[Big Data] elasticsearch-7.4.2 + opendistro authentication configuration
No. | Device | Deployed applications | Path
1 | 192.168.1.54 | JDK bundled with elasticsearch, elasticsearch-7.4.2, opendistro plugins, kibana | /data/apps
2 | 192.168.1.67 | JDK bundled with elasticsearch, elasticsearch-7.4.2, opendistro plugins | /data/apps
3 | 192.168.1.59 | JDK bundled with elasticsearch, elasticsearch-7.4.2, opendistro plugins | /data/apps
4 | 192.168.1.63 | JDK bundled with elasticsearch, elasticsearch-7.4.2, opendistro plugins | /data/apps

4. Application list

1. Installation steps

Add the ES admin user:

    groupadd elasticsearch && useradd -d /home/elasticsearch -m elasticsearch -g elasticsearch

Set up the data storage directories:

    mkdir -p /data{0..10}/es && chown -R elasticsearch:elasticsearch /data{0..10}/es

Create the application directory:

    mkdir -p /data/apps

Raise the open file handle limits:

    echo "* soft nofile 1000000" >> /etc/security/limits.conf
    echo "* hard nofile 1000000" >> /etc/security/limits.conf
    echo "* soft nproc 1000000" >> /etc/security/limits.conf
    echo "* hard nproc 1000000" >> /etc/security/limits.conf
    echo "* soft memlock unlimited" >> /etc/security/limits.conf
    echo "* hard memlock unlimited" >> /etc/security/limits.conf
    sed -i 's/4096/1000000/' /etc/security/limits.d/20-nproc.conf

Kernel parameter settings:

    cat >> /etc/sysctl.conf << EOF
    net.ipv4.conf.all.send_redirects=0
    net.ipv4.conf.default.send_redirects=0
    net.ipv4.conf.all.accept_redirects=0
    net.ipv4.conf.default.accept_redirects=0
    net.ipv4.conf.all.secure_redirects=0
    net.ipv4.conf.default.secure_redirects=0
    net.ipv4.conf.all.rp_filter=1
    net.ipv4.conf.default.rp_filter=1
    net.ipv6.conf.all.accept_ra=0
    net.ipv6.conf.default.accept_ra=0
    net.ipv6.conf.all.accept_redirects=0
    net.ipv6.conf.default.accept_redirects=0
    net.ipv4.tcp_tw_reuse = 1
    # tcp_tw_recycle was removed in Linux 4.12; on newer kernels sysctl -p reports an error for this key
    net.ipv4.tcp_tw_recycle = 1
    net.ipv4.tcp_fin_timeout=10
    net.ipv4.tcp_max_syn_backlog = 32768
    net.ipv4.tcp_max_tw_buckets = 180000
    net.ipv4.tcp_rmem = 4096 87380 4194304
    net.ipv4.tcp_wmem = 4096 16384 4194304
    net.core.wmem_default = 8388608
    net.core.rmem_default = 8388608
    net.core.rmem_max = 16777216
    net.core.wmem_max = 16777216
    net.core.netdev_max_backlog = 500000
    fs.nr_open = 2500000
    vm.zone_reclaim_mode = 0
    vm.max_map_count = 655360
    vm.swappiness=0
    EOF

Apply the settings:

    sysctl -p

Download locations:

1. elasticsearch downloads: https://www.elastic.co/cn/downloads/past-releases#elasticsearch
2. kibana downloads: https://www.elastic.co/cn/downloads/past-releases#kibana
3. Huawei mirror site (China): https://mirrors.huaweicloud.com/

Download on one of the nodes. Download elasticsearch and kibana:

    cd /data/apps
    wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.4.2-linux-x86_64.tar.gz
    wget https://artifacts.elastic.co/downloads/kibana/kibana-7.4.2-linux-x86_64.tar.gz
    tar -zxvf elasticsearch-7.4.2-linux-x86_64.tar.gz
    tar -zxvf kibana-7.4.2-linux-x86_64.tar.gz

Set ownership for elasticsearch:

    ln -s /data/apps/elasticsearch-7.4.2 /data/apps/elasticsearch
    chown elasticsearch:elasticsearch -R /data/apps/elasticsearch-7.4.2
    chown elasticsearch:elasticsearch -R /data/apps/elasticsearch

Change the JDK environment to use the JDK bundled with elasticsearch 7.x:

    cd /data/apps/elasticsearch
    vim bin/elasticsearch

Add the following above the line source "`dirname "$0"`"/elasticsearch-env:

    # use the JDK bundled with elasticsearch
    export JAVA_HOME=/data/apps/elasticsearch/jdk
    export PATH=$JAVA_HOME/bin:$PATH
    # check that the JDK is present
    if [ -x "$JAVA_HOME/bin/java" ]; then
        JAVA="/data/apps/elasticsearch/jdk/bin/java"
    else
        JAVA=`which java`
    fi

Download the opendistro encryption-related plugins for elasticsearch:

    mkdir -p pack   # create the download directory
    cd pack

Download the opendistro encryption-related plugins for kibana:

    wget -N https://d3g5vo6xdbdb9a.cloudfront.net/downloads/kibana-plugins/opendistro-alerting/opendistro-alerting-1.4.0.0.zip

Download the commonly used elasticsearch plugins:

    wget -N https://artifacts.elastic.co/downloads/elasticsearch-plugins/analysis-icu/analysis-icu-7.4.2.zip
    wget -N https://artifacts.elastic.co/downloads/elasticsearch-plugins/analysis-kuromoji/analysis-kuromoji-7.4.2.zip
    wget -N https://artifacts.elastic.co/downloads/elasticsearch-plugins/analysis-nori/analysis-nori-7.4.2.zip
    wget -N https://artifacts.elastic.co/downloads/elasticsearch-plugins/ingest-attachment/ingest-attachment-7.4.2.zip
    wget -N https://github.com/medcl/elasticsearch-analysis-pinyin/releases/download/v7.4.2/elasticsearch-analysis-pinyin-7.4.2.zip
    wget -N https://github.com/medcl/elasticsearch-analysis-stconvert/releases/download/v7.4.2/elasticsearch-analysis-stconvert-7.4.2.zip

Install the opendistro encryption plugins from the es installation directory:

    su - elasticsearch -c "cd /data/apps/elasticsearch && bin/elasticsearch-plugin install file:///data/apps/elasticsearch/pack/opendistro_sql-1.4.0.0.zip"
    su - elasticsearch -c "cd /data/apps/elasticsearch && bin/elasticsearch-plugin install file:///data/apps/elasticsearch/pack/opendistro_alerting-1.4.0.0.zip"
    su - elasticsearch -c "cd /data/apps/elasticsearch && bin/elasticsearch-plugin install file:///data/apps/elasticsearch/pack/opendistro_security-1.4.0.0.zip"

Install the commonly used plugins from the es installation directory:

    su - elasticsearch -c "cd /data/apps/elasticsearch && bin/elasticsearch-plugin install file:///data/apps/elasticsearch/pack/analysis-icu-7.4.2.zip"
    su - elasticsearch -c "cd /data/apps/elasticsearch && bin/elasticsearch-plugin install file:///data/apps/elasticsearch/pack/analysis-kuromoji-7.4.2.zip"
    su - elasticsearch -c "cd /data/apps/elasticsearch && bin/elasticsearch-plugin install file:///data/apps/elasticsearch/pack/analysis-nori-7.4.2.zip"
    su - elasticsearch -c "cd /data/apps/elasticsearch && bin/elasticsearch-plugin install file:///data/apps/elasticsearch/pack/elasticsearch-analysis-ik-7.4.2.zip"
    su - elasticsearch -c "cd /data/apps/elasticsearch && bin/elasticsearch-plugin install file:///data/apps/elasticsearch/pack/ingest-attachment-7.4.2.zip"
    su - elasticsearch -c "cd /data/apps/elasticsearch && bin/elasticsearch-plugin install file:///data/apps/elasticsearch/pack/elasticsearch-analysis-pinyin-7.4.2.zip"
    su - elasticsearch -c "cd /data/apps/elasticsearch && bin/elasticsearch-plugin install file:///data/apps/elasticsearch/pack/elasticsearch-analysis-stconvert-7.4.2.zip"

Install the opendistro encryption plugins in the kibana directory:

    cd /data/apps
    ln -s /data/apps/kibana-7.4.2-linux-x86_64 /data/apps/kibana
    chown elasticsearch:elasticsearch -R /data/apps/kibana-7.4.2-linux-x86_64
    chown elasticsearch:elasticsearch -R /data/apps/kibana
    # kibana must run as a non-root user
    su - elasticsearch -c "cd /data/apps/kibana && bin/kibana-plugin install file:///data/apps/elasticsearch/pack/opendistro-alerting-1.4.0.0.zip"
    su - elasticsearch -c "cd /data/apps/kibana && bin/kibana-plugin install file:///data/apps/elasticsearch/pack/opendistro_security_kibana_plugin-1.4.0.0.zip"

Creating certificates

Certificate notes

opendistro ships with test certificates. For a test setup, run the script below to complete the configuration:

    sh plugins/opendistro_security/tools/install_demo_configuration.sh
    # once it finishes, elasticsearch can be started directly for testing

To create your own SSL certificates, use the commands below:

    # Root CA
    openssl genrsa -out root-ca-key.pem 2048
    openssl req -new -x509 -sha256 -key root-ca-key.pem -subj "/DC=com/DC=example/O=Example Com Inc./OU=Example Com Inc. Root CA/CN=Example Com Inc. Root CA" -out root-ca.pem -days 36500

    # Node cert
    openssl genrsa -out esnode-key-temp.pem 2048
    openssl pkcs8 -inform PEM -outform PEM -in esnode-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out esnode-key.pem
    openssl req -new -key esnode-key.pem -subj "/DC=de/L=test/O=node/OU=node/CN=192.168.1.54.example.com" -out esnode.csr
    openssl x509 -req -in esnode.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out esnode.pem -days 36500

    # Admin cert
    openssl genrsa -out kirk-key-temp.pem 2048
    openssl pkcs8 -inform PEM -outform PEM -in kirk-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out kirk-key.pem
    openssl req -new -key kirk-key.pem -subj "/C=de/L=test/O=client/OU=client/CN=kirk" -out kirk.csr
    openssl x509 -req -in kirk.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out kirk.pem -days 36500

Configuration file fragment:

    ########################stop x-pack############################################
    xpack.security.enabled: false
    xpack.monitoring.enabled: false
    xpack.monitoring.collection.enabled: false
    xpack.ml.enabled: false
    ################################################################################
    ######## Start OpenDistro for Elasticsearch Security Demo Configuration ########
    # WARNING: revise all the lines below before you go into production
    opendistro_security.ssl.transport.pemcert_filepath: esnode.pem
    opendistro_security.ssl.transport.pemkey_filepath: esnode-key.pem
    opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
    opendistro_security.ssl.transport.enforce_hostname_verification: false
    opendistro_security.ssl.http.enabled: false  # disable HTTPS for REST requests (REST traffic, including credentials, is then unencrypted)
    opendistro_security.ssl.http.pemcert_filepath: esnode.pem
    opendistro_security.ssl.http.pemkey_filepath: esnode-key.pem
    opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
    opendistro_security.allow_unsafe_democertificates: true
    opendistro_security.allow_default_init_securityindex: true
    opendistro_security.authcz.admin_dn:
      - CN=kirk,OU=client,O=client,L=test, C=de
    opendistro_security.nodes_dn:
      - CN=*.example.com,OU=node,O=node,L=test,DC=de  # the * is a wildcard pattern match
    opendistro_security.audit.type: internal_elasticsearch
    opendistro_security.enable_snapshot_restore_privilege: true
    opendistro_security.check_snapshot_restore_write_privileges: true
    opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
    cluster.routing.allocation.disk.threshold_enabled: false
    node.max_local_storage_nodes: 3
    ######## End OpenDistro for Elasticsearch Security Demo Configuration ########

Copy these to the other machines and apply them there.
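An added check, not part of the original post: the `-subj` strings passed to openssl list their components in the reverse order of the DN strings in `admin_dn` and `nodes_dn`, so this Python script converts the page's subjects, compares them with the configured entries, and lists the demo values the fragment's own WARNING asks you to revise. The helper names are made up for the example, and `fnmatch` with whitespace stripped around commas is an assumed approximation of the plugin's DN matching.

```python
import fnmatch
# Constructed sample: values copied from this page's openssl commands and config fragment.
NODE_SUBJ = "/DC=de/L=test/O=node/OU=node/CN=192.168.1.54.example.com"
ADMIN_SUBJ = "/C=de/L=test/O=client/OU=client/CN=kirk"
CONFIG = """\
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: false
opendistro_security.allow_unsafe_democertificates: true
opendistro_security.authcz.admin_dn:
  - CN=kirk,OU=client,O=client,L=test, C=de
opendistro_security.nodes_dn:
  - CN=*.example.com,OU=node,O=node,L=test,DC=de
"""
P = "opendistro_security."
# Demo values to revisit before production (the fragment carries that WARNING itself).
TEST_ONLY = {P + "ssl.http.enabled": "false", P + "allow_unsafe_democertificates": "true",
             P + "ssl.transport.enforce_hostname_verification": "false"}

def subj_to_dn(subj):  # openssl -subj order is reversed in the DN string form
    return ",".join(reversed([p for p in subj.split("/") if p]))

def norm(dn):  # strip whitespace around commas: 'L=test, C=de' == 'L=test,C=de'
    return ",".join(part.strip() for part in dn.split(","))

def parse(text):
    """Minimal reader for flat 'key: value' lines and '- item' lists (not full YAML)."""
    conf, key = {}, None
    for line in (raw.split(" #")[0].strip() for raw in text.splitlines()):
        if line.startswith("- ") and key:
            conf.setdefault(key, []).append(line[2:].strip())
        elif line and not line.startswith("#"):
            key, _, val = (s.strip() for s in line.partition(":"))
            if val:
                conf[key] = val
    return conf

def audit(config_text, node_subj, admin_subj):
    """Return findings; fnmatch stands in for the plugin's wildcard matching (assumption)."""
    conf = parse(config_text)
    out = [f"{k}: {v} (demo value)" for k, v in TEST_ONLY.items() if conf.get(k) == v]
    node_dn, admin_dn = subj_to_dn(node_subj), subj_to_dn(admin_subj)
    if not any(fnmatch.fnmatchcase(node_dn, norm(p)) for p in conf.get(P + "nodes_dn", [])):
        out.append(f"node DN {node_dn} matches no nodes_dn entry")
    if admin_dn not in map(norm, conf.get(P + "authcz.admin_dn", [])):
        out.append(f"admin DN {admin_dn} is not listed in admin_dn")
    return out

if __name__ == "__main__":
    print("\n".join(audit(CONFIG, NODE_SUBJ, ADMIN_SUBJ)))
```

On a real host, feed `subj_to_dn` the subject you actually passed to `openssl req`, or skip it and pass the output of `openssl x509 -in esnode.pem -noout -subject -nameopt RFC2253` with the `subject=` prefix removed.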