Elasticsearch 7.2 — 开启x-pack认证

关于 elasticsearch 7.2 的 x-pack 安全认证的东西我折腾了好久，遇到各种报错，很多都没记录下来，新东西坑比较多，折腾出来了才发现，原来是这样......以下仅供个人学习记录，话不多说，进入正文......

#### 简述

**为什么做es集群的身份认证**

Elasticsearch 在默认安装后，不提供任何形式的安全防护。生产环境中，错误的配置 network.host 导致公网可以访问ES集群，造成ES裸奔，当然，就是为了安全才做的啦

**网上一些免费的方案**

- 设置 Nginx 反向代理，具体可以参考我的[上一篇博客](https://erica.kkwen.cn/admin/write-post.php?cid=231 "上一篇博客")。但是呢，个人认为这种方式不太适合多机器的es集群呢

- 安装免费的 Security 插件，具体的我没有实际操作过，所以就不多说了，提供一些参考链接

Search Guard

https://search-guard.com/

ReadOnly REST

https://github.com/sscarduzio/elasticsearch-readonlyrest-plugin

https://deepmind.t-salon.cc/article/1780

- X-Pack 的 Basic 版本，这也是今天的主题啦

2019年5月21日 es 7.x 开始，免费开放了一些的基础安全功能,如Security，具体不同版本的对比见下面的链接

https://www.elastic.co/cn/subscriptions

https://www.elastic.co/cn/what-is/elastic-stack-security

![](https://erica.kkwen.cn/usr/uploads/2019/08/622820843.png)

**身份认证 — Authentication**

一般的认证类型包括 提供用户名和密码 或者 提供密钥等，x-pack中使用的是Realms的认证服务，内置的Realms之免费的，用户名和密码保存在es中，而外部的Realms是收费的

**RBAC —— Role-based access control**

**RBAC**：即基于角色的访问控制，定义角色，分配权限，将角色分配给用户，构造成“用户-角色-权限”的授权模型，从而使这些用户拥有这些权限。

![](https://erica.kkwen.cn/usr/uploads/2019/08/3865565115.png)

```
User	The authenticated User
Role	A named set of permissions
Group	one or more groups to which a user belongs
Permission	A set of one or more privileges against a secured resource
Privilege	A named group of 1 or more actions that user may execute against a secured resource
		Cluster privileges(https://www.elastic.co/guide/en/elastic-stack-overview/7.2/security-privileges.html#privileges-list-cluster)
			all / monitor / manager / manage_index / manage_index_template / manage_rollup
		Indices privilegesedit(https://www.elastic.co/guide/en/elastic-stack-overview/7.2/security-privileges.html#privileges-list-indices)
			all / create / create_index / delete / delete_index / index / manage / read /write / view_index_metadata

```

**内置用户和角色**

| 用户                   | 角色                                                         |
| ---------------------- | ------------------------------------------------------------ |
| elastic                | Super user                                                   |
| kibana                 | The user that is used by Kibana to connect and communicate with Elasticsearch. |
| logstash_system        | The user that is used by Logstash when storing monitoring information in Elasticsearch. |
| beats_system           | The user that the different Beats use when storing monitoring information in Elasticsearch. |
| apm_system             | The user that the APM server uses when storing monitoring information in Elasticsearch. |
| remote_monitoring_user | The user that is used by Metricbeat when collecting and storing monitoring information in Elasticsearch |

**Security API**

Security API 文档链接：https://www.elastic.co/guide/en/elasticsearch/reference/7.2/security-api-put-user.html

- **创建用户**

```
POST /_security/user/jacknich
{
  "password" : "j@rV1s",
  "roles" : [ "admin", "other_role1" ],
  "full_name" : "Jack Nicholson",
  "email" : "jacknich@example.com",
  "metadata" : {
    "intelligence" : 7
  }
}
```

#### 配置x-pack 的TLS和身份认证

**官方文档**：https://www.elastic.co/cn/blog/getting-started-with-elasticsearch-security

#### **环境**

```
docker version: 18.09.7
docker-compose version: 1.24.1
CentOS: 7.6.1810
Elasticsearch集群IP:
	master 192.168.0.3
	slave  192.168.0.4
```

**master节点 192.168.0.3**

因为各节点的证书需要一致，可以先构建一个基础镜像A，生成好证书，基于镜像A在进行后面的操作

我这里选择证书挂载出来，再上传到从节点上去，略显笨拙，欢迎大家有的办法分享给我呀

- 创建文件夹 certs并赋予777权限 用于挂载到容器中

```
[root@7a /data/elk/es7-master]# mkdir certs && chmod -R 777 certs
```

- 创建数据挂载卷目录，并给777权限

```
[root@7a /data/elk/es7-master]# mkdir -p /data/els/{data,logs}
[root@7a /data/elk/es7-master]# chmod -R 777 /data/els
```

- 目录结构

```
├── certs
│   └── elastic-certificates.p12
├── config
│   └── elasticsearch.yml
└── docker-compose.yml
```

- elasticsearch.yml

```
cluster.name: myels

node.name: master
node.master: true
node.data: true
network.host: 0.0.0.0
network.publish_host: 192.168.0.3
http.port: 9200
transport.tcp.port: 9300

discovery.seed_hosts:
  - 192.168.0.4:9301

cluster.initial_master_nodes:
  - master

path.data: /usr/share/elasticsearch/data
path.logs: /usr/share/elasticsearch/logs

http.cors.enabled: true
http.cors.allow-origin: "*"

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
```

