当前位置:   article > 正文

Elasticsearch:如何使用自定义的证书安装 Elastic Stack 8.x_elasticsearch 生成enrollment token

elasticsearch 生成enrollment token

在我之前的文章 “如何在 Linux,MacOS 及 Windows 上进行安装 Elasticsearch”,我详细描述了如何在各个平台中安装 Elastic Stack 8.x。在其中的文章中,我们大多采用默认的证书来安装 Elasticsearch。在今天的文章中,我们用自己创建的证书一步一步地来安装 Elastic Stack 8.x。我们可以参考之前的文章:

我们将在 Ubuntu 20.04 上来进行展示。我们将安装最新的 Elastic Stack 8.7.1。

如何使用自定义的证书安装 Elastic Stack 8.x

安装 Elasticsearch

我们首先在 Ubuntu 系统上参照文章 “Elasticsearch: 使用 Debian 安装包来安装 Elasticsearch 8.x” 来安装 Elasticsearch。当然,我们可以使用默认的证书来使得 Elasticsearch 顺利运行,这个是没有任何问题的。但是,在实际的部署中,有很多开发者希望使用自己的证书来进行安装,一方面可控,另一方可以延续之前的 7.x 的安装证书。

在我们运行如下的命令之后:

sudo apt-get update && sudo apt-get install elasticsearch
  1. parallels@liuxg:~$ sudo apt-get update && sudo apt-get install elasticsearch
  2. Hit:1 https://artifacts.elastic.co/packages/8.x/apt stable InRelease
  3. Hit:2 https://download.docker.com/linux/ubuntu focal InRelease
  4. Hit:3 http://ports.ubuntu.com/ubuntu-ports focal InRelease
  5. Get:4 http://ports.ubuntu.com/ubuntu-ports focal-updates InRelease [114 kB]
  6. Get:5 http://ports.ubuntu.com/ubuntu-ports focal-backports InRelease [108 kB]
  7. Get:6 http://ports.ubuntu.com/ubuntu-ports focal-security InRelease [114 kB]
  8. Get:7 http://ports.ubuntu.com/ubuntu-ports focal-updates/main arm64 DEP-11 Metadata [275 kB]
  9. Get:8 http://ports.ubuntu.com/ubuntu-ports focal-updates/universe arm64 DEP-11 Metadata [408 kB]
  10. Get:9 http://ports.ubuntu.com/ubuntu-ports focal-backports/main arm64 DEP-11 Metadata [5,236 B]
  11. Get:10 http://ports.ubuntu.com/ubuntu-ports focal-backports/universe arm64 DEP-11 Metadata [30.5 kB]
  12. Get:11 http://ports.ubuntu.com/ubuntu-ports focal-security/main arm64 DEP-11 Metadata [59.8 kB]
  13. Get:12 http://ports.ubuntu.com/ubuntu-ports focal-security/universe arm64 DEP-11 Metadata [95.0 kB]
  14. Fetched 1,210 kB in 5s (246 kB/s)
  15. Reading package lists... Done
  16. N: Skipping acquire of configured file 'stable/binary-aarch64/Packages' as repository 'https://download.docker.com/linux/ubuntu focal InRelease' doesn't support architecture 'aarch64'
  17. Reading package lists... Done
  18. Building dependency tree
  19. Reading state information... Done
  20. The following NEW packages will be installed:
  21. elasticsearch
  22. 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  23. Need to get 397 MB of archives.
  24. After this operation, 660 MB of additional disk space will be used.
  25. Get:1 https://artifacts.elastic.co/packages/8.x/apt stable/main arm64 elasticsearch arm64 8.7.1 [397 MB]
  26. Fetched 397 MB in 1min 24s (4,728 kB/s)
  27. Selecting previously unselected package elasticsearch.
  28. (Reading database ... 230412 files and directories currently installed.)
  29. Preparing to unpack .../elasticsearch_8.7.1_arm64.deb ...
  30. Creating elasticsearch group... OK
  31. Creating elasticsearch user... OK
  32. Unpacking elasticsearch (8.7.1) ...
  33. Setting up elasticsearch (8.7.1) ...
  34. --------------------------- Security autoconfiguration information ------------------------------
  35. Authentication and authorization are enabled.
  36. TLS for the transport and HTTP layers is enabled and configured.
  37. The generated password for the elastic built-in superuser is : xsYCh*5qOz7hSpkH-fHC
  38. If this node should join an existing cluster, you can reconfigure this with
  39. '/usr/share/elasticsearch/bin/elasticsearch-reconfigure-node --enrollment-token <token-here>'
  40. after creating an enrollment token on your existing cluster.
  41. You can complete the following actions at any time:
  42. Reset the password of the elastic built-in superuser with
  43. '/usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic'.
  44. Generate an enrollment token for Kibana instances with
  45. '/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana'.
  46. Generate an enrollment token for Elasticsearch nodes with
  47. '/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node'.
  48. -------------------------------------------------------------------------------------------------
  49. ### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd
  50. sudo systemctl daemon-reload
  51. sudo systemctl enable elasticsearch.service
  52. ### You can start elasticsearch service by executing
  53. sudo systemctl start elasticsearch.service

