elasticsearch使用x-pack安全驗(yàn)證

elasticsearch、kibana、logstash版本：7.3.2

#使用es自帶工具生成CA及證書
ES_HOME=/usr/local/elasticsearch
$ES_HOME/bin/elasticsearch-certutil?ca
$ES_HOME/bin/elasticsearch-certutil?cert?--ca?elastic-stack-ca.p12
mkdir?$ES_HOME/config/certs?&&?mv?$ES_HOME/elastic-*?$ES_HOME/config/certs

復(fù)制證書到其他es節(jié)點(diǎn)

#es配置文件(es1為例)
elasticsearch.yml
cluster.name:?my-es
node.name:?es-1
node.master:?true?
node.data:?true
node.ingest:?false
path.data:?/usr/local/elasticsearch/data/
path.logs:?/usr/local/elasticsearch/log/
network.host:?0.0.0.0
http.port:?9200
transport.port:?9300
transport.compress:?true
discovery.seed_hosts:?["192.168.3.100:9300","192.168.3.101:9300","192.168.3.102:9300"]
cluster.initial_master_nodes:?["192.168.3.100:9300","192.168.3.101:9300","192.168.3.102:9300"]
#head插件
http.cors.enabled:?true
http.cors.allow-origin:?"*"
#開啟安全功能
xpack.security.enabled:?true
#集群內(nèi)部通信加密
xpack.security.transport.ssl.enabled:?true
xpack.security.transport.ssl.verification_mode:?certificate
xpack.security.transport.ssl.keystore.path:?certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path:?certs/elastic-certificates.p12

#使用systemd管理es
/usr/lib/systemd/system/elasticsearch.service
[Unit]
Description=Elasticsearch
Documentation=http://www.elastic.co
Wants=network-online.target
After=network-online.target
[Service]
User=es
Group=es
LimitNOFILE=100000
LimitNPROC=100000
ExecStart=/usr/local/elasticsearch/bin/elasticsearch
[Install]
WantedBy=multi-user.target

#啟動es集群；設(shè)置默認(rèn)賬戶密碼
#自動生成密碼
$ES_HOME/bin/elasticsearch-setup-passwords?auto

#手動設(shè)置密碼
$ES_HOME/bin/elasticsearch-setup-passwords?interactive

#Kibana相關(guān)證書
Kibana_HOME=/usr/local/kibana
#kibana連接es加密需要使用pem證書
cd??$ES_HOME/config/certs
#證書轉(zhuǎn)換
openssl?pkcs12?-in?elastic-certificates.p12?-out?elastic-certificates.pem?-nodes
mkdir?$Kibana_HOME/config/certs?&&?mv?elastic-certificates.pem?$Kibana_HOME/config/certs
#https證書
$ES_HOME/bin/elasticsearch-certutil?ca?--pem
mv?$ES_HOME/elastic-stack-ca.zip?$Kibana_HOME/config/certs?&&?unzip?$Kibana_HOME/config/certs/elastic-stack-ca.zip

#kibana配置文件
kibana.yml
server.host:?"192.168.3.102"
elasticsearch.hosts:?["http://192.168.3.102:9200","http://192.168.3.101:9200","http://192.168.3.102:9200"]
elasticsearch.username:?"kibana"
elasticsearch.password:?"ukCAClFof70DU5mWnHC7"
logging.dest:?/usr/local/kibana/log/kibana.log
logging.quiet:?true
#啟用https訪問kibana；使用私有證書會有訪問日志報錯的問題
#server.ssl.enabled:?true
#server.ssl.certificate:?/usr/local/kibana/config/certs/ca/ca.crt
#server.ssl.key:?/usr/local/kibana/config/certs/ca/ca.key
#啟用elasticsearch連接加密
elasticsearch.ssl.certificateAuthorities:?[?"/usr/local/kibana/config/certs/elastic-certificates.pem"?]
elasticsearch.ssl.verificationMode:?certificate

#systemd管理kibana
/usr/lib/systemd/system/kibana.service
[Unit]
Description=Kinaba
Documentation=http://www.elastic.co
Wants=network-online.target
After=network-online.target
[Service]
User=kibana
Group=kibana
ExecStart=/usr/local/kibana/bin/kibana
[Install]
WantedBy=multi-user.target

#logstash示例
input?{
??stdin?{
??}
}
output?{
??elasticsearch?{
????hosts?=>?["http://192.168.3.100:9200","http://192.168.3.101:9200","http://192.168.3.102:9200"]
????index?=>?"test-%{+YYYY.MM.dd}"
????user?=>?"elastic"
????password?=>?"HkqZIHZsuXSv6B5OwqJ7"
??}
}

使用PKCS12配置logstash=>es安全加密未成功(有大佬成功的話私信或者評論下)，可以參考下面鏈接使用PEM方式來完成各組件之間的安全通信

https://www.elastic.co/cn/blog/configuring-ssl-tls-and-https-to-secure-elasticsearch-kibana-beats-and-logstash#step-5-2

參考：

https://www.elastic.co/guide/en/elastic-stack-overview/7.3/ssl-tls.html

https://www.elastic.co/guide/en/elasticsearch/reference/7.3/configuring-security.html

https://www.elastic.co/guide/en/kibana/7.3/using-kibana-with-security.html

https://www.elastic.co/guide/en/kibana/7.3/configuring-tls.html