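Notes:
1) Security requirements call for password-authenticated access.
2) Setting up password authentication differs between an ES cluster and a single node.
3) There are two ways to reset the elastic password.
4) Pay attention to the ES version and the order of the steps.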
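【Password authentication for a single-node Elasticsearch】
Part 1: single-node ES authentication (version 7.4.2)

# Edit the configuration file
http.cors.enabled: true
# "*" accepts cross-origin requests from any origin; list specific origins where possible
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true

# Restart the ES service
systemctl restart elasticsearch.service
systemctl status elasticsearch.service

# Generate the passwords
bin/elasticsearch-setup-passwords interactive

# Set the ES credentials
Account: elastic
Password: xxxx

# Reset the password
Notes:
1) If the current elastic password is known, run the following command:
# (7.x also serves this API at _security/user/elastic/_password; the _xpack prefix is deprecated)
curl -H "Content-Type:application/json" -XPOST -u elastic 'http://x.x.x.x:9200/_xpack/security/user/elastic/_password' -d '{ "password" : "xxxx" }'

# List the master and other nodes
http://x.x.x.x:9200/_cat/nodes?v

# List the indices
http://x.x.x.x:9200/_cat/indices?v

# Verify access
http://x.x.x.x:9200/_cat
Account: elastic
Password: xxxx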
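
【Password authentication for an Elasticsearch cluster】
Part 2: password authentication for an elastic cluster (version 7.4.2)

1. Set up the SSL certificates (run on one ES node only)
cd /usr/local/elasticsearch/
mkdir config/certs
# Generate the CA certificate; leave the password empty (just press Enter)
bin/elasticsearch-certutil ca
# Generate the node certificate and key
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
# Note: *.p12 also matches elastic-stack-ca.p12 (the CA private key), so the zip below carries it to every node
mv *.p12 config/certs
# Fix ownership
chown -R bgyuser:bgyuser /usr/local/elasticsearch/*
# Zip the certs directory and copy it to the remaining ES nodes
cd /usr/local/elasticsearch/config/
zip -r certs.zip certs

2. Add the keystore passwords on the ES nodes
bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
Notes:
1) Leave the password empty (just press Enter).
2) Both commands must be run on every ES node.

3. Add the following settings to elasticsearch.yml
# Set to true to enable the X-Pack security features
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
# Path to the elastic-certificates.p12 file
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
Notes:
1) Every ES node needs this change; watch the SSL certificate path and file permissions.

4. Restart the ES service
systemctl restart elasticsearch.service
systemctl status elasticsearch.service

5. Set the passwords manually
Notes:
1) Confirm that the ES service has started normally on every node in the cluster.
2) Run the following commands on one ES node only.
3) All accounts can be given the same password; a successful run is shown in the figure below:
cd /usr/local/elasticsearch/
bin/elasticsearch-setup-passwords interactive
# Set the ES credentials
Account: elastic
Password: xxxx

6. Verify access
http://x.x.x.x:9200/_cat
Account: elastic
Password: xxx
# List the master and other nodes
curl -X GET -u elastic "http://x.x.x.x:9200/_cat/nodes?v" -H 'Content-Type: application/json'

7. Reset the elastic password (method 1)
# (7.x also serves this API at _security/user/elastic/_password; the _xpack prefix is deprecated)
curl -H "Content-Type:application/json" -XPOST -u elastic 'http://x.x.x.x:9200/_xpack/security/user/elastic/_password' -d '{ "password" : "xxxx" }'
Notes:
1) This command resets the password when the current elastic password is known.

8. Reset the elastic password (method 2)
# Change the following setting in elasticsearch.yml
xpack.security.enabled: false
# Restart the ES service
systemctl restart elasticsearch.service
systemctl status elasticsearch.service
# Look up the .security-7 index
curl -X GET "http://x.x.x.x:9200/_cat/indices" -H 'Content-Type: application/json' | grep "security-7"
# Delete the .security-7 index
curl -X DELETE http://x.x.x.x:9200/.security-7
Response:
{"acknowledged":true}
Notes:
1) The .security-7 index was deleted successfully.
2) The .security-7 index holds all native users and roles, so deleting it removes every account and role, not only the elastic password; while xpack.security.enabled is false the cluster accepts unauthenticated requests.
# Change the following setting in elasticsearch.yml
xpack.security.enabled: true
# Restart the ES service
systemctl restart elasticsearch.service
systemctl status elasticsearch.service
# Set the passwords manually
cd /usr/local/elasticsearch/
bin/elasticsearch-setup-passwords interactive
# Set the ES credentials
Account: elastic
Password: new password
Notes:
1) The forgotten ES password has now been reset.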
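
A per-node check for the elasticsearch.yml settings and the certificate path and permission points raised in the cluster section above. This is an added example, not part of the original post; the function names es_setting and audit_es_node and the FAIL/WARN output format are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit one node's config directory against the cluster settings.
# Prints one finding per line and nothing when the node passes.

# Read a flat "key: value" setting from elasticsearch.yml (last occurrence wins).
es_setting() {  # usage: es_setting <yml> <key>
  awk -v k="$2" '
    /^[ \t]*#/ { next }
    { i = index($0, ":"); if (i == 0) next
      key = substr($0, 1, i - 1); val = substr($0, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t"]+|[ \t"]+$/, "", val)
      if (key == k) found = val }
    END { print found }' "$1"
}

audit_es_node() {  # usage: audit_es_node <config_dir>
  local dir="$1" yml="$1/elasticsearch.yml" key val p12
  [ -r "$yml" ] || { echo "MISSING $yml"; return; }
  for key in xpack.security.enabled xpack.security.transport.ssl.enabled; do
    val=$(es_setting "$yml" "$key")
    [ "$val" = "true" ] || echo "FAIL $key is '${val:-unset}', expected true"
  done
  val=$(es_setting "$yml" xpack.security.transport.ssl.verification_mode)
  case "$val" in
    certificate|full|"") ;;   # unset falls back to the default, full
    *) echo "FAIL verification_mode is '$val'" ;;
  esac
  for key in keystore truststore; do
    val=$(es_setting "$yml" "xpack.security.transport.ssl.$key.path")
    [ -n "$val" ] || { echo "FAIL $key.path is unset"; continue; }
    case "$val" in /*) p12="$val" ;; *) p12="$dir/$val" ;; esac  # relative to config dir
    if [ ! -f "$p12" ]; then
      echo "FAIL $key.path: $p12 not found"
    elif [ -n "$(find "$p12" -perm -004)" ]; then
      echo "WARN $key.path: $p12 is world-readable"
    fi
  done
  # Wildcard CORS, as in the single-node config, lets any origin send Authorization.
  [ "$(es_setting "$yml" http.cors.allow-origin)" != "*" ] ||
    echo "WARN http.cors.allow-origin is \"*\""
}

# Run against a config directory when one is given, e.g. /usr/local/elasticsearch/config
[ $# -eq 0 ] || audit_es_node "$1"
```

Running it on each node after copying certs.zip catches a node whose elasticsearch.yml was missed or whose .p12 file landed in the wrong place.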
[Figure 1 and Figure 2: images not included]