上面显示了 elastic 超级用户的密码已经 kibana 的 enrollment token 等信息。如果这个时候我们直接启动 elasticsearch 服务,那么它将顺利启动并运行。假如你之前已经生成过自己的证书,那么这个时候,你可以直接进行配置 config/elasticsearch.yml 文件即可。如果你没有,请阅读下一节来创建自己的证书。

创建证书

创建根证书

我们使用如下的命令来生成根证书:

/usr/share/elasticsearch/bin/elasticsearch-certutil ca --silent --pem -out config/certs/ca.zip

我们去 Elasticsearch 的配置文件目录进行查看:

  1. root@ubuntu2004:/usr/share/elasticsearch/config/certs# pwd
  2. /usr/share/elasticsearch/config/certs
  3. root@ubuntu2004:/usr/share/elasticsearch/config/certs# ls
  4. ca.zip

我们接下来解压缩上面得到的 ca.zip 文件:

  1. root@ubuntu2004:/usr/share/elasticsearch# pwd
  2. /usr/share/elasticsearch
  3. root@ubuntu2004:/usr/share/elasticsearch# unzip config/certs/ca.zip -d config/certs
  4. Archive: config/certs/ca.zip
  5. creating: config/certs/ca/
  6. inflating: config/certs/ca/ca.crt
  7. inflating: config/certs/ca/ca.key

上面显示,ca.zip 含有两个文件 ca.crt 及 ca.key。

为各个 节点生成证书文件

我们在 /usr/share/elasticsearch/config/certs 目录底下创建一个 instances.yml 文件,它将包含我们要使用 SSL 保护的不同节点的实例。就我而言,我的机器的情况如下:

  1. root@ubuntu2004:/usr/share/elasticsearch# ifconfig | grep inet
  2. inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
  3. inet 192.168.0.8 netmask 255.255.255.0 broadcast 192.168.0.255
  4. inet6 fe80::d246:4880:928b:f508 prefixlen 64 scopeid 0x20<link>
  5. inet 127.0.0.1 netmask 255.0.0.0
  6. inet6 ::1 prefixlen 128 scopeid 0x10<host>
  7. root@ubuntu2004:/usr/share/elasticsearch# hostname
  8. ubuntu2004

如上所示,我当前的机器的 IP 地址为 192.168.0.8,而我的 hostname 是 ubuntu2004。我们甚至可以在 /etc/hosts 中添加如下的项:

  1. 127.0.0.1 localhost
  2. 192.168.0.8 parallels
  3. 192.168.0.8 ubuntu2004

这样当我们 ping ubuntu2004 时,它的响应是:

  1. ping ubuntu2004
  2. PING ubuntu2004 (192.168.0.8) 56(84) bytes of data.
  3. 64 bytes from parallels (192.168.0.8): icmp_seq=1 ttl=64 time=0.112 ms
  4. 64 bytes from parallels (192.168.0.8): icmp_seq=2 ttl=64 time=0.250 ms