- docker-compose.yml

```
version: '3'
services:
  es:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.2.0
    container_name: master
    environment:
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    user: elasticsearch
    command:
      - /bin/sh
      - -c
      - |
        /usr/share/elasticsearch/bin/elasticsearch-certutil cert -out /usr/share/elasticsearch/config/certs/elastic-certificates.p12 -pass ""
         elasticsearch
    volumes:
      - /data/els/data:/usr/share/elasticsearch/data
      - /data/els/logs:/usr/share/elasticsearch/logs
      - ./config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - /etc/localtime:/etc/localtime
      - ./certs/:/usr/share/elasticsearch/config/certs/
    ports:
      - 9200:9200
      - 9300:9300
```

- 启动

```
[root@7a /data/elk/es7-master]# docker-compose up -d
```

- 将certs目录面 elastic-certificates.p12 上传到 192.168.0.4机器上

```
[root@7a /data/elk/es7-master]# scp  certs/elastic-certificates.p12 root@192.168.0.4:/data/elk/es7-slave
```

- 创建集群密码，进入容器中执行命令

```
[root@7a /data/elk/es7-master]# docker exec -it master /bin/bash
$ bin/elasticsearch-setup-passwords auto # 自动创建密码
或者
$ bin/elasticsearch-setup-passwords interactive # 手动创建密码
```

**slave 节点 192.168.0.4**

- 目录结构

```
├── certs
│   └── elastic-certificates.p12
├── config
│   └── elasticsearch.yml
└── docker-compose.yml

```

- 创建文件夹 certs并赋予777权限 用于挂载到容器中

```
[root@7b /data/elk/es7-master]# mkdir certs
[root@7b /data/elk/es7-master]# mv elastic-certificates.p12 certs
[root@7b /data/elk/es7-master]# chmod -R 777 certs
```

- 创建数据挂载卷目录，并给777权限

```
[root@7b /data/elk/es7-master]# mkdir -p /data/els/{data,logs}
[root@7b /data/elk/es7-master]# chmod -R 777 /data/els
```

- elasticsearch.yml

```
cluster.name: "myels"
node.name: "slave"

node.master: false
node.data: true

network.host: 0.0.0.0
http.port: 9201
transport.tcp.port: 9301
network.publish_host: 192.168.0.4

path.data: /usr/share/elasticsearch/data
path.logs: /usr/share/elasticsearch/logs

# 需要注意的是，此配置文件中使用9301作为内部通信端口，所以下面的discovery.seed_hosts写192.168.0.3机器的时候要带上9200端口，不然默认就是9301，造成无法发现master节点
discovery.seed_hosts: ["192.168.0.3:9300"]
cluster.initial_master_nodes:
  - master

http.cors.enabled: true
http.cors.allow-origin: "*"

- docker-compose.yml

```
version: '3'
services:
  es:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.2.0
    container_name: slave
    environment:
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    volumes:
      - /data/els/data:/usr/share/elasticsearch/data
      - /data/els/logs:/usr/share/elasticsearch/logs
      - ./config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./certs/:/usr/share/elasticsearch/config/certs/
    ports:
      - 9201:9201
      - 9301:9301
```

- 启动即可

```
[root@7b /data/elk/es7-master]# docker-compose up -d
```

#### 附 Dockerfile

上面没有添加es分词插件之类的，如果想要添加插件，可以使用挂载的方式或者使用Dockerfile，下面是直接使用Dockerfile开启x-pack，按需修改

```
FROM elasticsearch:7.2.0
LABEL maintainer="Erica"

ENV LANG C.UTF-8
ENV TIMEZONE Asia/Shanghai

ADD ./config/elasticsearch.yml /usr/share/elasticsearch/config/elasticsearch.yml
ADD plugins /usr/share/elasticsearch/plugins
RUN ln -snf /usr/share/zoneinfo/$TIMEZONE /etc/localtime && echo $TIMEZONE > /etc/timezone
USER elasticsearch 
RUN mkdir /usr/share/elasticsearch/config/certs/ && /usr/share/elasticsearch/bin/elasticsearch-certutil cert -out /usr/share/elasticsearch/config/certs/elastic-certificates.p12 -pass ""

EXPOSE 9100 9200 9300
CMD ["elasticsearch"]
```

#### 参考

```
https://www.elastic.co/cn/blog/getting-started-with-elasticsearch-security
https://www.elastic.co/guide/en/elasticsearch/reference/7.2/security-api-put-user.html
https://www.elastic.co/guide/en/elastic-stack-overview/7.2/authorization.html
https://www.elastic.co/guide/en/elasticsearch/reference/7.2/security-api.html
https://github.com/sscarduzio/elasticsearch-readonlyrest-plugin
https://deepmind.t-salon.cc/article/1780
https://www.elastic.co/cn/subscriptions
https://www.elastic.co/cn/what-is/elastic-stack-security
```

Elasticsearch 7.2 — 开启x-pack认证

发表评论取消回复

sqlalchemy.exc.InternalError 1071

linux基础命令

centos7中shadowsocks的安装和配置

Question:SettingWithCopyWarning: A value is trying to be set on a copy of a slice from a DataFrame

eval()

centos7 yum install mongodb

gogs私服搭建笔记

es开启x-pack认证之后，eshead无法访问

docker笔记(1)——docker安装、原理、基础命令

Question:SettingWithCopyWarning: A value is trying to be set on a copy of a slice from a DataFrame

发表评论 取消回复

发表评论取消回复