• Installing an Elasticsearch 7.16.3 cluster with Docker: configuring authentication


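    I. Preface

        The previous post, "Installing an Elasticsearch 7.16.3 cluster with Docker", did not configure authentication. This post explains how to configure authentication for the cluster.

    II. Configuration

    1. Connect to any one of the containers in the cluster

    docker exec -it <container-id> bash

    2. Create a certificate authority for the Elasticsearch cluster

    bin/elasticsearch-certutil ca

    3. Generate a certificate and private key for each node in the cluster (you will be prompted for passwords along the way)

    bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

    4. Copy the generated elastic-certificates.p12 into es{number}/data/cert for every node (the WinSCP steps are omitted here)

    5. Edit the elasticsearch.yml file in each es directory to enable authentication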

    # ======================== Elasticsearch Configuration =========================
    #
    # NOTE: Elasticsearch comes with reasonable defaults for most settings.
    #       Before you set out to tweak and tune the configuration, make sure you
    #       understand what are you trying to accomplish and the consequences.
    #
    # The primary way of configuring a node is via this file. This template lists
    # the most important settings you may want to configure for a production cluster.
    #
    # Please consult the documentation for further information on configuration options:
    # https://www.elastic.co/guide/en/elasticsearch/reference/index.html
    #
    # ---------------------------------- Cluster -----------------------------------
    #
    # Use a descriptive name for your cluster:
    #
    #cluster.name: my-application
    #
    # ------------------------------------ Node ------------------------------------
    #
    # Use a descriptive name for the node:
    #
    #node.name: node-1
    #
    # Add custom attributes to the node:
    #
    #node.attr.rack: r1
    #
    # ----------------------------------- Paths ------------------------------------
    #
    # Path to directory where to store the data (separate multiple locations by comma):
    #
    #path.data: /path/to/data
    #
    # Path to log files:
    #
    #path.logs: /path/to/logs
    #
    # ----------------------------------- Memory -----------------------------------
    #
    # Lock the memory on startup:
    #
    #bootstrap.memory_lock: true
    #
    # Make sure that the heap size is set to about half the memory available
    # on the system and that the owner of the process is allowed to use this
    # limit.
    #
    # Elasticsearch performs poorly when the system is swapping the memory.
    #
    # ---------------------------------- Network -----------------------------------
    #
    # Set the bind address to a specific IP (IPv4 or IPv6):
    #
    #network.host: 192.168.0.1
    #network.host: 0.0.0.0
    #
    # Set a custom port for HTTP:
    #
    #http.port: 9200
    #
    # For more information, consult the network module documentation.
    #
    # --------------------------------- Discovery ----------------------------------
    #
    # Pass an initial list of hosts to perform discovery when this node is started:
    # The default list of hosts is ["127.0.0.1", "[::1]"]
    #
    #discovery.seed_hosts: ["host1", "host2"]
    #
    # Bootstrap the cluster using an initial set of master-eligible nodes:
    #
    #cluster.initial_master_nodes: ["node-1", "node-2"]
    #
    # For more information, consult the discovery and cluster formation module documentation.
    #
    # ---------------------------------- Gateway -----------------------------------
    #
    # Block initial recovery after a full cluster restart until N nodes are started:
    #
    #gateway.recover_after_nodes: 3
    #
    # For more information, consult the gateway module documentation.
    #
    # ---------------------------------- Various -----------------------------------
    #
    # Require explicit names when deleting indices:
    #
    #action.destructive_requires_name: true
    
    network.host: 0.0.0.0 # sets both bind_host and publish_host
    http.port: 9202  # port that REST clients connect to
    transport.tcp.port: 9300  # port for node-to-node communication inside the cluster
    node.master: true # master role
    node.data: true # data role
    node.ingest: true # ingest role: pre-processes documents before indexing, supports pipelines, acts like a filter
    node.max_local_storage_nodes: 1 
    http.cors.enabled: true # CORS configuration
    http.cors.allow-origin: "*" # CORS configuration: "*" allows every origin
    
    # Enable X-Pack authentication
    xpack.security.enabled: true
    # Enable SSL/TLS on the transport (node-to-node) layer
    xpack.security.transport.ssl.enabled: true
    # SSL certificate verification mode
    xpack.security.transport.ssl.verification_mode: certificate
    # Certificate paths
    xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/data/cert/elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/data/cert/elastic-certificates.p12

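    6. If you set a password while creating the certificate, add that password to the Elasticsearch keystore. This is needed on every node (do it in advance, because it is awkward to change after startup)

    bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
    bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

    7. Replace the elasticsearch.yml in the corresponding es/config directory

    8. Restart the cluster

    9. Connect to any one of the containers in the cluster and set the passwords for all accounts

    bin/elasticsearch-setup-passwords interactive

    10. Edit kibana.yml and copy it over the one in /usr/kibana/config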

    elasticsearch.username: "elastic"
    elasticsearch.password: "123456"
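
The elasticsearch.yml settings above can be checked on each node before the restart. The script below is an added example, not part of the original post or of Elasticsearch: `get_setting` and `audit_es_yml` are hypothetical helper names, and the sample file is constructed from the settings shown on this page.

```shell
#!/usr/bin/env bash
# Added example: lint elasticsearch.yml for the security settings discussed above.
# get_setting and audit_es_yml are hypothetical helpers, not Elasticsearch tools.
get_setting() {  # usage: get_setting FILE KEY -> value of the last active "KEY: value"
  awk -v key="$2" '
    /^[ \t]*#/ { next }                        # skip commented-out template lines
    { line = $0; sub(/[ \t]+#.*$/, "", line)   # drop inline comment
      i = index(line, ":"); if (i == 0) next
      k = substr(line, 1, i - 1); v = substr(line, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k)
      gsub(/^[ \t]+|[ \t]+$|"/, "", v)         # trim and unquote
      if (k == key) val = v }
    END { print val }' "$1"
}

audit_es_yml() {  # usage: audit_es_yml FILE; prints findings, returns 1 on any FAIL
  local f="$1" p=xpack.security rc=0 key v
  for key in $p.enabled $p.transport.ssl.enabled; do
    v=$(get_setting "$f" "$key")
    [ "$v" = true ] || { echo "FAIL $key is '${v:-unset}', expected true"; rc=1; }
  done
  for key in $p.transport.ssl.keystore.path $p.transport.ssl.truststore.path; do
    [ -n "$(get_setting "$f" "$key")" ] || { echo "FAIL $key is unset"; rc=1; }
  done
  case "$(get_setting "$f" $p.transport.ssl.verification_mode)" in
    none) echo "FAIL verification_mode none: peer certificates are not checked"; rc=1 ;;
    certificate) echo "INFO verification_mode certificate: CA chain checked, hostname not" ;;
  esac
  if [ "$(get_setting "$f" http.cors.enabled)" = true ] &&
     [ "$(get_setting "$f" http.cors.allow-origin)" = "*" ]; then
    echo "WARN http.cors.allow-origin is *: every origin passes the CORS check"
  fi
  [ "$(get_setting "$f" $p.http.ssl.enabled)" = true ] ||
    echo "WARN $p.http.ssl.enabled is not true: passwords cross the HTTP port unencrypted"
  return $rc
}

# Constructed sample: the active settings from the elasticsearch.yml on this page.
sample=$(mktemp)
cat > "$sample" <<'EOF'
http.port: 9202  # REST client port
http.cors.enabled: true
http.cors.allow-origin: "*"
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/data/cert/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/data/cert/elastic-certificates.p12
EOF
audit_es_yml "$sample"
```

For the configuration on this page the audit reports no FAIL lines, one INFO line about `verification_mode`, and two WARN lines: the wildcard CORS origin and the absence of TLS on the HTTP port.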

    Reference: https://zhuanlan.zhihu.com/p/91821035

  • Original article: https://www.cnblogs.com/gaobing/p/15830720.html