I. Preface
The previous article, docker安装elasticsearch7.16.3集群 (installing an Elasticsearch 7.16.3 cluster with Docker), left the cluster without any authentication, so anyone who can reach port 9200 can read and write every index. This article shows how to enable authentication on that cluster: X-Pack security with TLS on the transport (node-to-node) layer, passwords for the built-in users, and Kibana configured to log in.
II. Configuration
1. Attach to any one of the cluster's containers
docker exec -it <container ID> bash
2. Create a certificate authority for the Elasticsearch cluster (you are prompted for an output file name and a password; the default output is elastic-stack-ca.p12 in the Elasticsearch home directory)
bin/elasticsearch-certutil ca
3. Generate a certificate and private key for the cluster nodes (you are prompted for the CA password and for a password to protect the new file). The output is a single elastic-certificates.p12 that holds the node key, the node certificate and the CA certificate; all nodes share it, which is acceptable with the verification_mode: certificate setting used below, because that mode validates the certificate chain but does not check hostnames.
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
4. Copy the generated elastic-certificates.p12 into es{N}/data/cert for every node, so that inside each container it is visible at /usr/share/elasticsearch/data/cert/elastic-certificates.p12, the path the configuration below points to (the WinSCP transfer is omitted here).
5. Edit elasticsearch.yml under each es directory to enable authentication. The commented-out part is the stock template; the active settings at the end are the ones that matter:

```yaml
# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
#       Before you set out to tweak and tune the configuration, make sure you
#       understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
#cluster.name: my-application
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
#node.name: node-1
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
#path.data: /path/to/data
#
# Path to log files:
#
#path.logs: /path/to/logs
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
#bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
#network.host: 192.168.0.1
#network.host: 0.0.0.0
#
# Set a custom port for HTTP:
#
#http.port: 9200
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
#discovery.seed_hosts: ["host1", "host2"]
#
# Bootstrap the cluster using an initial set of master-eligible nodes:
#
#cluster.initial_master_nodes: ["node-1", "node-2"]
#
# For more information, consult the discovery and cluster formation module documentation.
#
# ---------------------------------- Gateway -----------------------------------
#
# Block initial recovery after a full cluster restart until N nodes are started:
#
#gateway.recover_after_nodes: 3
#
# For more information, consult the gateway module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Require explicit names when deleting indices:
#
#action.destructive_requires_name: true

network.host: 0.0.0.0          # sets both bind_host and publish_host
http.port: 9202                # REST client port
transport.tcp.port: 9300       # node-to-node port (deprecated name in 7.x; transport.port is the replacement)
node.master: true              # master role
node.data: true                # data role
# ingest role: pre-processes documents before indexing through pipelines, much like a filter
node.ingest: true
# (node.master / node.data / node.ingest are deprecated since 7.9 in favour of node.roles)
node.max_local_storage_nodes: 1
http.cors.enabled: true        # CORS
# CORS: any origin may call the REST API from a browser; this is tolerable only
# while http.cors.allow-credentials stays at its default of false
http.cors.allow-origin: "*"
# enable X-Pack authentication
xpack.security.enabled: true
# enable TLS on the transport (node-to-node) layer. REST traffic on 9202 stays
# plaintext unless xpack.security.http.ssl.enabled is set as well
xpack.security.transport.ssl.enabled: true
# certificate mode: the chain is validated, hostnames are not, so one shared certificate works
xpack.security.transport.ssl.verification_mode: certificate
# certificate paths (the file copied in step 4)
xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/data/cert/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/data/cert/elastic-certificates.p12
```
6. If you set a password when generating the certificate, add it to the Elasticsearch keystore on every node (do this before starting the cluster, because it is awkward to change afterwards). The keystore lives in the config directory; if elasticsearch.keystore does not exist yet, the command offers to create it. The same password goes into both settings, since the keystore and the truststore are the same PKCS#12 file:
bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
7. Replace elasticsearch.yml under each node's es/config directory with the edited file
8. Restart the cluster
9. Attach to any container in the cluster and set the passwords for all built-in users (elastic, kibana_system, logstash_system, beats_system, apm_system, remote_monitoring_user). This command can only be run once, because it consumes the bootstrap password; later changes go through the security API or Kibana.
bin/elasticsearch-setup-passwords interactive
10. Edit kibana.yml and replace the copy under /usr/kibana/config. "123456" is a placeholder for the password chosen in step 9. Note that elastic is the superuser; a Kibana instance only needs the kibana_system account, whose password you also set in step 9, so prefer that one outside a lab:
elasticsearch.username: "elastic"
elasticsearch.password: "123456"
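The script below is an added example, not part of the original post or of Elastic's tooling. It runs steps 2 to 6 without interactive prompts (the --silent, --pass, --ca-pass, --stdin and --force flags belong to elasticsearch-certutil and elasticsearch-keystore in 7.x), audits an elasticsearch.yml for the settings step 5 requires and for the ones the post leaves out, and after step 9 checks from the outside that anonymous requests are rejected. It assumes three containers named es1, es2 and es3, host directories ./es1, ./es2 and ./es3 mounted at /usr/share/elasticsearch/data, the REST port 9202 published on localhost, and that passing the PKCS#12 password as a command-line argument is acceptable (it is visible in the process list, so this suits a lab, not production). None of those names come from the post.

```shell
#!/bin/sh
# Added example (not the post's code). Non-interactive version of steps 2-6,
# plus checks for step 5 and step 9. Assumed names: es1/es2/es3 containers,
# ./esN host directories, REST on localhost:9202.
set -eu

ES_BIN=/usr/share/elasticsearch/bin
CERT_NAME=elastic-certificates.p12

# Steps 2 and 3: CA plus one shared node certificate, created inside one container.
# One PKCS#12 for all nodes is enough because verification_mode: certificate
# validates the chain but not the hostname.
generate_certs() {
  container=$1; p12_pass=$2
  docker exec "$container" "$ES_BIN/elasticsearch-certutil" ca --silent \
    --out /tmp/elastic-stack-ca.p12 --pass "$p12_pass"
  docker exec "$container" "$ES_BIN/elasticsearch-certutil" cert --silent \
    --ca /tmp/elastic-stack-ca.p12 --ca-pass "$p12_pass" \
    --out "/tmp/$CERT_NAME" --pass "$p12_pass"
  docker cp "$container:/tmp/$CERT_NAME" "./$CERT_NAME"
  # The CA private key is only needed to issue more certificates; do not leave it in the container.
  docker exec "$container" rm -f /tmp/elastic-stack-ca.p12 "/tmp/$CERT_NAME"
}

# Step 4: copy the certificate into every node's data/cert directory on the host
# (replaces the WinSCP transfer).
distribute_cert() {
  for dir in "$@"; do
    mkdir -p "$dir/data/cert"
    cp "./$CERT_NAME" "$dir/data/cert/$CERT_NAME"
  done
}

# Step 6: store the PKCS#12 password in each node's keystore. --stdin replaces the
# prompt; --force creates the keystore when the image has none and overwrites an old value.
add_secure_passwords() {
  p12_pass=$1; shift
  for container in "$@"; do
    for key in xpack.security.transport.ssl.keystore.secure_password \
               xpack.security.transport.ssl.truststore.secure_password; do
      printf '%s\n' "$p12_pass" | docker exec -i "$container" \
        "$ES_BIN/elasticsearch-keystore" add --stdin --force "$key"
    done
  done
}

# Step 5 check: fail if any setting the post enables is missing; warn about the
# two settings worth revisiting before production. Returns 0 only when all required lines exist.
audit_yml() {
  f=$1; rc=0
  for setting in 'xpack.security.enabled: true' \
                 'xpack.security.transport.ssl.enabled: true' \
                 'xpack.security.transport.ssl.keystore.path:' \
                 'xpack.security.transport.ssl.truststore.path:'; do
    grep -Eq "^[[:space:]]*$setting" "$f" || { echo "MISSING: $setting"; rc=1; }
  done
  # Without HTTP TLS the passwords Kibana and curl send on 9202 travel in clear text.
  grep -Eq '^[[:space:]]*xpack.security.http.ssl.enabled: true' "$f" \
    || echo "WARN: xpack.security.http.ssl.enabled is not true; REST credentials go in plaintext"
  # The post's CORS wildcard is tolerable only while allow-credentials stays false.
  if grep -Eq '^[[:space:]]*http.cors.allow-origin: "\*"' "$f"; then
    echo "WARN: http.cors.allow-origin is \"*\""
  fi
  return $rc
}

# Step 9 check: an anonymous request must get 401, a credentialed one must get 200.
verify_auth() {
  url=$1; user=$2; pass=$3
  code=$(curl -s -o /dev/null -w '%{http_code}' "$url/_cluster/health" || true)
  [ "$code" = 401 ] || { echo "expected 401 without credentials, got $code"; return 1; }
  code=$(curl -s -o /dev/null -w '%{http_code}' -u "$user:$pass" "$url/_cluster/health" || true)
  [ "$code" = 200 ] || { echo "authenticated request failed with $code"; return 1; }
  echo "authentication enforced on $url"
}

case "${1:-}" in
  certs)  generate_certs es1 "$2"; distribute_cert es1 es2 es3; add_secure_passwords "$2" es1 es2 es3 ;;
  audit)  audit_yml "$2" ;;
  verify) verify_auth "${2:-http://localhost:9202}" elastic "$3" ;;
  *)      echo "usage: $0 certs <p12-password> | audit <elasticsearch.yml> | verify [url] <elastic-password>" ;;
esac
```

Run `sh es-auth.sh certs <p12-password>` before the restart in step 8, `sh es-auth.sh audit es1/config/elasticsearch.yml` against each node's file, and `sh es-auth.sh verify http://localhost:9202 <elastic-password>` after step 9. The audit deliberately only warns about the missing HTTP TLS rather than failing, because the post's configuration does not enable it; turning it on (xpack.security.http.ssl.enabled with its own keystore) is the natural next step once authentication works.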
Reference: https://zhuanlan.zhihu.com/p/91821035