Elasticsearch access control

# Install Elasticsearch
# Raise the kernel limit on memory-mapped areas (this is not a thread limit): with network.host set to a non-loopback address the production bootstrap checks run, and Elasticsearch refuses to start if vm.max_map_count is below 262144
echo "vm.max_map_count=262144" >> /etc/sysctl.conf
sysctl -p

# Create the config directory
mkdir -p /etc/elasticsearch

# Create the data directory. The official image runs Elasticsearch as uid 1000, so give that uid ownership instead of making the directory world-writable
mkdir -p /data
chown 1000:0 /data
chmod 750 /data

# Create the config file
cat <<"EOF" >/etc/elasticsearch/elasticsearch.yml
cluster.name: "elasticsearch-cluster"
node.name: elasticsearch-node
# Listen on every interface; this is also what turns on the production bootstrap checks
network.host: 0.0.0.0
# CORS is only needed so that browser-based tools such as elasticsearch-head can call the REST API.
# "*" accepts requests from any web page; once the origin that serves elasticsearch-head is known, narrow allow-origin to it
http.cors.enabled: true
http.cors.allow-origin: "*"
node.master: true
node.data: true
EOF

# If the machine has little memory the JVM heap can be lowered; the file below is the jvm.options shipped with the image with only the heap size changed (256m is for a test box, not production)
cat <<"EOF" >/etc/elasticsearch/jvm.options
## JVM configuration

################################################################
## IMPORTANT: JVM heap size
################################################################
##
## You should always set the min and max JVM heap
## size to the same value. For example, to set
## the heap to 4 GB, set:
##
## -Xms4g
## -Xmx4g
##
## See https://www.elastic.co/guide/en/elasticsearch/reference/current/heap-size.html
## for more information
##
################################################################

# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space

-Xms256m
-Xmx256m

################################################################
## Expert settings
################################################################
##
## All settings below this section are considered
## expert settings. Don't tamper with them unless
## you understand what you are doing
##
################################################################

## GC configuration
8-13:-XX:+UseConcMarkSweepGC
8-13:-XX:CMSInitiatingOccupancyFraction=75
8-13:-XX:+UseCMSInitiatingOccupancyOnly

## G1GC Configuration
# NOTE: G1 GC is only supported on JDK version 10 or later
# to use G1GC, uncomment the next two lines and update the version on the
# following three lines to your version of the JDK
# 10-13:-XX:-UseConcMarkSweepGC
# 10-13:-XX:-UseCMSInitiatingOccupancyOnly
14-:-XX:+UseG1GC
14-:-XX:G1ReservePercent=25
14-:-XX:InitiatingHeapOccupancyPercent=30

## DNS cache policy
# cache ttl in seconds for positive DNS lookups noting that this overrides the
# JDK security property networkaddress.cache.ttl; set to -1 to cache forever
-Des.networkaddress.cache.ttl=60
# cache ttl in seconds for negative DNS lookups noting that this overrides the
# JDK security property networkaddress.cache.negative ttl; set to -1 to cache
# forever
-Des.networkaddress.cache.negative.ttl=10

## optimizations

# pre-touch memory pages used by the JVM during initialization
-XX:+AlwaysPreTouch

## basic

# explicitly set the stack size
-Xss1m

# set to headless, just in case
-Djava.awt.headless=true

# ensure UTF-8 encoding by default (e.g. filenames)
-Dfile.encoding=UTF-8

# use our provided JNA always versus the system one
-Djna.nosys=true

# turn off a JDK optimization that throws away stack traces for common
# exceptions because stack traces are important for debugging
-XX:-OmitStackTraceInFastThrow

# flags to configure Netty
-Dio.netty.noUnsafe=true
-Dio.netty.noKeySetOptimization=true
-Dio.netty.recycler.maxCapacityPerThread=0

# log4j 2
-Dlog4j.shutdownHookEnabled=false
-Dlog4j2.disable.jmx=true

-Djava.io.tmpdir=${ES_TMPDIR}

## heap dumps

# generate a heap dump when an allocation from the Java heap fails
# heap dumps are created in the working directory of the JVM
-XX:+HeapDumpOnOutOfMemoryError

# specify an alternative path for heap dumps; ensure the directory exists and
# has sufficient space
-XX:HeapDumpPath=data

# specify an alternative path for JVM fatal error logs
-XX:ErrorFile=logs/hs_err_pid%p.log

## JDK 8 GC logging

8:-XX:+PrintGCDetails
8:-XX:+PrintGCDateStamps
8:-XX:+PrintTenuringDistribution
8:-XX:+PrintGCApplicationStoppedTime
8:-Xloggc:logs/gc.log
8:-XX:+UseGCLogFileRotation
8:-XX:NumberOfGCLogFiles=32
8:-XX:GCLogFileSize=64m

# JDK 9+ GC logging
9-:-Xlog:gc*,gc+age=trace,safepoint:file=logs/gc.log:utctime,pid,tags:filecount=32,filesize=64m
# due to internationalization enhancements in JDK 9 Elasticsearch need to set the provider to COMPAT otherwise
# time/date parsing will break in an incompatible way for some date patterns and locales
9-:-Djava.locale.providers=COMPAT

# temporary workaround for C2 bug with JDK 10 on hardware with AVX-512
10-:-XX:UseAVX=2
EOF

# Pull the image
docker pull elasticsearch:6.8.7
# Run. -p 9200:9200 publishes the port on every host interface, and host firewall rules on the INPUT chain (ufw and the like) do not apply to ports published by Docker, so 9200 is reachable from outside as soon as the container is up. Until security is enabled below, anyone who can reach it has full read and write access to every index; bind to a specific address (for example -p 172.24.35.68:9200:9200) if the API is not meant to be public
docker run -d --restart=always -p 9200:9200 -p 9300:9300 -v /etc/elasticsearch/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml -v /etc/elasticsearch/jvm.options:/usr/share/elasticsearch/config/jvm.options -v /data:/usr/share/elasticsearch/data --name elasticsearch elasticsearch:6.8.7

# Configure TLS for the transport layer (node-to-node traffic on 9300)
docker exec -it elasticsearch bash
# Generates a self-signed CA plus a node certificate signed by it and stores them in a single PKCS#12 file.
# -pass "" leaves the PKCS#12 unprotected; with a real password it would also have to go into the Elasticsearch keystore as xpack.security.transport.ssl.keystore.secure_password
bin/elasticsearch-certutil cert -out config/elastic-certificates.p12 -pass ""
exit
# Copy the certificate file to the host
docker cp elasticsearch:/usr/share/elasticsearch/config/elastic-certificates.p12 /etc/elasticsearch/elastic-certificates.p12
# docker cp creates the file as root. It contains the node's private key, so hand it to uid 1000 (the elasticsearch user inside the image) and keep it unreadable by everyone else
chown 1000:0 /etc/elasticsearch/elastic-certificates.p12
chmod 640 /etc/elasticsearch/elastic-certificates.p12

# Edit the Elasticsearch config and add the settings below.
# This turns on authentication for the REST API and TLS between nodes. verification_mode: certificate checks that a peer's certificate chains to the CA in the truststore but does not check hostnames, which is why one file can be shared by every node.
# Port 9200 stays plain HTTP, so the Basic auth credentials used from here on cross the network in the clear; TLS for the REST API is a separate set of settings (xpack.security.http.ssl.*)
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

# Redeploy with the certificate mounted into the container
docker stop elasticsearch
docker rm elasticsearch
docker run -d --restart=always -p 9200:9200 -p 9300:9300 -v /etc/elasticsearch/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml -v /etc/elasticsearch/jvm.options:/usr/share/elasticsearch/config/jvm.options -v /etc/elasticsearch/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12 -v /data:/usr/share/elasticsearch/data --name elasticsearch elasticsearch:6.8.7

# Set the passwords of the built-in users (random, or typed in interactively). Run one of the two commands, not both: the tool authenticates with the bootstrap password and therefore works only once; afterwards passwords are changed through Kibana or the change-password API
docker exec -it elasticsearch bash
bin/elasticsearch-setup-passwords auto # generate random passwords
bin/elasticsearch-setup-passwords interactive # enter them by hand

Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
The passwords will be randomly generated and printed to the console.
Please confirm that you would like to continue [y/N]y


Changed password for user apm_system
PASSWORD apm_system = QG0I9LS9ytRKXOEwzeHs

Changed password for user kibana
PASSWORD kibana = hwc02uXgKdHgQPqAQbIL

Changed password for user logstash_system
PASSWORD logstash_system = njSslSbuVPfPLb3HCbj2

Changed password for user beats_system
PASSWORD beats_system = UCAwd9Y6ZMEZVTV1OrZ4

Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = gmCVf8oFC3BaxOBI2M0f

Changed password for user elastic
PASSWORD elastic = mCO21RPJQYBmAze7x5R0

# To build a cluster, start the other nodes the same way; each of them needs the same elastic-certificates.p12 and the same xpack.security settings, otherwise it cannot join

# Access test
# An unauthenticated request is rejected with 401 and a Basic challenge
curl localhost:9200
{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication token for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"missing authentication token for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401}

# With credentials the request succeeds
curl localhost:9200/ --user elastic:mCO21RPJQYBmAze7x5R0
{
  "name" : "elasticsearch-node",
  "cluster_name" : "elasticsearch-cluster",
  "cluster_uuid" : "ESg1ZrTiSsOeNeWCQmJNdg",
  "version" : {
    "number" : "6.8.7",
    "build_flavor" : "default",
    "build_type" : "docker",
    "build_hash" : "c63e621",
    "build_date" : "2020-02-26T14:38:01.193138Z",
    "build_snapshot" : false,
    "lucene_version" : "7.7.2",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}

# Check cluster health
curl localhost:9200/_cat/health?v --user elastic:mCO21RPJQYBmAze7x5R0
epoch      timestamp cluster               status node.total node.data shards pri relo init unassign pending_tasks max_task_wait_time active_shards_percent
1585486040 12:47:20  elasticsearch-cluster green           1         1      1   1    0    0        0             0                  -                100.0%
# List indices. The users created by setup-passwords live in the .security-6 index (passwords are stored as hashes), so that index deserves the same backup and access care as the data
curl localhost:9200/_cat/indices?v --user elastic:mCO21RPJQYBmAze7x5R0      
health status index       uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   .security-6 ECm7arRxRLqY0meJFf5ppA   1   0          6            0       19kb           19kb
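The two responses above (a 401 security_exception versus the open banner with cluster name and version) are exactly what an audit of exposed Elasticsearch ports looks for. The script below is an added example, not part of the original post: it classifies the answer to GET / and, for an open cluster, lists the indices that anyone can read. The function names, the five-second timeout and the sample responses used to check it are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): decide from GET / whether an
# Elasticsearch endpoint is open, protected by X-Pack security, or unreachable.
# Plain POSIX sh + curl, no jq, so it runs on a bare host.

# classify_es_response HTTP_CODE BODY -> prints open | protected | unreachable | unknown
classify_es_response() {
  code=$1
  body=$2
  case "$code" in
    ''|000)
      # curl reports 000 when no HTTP response arrived (closed port, timeout, TLS failure)
      echo unreachable ;;
    401)
      # X-Pack security enabled: a security_exception plus a Basic challenge, as shown above
      if printf '%s' "$body" | grep -q '"type":"security_exception"'; then
        echo protected
      else
        echo unknown   # some other 401, e.g. a reverse proxy in front of the cluster
      fi ;;
    200)
      # No authentication at all: the banner with cluster name and version is served to anyone
      if printf '%s' "$body" | grep -q '"tagline"'; then
        echo open
      else
        echo unknown   # 200 from something that is not Elasticsearch
      fi ;;
    *)
      echo unknown ;;
  esac
}

# banner_field NAME BODY -> value of the string field NAME in the banner JSON
# (each field of interest, cluster_name and number, occurs exactly once in the banner)
banner_field() {
  printf '%s' "$2" | tr -d '\n' |
    sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# audit_es URL -> one-line verdict; for an open cluster also lists the indices anyone can read
audit_es() {
  url=$1
  body=$(curl -s -m 5 "$url/" 2>/dev/null)
  code=$(curl -s -m 5 -o /dev/null -w '%{http_code}' "$url/" 2>/dev/null)
  verdict=$(classify_es_response "$code" "$body")
  case "$verdict" in
    open)
      echo "$url: OPEN - cluster '$(banner_field cluster_name "$body")' version $(banner_field number "$body") answers without credentials"
      # Without authentication every index is readable and writable; list them so the finding is concrete
      curl -s -m 5 "$url/_cat/indices?h=index,docs.count,store.size" 2>/dev/null ;;
    protected)
      echo "$url: protected - 401 security_exception, credentials required" ;;
    *)
      echo "$url: $verdict (HTTP ${code:-none})" ;;
  esac
}

# Usage: sh es_audit.sh http://localhost:9200 [more URLs...]
for target in "$@"; do
  audit_es "$target"
done
```

Run it against every address the node is published on, not only localhost: because Docker publishes the port past the host's INPUT-chain rules, the verdict from outside is the one that matters.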

# Install Kibana
# Generate the Kibana config file
mkdir -p /etc/kibana
cat <<"EOF" >/etc/kibana/kibana.yml
# ** THIS IS AN AUTO-GENERATED FILE **
#

# Default Kibana configuration for docker target
server.name: kibana
server.host: "0"
elasticsearch.hosts: [ "http://172.24.35.68:9200" ]
xpack.monitoring.ui.container.elasticsearch.enabled: true
# Kibana authenticates to Elasticsearch as the built-in kibana user with the password printed by setup-passwords above
elasticsearch.username: "kibana"
elasticsearch.password: "hwc02uXgKdHgQPqAQbIL"
EOF
# The file now holds a password. The Kibana image runs as uid 1000, so make it readable by that user only rather than world-writable
chown 1000:0 /etc/kibana/kibana.yml
chmod 640 /etc/kibana/kibana.yml

# Pull the image
docker pull kibana:6.8.7

# Run
docker run -d --restart=always --name=kibana -p 5601:5601 -v /etc/kibana/kibana.yml:/usr/share/kibana/config/kibana.yml kibana:6.8.7

# Access test: open port 5601 in a browser; with security enabled Kibana now presents a login page instead of the dashboards
# Install elasticsearch-head

# Download and unpack the source
wget https://codeload.github.com/mobz/elasticsearch-head/zip/master -O elasticsearch-head-master.zip
unzip elasticsearch-head-master.zip
cd elasticsearch-head-master

# Build the elasticsearch-head image
docker build -t elasticsearch-head:alpine -f Dockerfile-alpine .
Sending build context to Docker daemon  3.027MB
Step 1/6 : FROM node:alpine
 ---> 483343d6c5f5
Step 2/6 : WORKDIR /usr/src/app
 ---> Using cache
 ---> 6a4ff9cfd803
Step 3/6 : RUN npm install http-server
 ---> Using cache
 ---> d70acd0b5ac3
Step 4/6 : COPY . .
 ---> 9754e9da891e
Step 5/6 : EXPOSE 9100
 ---> Running in d1e07d5c93a9
Removing intermediate container d1e07d5c93a9
 ---> 89573a689ca3
Step 6/6 : CMD node_modules/http-server/bin/http-server _site -p 9100
 ---> Running in 7f6987a0240f
Removing intermediate container 7f6987a0240f
 ---> 9d4f61595780
Successfully built 9d4f61595780
Successfully tagged elasticsearch-head:alpine
# Run. The head UI itself has no login; anyone who can reach 9100 gets the page, and it is the Elasticsearch credentials typed into it that control what can be done
docker run -d --restart=always -p 9100:9100 --name=elasticsearch-head elasticsearch-head:alpine

# Edit the Elasticsearch config: head sends the Basic Authorization header from the browser, so CORS has to allow that header through
http.cors.allow-headers: Authorization,X-Requested-With,Content-Length,Content-Type

# Restart Elasticsearch (elasticsearch.yml is bind-mounted, so a restart picks up the change)
docker restart elasticsearch

# Access test
# elasticsearch-head runs in the browser, which connects to Elasticsearch on 9200 directly and turns these two parameters into a Basic Authorization header. The password is therefore exposed in the browser history and in any proxy or access log that records the URL, and it crosses the network in plain HTTP on every request. Prefer a dedicated read-only account over elastic for this
http://59.110.233.231:9100/?auth_user=elastic&auth_password=mCO21RPJQYBmAze7x5R0
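The head URL above hands the elastic superuser password to a browser tool that only ever reads. The script below is an added example, not part of the original post nor of elasticsearch-head: it creates a role head_readonly and a user head_viewer through the 6.x security API (the /_xpack/security/ prefix), then checks that the new account can list indices but is refused when it tries to create one. ES_URL, ES_ADMIN, the role and user names and the privilege set are this example's own choices; ES_ADMIN defaults to the elastic password printed by setup-passwords above.

```shell
#!/bin/sh
# Added example (not from the original post): a least-privilege account for
# elasticsearch-head instead of the elastic superuser, via the 6.x security API.
# ES_URL / ES_ADMIN are assumptions for this example; override them in the environment.
ES_URL="${ES_URL:-http://localhost:9200}"
ES_ADMIN="${ES_ADMIN:-elastic:mCO21RPJQYBmAze7x5R0}"

# Role body: may inspect cluster state and stats and read index data and mappings, nothing else.
# No "write", "create_index" or "manage" privilege, so the UI cannot modify or delete anything.
head_role_json() {
  cat <<'EOF'
{
  "cluster": ["monitor"],
  "indices": [
    { "names": ["*"], "privileges": ["read", "view_index_metadata", "monitor"] }
  ]
}
EOF
}

# User body bound to that role; $1 = password
head_user_json() {
  printf '{"password": "%s", "roles": ["head_readonly"], "full_name": "elasticsearch-head viewer"}\n' "$1"
}

# 20-character password from /dev/urandom, restricted to [A-Za-z0-9] so it needs no
# escaping in JSON and none in the head URL query string
gen_password() {
  pw=''
  while [ ${#pw} -lt 20 ]; do
    pw="$pw$(head -c 64 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9')"
  done
  printf '%s' "$pw" | head -c 20
}

# One authenticated call as the admin account; $1 = method, $2 = path, body on stdin
es_api() {
  curl -s -u "$ES_ADMIN" -H 'Content-Type: application/json' -X "$1" "$ES_URL$2" -d @-
}

# Create role and user, print the generated password
create_head_user() {
  pw=$(gen_password)
  head_role_json | es_api PUT /_xpack/security/role/head_readonly >/dev/null
  head_user_json "$pw" | es_api PUT /_xpack/security/user/head_viewer >/dev/null
  echo "$pw"
}

# Verify least privilege: listing indices succeeds (200), creating one is refused (403)
verify_head_user() {
  pw=$1
  read_code=$(curl -s -o /dev/null -w '%{http_code}' -u "head_viewer:$pw" "$ES_URL/_cat/indices")
  write_code=$(curl -s -o /dev/null -w '%{http_code}' -u "head_viewer:$pw" -X PUT "$ES_URL/should-not-exist")
  echo "read=$read_code write=$write_code"
  [ "$read_code" = 200 ] && [ "$write_code" = 403 ]
}

# Usage: sh head_user.sh create
case "${1:-}" in
  create)
    pw=$(create_head_user)
    verify_head_user "$pw" && echo "head_viewer password: $pw" ;;
esac
```

After `sh head_user.sh create` the head URL becomes ?auth_user=head_viewer&auth_password=<printed password>; a leaked head URL then exposes a read-only account rather than the superuser. The password still travels in the URL and over plain HTTP, which only TLS on the REST API fixes.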
# References
https://www.elastic.co/cn/blog/getting-started-with-elasticsearch-security