/usr/share/elasticsearch/config/certs/instances.yml

  1. instances:
  2. - name: elasticsearch1
  3. dns:
  4. - localhost
  5. - ubuntu2004
  6. ip:
  7. - "192.168.0.8"
  8. - name: elasticsearch2
  9. dns:
  10. - localhost
  11. - ubuntu2204
  12. ip:
  13. - "192.168.0.9"
  14. - name: elasticsearch3
  15. dns:
  16. - localhost
  17. - mac
  18. ip:
  19. - "192.168.0.3"
  20. - name: "kibana"
  21. ip:
  22. - "192.168.0.8"

在上面,我们列举了三个节点的 Elasticsearch。根据你实际的使用情况,你可以添加或减少。在本文的实例中,我将创建一个单节点的 IP 地址为 192.168.0.8 的 Elasticsearch 集群。我们使用如下的命令:

/usr/share/elasticsearch/bin/elasticsearch-certutil cert --silent --pem -out config/certs/certs.zip --in config/certs/instances.yml --ca-cert config/certs/ca/ca.crt --ca-key config/certs/ca/ca.key
  1. root@ubuntu2004:/usr/share/elasticsearch# pwd
  2. /usr/share/elasticsearch
  3. root@ubuntu2004:/usr/share/elasticsearch# ls config/certs/
  4. ca ca.zip instances.yml
  5. root@ubuntu2004:/usr/share/elasticsearch# /usr/share/elasticsearch/bin/elasticsearch-certutil cert --silent --pem -out config/certs/certs.zip --in config/certs/instances.yml --ca-cert config/certs/ca/ca.crt --ca-key config/certs/ca/ca.key
  6. root@ubuntu2004:/usr/share/elasticsearch# ls config/certs
  7. ca ca.zip certs.zip instances.yml

从上面,我们可以看出来它生成了一个叫做 certs.zip 的文件。

我们接下来使用如下的命令来解压缩上面得到的 certs.zip 文件:

  1. root@ubuntu2004:/usr/share/elasticsearch# pwd
  2. /usr/share/elasticsearch
  3. root@ubuntu2004:/usr/share/elasticsearch# ls config/certs/
  4. ca ca.zip instances.yml
  5. root@ubuntu2004:/usr/share/elasticsearch# /usr/share/elasticsearch/bin/elasticsearch-certutil cert --silent --pem -out config/certs/certs.zip --in config/certs/instances.yml --ca-cert config/certs/ca/ca.crt --ca-key config/certs/ca/ca.key
  6. root@ubuntu2004:/usr/share/elasticsearch# ls config/certs
  7. ca ca.zip certs.zip instances.yml
  8. root@ubuntu2004:/usr/share/elasticsearch# unzip config/certs/certs.zip -d config/certs
  9. Archive: config/certs/certs.zip
  10. creating: config/certs/elasticsearch1/
  11. inflating: config/certs/elasticsearch1/elasticsearch1.crt
  12. inflating: config/certs/elasticsearch1/elasticsearch1.key
  13. creating: config/certs/elasticsearch2/
  14. inflating: config/certs/elasticsearch2/elasticsearch2.crt
  15. inflating: config/certs/elasticsearch2/elasticsearch2.key
  16. creating: config/certs/elasticsearch3/
  17. inflating: config/certs/elasticsearch3/elasticsearch3.crt
  18. inflating: config/certs/elasticsearch3/elasticsearch3.key
  19. creating: config/certs/kibana/
  20. inflating: config/certs/kibana/kibana.crt
  21. inflating: config/certs/kibana/kibana.key

如上所示,我们可以看到所有生成的证书文件:

