<p>X-Pack is an Elastic Stack extension that provides security, alerting, monitoring, reporting, machine learning and many other features. From ES 7.0 onward, X-Pack is installed automatically together with Elasticsearch and no longer needs to be installed separately. Since 6.8 and 7.1+, basic-level security has been free permanently.
Starting ES as described above and accessing it, we find that we can access and operate ES directly without any authentication. In a production environment, if the port is exposed externally, the security of the data cannot be guaranteed. There are of course other solutions, such as putting nginx in front as a protective proxy, which are not covered here.</p>
<h3>1. Enabling X-Pack in ElasticSearch</h3>
<p>Generate a node certificate (only one needs to be generated; the other nodes share it):</p>
<p>Generate the certificate with the elasticsearch-certutil command:</p>
<pre><code class='language-shell' lang='shell'># Enter the master node container to generate the certificate file:
docker exec -it es-node1 /bin/bash
# Switch to the bin directory
cd bin
# Run the command; the certificate is written under the config directory
elasticsearch-certutil cert -out config/elastic-certificates.p12 -pass ""
# Copy the generated certificate to the three node directories on the host (the mounted files):
docker cp es-node1:/usr/share/elasticsearch/config/elastic-certificates.p12 /Users/yupeng/elasticsearch/es1/config/
docker cp es-node1:/usr/share/elasticsearch/config/elastic-certificates.p12 /Users/yupeng/elasticsearch/es2/config/
docker cp es-node1:/usr/share/elasticsearch/config/elastic-certificates.p12 /Users/yupeng/elasticsearch/es3/config/
</code></pre>
<p>Configure the transport certificate (in the configuration file elasticsearch.yml):</p>
<pre><code class='language-yaml' lang='yaml'>xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
</code></pre>
<p>Stop and remove the previous container instances, then run the elasticsearch containers again, this time mounting the certificate file (each node mounts the copy placed in its own config directory):</p>
<pre><code class='language-shell' lang='shell'>docker run -d --name es-node1 --net esnet -p 9210:9210 -p 9310:9310 -v /Users/yupeng/elasticsearch/es1/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml -v /Users/yupeng/elasticsearch/es1/config/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12 -v /Users/yupeng/elasticsearch/es1/data/:/usr/share/elasticsearch/data -e ES_JAVA_OPTS="-Xms256m -Xmx256m" elasticsearch:7.2.0
docker run -d --name es-node2 --net esnet -p 9211:9211 -p 9311:9311 -v /Users/yupeng/elasticsearch/es2/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml -v /Users/yupeng/elasticsearch/es2/config/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12 -v /Users/yupeng/elasticsearch/es2/data/:/usr/share/elasticsearch/data -e ES_JAVA_OPTS="-Xms256m -Xmx256m" elasticsearch:7.2.0
docker run -d --name es-node3 --net esnet -p 9212:9212 -p 9312:9312 -v /Users/yupeng/elasticsearch/es3/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml -v /Users/yupeng/elasticsearch/es3/config/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12 -v /Users/yupeng/elasticsearch/es3/data/:/usr/share/elasticsearch/data -e ES_JAVA_OPTS="-Xms256m -Xmx256m" elasticsearch:7.2.0
</code></pre>
<p>Set the passwords: run the password setup command, which needs to set a password for each of four users: elastic, kibana, logstash_system and beats_system.</p>
<p>a. Passwords can be set automatically</p>
<pre><code class='language-shell' lang='shell'># Enter the master node container:
docker exec -it es-node1 /bin/bash
# Switch to the bin directory
cd bin
# Run the command to generate random passwords automatically
elasticsearch-setup-passwords auto
</code></pre>
<p>b. Passwords can also be set manually</p>
<pre><code class='language-shell' lang='shell'># Enter the master node container:
docker exec -it es-node1 /bin/bash
# Switch to the bin directory
cd bin
# Run the command and enter your own passwords interactively
elasticsearch-setup-passwords interactive
</code></pre>
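<p>The following script is an added example and is not part of the original post or of Elasticsearch itself. It ties the steps above together as two checks a practitioner would run: before restarting the containers, it lints each node's config directory (the post's es1/es2/es3 directories are passed in by the caller) to confirm that security and transport TLS are enabled, that the verification mode is not <code>none</code>, and that the keystore/truststore paths actually resolve to the mounted .p12 file; after the passwords have been set, it probes a node's HTTP port with curl to confirm that anonymous requests get 401 while the elastic user is accepted. The node directories, the URL and the elastic password are all assumptions supplied by the caller, and curl is assumed to be installed on the host.</p>

```shell
#!/bin/sh
# Added example (not from the original post): pre-restart config lint plus
# post-setup authentication probe for the X-Pack configuration described above.
# Node directories, URL and the elastic password are caller-supplied assumptions.

# Read the value of a simple top-level "key: value" line from a YAML file.
yaml_value() {
    grep -E "^[[:space:]]*$2[[:space:]]*:" "$1" | head -n 1 \
        | sed -E 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//; s/^"(.*)"$/\1/'
}

# check_node_config DIR: DIR holds elasticsearch.yml and the mounted .p12.
# Returns 0 if security and transport TLS are on, the verification mode is
# certificate or full, and both store paths resolve to a file inside DIR.
check_node_config() {
    dir="$1"; cfg="$dir/elasticsearch.yml"; rc=0
    if [ ! -f "$cfg" ]; then echo "FAIL: $cfg not found"; return 1; fi
    for key in xpack.security.enabled xpack.security.transport.ssl.enabled; do
        val=$(yaml_value "$cfg" "$key")
        if [ "$val" != "true" ]; then
            echo "FAIL: $key is '${val:-unset}' in $cfg (expected true)"; rc=1
        fi
    done
    # verification_mode "none" would accept any certificate on the transport
    # layer; the post uses "certificate", and "full" also checks hostnames.
    mode=$(yaml_value "$cfg" xpack.security.transport.ssl.verification_mode)
    case "$mode" in
        certificate|full) ;;
        *) echo "FAIL: verification_mode is '${mode:-unset}' in $cfg (expected certificate or full)"; rc=1 ;;
    esac
    # Store paths are resolved relative to the config directory, so the file
    # copied with "docker cp" must really be mounted there.
    for key in xpack.security.transport.ssl.keystore.path \
               xpack.security.transport.ssl.truststore.path; do
        p12=$(yaml_value "$cfg" "$key")
        if [ -z "$p12" ]; then
            echo "FAIL: $key is unset in $cfg"; rc=1
        elif [ ! -f "$dir/$p12" ]; then
            echo "FAIL: $key points to $dir/$p12, which does not exist"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: $cfg"
    return "$rc"
}

# check_all_nodes DIR...: lint every node directory, e.g. the post's es1 es2 es3.
check_all_nodes() {
    rc_all=0
    for d in "$@"; do check_node_config "$d" || rc_all=1; done
    return "$rc_all"
}

# auth_verdict ANON_CODE AUTHED_CODE: interpret the HTTP status codes returned
# by GET / without credentials and with the elastic user's password.
auth_verdict() {
    case "$1/$2" in
        401/200)  echo "ok: anonymous rejected, elastic user accepted" ;;
        200/*)    echo "FAIL: node answers without authentication" ;;
        401/401)  echo "FAIL: elastic credentials rejected (wrong password?)" ;;
        000/*|/*) echo "FAIL: node unreachable" ;;
        *)        echo "FAIL: unexpected status codes $1/$2" ;;
    esac
}

# probe_node URL PASSWORD, e.g. probe_node http://localhost:9210 "$ELASTIC_PW"
# (URL and password are assumptions; 9210 is the host port used in the post).
probe_node() {
    anon=$(curl -s -o /dev/null -w '%{http_code}' "$1/")
    authed=$(curl -s -o /dev/null -w '%{http_code}' -u "elastic:$2" "$1/")
    auth_verdict "$anon" "$authed"
    case "$anon/$authed" in 401/200) return 0 ;; *) return 1 ;; esac
}
```

<p>Run <code>check_all_nodes /Users/yupeng/elasticsearch/es1/config /Users/yupeng/elasticsearch/es2/config /Users/yupeng/elasticsearch/es3/config</code> before the <code>docker run</code> step, and <code>probe_node http://localhost:9210 "$ELASTIC_PW"</code> once <code>elasticsearch-setup-passwords</code> has finished. A node that answers 200 anonymously after the restart means the mounted elasticsearch.yml was not picked up, which is exactly the state the post set out to eliminate.</p>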
<h3>2. Kibana configuration changes</h3>
<p>Accessing Kibana now likewise requires a username and password. Set the credentials Kibana uses to connect to Elasticsearch in its configuration file (kibana.yml). The post uses the elastic superuser here; the built-in kibana user, whose password was also set above, carries only the privileges Kibana itself needs.</p>
<pre><code class='language-yaml' lang='yaml'>elasticsearch.username: "elastic"
# The password you set yourself, or the automatically generated one
elasticsearch.password: "xxxxxxxx"
</code></pre>