开发: C++知识库 Java知识库 JavaScript Python PHP知识库人工智能区块链大数据移动开发嵌入式开发工具数据结构与算法开发测试游戏开发网络协议系统运维
教程: HTML教程 CSS教程 JavaScript教程 Go语言教程 JQuery教程 VUE教程 VUE3教程 Bootstrap教程 SQL数据库教程 C语言教程 C++教程 Java教程 Python教程 Python3教程 C#教程
数码: 电脑笔记本显卡显示器固态硬盘硬盘耳机手机 iphone vivo oppo 小米华为单反装机图拉丁

-> 大数据 -> Elasticsearch集群配置密码（传统方式&Docker方式） -> 正文阅读

[大数据]Elasticsearch集群配置密码（传统方式&Docker方式）

????????在最低安全配置中添加密码保护后，需要配置传输层安全 (TLS)。传输层处理集群中节点之间的所有内部通信。如果集群有多个节点，那么您必须在节点之间配置 TLS。如果不启用 TLS，生产模式集群将不会启动。传输层依赖于双向 TLS 来加密和验证节点。正确应用 TLS 可确保恶意节点无法加入集群并与其他节点交换数据。虽然在 HTTP 层实现用户名和密码认证对于保护本地集群很有用，但节点之间的通信安全需要 TLS。在节点之间配置 TLS 是基本的安全设置，以防止未经授权的节点访问您的集群。

传统方式

集群安装Elasticsearch的安装（传统方式&docker方式）&整合Springboot_熟透的蜗牛的博客-CSDN博客

1、生成证书

./bin/elasticsearch-certutil ca

Please enter the desired output file [elastic-stack-ca.p12]:? 此处按回车键
Enter password for elastic-stack-ca.p12 :??输入密码 snail(也可以不输入)

2、集群中的任意一个节点生成证书和私钥

./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

Enter password for CA (elastic-stack-ca.p12) : 输入上面的密码
Please enter the desired output file [elastic-certificates.p12]:??回车

Enter password for elastic-certificates.p12 : 输入上面的密码

?3、此时已生成证书elastic-certificates.p12，将该证书复制到每一个节点的config目录下

/usr/local/elasticsearch/config

4、在每一个节点上存储密码

./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

?5、修改每一个节点elasticsearch.yml 注意不要有多余的空格

# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
#       Before you set out to tweak and tune the configuration, make sure you
#       understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
cluster.name: my-es
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
node.name: node-3
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
path.data: /usr/local/es/data
#
# Path to log files:
#
path.logs: /usr/local/es/logs
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
#bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# By default Elasticsearch is only accessible on localhost. Set a different
# address here to expose this node on the network:
#
network.host: 0.0.0.0
#
# By default Elasticsearch listens for HTTP traffic on the first free port it
# finds starting at 9200. Set a specific HTTP port here:
#
http.port: 9200
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
discovery.seed_hosts: ["192.168.139.160","192.168.139.161", "192.168.139.162"]
#
# Bootstrap the cluster using an initial set of master-eligible nodes:
#
cluster.initial_master_nodes: ["node-1", "node-2","node-3"]
#
# For more information, consult the discovery and cluster formation module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Require explicit names when deleting indices:
#
#action.destructive_requires_name: true
#设置密码
xpack.security.enabled: true
http.cors.allow-headers: Authorization
xpack.license.self_generated.type: basic
#设置单点模式
#discovery.type: single-node
#设置证书
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

6、授权证书文件


chown -R snail_es.es /usr/local/elasticsearch/

7、设置密码，请保证每个节点都在运行的状态

./bin/elasticsearch-setup-passwords interactive ?手动
./bin/elasticsearch-setup-passwords auto 自动

Changed password for user apm_system
PASSWORD apm_system = Yu0vjHZxkCBXuGnTM9VM

Changed password for user kibana_system
PASSWORD kibana_system = oNXyGWsWHLC3VllVb4Qb

Changed password for user kibana
PASSWORD kibana = oNXyGWsWHLC3VllVb4Qb

Changed password for user logstash_system
PASSWORD logstash_system = XFd1IoqZAgt7scdxwXN2

Changed password for user beats_system
PASSWORD beats_system = 1oENHpgMQLeLyiugkmRy

Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = bjGZqG7SxffKciVJRxsX

Changed password for user elastic
PASSWORD elastic = cGKuMaWGZLBaSSDW7qKX

elastic
一个内置的超级用户。
kibana_system
Kibana 用于连接 Elasticsearch 并与之通信的用户。
logstash_system
Logstash 在 Elasticsearch 中存储监控信息时使用的用户。
beats_system
Beats 在 Elasticsearch 中存储监控信息时使用的用户。
apm_system
APM 服务器在 Elasticsearch 中存储监控信息时使用的用户。
remote_monitoring_user
在 Elasticsearch 中收集和存储监控信息时使用的用户 Metricbeat。
它具有remote_monitoring_agent和 remote_monitoring_collector内置角色。

8、结束

Docker方式

1、创建挂载目录并授权

[root@localhost ~]# mkdir -p /data/es/{conf,data,logs,plugins}
#授权
[root@localhost ~]# chmod 777 -R /data/

2、进入容器生成证书

docker exec -it elasticsearch /bin/bash?

./bin/elasticsearch-certutil ca

#集群中的任意一个节点生成证书和私钥
./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

3、将证书复制到每个节点的config目录（挂载目录）

将证书复制到宿主机
#复制
docker cp elasticsearch:/usr/share/elasticsearch/elastic-certificates.p12 /root

4、将证书复制到每一个节点docker容器中

docker cp /data/es/conf/elastic-certificates.p12 

elasticsearch:/usr/share/elasticsearch/config

#存储密码 每一个节点都要执行
./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password

./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

5、修改配置文件跟上面配置文件一样

6、进入容器设置密码

docker exec -it elasticsearch /bin/bash?
./bin/elasticsearch-setup-passwords interactive ?手动
./bin/elasticsearch-setup-passwords auto 自动

7、重新启动容器或者新创建容器

docker run --name elasticsearch --privileged=true --net=host \
?-v /data/es/conf/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml \
?-v /data/es/data:/usr/share/elasticsearch/data \
?-v /data/es/logs:/usr/share/elasticsearch/logs \
?-v /data/es/plugins:/usr/share/elasticsearch/plugins \
?-d elasticsearch:7.14.2

8、结束