  1. root@ubuntu2004:/usr/share/elasticsearch# tree -L 4 config/
  2. config/
  3. └── certs
  4. ├── ca
  5. │   ├── ca.crt
  6. │   └── ca.key
  7. ├── ca.zip
  8. ├── certs.zip
  9. ├── elasticsearch1
  10. │   ├── elasticsearch1.crt
  11. │   └── elasticsearch1.key
  12. ├── elasticsearch2
  13. │   ├── elasticsearch2.crt
  14. │   └── elasticsearch2.key
  15. ├── elasticsearch3
  16. │   ├── elasticsearch3.crt
  17. │   └── elasticsearch3.key
  18. ├── instances.yml
  19. └── kibana
  20. ├── kibana.crt
  21. └── kibana.key

我们接下来把上面生成的证书拷贝到 /etc/elasticsearch/certs 下面去。

  1. root@ubuntu2004:/usr/share/elasticsearch# pwd
  2. /usr/share/elasticsearch
  3. root@ubuntu2004:/usr/share/elasticsearch# cd config/certs/
  4. root@ubuntu2004:/usr/share/elasticsearch/config/certs# ls
  5. ca ca.zip certs.zip elasticsearch1 elasticsearch2 elasticsearch3 instances.yml kibana
  6. root@ubuntu2004:/usr/share/elasticsearch/config/certs# cp -R ca /etc/elasticsearch/certs/
  7. root@ubuntu2004:/usr/share/elasticsearch/config/certs# cp -R elasticsearch1 /etc/elasticsearch/certs/

这样在 /etc/elasticsearch/certs 下的文件如下:

  1. root@ubuntu2004:/etc/elasticsearch/certs# ls
  2. ca elasticsearch1 http_ca.crt http.p12 transport.p12
  3. root@ubuntu2004:/etc/elasticsearch/certs# tree -L 2
  4. .
  5. ├── ca
  6. │   ├── ca.crt
  7. │   └── ca.key
  8. ├── elasticsearch1
  9. │   ├── elasticsearch1.crt
  10. │   └── elasticsearch1.key
  11. ├── http_ca.crt
  12. ├── http.p12
  13. └── transport.p12

请注意上面的 http_ca.crt,http.p12 及 transport.p12 是安装时默认生成的证书文件。

我们接下来修改证书文件的权限:

  1. chown -R root:elasticsearch ca
  2. chown -R root:elasticsearch elasticsearch1/
  1. root@ubuntu2004:/etc/elasticsearch# cd certs
  2. root@ubuntu2004:/etc/elasticsearch/certs# ls -alh
  3. total 40K
  4. drwxr-x--- 4 root elasticsearch 4.0K May 12 17:35 .
  5. drwxr-s--- 4 root elasticsearch 4.0K May 12 17:40 ..
  6. drwxr-xr-x 2 root root 4.0K May 12 17:35 ca
  7. drwxr-xr-x 2 root root 4.0K May 12 17:35 elasticsearch1
  8. -rw-rw---- 1 root elasticsearch 1.9K May 12 16:12 http_ca.crt
  9. -rw-rw---- 1 root elasticsearch 9.8K May 12 16:12 http.p12
  10. -rw-rw---- 1 root elasticsearch 5.7K May 12 16:12 transport.p12
  11. root@ubuntu2004:/etc/elasticsearch/certs# chown -R root:elasticsearch ca
  12. root@ubuntu2004:/etc/elasticsearch/certs# chown -R root:elasticsearch elasticsearch1/
  13. root@ubuntu2004:/etc/elasticsearch/certs# ls -alh
  14. total 40K
  15. drwxr-x--- 4 root elasticsearch 4.0K May 12 17:35 .
  16. drwxr-s--- 4 root elasticsearch 4.0K May 12 17:40 ..
  17. drwxr-xr-x 2 root elasticsearch 4.0K May 12 17:35 ca
  18. drwxr-xr-x 2 root elasticsearch 4.0K May 12 17:35 elasticsearch1
  19. -rw-rw---- 1 root elasticsearch 1.9K May 12 16:12 http_ca.crt
  20. -rw-rw---- 1 root elasticsearch 9.8K May 12 16:12 http.p12
  21. -rw-rw---- 1 root elasticsearch 5.7K May 12 16:12 transport.p12
  22. root@ubuntu2004:/etc/elasticsearch/certs# ls -alh ca
  23. total 16K
  24. drwxr-xr-x 2 root elasticsearch 4.0K May 12 17:35 .
  25. drwxr-x--- 4 root elasticsearch 4.0K May 12 17:35 ..
  26. -rw-r--r-- 1 root elasticsearch 1.2K May 12 17:35 ca.crt
  27. -rw-r--r-- 1 root elasticsearch 1.7K May 12 17:35 ca.key

