• Enabling X-Pack authentication on an ES cluster


    1. Download

    # wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.6.2-linux-x86_64.tar.gz
    

     2. Extract and rename

    # tar -zvxf elasticsearch-7.6.2-linux-x86_64.tar.gz -C /data/elastic/
    # mv /data/elastic/elasticsearch-7.6.2 /data/elastic/node1
    

     Instance one:

    3. ES refuses to start as root, so create an unprivileged user and give it ownership of the directory
    # groupadd es
    # useradd -g es es
    # chown -R es:es /data/elastic/node1
    

     4. Edit the configuration file

    # vim /data/elastic/node1/config/elasticsearch.yml
    bootstrap.system_call_filter: false
    processors: 4
    node.master: true
    node.data: true
    cluster.name: rizhiyi_security
    network.host: ip
    bootstrap.memory_lock: true
     
    path.data: data
    path.logs: logs
    http.port: 9200
    transport.tcp.port: 9300
    node.name: ip_9300
     
    discovery.seed_hosts: ["ip:9300", "ip:9301", "ip:9302"]
    cluster.initial_master_nodes: ["ip:9300", "ip:9301", "ip:9302"]
    

     5. Configure the JVM

    # vim /data/elastic/node1/config/jvm.options
    -Xms1g
    -Xmx1g
    -XX:+UseG1GC
    -XX:G1ReservePercent=25
    

     6. Once configured, switch to the unprivileged user and start the node

    # su - es
    # cd /data/elastic/node1
    # ./bin/elasticsearch -d
    

     7. If the node fails to start, check whether the Java environment is set up, whether the elasticsearch directory is owned by the unprivileged user, and whether there is enough memory.
    Instances two and three:
    Copy node1 from instance one as node2 and node3; only http.port (9200) and transport.tcp.port (9300) need to be changed, every other step is the same.
    At this point the multi-instance ES cluster is up.
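    The three instances differ only in their ports and node.name, as described above. The following script is an added example and not part of the original post: it renders the elasticsearch.yml for instance N (1 to 3) from the settings in step 4, taking the bind address as an argument in place of the author's `ip` placeholder, and when called with a third argument `secure` it appends the X-Pack settings introduced in the next section so the same script covers both phases. The function names and the "9200/9300 plus N-1" port scheme are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): print the elasticsearch.yml for
# instance N of the three-node cluster. Only the ports and node.name differ
# between instances; everything else is copied from step 4 verbatim.
# Usage: render_node_config <bind ip> <instance 1..3> [secure]

render_node_config() {
    ip="$1"
    n="$2"
    case "$n" in
        1|2|3) ;;
        *) echo "instance number must be 1, 2 or 3" >&2; return 1 ;;
    esac
    # Assumed scheme: node1 gets 9200/9300, node2 9201/9301, node3 9202/9302
    http_port=$((9200 + n - 1))
    tcp_port=$((9300 + n - 1))
    cat <<EOF
bootstrap.system_call_filter: false
processors: 4
node.master: true
node.data: true
cluster.name: rizhiyi_security
network.host: ${ip}
bootstrap.memory_lock: true

path.data: data
path.logs: logs
http.port: ${http_port}
transport.tcp.port: ${tcp_port}
node.name: ${ip}_${tcp_port}

discovery.seed_hosts: ["${ip}:9300", "${ip}:9301", "${ip}:9302"]
cluster.initial_master_nodes: ["${ip}:9300", "${ip}:9301", "${ip}:9302"]
EOF
    # Second phase: the settings from the X-Pack section, appended only on request
    if [ "${3:-}" = "secure" ]; then
        cat <<'EOF'

# enable security authentication (login)
xpack.security.enabled: true

# enable TLS on the transport layer (tcp); the certutil certificate carries
# no hostnames, so verification_mode must stay "certificate", not "full"
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: ./elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: ./elastic-certificates.p12

# enable TLS on http
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: ./elastic-certificates.p12
xpack.security.http.ssl.truststore.path: ./elastic-certificates.p12
EOF
    fi
}

# Write the config for node1..node3 under a base directory (e.g. /data/elastic),
# after the node directories have been copied from node1 as the post describes.
render_cluster_configs() {
    ip="$1"
    base="$2"
    for n in 1 2 3; do
        mkdir -p "${base}/node${n}/config"
        render_node_config "$ip" "$n" "${3:-}" > "${base}/node${n}/config/elasticsearch.yml"
    done
}

if [ $# -ge 2 ]; then
    render_node_config "$@"
fi
```

    Run it as `sh render.sh 10.0.0.5 2` to print node2's file, or call `render_cluster_configs 10.0.0.5 /data/elastic secure` once the certificate is in place to write all three files with security enabled.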
    Elasticsearch X-Pack security login / enabling TLS on the transport layer (tcp)

    1. Generate a CA certificate with Elasticsearch's built-in tool
    # bin/elasticsearch-certutil ca

    2. Generate a certificate and private key for every node in the cluster

    # bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
    

     This produces a new file, elastic-certificates.p12. You will also be prompted for a password; you can set one for the certificate and key, or press Enter to leave it empty. By default elasticsearch-certutil generates a certificate with no hostname information, which means the same certificate can be used on every node in the cluster, but hostname verification must be turned off. (After elastic-certificates.p12 is generated, move it into the config directory.)

    3. Add the following settings to elasticsearch.yml on all nodes

    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: ./elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: ./elastic-certificates.p12
    

    4. Start the master node; running bin/elasticsearch in the foreground is recommended so you can watch the output directly

    5. Once the master node is running, set the cluster passwords. Note: all cluster nodes must be started

    # bin/elasticsearch-setup-passwords auto   # or replace auto with interactive to set them by hand
    

    6. Copy the file elastic-certificates.p12 to the other nodes

    7. Start the other nodes; you can see them join in the master node's output

    8. Check the cluster status. Because X-Pack is enabled, you must specify the es user (-u sets the user name; after pressing Enter you are asked for the password)
    # curl -u elastic IP:9200/_cat/nodes
    9. Enable TLS on HTTP: add the following settings to elasticsearch.yml on all nodes

    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.keystore.path: ./elastic-certificates.p12
    xpack.security.http.ssl.truststore.path: ./elastic-certificates.p12
    

     10. Restart all nodes for the configuration to take effect
    Complete elasticsearch.yml file

    bootstrap.system_call_filter: false
    processors: 4
    node.master: true
    node.data: true
    cluster.name: rizhiyi_security
    network.host: ip
    bootstrap.memory_lock: true
    
    path.data: data
    path.logs: logs
    http.port: 9200
    transport.tcp.port: 9300
    node.name: ip_9300
    
    discovery.seed_hosts: ["ip:9300", "ip:9301", "ip:9302"]
    cluster.initial_master_nodes: ["ip:9300", "ip:9301", "ip:9302"]
    # enable security authentication (login)
    xpack.security.enabled: true
    
    # enable TLS on the transport layer (tcp)
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: ./elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: ./elastic-certificates.p12
    
    # enable TLS on http
    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.keystore.path: ./elastic-certificates.p12
    xpack.security.http.ssl.truststore.path: ./elastic-certificates.p12
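
    Before restarting the nodes in step 10 it is worth checking that every node's elasticsearch.yml actually carries the settings from steps 3 and 9: a single malformed line such as `xpack.security.enabled:true` with no space after the colon is parsed by YAML as a plain string rather than a key, and the node will not start. The checker below is an added example, not code from the original post or from Elastic. Its key list mirrors the complete file above, the `write_sample_configs` helper writes two constructed sample files (one with the missing space and no HTTP TLS block, one complete) purely to exercise the checker, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): lint an elasticsearch.yml for
# the X-Pack settings the steps above require, before restarting a node.
# check_security_config <file> exits 0 when every setting is present and
# well-formed, 1 otherwise, printing one line per problem found.

REQUIRED_TRUE="xpack.security.enabled \
xpack.security.transport.ssl.enabled \
xpack.security.http.ssl.enabled"

REQUIRED_PRESENT="xpack.security.transport.ssl.keystore.path \
xpack.security.transport.ssl.truststore.path \
xpack.security.http.ssl.keystore.path \
xpack.security.http.ssl.truststore.path"

check_security_config() {
    file="$1"
    problems=0
    for key in $REQUIRED_TRUE; do
        esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # dots are literal in the key
        # YAML needs a space after the colon: "key:true" is one string scalar,
        # not a mapping, and Elasticsearch refuses to start on it.
        if grep -Eq "^[[:space:]]*${esc}:[^[:space:]]" "$file"; then
            echo "ERROR: $key has no space after the colon"
            problems=$((problems + 1))
        elif ! grep -Eq "^[[:space:]]*${esc}:[[:space:]]+true[[:space:]]*$" "$file"; then
            echo "ERROR: $key is not set to true"
            problems=$((problems + 1))
        fi
    done
    for key in $REQUIRED_PRESENT; do
        esc=$(printf '%s' "$key" | sed 's/\./\\./g')
        if ! grep -Eq "^[[:space:]]*${esc}:[[:space:]]+[^[:space:]]" "$file"; then
            echo "ERROR: $key is missing"
            problems=$((problems + 1))
        fi
    done
    # The certutil-generated certificate carries no hostnames (step 2), so the
    # transport layer must use "certificate" verification, not "full".
    if ! grep -Eq '^[[:space:]]*xpack\.security\.transport\.ssl\.verification_mode:[[:space:]]+certificate[[:space:]]*$' "$file"; then
        echo "ERROR: transport verification_mode must be 'certificate' for a hostname-less cert"
        problems=$((problems + 1))
    fi
    if [ "$problems" -eq 0 ]; then
        echo "OK: $file has all X-Pack security settings"
        return 0
    fi
    echo "$problems problem(s) found in $file"
    return 1
}

# Constructed sample files (not from the post) used only to exercise the checker.
write_sample_configs() {
    dir="$1"
    cat > "$dir/weak.yml" <<'EOF'
cluster.name: rizhiyi_security
xpack.security.enabled:true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: ./elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: ./elastic-certificates.p12
EOF
    cat > "$dir/fixed.yml" <<'EOF'
cluster.name: rizhiyi_security
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: ./elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: ./elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: ./elastic-certificates.p12
xpack.security.http.ssl.truststore.path: ./elastic-certificates.p12
EOF
}

if [ $# -gt 0 ]; then
    check_security_config "$1"
fi
```

    Run it as `sh check.sh /data/elastic/node1/config/elasticsearch.yml` on each node before restarting. Once HTTP TLS is on, the status check from step 8 must use https:// rather than plain http, and it will be the node's certificate that curl is asked to trust.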
    



  • Original post: https://www.cnblogs.com/jclty/p/12913996.html