ElasticSearch 7创建用户

一背景介绍

我们直接安装的ES默认是没有账号与密码的，输入ES服务器的ip:端口，直接就能返回结果，非常不安全：

因此需要设置账号密码。

我这里的实验环境：

二创建用户

2.1 在ES节点上设置用户密码

2.1.1 在其中一个节点上生成认证文件

必须要生成认证文件，且ES配置文件里要引用这些生成的认证文件，否则启动ES的时候，日志会报错：Caused by: javax.net.ssl.SSLHandshakeException: No available authentication scheme。

虽然ES看起来启动成功了，但是集群状态是异常的。

2.1.1.1 生成CA证书

[EsUser@localhost ~]$ elasticsearch-certutil ca

……

Please enter the desired output file [elastic-stack-ca.p12]: #这里直接回车即可

Enter password for certs : #这里直接回车即可，不要设置密码

设置完毕后，会在/usr/local/elasticsearch-7.6.2下看到新生成的文件：

elastic-stack-ca.p12

假如在生成证书的时候设置了密码，会导致无法启动ES，报错：

ElasticsearchSecurityException[failed to load SSL configuration [xpack.security.transport.ssl]]; nested: ElasticsearchException[failed to create trust manager]; nested: ElasticsearchException[failed to initialize SSL TrustManager]; nested: IOException[keystore password was incorrect]; nested: UnrecoverableKeyException[failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.];

Likely root cause: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.

2.1.1.2 生成p12证书

#使用第一步生成的证书，生成p12秘钥

elasticsearch-certutil cert --ca elastic-stack-ca.p12

下面三项直接回车即可：

……

Enter password for CA (elastic-stack-ca.p12) :

Please enter the desired output file [elastic-certificates.p12]:

Enter password for elastic-certificates.p12 : #这里直接回车即可，不要设置密码，否则后面ES会启动不了

Certificates written to /usr/local/elasticsearch-7.6.2/elastic-certificates.p12

设置完毕后，会在/usr/local/elasticsearch-7.6.2下看到新生成的文件：

elastic-certificates.p12

#拷贝p12秘钥文件

cd /usr/local/ElasticSearch/config

mkdir certs

cp /usr/local/elasticsearch-7.6.2/elastic-certificates.p12 certs/

2.1.2 将p12认证文件拷贝到其他节点上

示例：

scp /usr/local/ElasticSearch/config/certs/elastic-certificates.p12 192.168.144.202:/usr/local/ElasticSearch/config/certs/elastic-certificates.p12

scp /usr/local/ElasticSearch/config/certs/elastic-certificates.p12 192.168.144.245:/usr/local/ElasticSearch/config/certs/elastic-certificates.p12

2.1.3 修改所有ES节点的配置文件

vi /usr/local/ElasticSearch/config/elasticsearch.yml

添加：

1
2
3
4
5
6
7
8
9

xpack.security.enabled: true

xpack.security.transport.ssl.enabled: true

xpack.security.transport.ssl.verification_mode: certificate

xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12

xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

2.1.4 重启各ES节点

关闭命令略。

启动命令：elasticsearch -d

2.1.5 设置密码

#前提条件

想要成功设置密码的话，必须确保集群状态正常才行,否则密码设置会失败。

/usr/local/ElasticSearch/bin/elasticsearch-setup-passwords interactive

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41

Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.

You will be prompted to enter passwords as the process progresses.

Please confirm that you would like to continue [y/N]y

Enter password for [elastic]:

Reenter password for [elastic]:

Enter password for [apm_system]:

Reenter password for [apm_system]:

Enter password for [kibana]:

Reenter password for [kibana]:

Enter password for [logstash_system]:

Reenter password for [logstash_system]:

Enter password for [beats_system]:

Reenter password for [beats_system]:

Enter password for [remote_monitoring_user]:

Reenter password for [remote_monitoring_user]:

Changed password for user [apm_system]

Changed password for user [kibana]

Changed password for user [logstash_system]

Changed password for user [beats_system]

Changed password for user [remote_monitoring_user]

Changed password for user [elastic]