Configuring user passwords for an Elasticsearch cluster

Once an ES cluster is configured and started, it has no password by default. Internal scans regularly flag this as a security vulnerability, and it carries a real risk of data leakage and tampering.

Cluster certificate setup

When the x-pack module is enabled, communication between the nodes of the cluster must be authenticated. To solve the authentication problem for inter-node communication, we need to create certificates.

Otherwise, trying to generate the passwords directly fails with:

Cause: Cluster state has not been recovered yet, cannot write to the [null]index

elasticsearch-certutil cert

Follow the prompts step by step to generate the elastic-certificates.p12 file.

elasticsearch.yml settings

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.type: PKCS12
xpack.security.transport.ssl.truststore.type: PKCS12
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

Place the generated certificate in the config folder under the ES root directory, e.g. elasticsearch/config/elastic-certificates.p12.

Apply the same configuration on every node in the cluster, then restart all nodes.

Elasticsearch has two levels of communication: transport and HTTP. The transport protocol is used for internal communication between Elasticsearch nodes; the HTTP protocol is used for communication from clients to the Elasticsearch cluster.
Personally, I think the above only sets up certificates for the internal transport protocol, which is why only cert is generated and no ca is generated.

The elasticsearch.yml settings likewise only set xpack.security.transport.ssl and do not set xpack.security.http.ssl…
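The gap noted above (transport TLS configured, HTTP TLS not) is easy to check mechanically, because elasticsearch.yml is a flat list of dotted keys. The following audit script is an added example and is not part of the original post: it parses that flat form without any YAML library, flags the settings the post configures when they are missing or weak, and also goes slightly beyond the post by looking at the network.host and http.cors keys that appear in the per-node config further down the page. The sample config embedded in it is constructed for the example, and the severity wording of each finding is this example's own.

```python
"""Offline audit of the flat 'key: value' settings in an elasticsearch.yml."""
from typing import Dict, List

# Constructed sample config for this example: the post's transport-only TLS
# settings together with the network/CORS keys from its per-node config.
SAMPLE_YML = """\
cluster.name: test
node.name: es-node3
network.host: 0.0.0.0
http.port: 9200
http.cors.enabled: true
http.cors.allow-origin: "*"
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.type: PKCS12
xpack.security.transport.ssl.truststore.type: PKCS12
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
"""


def parse_flat_yml(text: str) -> Dict[str, str]:
    """Parse dotted 'key: value' lines (the form the ES docs use everywhere).

    Comments and blank lines are skipped and surrounding quotes are stripped.
    Nested YAML blocks are deliberately not handled.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit(settings: Dict[str, str]) -> List[str]:
    """Return one finding per missing or weak security setting."""

    def enabled(key: str) -> bool:
        return settings.get(key, "false").lower() == "true"

    findings: List[str] = []
    if not enabled("xpack.security.enabled"):
        findings.append("xpack.security.enabled is off: the cluster accepts "
                        "unauthenticated requests")
    if not enabled("xpack.security.transport.ssl.enabled"):
        findings.append("transport TLS is off: node-to-node traffic is plaintext")
    elif settings.get("xpack.security.transport.ssl.verification_mode",
                      "full") != "full":
        # ES defaults to 'full'; 'certificate' validates the chain only
        findings.append("transport verification_mode is not 'full': peer "
                        "certificates are checked but hostnames are not")
    if not enabled("xpack.security.http.ssl.enabled"):
        findings.append("HTTP TLS is off: Basic-auth credentials from clients "
                        "cross the network in plaintext")
    if settings.get("network.host") == "0.0.0.0":
        findings.append("network.host is 0.0.0.0: HTTP and transport ports "
                        "listen on every interface")
    if enabled("http.cors.enabled") and \
            settings.get("http.cors.allow-origin") == "*":
        findings.append("CORS allow-origin is '*': browsers on any origin are "
                        "allowed to read responses from the cluster")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_flat_yml(SAMPLE_YML)):
        print("-", finding)
```

Run it against a real node's config with `audit(parse_flat_yml(open("elasticsearch.yml").read()))`; on the post's own settings it reports exactly the HTTP-TLS gap the post describes, plus the non-default verification mode.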

Setting the passwords

Run the following on any node:

elasticsearch-setup-passwords interactive

Follow the prompts and enter each password in turn; once done, the passwords are set.

Verifying the passwords

Naturally, ES is verified with curl.

Run the following command, replacing the username and password with your own. If it prints output like the following, the setup succeeded.

curl localhost:9200/_cat/nodes --user elastic:xxxxx

10.10.x.x 17 99 0 0.06 0.09 0.12 xxxx * es-node3
10.10.x.x 35 99 0 0.06 0.09 0.12 xxxx - es-node2
10.10.x.x 40 99 0 0.06 0.09 0.12 xxxx - es-node1

Changing an ES password

  1. Change the password with curl

curl -XPUT -u elastic:xxx http://localhost:9200/_xpack/security/user/elastic/_password -H \
"Content-Type: application/json" -d '
{
"password": "your passwd"
}'
  2. Forgotten password

Go to any ES node:

./bin/elasticsearch-users useradd misspasswd -r superuser
Enter new password:
ERROR: Invalid password...passwords must be at least [6] characters long
[root@cfeeab4bb0eb elasticsearch]# ./bin/elasticsearch-users useradd misspasswd -r superuser
Enter new password:
Retype new password:

Then use the newly created user to perform step 1 and change the password.
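The curl call in step 1 works, but it puts the admin password on the command line (visible in shell history and to `ps`) and relies on hand-written JSON. The script below is an added example, not part of the original post, doing the same password change from Python: it reads the admin password from an environment variable or a prompt, rejects new passwords shorter than the 6-character minimum that the elasticsearch-users error above reports, lets json.dumps handle quoting, and uses the `/_security/user/<name>/_password` path that replaced the deprecated `/_xpack/security/...` path in 7.x. The ES_URL and ES_ADMIN_PASSWORD variable names, the default host and the injectable `opener` used for offline testing are this example's own assumptions.

```python
"""Change an Elasticsearch user's password through the REST API."""
import base64
import json
import os
import sys
import urllib.error
import urllib.request
from getpass import getpass

MIN_PASSWORD_LEN = 6  # the limit elasticsearch-users reports on the page


def build_password_request(base_url: str, admin_user: str, admin_pass: str,
                           target_user: str,
                           new_password: str) -> urllib.request.Request:
    """Build the PUT request; raises ValueError for a too-short password."""
    if len(new_password) < MIN_PASSWORD_LEN:
        raise ValueError(
            f"password must be at least {MIN_PASSWORD_LEN} characters long")
    # HTTP Basic auth header for the admin account (plaintext unless the
    # HTTP layer has TLS, which is exactly why xpack.security.http.ssl matters)
    token = base64.b64encode(f"{admin_user}:{admin_pass}".encode()).decode()
    # json.dumps escapes quotes and backslashes, so any password is safe here
    body = json.dumps({"password": new_password}).encode()
    return urllib.request.Request(
        url=f"{base_url.rstrip('/')}/_security/user/{target_user}/_password",
        data=body,
        method="PUT",
        headers={"Authorization": f"Basic {token}",
                 "Content-Type": "application/json"},
    )


def change_password(base_url: str, admin_user: str, admin_pass: str,
                    target_user: str, new_password: str,
                    opener=urllib.request.urlopen) -> int:
    """Send the request and return the HTTP status (200 means changed).

    `opener` defaults to urllib's urlopen; a fake can be injected for tests.
    """
    req = build_password_request(base_url, admin_user, admin_pass,
                                 target_user, new_password)
    try:
        with opener(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # 401/403 etc. come back as errors
        return err.code


if __name__ == "__main__":
    # Assumed env var names; never pass the passwords as argv
    url = os.environ.get("ES_URL", "http://localhost:9200")
    admin_pass = os.environ.get("ES_ADMIN_PASSWORD") or getpass("elastic password: ")
    target = sys.argv[1] if len(sys.argv) > 1 else "elastic"
    new_pass = getpass(f"new password for {target}: ")
    status = change_password(url, "elastic", admin_pass, target, new_pass)
    print("password changed" if status == 200 else f"failed: HTTP {status}")
```

Usage: `ES_ADMIN_PASSWORD=... python change_password.py kibana_system` changes the kibana_system password after prompting for the new value; with no argument it changes elastic's own password, as the post's curl example does.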

ES docker-compose configuration

https://github.com/shiguofu2012/scripts/blob/master/docker-compose/es.yml

Preparation:

  1. Create the directories; the config files and certificate files all live on the host under /root/data/es-7.5.1-{1,2,3}
  2. Certificate file (see above for how to generate it) / config file

Config file 1

cluster.name: test
node.name: es-node3
# network.bind_host: 0.0.0.0
network.host: 0.0.0.0
# network.publish_host: elasticsearch03
http.port: 9200
transport.tcp.port: 9300
http.cors.enabled: true
http.cors.allow-origin: "*"
node.master: true
node.data: true
cluster.initial_master_nodes: ["es-node1", "es-node2", "es-node3"]
# add the seed hosts
discovery.seed_hosts: ["elasticsearch01","elasticsearch03", "elasticsearch02"]


xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.type: PKCS12
xpack.security.transport.ssl.truststore.type: PKCS12
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
version: '2.2'
services:
  elasticsearch01:
    image: elasticsearch:7.10.1
    container_name: es01
    networks:
      - shiguofu_net
    # environment: moved into the config file
    # - discovery.type=single-node
    # - xpack.security.enabled=true
    # - xpack.license.self_generated.type=basic
    # - xpack.security.transport.ssl.enabled=true
    ports:
      - 9200:9200
      - 9201:9300
    volumes:
      - /root/data/es-7.5.1-1:/usr/share/elasticsearch/data
      - /usr/local/jdk:/usr/share/elasticsearch/jdk
      - /root/data/es-7.5.1-1/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
      - /root/data/es-7.5.1-1/es.yml:/usr/share/elasticsearch/config/elasticsearch.yml

  elasticsearch02:
    image: elasticsearch:7.10.1
    container_name: es02
    networks:
      - shiguofu_net
    # environment: moved into the config file
    # - discovery.type=single-node
    # - xpack.security.enabled=true
    # - xpack.license.self_generated.type=basic
    # - xpack.security.transport.ssl.enabled=true
    ports:
      - 9300:9200
      - 9301:9300
    volumes:
      - /usr/local/jdk:/usr/share/elasticsearch/jdk
      - /root/data/es-7.5.1-2:/usr/share/elasticsearch/data
      - /root/data/es-7.5.1-2/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
      - /root/data/es-7.5.1-2/es.yml:/usr/share/elasticsearch/config/elasticsearch.yml

  elasticsearch03:
    image: elasticsearch:7.10.1
    container_name: es03
    networks:
      - shiguofu_net
    # environment: moved into the config file
    # - discovery.type=single-node
    # - xpack.security.enabled=true
    # - xpack.license.self_generated.type=basic
    # - xpack.security.transport.ssl.enabled=true
    ports:
      - 6666:9200
      - 6667:9300
    volumes:
      - /root/data/es-7.5.1-3:/usr/share/elasticsearch/data
      - /root/data/es-7.5.1-3/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
      - /usr/local/jdk:/usr/share/elasticsearch/jdk
      - /root/data/es-7.5.1-3/es.yml:/usr/share/elasticsearch/config/elasticsearch.yml

  kibana:
    image: kibana:7.10.1
    container_name: kibana
    links:
      - elasticsearch01
    networks:
      - shiguofu_net
    # list-form environment entries take the value literally, so no quotes
    environment:
      - ELASTICSEARCH_HOSTS=http://elasticsearch01:9200
      - ELASTICSEARCH_USERNAME=elastic
      - ELASTICSEARCH_PASSWORD=aeQwQKM0N0nY
    depends_on:
      - elasticsearch01
    ports:
      - 5601:5601

networks:
  shiguofu_net:
    driver: bridge
    ipam:
      config:
        - subnet: 10.10.2.0/24