配置 Elasticsearch 节点

在上面我们已经生成了 Elasticsearch 及 Kibana 的证书文件。我们接下来使用上面的文件来对 Elasticsearch 进行配置:

/etc/elasticsearch/elasticsearch.yml

  1. cluster.name: es-demo
  2. network.host: 192.168.0.8
  3. http.port: 9200
  4. # Enable security features
  5. xpack.security.enabled: true
  6. xpack.security.enrollment.enabled: true
  7. # Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
  8. xpack.security.http.ssl:
  9. enabled: true
  10. key: /etc/elasticsearch/certs/elasticsearch1/elasticsearch1.key
  11. certificate: /etc/elasticsearch/certs/elasticsearch1/elasticsearch1.crt
  12. certificate_authorities: /etc/elasticsearch/certs/ca/ca.crt
  13. verification_mode: certificate
  14. # Enable encryption and mutual authentication between cluster nodes
  15. xpack.security.transport.ssl:
  16. enabled: true
  17. key: /etc/elasticsearch/certs/elasticsearch1/elasticsearch1.key
  18. certificate: /etc/elasticsearch/certs/elasticsearch1/elasticsearch1.crt
  19. certificate_authorities: /etc/elasticsearch/certs/ca/ca.crt
  20. verification_mode: certificate

我们需要做如上的配置。

启动 Elasticsearch

我们使用如下的命令来启动 elasticsearch 服务:

  1. root@ubuntu2004:~# service elasticsearch status
  2. ● elasticsearch.service - Elasticsearch
  3. Loaded: loaded (/lib/systemd/system/elasticsearch.service; disabled; vendor preset: enabled)
  4. Active: inactive (dead)
  5. Docs: https://www.elastic.co
  6. root@ubuntu2004:~# service elasticsearch start
  7. root@ubuntu2004:~# service elasticsearch status
  8. ● elasticsearch.service - Elasticsearch
  9. Loaded: loaded (/lib/systemd/system/elasticsearch.service; disabled; vendor preset: enabled)
  10. Active: active (running) since Fri 2023-05-12 17:59:43 CST; 2s ago
  11. Docs: https://www.elastic.co
  12. Main PID: 29755 (java)
  13. Tasks: 79 (limit: 9379)
  14. Memory: 4.2G
  15. CGroup: /system.slice/elasticsearch.service
  16. ├─29755 /usr/share/elasticsearch/jdk/bin/java -Xms4m -Xmx64m -XX:+UseSerialGC -Dcli.name=server -Dcli.scri>
  17. ├─29814 /usr/share/elasticsearch/jdk/bin/java -Des.networkaddress.cache.ttl=60 -Des.networkaddress.cache.n>
  18. └─29840 /usr/share/elasticsearch/modules/x-pack-ml/platform/linux-aarch64/bin/controller
  19. May 12 17:59:34 ubuntu2004 systemd[1]: Starting Elasticsearch...
  20. May 12 17:59:43 ubuntu2004 systemd[1]: Started Elasticsearch.

