--r-- 1 elasticsearch elasticsearch 2710 Nov 28 2024 README.asciidoc
1.2 Generate the shared node certificate from the CA
All nodes of the production cluster share one certificate; there is no need to generate one per node
# After running the command, press Enter three times
root@master:/usr/local/elasticsearch# ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
...
Enter password for CA (elastic-stack-ca.p12) : # first Enter
Please enter the desired output file [elastic-certificates.p12]: # second Enter
Enter password for elastic-certificates.p12 : # third Enter
...
# Check
root@master:/usr/local/elasticsearch# ll
total 672
drwxr-xr-x 2 elasticsearch elasticsearch 4096 Nov 28 2024 bin
drwxr-xr-x 3 elasticsearch elasticsearch 4096 Apr 15 16:10 config
# Node certificate file
-rw------- 1 root root 3596 Apr 16 11:22 elastic-certificates.p12
# Root certificate file
-rw------- 1 root root 2672 Apr 16 11:17 elastic-stack-ca.p12
drwxr-xr-x 8 elasticsearch elasticsearch 4096 Nov 28 2024 jdk
drwxr-xr-x 3 elasticsearch elasticsearch 4096 Nov 28 2024 lib
-rw-r--r-- 1 elasticsearch elasticsearch 3860 Nov 28 2024 LICENSE.txt
drwxr-xr-x 2 elasticsearch elasticsearch 4096 Apr 15 16:10 logs
drwxr-xr-x 61 elasticsearch elasticsearch 4096 Nov 28 2024 modules
-rw-r--r-- 1 elasticsearch elasticsearch 640930 Nov 28 2024 NOTICE.txt
drwxr-xr-x 2 elasticsearch elasticsearch 4096 Nov 28 2024 plugins
-rw-r--r-- 1 elasticsearch elasticsearch 2710 Nov 28 2024 README.asciidoc
1.3 Distribute the certificates to all nodes
Put the certificates in the config directory under the ES installation directory
# Copy into the config directory
root@master:/usr/local/elasticsearch# cp elastic-certificates.p12 elastic-stack-ca.p12 ./config/
# Check
root@master:/usr/local/elasticsearch# ll config/
total 56
# Node certificate
-rw------- 1 root root 3596 Apr 16 11:26 elastic-certificates.p12
-rw-rw---- 1 elasticsearch elasticsearch 199 Apr 15 16:10 elasticsearch.keystore
-rw-rw---- 1 elasticsearch elasticsearch 1042 Nov 28 2024 elasticsearch-plugins.example.yml
-rw-rw---- 1 elasticsearch elasticsearch 3627 Apr 15 15:25 elasticsearch.yml
# Root certificate
-rw------- 1 root root 2672 Apr 16 11:26 elastic-stack-ca.p12
-rw-rw---- 1 elasticsearch elasticsearch 3404 Nov 28 2024 jvm.options
drwxr-x--- 2 elasticsearch elasticsearch 4096 Nov 28 2024 jvm.options.d
-rw-rw---- 1 elasticsearch elasticsearch 19304 Nov 28 2024 log4j2.properties
-rw-rw---- 1 elasticsearch elasticsearch 473 Nov 28 2024 role_mapping.yml
-rw-rw---- 1 elasticsearch elasticsearch 197 Nov 28 2024 roles.yml
-rw-rw---- 1 elasticsearch elasticsearch 0 Nov 28 2024 users
-rw-rw---- 1 elasticsearch elasticsearch 0 Nov 28 2024 users_roles
Fix the owner and group of the certificates
root@master:/usr/local/elasticsearch# chown elasticsearch:elasticsearch -R /usr/local/elasticsearch
Distribute the certificates to the other nodes
root@master:/usr/local/elasticsearch/config# scp elastic-certificates.p12 elastic-stack-ca.p12 root@node01:`pwd`
root@master:/usr/local/elasticsearch/config# scp elastic-certificates.p12 elastic-stack-ca.p12 root@node02:`pwd`
Verify that the files exist in the corresponding directory on every other node and that the owner and group are correct
Steps omitted
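The verification step the post leaves out can be scripted. The following is an added example, not code from the original post: judge_cert_attrs applies one set of rules to a file's owner, mode and SHA-256 (present, owned by the expected user:group, no permission bits for "other", identical to the master's copy), check_local_cert applies it on the current host, and check_remote_cert collects the same attributes over ssh from root@<node>, as the post's scp commands assume. It assumes GNU coreutils (stat -c, sha256sum) on every node; the node names and the path are the post's. Note that elasticsearch.yml only references elastic-certificates.p12, while elastic-stack-ca.p12 also holds the CA's private key, so copy the latter only where it is actually needed.

```shell
#!/bin/sh
# Added example (not from the original post): check that the certificate files
# distributed in step 1.3 are present, correctly owned, not readable by "other"
# and byte-identical to the master's copy. Assumes GNU coreutils (stat -c,
# sha256sum) on every node and root ssh access to the nodes, as the scp commands do.

# judge_cert_attrs "OWNER:GROUP MODE SHA256" WANT_OWNER_GROUP WANT_SHA256
# One rule set for local and remote files; prints OK or FAIL, returns 0 or 1.
judge_cert_attrs() {
  want_og="$2"; want_sha="$3"
  read -r owner mode sha _rest <<EOF
$1
EOF
  [ "$owner" = "$want_og" ] || { echo "FAIL owner is $owner, want $want_og"; return 1; }
  # mode is octal (600, 640, ...); the last digit is the "other" class and must be 0
  case "$mode" in
    *0) ;;
    *) echo "FAIL mode $mode grants access to other users"; return 1 ;;
  esac
  [ "$sha" = "$want_sha" ] || { echo "FAIL sha256 $sha differs from the master copy"; return 1; }
  echo "OK"
}

# cert_attrs PATH : print "OWNER:GROUP MODE SHA256" for a local file, non-zero if unreadable
cert_attrs() {
  og_mode=$(stat -c '%U:%G %a' "$1") || return 1
  sum=$(sha256sum "$1") || return 1
  echo "$og_mode ${sum%% *}"
}

# check_local_cert PATH WANT_OWNER_GROUP WANT_SHA256
check_local_cert() {
  attrs=$(cert_attrs "$1") || { echo "FAIL missing or unreadable: $1"; return 1; }
  judge_cert_attrs "$attrs" "$2" "$3"
}

# check_remote_cert NODE PATH WANT_OWNER_GROUP WANT_SHA256
# Collects the same attributes over ssh; stat and sha256sum answer on two lines,
# which are joined before judging.
check_remote_cert() {
  out=$(ssh "root@$1" "stat -c '%U:%G %a' '$2' && sha256sum '$2'") \
    || { echo "FAIL $1: missing or unreadable: $2"; return 1; }
  judge_cert_attrs "$(printf '%s' "$out" | tr '\n' ' ')" "$3" "$4"
}

# verify_all WANT_OWNER_GROUP NODE... : compare the local copy and every node's
# copy of the node certificate against the master's SHA-256.
verify_all() {
  want_og="$1"; shift
  cert=/usr/local/elasticsearch/config/elastic-certificates.p12
  master=$(cert_attrs "$cert") || { echo "FAIL master copy unreadable: $cert"; return 1; }
  master_sha=${master##* }
  rc=0
  printf 'master: '; check_local_cert "$cert" "$want_og" "$master_sha" || rc=1
  for node in "$@"; do
    printf '%s: ' "$node"; check_remote_cert "$node" "$cert" "$want_og" "$master_sha" || rc=1
  done
  return "$rc"
}

# Usage on the master after the scp step:  verify_all elasticsearch:elasticsearch node01 node02
```

Run it after the chown step, since before that the files are still owned by root and the owner check is expected to fail.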
1.4 Add the ES configuration on all nodes
Add the following configuration on all nodes
# Edit the configuration file
root@master:~# vim /usr/local/elasticsearch/config/elasticsearch.yml
# -------------------------- Security settings (add identically on all nodes) --------------------------
# Enable X-Pack security
xpack.security.enabled: true
# Enable SSL on the inter-node transport layer (mandatory in 7.x; startup fails without it)
xpack.security.transport.ssl.enabled: true
# Certificate verification mode: certificate is recommended for production (validates the certificate chain only, not the hostname), so a node's hostname/IP changing does not break inter-node communication
xpack.security.transport.ssl.verification_mode: certificate
# Certificate paths
xpack.security.transport.ssl.keystore.path: /usr/local/elasticsearch/config/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /usr/local/elasticsearch/config/elastic-certificates.p12
# [Optional, but recommended in production] Enable SSL on the HTTP layer so that passwords and data are not transmitted in plaintext
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: /usr/local/elasticsearch/config/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: /usr/local/elasticsearch/config/elastic-certificates.p12
1.5 Stop all nodes in sequence
Once security is enabled, nodes with security on cannot communicate with nodes with security off, so a rolling restart is not possible: all nodes must be stopped first and only then started:
Stop all nodes
root@master:~# systemctl stop elasticsearch.service
# Check that everything has stopped
root@master:~# ss -lntup | grep -E '9200|9300'
Start all nodes
root@master:~# systemctl start elasticsearch.service
# Check the status
root@master:~# systemctl status elasticsearch.service
● elasticsearch.service - elasticsearch service
Loaded: loaded (/lib/systemd/system/elasticsearch.service; disabled; vendor preset: enabled)
Active: active (running) since Thu 2026-04-16 11:46:49 CST; 13s ago
Docs: https://www.cnblogs.com/huangSir-devops
Main PID: 2349699 (java)
Tasks: 89 (limit: 9830)
Memory: 32.0G
CGroup: /system.slice/elasticsearch.service
├─2349699 /usr/local/elasticsearch/jdk/bin/java -Xshare:auto -Des.networkaddress.cache.ttl=60 -Des.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.enco
└─2350027 /usr/local/elasticsearch/modules/x-pack-ml/platform/linux-x86_64/bin/controller
1.6 Set the passwords of all built-in users
The built-in users in Elasticsearch are:
| User | Purpose | Storage requirement |
|---|---|---|
| elastic | Superuser with all privileges | Must be stored in a secure password manager |
| kibana_system | Dedicated user for Kibana to connect to ES | Needed when configuring Kibana |
| logstash_system | Dedicated user for Logstash monitoring to connect to ES | Needed when configuring Logstash monitoring |
| beats_system | Dedicated user for Beats components (Filebeat, Metricbeat, etc.) to connect to ES | Needed when configuring Beats |
| apm_system | Dedicated user for the APM monitoring component to connect to ES | Needed when configuring APM |
| remote_monitoring_user | Dedicated user for remote cluster monitoring | Needed for cross-cluster monitoring |
There are two ways to set the built-in user passwords
- Generated automatically by the system
Fully random and therefore hard to maintain
elasticsearch-setup-passwords auto
- Set your own passwords
We use the second way
elasticsearch-setup-passwords interactive
Hands-on:
root@master:/usr/local/elasticsearch# ./bin/elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y
Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana_system]:
Reenter password for [kibana_system]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]
root@master:/usr/local/elasticsearch#
Test access with the password:
# -k ignores the certificate error (insecure)
# -u gives the username and password
root@master:/usr/local/elasticsearch# curl -k -u 'elastic:!Xinxin123' https://localhost:9200/_cluster/health?pretty
{
"cluster_name" : "elasticsearch-v7",
"status" : "green",
"timed_out" : false,
"number_of_nodes" : 3,
"number_of_data_nodes" : 3,
"active_primary_shards" : 8,
"active_shards" : 16,
"relocating_shards" : 0,
"initializing_shards" : 0,
"unassigned_shards" : 0,
"delayed_unassigned_shards" : 0,
"number_of_pending_tasks" : 0,
"number_of_in_flight_fetch" : 0,
"task_max_waiting_in_queue_millis" : 0,
"active_shards_percent_as_number" : 100.0
}
Troubleshooting
Access error
Because we use a self-signed certificate, which is not trusted, the request fails; add the -k option to ignore the self-signed certificate error
root@master:/usr/local/elasticsearch# curl -u 'elastic:!Xinxin123' https://localhost:9200/_cluster/health?pretty
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
Error when changing passwords
The certificate is self-signed and does not contain your server's IP / domain name.
Run ./bin/elasticsearch-setup-passwords interactive -E xpack.security.http.ssl.verification_mode=certificate to work around this
root@master:/usr/local/elasticsearch# ./bin/elasticsearch-setup-passwords interactive
12:00:45.112 [main] WARN org.elasticsearch.common.ssl.DiagnosticTrustManager - failed to establish trust with server at [100.89.161.128]; the server provided a certificate with subject name [CN=instance] and fingerprint [840c27f021914b9e7c7e907cf514dbf11186e681]; the certificate does not have any subject alternative names; the certificate is issued by [CN=Elastic Certificate Tool Autogenerated CA]; the certificate is signed by (subject [CN=Elastic Certificate Tool Autogenerated CA] fingerprint [3dcf29a717a030ff66562a12159bd9414780229a] {trusted issuer}) which is self-issued; the [CN=Elastic Certificate Tool Autogenerated CA] certificate is trusted in this ssl context ([xpack.security.http.ssl])
java.security.cert.CertificateException: No subject alternative names present
at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:138) ~[?:?]
at sun.security.util.HostnameChecker.match(HostnameChecker.java:101) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:457) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:431) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:237) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132) ~[?:?]
at org.elasticsearch.common.ssl.DiagnosticTrustManager.checkServerTrusted(DiagnosticTrustManager.java:83) ~[elasticsearch-ssl-config-7.17.26.jar:7.17.26]
at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1310) ~[?:?]
at sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1203) ~[?:?]
at sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1146) ~[?:?]
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393) ~[?:?]
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:476) ~[?:?]
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:447) ~[?:?]
at sun.security.ssl.TransportContext.dispatch(TransportContext.java:201) ~[?:?]
at sun.security.ssl.SSLTransport.decode(SSLTransport.java:172) ~[?:?]
at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1507) ~[?:?]
at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1422) ~[?:?]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455) ~[?:?]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426) ~[?:?]
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:586) ~[?:?]
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:187) ~[?:?]
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:141) ~[?:?]
at org.elasticsearch.xpack.core.common.socket.SocketAccess.lambda$doPrivileged$0(SocketAccess.java:42) ~[x-pack-core-7.17.26.jar:7.17.26]
at java.security.AccessController.doPrivileged(AccessController.java:571) [?:?]
at org.elasticsearch.xpack.core.common.socket.SocketAccess.doPrivileged(SocketAccess.java:41) [x-pack-core-7.17.26.jar:7.17.26]
at org.elasticsearch.xpack.security.authc.esnative.tool.CommandLineHttpClient.execute(CommandLineHttpClient.java:116) [x-pack-security-7.17.26.jar:7.17.26]
at org.elasticsearch.xpack.security.authc.esnative.tool.SetupPasswordTool$SetupCommand.checkElasticKeystorePasswordValid(SetupPasswordTool.java:327) [x-pack-security-7.17.26.jar:7.17.26]
at org.elasticsearch.xpack.security.authc.esnative.tool.SetupPasswordTool$InteractiveSetup.execute(SetupPasswordTool.java:199) [x-pack-security-7.17.26.jar:7.17.26]
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:77) [elasticsearch-7.17.26.jar:7.17.26]
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:112) [elasticsearch-cli-7.17.26.jar:7.17.26]
at org.elasticsearch.cli.MultiCommand.execute(MultiCommand.java:95) [elasticsearch-cli-7.17.26.jar:7.17.26]
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:112) [elasticsearch-cli-7.17.26.jar:7.17.26]
at org.elasticsearch.cli.Command.main(Command.java:77) [elasticsearch-cli-7.17.26.jar:7.17.26]
at org.elasticsearch.xpack.security.authc.esnative.tool.SetupPasswordTool.main(SetupPasswordTool.java:128) [x-pack-security-7.17.26.jar:7.17.26]
SSL connection to https://100.89.161.128:9200/_security/_authenticate?pretty failed: No subject alternative names present
Please check the elasticsearch SSL settings under xpack.security.http.ssl.
ERROR: Failed to establish SSL connection to elasticsearch at https://100.89.161.128:9200/_security/_authenticate?pretty.
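Both errors above have the same cause: elasticsearch-certutil cert, run without --dns/--ip as in step 1.2, produces a certificate with subject CN=instance and no subject alternative names (the stack trace says so explicitly), so any client that checks the host name rejects it. curl -k and verification_mode=certificate both work by skipping that check. The following is an added example, not code from the original post, of the stricter alternative for a post-change health check: the CA certificate is extracted from elastic-stack-ca.p12 with openssl (empty password, as set in step 1.1; assumption: the OpenSSL on the host can read the PKCS#12 file the JDK wrote) and handed to curl with --cacert; the password is read from the ES_PASSWORD environment variable and passed to curl as a config file on stdin, so it appears neither in shell history nor in the process list; and the JSON answer is assessed the way the pre-operation checklist demands (green, zero unassigned shards). For --cacert to succeed, the node certificate must name the host you connect to, which means regenerating it with ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 --dns master,node01,node02 --ip <node IPs> (illustrative values; use your own) and redistributing it as in step 1.3. The URL, user name and paths are assumed from the post.

```shell
#!/bin/sh
# Added example (not from the original post): cluster health check over HTTPS that
# verifies the self-signed CA instead of using curl -k, and keeps the password out
# of the command line. Assumes openssl, curl and sed on the host, the empty CA
# keystore password from step 1.1, and a node certificate whose SAN names the host.

# extract_ca_cert CA_P12 OUT_PEM : write the CA certificate (no private key) from
# the PKCS#12 file produced by "elasticsearch-certutil ca" to a PEM file for curl
extract_ca_cert() {
  openssl pkcs12 -in "$1" -nokeys -passin pass: -out "$2"
}

# health_status JSON : print the value of the top-level "status" field
health_status() {
  printf '%s\n' "$1" | sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([a-z]*\)".*/\1/p' | head -n 1
}

# json_int JSON KEY : print the integer value of KEY (matches the quoted key only,
# so "unassigned_shards" does not pick up "delayed_unassigned_shards")
json_int() {
  printf '%s\n' "$1" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p" | head -n 1
}

# assess_health JSON : 0 if status is green with no unassigned shards, else 1
assess_health() {
  status=$(health_status "$1")
  unassigned=$(json_int "$1" unassigned_shards)
  if [ "$status" = green ] && [ "${unassigned:-1}" -eq 0 ]; then
    echo "healthy: status=$status unassigned_shards=$unassigned"
    return 0
  fi
  echo "NOT healthy: status=${status:-unknown} unassigned_shards=${unassigned:-unknown}"
  return 1
}

# check_health BASE_URL USER CA_PEM : fetch _cluster/health with CA verification.
# The password comes from $ES_PASSWORD and reaches curl via "-K -" (config file on
# stdin), so it is neither in shell history nor visible in ps.
check_health() {
  url="$1"; user="$2"; ca="$3"
  [ -n "$ES_PASSWORD" ] || { echo "ES_PASSWORD is not set"; return 2; }
  body=$(printf 'user = "%s:%s"\n' "$user" "$ES_PASSWORD" \
         | curl -sS --fail -K - --cacert "$ca" "$url/_cluster/health?pretty") \
    || { echo "request to $url failed (TLS verification or authentication)"; return 2; }
  assess_health "$body"
}

# Usage on the master (paths from the post; export ES_PASSWORD from your secret
# store rather than typing it on the command line):
#   extract_ca_cert /usr/local/elasticsearch/config/elastic-stack-ca.p12 /usr/local/elasticsearch/config/ca.crt
#   check_health https://master:9200 elastic /usr/local/elasticsearch/config/ca.crt
```

The same ca.crt can be handed to Kibana through elasticsearch.ssl.certificateAuthorities together with elasticsearch.ssl.verificationMode: full, in place of the verificationMode: none used in the Kibana section that follows.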
Supplement: connecting Kibana to Elasticsearch with a username and password
Method 1: edit the following settings in the Kibana configuration file:
root@master:/usr/local/kibana/config# vim kibana.yml
# The addresses here must use https
elasticsearch.hosts: ["https://master:9200","https://node01:9200","https://node02:9200"]
# Username and password
elasticsearch.username: "kibana_system"
elasticsearch.password: "!Xinxin123"
# Ignore the self-signed certificate
elasticsearch.ssl.verificationMode: none
# Restart Kibana
root@master:/usr/local/kibana/config# systemctl restart kibana.service
Connect to Kibana
Enter the Elasticsearch username and password
Method 2: store the password encrypted instead of in plaintext in the yml
# Change into the Kibana installation directory
root@master:/usr/local/kibana/config# cd /usr/local/kibana
# Create the keystore (the first run asks for confirmation; just press Enter)
root@master:/usr/local/kibana# ./bin/kibana-keystore create
Created Kibana keystore in /data00/software/kibana-7.17.12-linux-x86_64/config/kibana.keystore
# Add the kibana_system password; type the password you set when prompted
root@master:/usr/local/kibana# ./bin/kibana-keystore add elasticsearch.password
Enter value for elasticsearch.password: **********
# Edit the Kibana configuration file
root@master:/usr/local/kibana/config# vim kibana.yml
# The addresses here must use https
elasticsearch.hosts: ["https://master:9200","https://node01:9200","https://node02:9200"]
# User for connecting to Elasticsearch
elasticsearch.username: "kibana_system"
# Ignore the self-signed certificate
elasticsearch.ssl.verificationMode: none
# Restart Kibana
root@master:/usr/local/kibana/config# systemctl restart kibana.service
Connect to Kibana
Enter the Elasticsearch username and password
This article is from cnblogs (博客园), author: huangSir-devops. Please cite the original link when reposting: https://www.cnblogs.com/huangSir-devops/p/19876405. WeChat: Vac6666666; feel free to get in touch