Enabling X-Pack authentication on an ES cluster

1. Download

# wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.6.2-linux-x86_64.tar.gz

2. Extract and rename

# tar -zvxf elasticsearch-7.6.2-linux-x86_64.tar.gz -C /data/elastic/
# mv /data/elastic/elasticsearch-7.6.2 /data/elastic/node1

Instance 1:

3. Since ES refuses to start as root, create an ordinary user and hand the directory over to it
# groupadd es
# useradd -g es es
# chown -R es:es /data/elastic/node1

4. Edit the configuration file

# vim /data/elastic/node1/config/elasticsearch.yml
bootstrap.system_call_filter: false
processors: 4
node.master: true
node.data: true
cluster.name: rizhiyi_security
network.host: ip
bootstrap.memory_lock: true
 
path.data: data
path.logs: logs
http.port: 9200
transport.tcp.port: 9300
node.name: ip_9300
 
discovery.seed_hosts: ["ip:9300", "ip:9301", "ip:9302"]
cluster.initial_master_nodes: ["ip:9300", "ip:9301", "ip:9302"]

5. Configure the JVM

# vim /data/elastic/node1/config/jvm.options
-Xms1g
-Xmx1g
-XX:+UseG1GC
-XX:G1ReservePercent=25

6. Once configured, switch to the ordinary user and start the node

# su - es
# cd /data/elastic/node1
# ./bin/elasticsearch -d

7. If the node fails to start, check whether the Java environment is set up, whether the elasticsearch directory is owned by the ordinary user, and whether there is enough memory.
Instances 2 and 3:
Copy node1 from instance 1 to node2 and node3; only the port numbers http.port: 9200 and transport.tcp.port: 9300 need to be changed, every other step is the same.
That completes a multi-instance ES cluster.
Elasticsearch X-Pack security login / enabling TLS on the transport (TCP) layer

1. Generate the CA certificate with the elasticsearch built-in command

# bin/elasticsearch-certutil ca

2. Generate a certificate and private key for every node in the cluster

# bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

This produces a new file, elastic-certificates.p12. You will be prompted for a password; you can set one for the certificate and key, or press Enter to leave it empty. By default elasticsearch-certutil generates a certificate without hostname information, which means the same certificate can be used on every node of the cluster, but hostname verification then has to be turned off (hence verification_mode: certificate below). After elastic-certificates.p12 is generated, move it into the config directory.

3. Add the following configuration to elasticsearch.yml on all nodes

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: ./elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: ./elastic-certificates.p12

4. Start the master node; running bin/elasticsearch in the foreground is recommended so you can watch it come up

5. Once the master node is running, set the passwords for the cluster. Note: all cluster nodes must be started

# bin/elasticsearch-setup-passwords auto    # or replace auto with interactive to set them manually

6. Copy the file elastic-certificates.p12 to the other nodes

7. Start the other nodes; the master node's output shows them joining the cluster

8. Check the cluster status. Because X-Pack is enabled, the ES user has to be specified when querying:
# curl -u elastic IP:9200/_cat/nodes    # -u specifies the username; you are prompted for the password after pressing Enter

9. To enable TLS on HTTP, add the following configuration to elasticsearch.yml on all nodes

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: ./elastic-certificates.p12
xpack.security.http.ssl.truststore.path: ./elastic-certificates.p12

10. Restart all nodes for the configuration to take effect
Complete elasticsearch.yml file

bootstrap.system_call_filter: false
processors: 4
node.master: true
node.data: true
cluster.name: rizhiyi_security
network.host: ip
bootstrap.memory_lock: true

path.data: data
path.logs: logs
http.port: 9200
transport.tcp.port: 9300
node.name: ip_9300

discovery.seed_hosts: ["ip:9300", "ip:9301", "ip:9302"]
cluster.initial_master_nodes: ["ip:9300", "ip:9301", "ip:9302"]
# enable security authentication
xpack.security.enabled: true    

## enable TLS on transport (TCP)
xpack.security.transport.ssl.enabled: true    
xpack.security.transport.ssl.verification_mode: certificate    
xpack.security.transport.ssl.keystore.path: ./elastic-certificates.p12     
xpack.security.transport.ssl.truststore.path: ./elastic-certificates.p12

# enable TLS on HTTP
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: ./elastic-certificates.p12
xpack.security.http.ssl.truststore.path: ./elastic-certificates.p12

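As an added example (not part of the original post), a small POSIX shell check that reads an elasticsearch.yml before a restart and confirms that authentication and TLS on both the transport and HTTP layers are actually switched on, with the keystore and truststore paths set. The sample file is constructed inline; the script also flags the common typo `key:true` (no space after the colon), which YAML reads as a plain string rather than a setting.

```shell
#!/bin/sh
# Constructed sample elasticsearch.yml (not from a real node) used to exercise the check.
SAMPLE_YML="$(mktemp)"
cat > "$SAMPLE_YML" <<'EOF'
cluster.name: rizhiyi_security
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: ./elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: ./elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: ./elastic-certificates.p12
xpack.security.http.ssl.truststore.path: ./elastic-certificates.p12
EOF

# yml_value FILE KEY -> value of a flat "key: value" line with trailing blanks removed;
# prints nothing if the key is absent. Only the flat key style used above is handled.
yml_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*\(.*\)$/\1/p" "$1" \
    | sed 's/[[:space:]]*$//' | head -n 1
}

# check_es_security FILE -> 0 when auth plus transport and HTTP TLS are all on, 1 otherwise.
check_es_security() {
  f="$1"; rc=0
  for key in xpack.security.enabled xpack.security.transport.ssl.enabled xpack.security.http.ssl.enabled; do
    v="$(yml_value "$f" "$key")"
    if [ "$v" != "true" ]; then
      echo "OFF/MISSING: $key (got '${v:-<absent>}')"; rc=1
    fi
  done
  # keystore and truststore must be configured for both layers
  for key in xpack.security.transport.ssl.keystore.path xpack.security.transport.ssl.truststore.path \
             xpack.security.http.ssl.keystore.path xpack.security.http.ssl.truststore.path; do
    [ -n "$(yml_value "$f" "$key")" ] || { echo "MISSING: $key"; rc=1; }
  done
  # the hostname-less certificate from certutil needs an explicit verification mode
  [ -n "$(yml_value "$f" xpack.security.transport.ssl.verification_mode)" ] \
    || { echo "MISSING: xpack.security.transport.ssl.verification_mode"; rc=1; }
  # "key:true" without a space is not a YAML mapping entry and the setting is silently lost
  if grep -Eq '^[[:space:]]*xpack\.[A-Za-z0-9_.]+:[^[:space:]]' "$f"; then
    echo "MALFORMED: xpack key without a space after ':'"; rc=1
  fi
  return $rc
}

check_es_security "$SAMPLE_YML" && echo "security config OK: $SAMPLE_YML"
```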
posted @ 2020-05-19 00:11 jcclty