我们可以看到 elasticsearch 服务已经启动。我们可以通过如下的命令来查看它的日志:

journalctl -u elasticsearch

我们使用如下的命令来检查安装是否成功:

curl -k -u elastic:xsYCh*5qOz7hSpkH-fHC https://192.168.0.8:9200

在上面,请用在安装时提供的 elastic 超级用户密码来进行替换:

  1. curl -k -u elastic:xsYCh*5qOz7hSpkH-fHC https://192.168.0.8:9200
  2. {
  3. "name" : "ubuntu2004",
  4. "cluster_name" : "es-demo",
  5. "cluster_uuid" : "2-rpYdtJQeOifbwljN2LHA",
  6. "version" : {
  7. "number" : "8.7.1",
  8. "build_flavor" : "default",
  9. "build_type" : "deb",
  10. "build_hash" : "f229ed3f893a515d590d0f39b05f68913e2d9b53",
  11. "build_date" : "2023-04-27T04:33:42.127815583Z",
  12. "build_snapshot" : false,
  13. "lucene_version" : "9.5.0",
  14. "minimum_wire_compatibility_version" : "7.17.0",
  15. "minimum_index_compatibility_version" : "7.0.0"
  16. },
  17. "tagline" : "You Know, for Search"
  18. }

很显然,我们的安装时成功的。

安装 Kibana

我们可以参考文章 “Kibana:使用 Debian 安装包来安装 Kibana 8.x” 来安装 Kibana。由于我们已经修改了 Elasticsearch 的证书,我们需要对 Kibana 进行配置。在运行如下的命令之后:

sudo apt-get update && sudo apt-get install kibana
  1. root@ubuntu2004:~# sudo apt-get update && sudo apt-get install kibana
  2. Hit:1 https://download.docker.com/linux/ubuntu focal InRelease
  3. Hit:2 https://artifacts.elastic.co/packages/8.x/apt stable InRelease
  4. Hit:3 http://ports.ubuntu.com/ubuntu-ports focal InRelease
  5. Get:4 http://ports.ubuntu.com/ubuntu-ports focal-updates InRelease [114 kB]
  6. Hit:5 http://ports.ubuntu.com/ubuntu-ports focal-backports InRelease
  7. Hit:6 http://ports.ubuntu.com/ubuntu-ports focal-security InRelease
  8. Fetched 114 kB in 2s (46.4 kB/s)
  9. Reading package lists... Done
  10. N: Skipping acquire of configured file 'stable/binary-aarch64/Packages' as repository 'https://download.docker.com/linux/ubuntu focal InRelease' doesn't support architecture 'aarch64'
  11. Reading package lists... Done
  12. Building dependency tree
  13. Reading state information... Done
  14. The following NEW packages will be installed:
  15. kibana
  16. 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  17. Need to get 255 MB of archives.
  18. After this operation, 716 MB of additional disk space will be used.
  19. Get:1 https://artifacts.elastic.co/packages/8.x/apt stable/main arm64 kibana arm64 8.7.1 [255 MB]
  20. Fetched 255 MB in 17s (14.9 MB/s)
  21. Selecting previously unselected package kibana.
  22. (Reading database ... 231678 files and directories currently installed.)
  23. Preparing to unpack .../kibana_8.7.1_arm64.deb ...
  24. Unpacking kibana (8.7.1) ...
  25. Setting up kibana (8.7.1) ...
  26. Restarting kibana service... OK

我们针对 Kibana 进行配置。首先,我们把证书拷贝过来:

  1. root@ubuntu2004:/usr/share/elasticsearch/config/certs# pwd
  2. /usr/share/elasticsearch/config/certs
  3. root@ubuntu2004:/usr/share/elasticsearch/config/certs# ls
  4. ca ca.zip certs.zip elasticsearch1 elasticsearch2 elasticsearch3 instances.yml kibana
  5. root@ubuntu2004:/usr/share/elasticsearch/config/certs# cp -R ca /etc/kibana/certs/
  6. root@ubuntu2004:/usr/share/elasticsearch/config/certs# cp -R kibana /etc/kibana/certs/

我们可以在 Kibana 的配置文件目录看到文件:

  1. root@ubuntu2004:/etc/kibana/certs# ls -alh
  2. total 16K
  3. drwxr-sr-x 4 root kibana 4.0K May 14 10:27 .
  4. drwxr-s--- 3 root kibana 4.0K May 14 10:22 ..
  5. drwxr-sr-x 2 root kibana 4.0K May 14 09:59 ca
  6. drwxr-sr-x 2 root kibana 4.0K May 12 18:17 kibana
  7. root@ubuntu2004:/etc/kibana/certs# tree -L 2
  8. .
  9. ├── ca
  10. │   ├── ca.crt
  11. │   └── ca.key
  12. └── kibana
  13. ├── kibana.crt
  14. └── kibana.key

