elasticsearch开启安全认证步骤

1.创建证书

1
2
3
4
5
进入到es主目录下执行
./bin/elasticsearch-certutil ca Elasticsearch开启安全认证详细步骤
第一个证书名称默认,直接回车
第二个输入密码,直接回车
完成后会生成一个文件:elastic-stack-ca.p12

2.根据生成的证书创建秘钥

1
2
./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
同样的步骤,一直回车下去会生成elastic-certificates.p12秘钥文件

3.开启认证

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
依次把elastic-certificates.p12文件复制到各个节点的config目录下并授权
chown -R elastic:elastic elastic-certificates.p12

vim elasticsearch.yml

cluster.name: test-es
node.name: node-1  #每个节点名称不同
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["es1", "es2", "es3"]
cluster.initial_master_nodes: ["es1", "es2", "es3"]
transport.tcp.port: 9300
http.cors.enabled: true
http.cors.allow-origin: "*"
cluster.routing.allocation.disk.watermark.flood_stage: 95%

#添加以下配置
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

4.启动es并创建密码

1
2
3
4
依次启动es之后在一个节点执行
./bin/elasticsearch-setup-passwords auto
会自动生成以下账户密码
elastic,apm_system,kibana,kibana_system,logstash_system,beats_system

至此ES开启认证完成