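Overview
I. Deploy the ES cluster
II. Generate the certificate and keys
1. /usr/share/elasticsearch/bin/elasticsearch-certutil ca
2. /usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
Press Enter at every prompt to accept the defaults.
3. Certificate deployment script
After the certificate is generated, copy it to every node in the cluster, modify the yml configuration file, and then restart.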
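# Create the directory that holds the certificate
mkdir /etc/elasticsearch/certs
mv /usr/share/elasticsearch/elastic-certificates.p12 /etc/elasticsearch/certs
# Ownership is changed with chown (chmod does not accept user:group)
chown -R elasticsearch:elasticsearch /etc/elasticsearch/certs
# Modify the yml configuration file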
echo "xpack.security.audit.enabled: true" >> /etc/elasticsearch/elasticsearch.yml
echo "xpack.security.enabled: true" >> /etc/elasticsearch/elasticsearch.yml
echo "xpack.license.self_generated.type: basic" >> /etc/elasticsearch/elasticsearch.yml
echo "xpack.security.transport.ssl.enabled: true" >> /etc/elasticsearch/elasticsearch.yml
echo "xpack.security.transport.ssl.verification_mode: certificate" >> /etc/elasticsearch/elasticsearch.yml
echo "xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12" >> /etc/elasticsearch/elasticsearch.yml
echo "xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12" >> /etc/elasticsearch/elasticsearch.yml
4. Set the passwords for all default accounts on the master node
Run the command
/usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive
Then confirm with y at each prompt
Finally, enter the passwords
5. Modify kibana.yml
echo 'elasticsearch.username: "elastic"' >> /etc/kibana/kibana.yml
echo 'elasticsearch.password: "XXXX"' >> /etc/kibana/kibana.yml
systemctl restart kibana
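Notes:
1) In an ES cluster, this only needs to be configured on one master node.
2) This method can only be used once; running it a second time to change the passwords fails with an error: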
Unexpected response code [503] from calling PUT http://39.104.166.15:9201/_security/user/apm_system/_password?pretty
Cause: Cluster state has not been recovered yet, cannot write to the [null] index
Possible next steps:
* Try running this tool again.
* Try running with the --verbose parameter for additional messages.
* Check the elasticsearch logs for additional error details.
* Use the change password API manually.
ERROR: Failed to set password for user [apm_system].
3) If this error appears the first time you set the passwords, you can try generating the passwords automatically:
/usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto
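4) If it has already been run, the only option is to try changing the passwords through the RESTful API; I have not tried this yet and will add documentation later.
5) Be sure to set up certificate authentication between the cluster nodes first and only then set the account passwords; otherwise an error is reported that the cluster state cannot be obtained, and the passwords cannot be set.
6) The certificate must be placed in ES's certs directory and assigned to the elasticsearch user and group; otherwise an error is reported: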
[2020-12-14T02:48:25,120][ERROR][o.e.b.Bootstrap ] [es01] Exception
java.security.AccessControlException: access denied ("java.io.FilePermission" "/es_data" "read")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:?]
at java.security.AccessController.checkPermission(AccessController.java:1036) ~[?:?]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) [elasticsearch-7.10.0.jar:7.10.0]
[2020-12-14T02:48:25,131][ERROR][o.e.b.ElasticsearchUncaughtExceptionHandler] [es01] uncaught exception in thread [main]
org.elasticsearch.bootstrap.StartupException: java.security.AccessControlException: access denied ("java.io.FilePermission" "/es_data" "read")
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:174) ~[elasticsearch-
Caused by: java.security.AccessControlException: access denied ("java.io.FilePermission" "/es_data" "read")
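The step 3 settings and the ownership requirement from note 6, as an added shell example that is not part of the original post: it sets each key in place instead of appending, so re-running it does not leave duplicate keys in elasticsearch.yml. The helper names `set_yml_key`, `count_key`, `apply_xpack_settings` and `owned_by` are hypothetical, and the script assumes the flat `key: value` style that the post writes.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Helper names are hypothetical.

# set_yml_key FILE KEY VALUE
# Replace the top-level "KEY: ..." line, or append it when absent, so that
# re-running the deployment never leaves duplicate keys in the file.
set_yml_key() {
    local file=$1 key=$2 value=$3 tmp
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    tmp=$(mktemp) || return 1
    # Keep every line that does not start with "KEY:", then add the new value.
    awk -v k="$key" 'index($0, k ":") != 1' "$file" > "$tmp"
    printf '%s: %s\n' "$key" "$value" >> "$tmp"
    # Write back in place so the file keeps its owner and mode.
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# count_key FILE KEY: how many lines define KEY (should be exactly 1).
count_key() {
    awk -v k="$2" 'index($0, k ":") == 1 { n++ } END { print n + 0 }' "$1"
}

# apply_xpack_settings FILE: the settings from step 3 of the post.
apply_xpack_settings() {
    local f=$1 p=certs/elastic-certificates.p12
    set_yml_key "$f" xpack.security.audit.enabled true &&
    set_yml_key "$f" xpack.security.enabled true &&
    set_yml_key "$f" xpack.license.self_generated.type basic &&
    set_yml_key "$f" xpack.security.transport.ssl.enabled true &&
    set_yml_key "$f" xpack.security.transport.ssl.verification_mode certificate &&
    set_yml_key "$f" xpack.security.transport.ssl.keystore.path "$p" &&
    set_yml_key "$f" xpack.security.transport.ssl.truststore.path "$p"
}

# owned_by PATH USER GROUP: succeeds only if PATH has that owner and group
# (note 6: the certs directory must belong to elasticsearch:elasticsearch).
owned_by() {
    [ -n "$(find "$1" -prune -user "$2" -group "$3" -print 2>/dev/null)" ]
}

# Typical use on a node (run as root):
#   apply_xpack_settings /etc/elasticsearch/elasticsearch.yml
#   owned_by /etc/elasticsearch/certs elasticsearch elasticsearch || echo "fix ownership"
```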