我们可以利用上面的证书文件来配置 /etc/kibana/kibana.yml 文件。上面显示我们的证书文件的所有权是 root:kibana。如果你有不对的,请进行相应修改。

创建 elastic/kibana 服务账号

根据文档 https://www.elastic.co/guide/en/elasticsearch/reference/current/service-accounts.html,我们创建一个 elastic/kibana 服务账号。我们在 terminal 下打入如下的命令:

  1. root@ubuntu2004:/usr/share/elasticsearch/bin# ls
  2. elasticsearch elasticsearch-geoip elasticsearch-setup-passwords
  3. elasticsearch-certgen elasticsearch-keystore elasticsearch-shard
  4. elasticsearch-certutil elasticsearch-node elasticsearch-sql-cli
  5. elasticsearch-cli elasticsearch-plugin elasticsearch-sql-cli-8.7.1.jar
  6. elasticsearch-create-enrollment-token elasticsearch-reconfigure-node elasticsearch-syskeygen
  7. elasticsearch-croneval elasticsearch-reset-password elasticsearch-users
  8. elasticsearch-env elasticsearch-saml-metadata systemd-entrypoint
  9. elasticsearch-env-from-file elasticsearch-service-tokens
  10. root@ubuntu2004:/usr/share/elasticsearch/bin# ./elasticsearch-service-tokens --help
  11. Manages elasticsearch service account file-tokens
  12. Commands
  13. --------
  14. create - Create a file token for specified service account and token name
  15. delete - Remove a file token for specified service account and token name
  16. list - List file tokens for the specified service account
  17. Non-option arguments:
  18. command
  19. Option Description
  20. ------ -----------
  21. -E <KeyValuePair> Configure a setting
  22. -h, --help Show help
  23. -s, --silent Show minimal output
  24. -v, --verbose Show verbose output
  1. root@ubuntu2004:/usr/share/elasticsearch/bin# ./elasticsearch-service-tokens create elastic/kibana kibana-token
  2. SERVICE_TOKEN elastic/kibana/kibana-token = AAEAAWVsYXN0aWMva2liYW5hL2tpYmFuYS10b2tlbjpBQlVPWWpGRlNVQ2hhMWdlNzBpUXZn

我们记下这个 service token。将在下面的配置中使用。

我们是使用如下的命令来把上面的 service token 放进 keystore。我们可以在如下的地址发现已经存在一个叫做 kibana.keystore 的文件。我们无需去重新创建这个文件。

  1. root@ubuntu2004:/etc/kibana# ls
  2. certs kibana.keystore kibana.yml node.options

参考链接 https://www.elastic.co/guide/en/kibana/current/secure-settings.html。我们打入如下的命令:

root@ubuntu2004:/usr/share/kibana/bin# ./kibana-keystore list

上面显示还没有任何的值在里面。我们使用如下的命令:

  1. root@ubuntu2004:/usr/share/kibana/bin# pwd
  2. /usr/share/kibana/bin
  3. root@ubuntu2004:/usr/share/kibana/bin# ./kibana-keystore list
  4. root@ubuntu2004:/usr/share/kibana/bin# ./kibana-keystore add elasticsearch.serviceAccountToken
  5. Enter value for elasticsearch.serviceAccountToken: ************************************************************************
  6. root@ubuntu2004:/usr/share/kibana/bin# ./kibana-keystore list
  7. elasticsearch.serviceAccountToken

配置 Kibana

/etc/kibana/kibana.yml

  1. server.port: 5601
  2. server.host: "0.0.0.0"
  3. server.publicBaseUrl: "https://ubuntu2004:5601"
  4. server.ssl.enabled: true
  5. server.ssl.certificate: /etc/kibana/certs/kibana/kibana.crt
  6. server.ssl.key: /etc/kibana/certs/kibana/kibana.key
  7. elasticsearch.hosts: ["https://192.168.0.8:9200"]
  8. elasticsearch.ssl.verificationMode: full
  9. elasticsearch.ssl.certificateAuthorities: [/etc/kibana/certs/ca/ca.crt]

我们接下来启动 kibana 服务:

service kibana start

我们查看它的状态:

我们回到 Elasticsearch 的配置目录:

  1. root@ubuntu2004:/etc/elasticsearch# ls -al
  2. total 76
  3. drwxr-s--- 4 root elasticsearch 4096 May 12 18:41 .
  4. drwxr-xr-x 150 root root 12288 May 12 16:49 ..
  5. drwxr-x--- 4 root elasticsearch 4096 May 12 17:35 certs
  6. -rw-rw---- 1 root elasticsearch 536 May 12 16:12 elasticsearch.keystore
  7. -rw-rw---- 1 root elasticsearch 1042 Apr 27 12:37 elasticsearch-plugins.example.yml
  8. -rw-rw---- 1 root elasticsearch 4375 May 12 17:59 elasticsearch.yml
  9. -rw-rw---- 1 root elasticsearch 2623 Apr 27 12:37 jvm.options
  10. drwxr-s--- 2 root elasticsearch 4096 Apr 27 12:37 jvm.options.d
  11. -rw-rw---- 1 root elasticsearch 17770 Apr 27 12:37 log4j2.properties
  12. -rw-rw---- 1 root elasticsearch 473 Apr 27 12:37 role_mapping.yml
  13. -rw-rw---- 1 root elasticsearch 197 Apr 27 12:37 roles.yml
  14. -rw------- 1 root elasticsearch 140 May 12 18:41 service_tokens
  15. -rw-rw---- 1 root elasticsearch 0 Apr 27 12:37 users
  16. -rw-rw---- 1 root elasticsearch 0 Apr 27 12:37 users_roles
  17. root@ubuntu2004:/etc/elasticsearch# chown elasticsearch service_tokens
  18. root@ubuntu2004:/etc/elasticsearch# ls -alh
  19. total 76K
  20. drwxr-s--- 4 root elasticsearch 4.0K May 12 18:41 .
  21. drwxr-xr-x 150 root root 12K May 12 16:49 ..
  22. drwxr-x--- 4 root elasticsearch 4.0K May 12 17:35 certs
  23. -rw-rw---- 1 root elasticsearch 536 May 12 16:12 elasticsearch.keystore
  24. -rw-rw---- 1 root elasticsearch 1.1K Apr 27 12:37 elasticsearch-plugins.example.yml
  25. -rw-rw---- 1 root elasticsearch 4.3K May 12 17:59 elasticsearch.yml
  26. -rw-rw---- 1 root elasticsearch 2.6K Apr 27 12:37 jvm.options
  27. drwxr-s--- 2 root elasticsearch 4.0K Apr 27 12:37 jvm.options.d
  28. -rw-rw---- 1 root elasticsearch 18K Apr 27 12:37 log4j2.properties
  29. -rw-rw---- 1 root elasticsearch 473 Apr 27 12:37 role_mapping.yml
  30. -rw-rw---- 1 root elasticsearch 197 Apr 27 12:37 roles.yml
  31. -rw------- 1 elasticsearch elasticsearch 140 May 12 18:41 service_tokens
  32. -rw-rw---- 1 root elasticsearch 0 Apr 27 12:37 users
  33. -rw-rw---- 1 root elasticsearch 0 Apr 27 12:37 users_roles

修改过后,我们再次重新启动 elasticsearch 服务:

service elasticsearch restart

我们再次重新启动 kibana 服务:

service kibana restart

我们再查看 kibana 服务的状态:

这次我们没有看到错误信息了。

我们在浏览器中打入地址 https://localhost:5601

 

 

这样就成功地登录 Kibana 了。

声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/人工智能uu/article/detail/775761
推荐阅读
相关标签
  

闽ICP备14008679号