Enabling authentication on the ES cluster
Once ES is installed and running, by default anyone can access it, which is not secure. You can enable authentication on ES and set an account and password.
Generating node certificates
cd ~/elasticsearch-7.17.8/
# Create a local certificate authority (elastic-stack-ca.p12 is generated in the current directory)
bin/elasticsearch-certutil ca
# Generate an X.509 certificate and key for the nodes (elastic-certificates.p12 is generated in the current directory)
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
# Move them into the config directory
mv *.p12 config/
Pay attention to the permissions of the certificate and key files: the ES cluster itself cannot be run as root, so the two files under config must be owned by the designated user.
Description of the elasticsearch-certutil command:
bin/elasticsearch-certutil -h
Simplifies certificate creation for use with the Elastic Stack
Commands
--------
csr - generate certificate signing requests
cert - generate X.509 certificates and keys
ca - generate a new local certificate authority
http - generate a new certificate (or certificate request) for the Elasticsearch HTTP interface
Non-option arguments:
command
Option Description
------ -----------
-E <KeyValuePair> Configure a setting
-h, --help Show help
-s, --silent Show minimal output
-v, --verbose Show verbose output
Note: after generating the certificate and key files, they can be copied via SCP to the corresponding location on the other nodes; the permissions of the certificate and key files also need to be adjusted there.
chown -R es.es /opt/<ES-install-directory>
chmod -R 777 /opt/<ES-install-directory>
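The ownership and permission requirement above can be checked rather than assumed. The script below is an added example and not part of the original post: it verifies that the two PKCS#12 files moved into config/ are owned by the ES user and carry no permission bits for other accounts (the chmod -R 777 above makes the node's private key world-readable and writable, while ownership by the ES user plus mode 600, or 640 for a shared group, is all ES needs). ES_HOME and ES_USER are placeholders for this installation.

```shell
#!/bin/sh
# Added example, not from the original post: check that the two PKCS#12 files
# copied into config/ are owned by the ES user and not readable by other accounts.
# Assumptions: ES_HOME and ES_USER are placeholders for this installation.
ES_HOME="${ES_HOME:-$HOME/elasticsearch-7.17.8}"
ES_USER="${ES_USER:-es}"

# check_keystore_perms FILE USER: 0 when FILE exists, is owned by USER and grants
# no permission bits to "other"; prints the reason on failure.
check_keystore_perms() {
    file="$1"; user="$2"
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    # GNU stat first, BSD/macOS stat as fallback
    owner=$(stat -c '%U' "$file" 2>/dev/null || stat -f '%Su' "$file")
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    [ "$owner" = "$user" ] || { echo "$file: owned by $owner, expected $user"; return 1; }
    case "$mode" in
        *0) ;;                      # last octal digit 0: no access for "other"
        *) echo "$file: mode $mode is accessible to other users"; return 1 ;;
    esac
    return 0
}

# check_es_keystores: apply the check to both files the post moves into config/.
check_es_keystores() {
    rc=0
    for f in "$ES_HOME/config/elastic-stack-ca.p12" \
             "$ES_HOME/config/elastic-certificates.p12"; do
        check_keystore_perms "$f" "$ES_USER" && echo "ok: $f" || rc=1
    done
    return $rc
}

# Only run against a real installation when its config directory exists.
if [ -d "$ES_HOME/config" ]; then
    check_es_keystores
fi
```

Run it on every node after the SCP step; a non-zero exit means at least one file is missing, owned by the wrong user, or readable by others.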
Modifying the ES configuration file to enable authentication
Set xpack.security.enabled: true to enable the xpack authentication mechanism.
vim config/elasticsearch.yml
# Enable the xpack authentication mechanism
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
After changing the configuration, restart; visiting http://192.168.3.156:9200/ now prompts for a username and password. The next step is to set passwords for the user accounts built into ES.
Note: before configuring user passwords for the cluster, the authentication settings above must be applied on every cluster node, and all nodes must be restarted after the change; otherwise setting the passwords of the cluster's built-in users fails with an error:
[es@i-40B9FE39 elasticsearch-7.17.18]$ bin/elasticsearch-setup-passwords interactive
Failed to determine the health of the cluster running at http://192.168.3.156:9200
Unexpected response code [503] from calling GET http://192.168.3.156:9200/_cluster/health?pretty
Cause: master_not_discovered_exception
It is recommended that you resolve the issues with your cluster before running elasticsearch-setup-passwords.
It is very likely that the password changes will fail when run against an unhealthy cluster.
Do you want to continue with the password setup process [y/N]y
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y
Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana_system]:
Reenter password for [kibana_system]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Unexpected response code [503] from calling PUT http://192.168.3.156:9200/_security/user/apm_system/_password?pretty
Cause: Cluster state has not been recovered yet, cannot write to the [null] index
Possible next steps:
* Try running this tool again.
* Try running with the --verbose parameter for additional messages.
* Check the elasticsearch logs for additional error details.
* Use the change password API manually.
Setting passwords for the built-in accounts
Once every cluster node has user authentication enabled and has been restarted, the user passwords can be set. Because this is a cluster, the passwords only need to be set on one node; the cluster synchronizes the data itself.
bin/elasticsearch-setup-passwords interactive
# Log of the run follows
[es@i-40B9FE39 elasticsearch-7.17.18]$ bin/elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y
Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana_system]:
Reenter password for [kibana_system]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Once the user passwords are set, no restart is needed; visiting http://192.168.3.156:9200/_security/user?pretty directly shows the list of the cluster's built-in users, provided that the elastic account's password is entered.
{
"elastic": {
"username": "elastic",
"roles": [
"superuser"
],
"full_name": null,
"email": null,
"metadata": {
"_reserved": true
},
"enabled": true
},
"kibana": {
"username": "kibana",
"roles": [
"kibana_system"
],
"full_name": null,
"email": null,
"metadata": {
"_deprecated": true,
"_reserved": true,
"_deprecated_reason": "Please use the [kibana_system] user instead."
},
"enabled": true
},
"kibana_system": {
"username": "kibana_system",
"roles": [
"kibana_system"
],
"full_name": null,
"email": null,
"metadata": {
"_reserved": true
},
"enabled": true
},
"logstash_system": {
"username": "logstash_system",
"roles": [
"logstash_system"
],
"full_name": null,
"email": null,
"metadata": {
"_reserved": true
},
"enabled": true
},
"beats_system": {
"username": "beats_system",
"roles": [
"beats_system"
],
"full_name": null,
"email": null,
"metadata": {
"_reserved": true
},
"enabled": true
},
"apm_system": {
"username": "apm_system",
"roles": [
"apm_system"
],
"full_name": null,
"email": null,
"metadata": {
"_reserved": true
},
"enabled": true
},
"remote_monitoring_user": {
"username": "remote_monitoring_user",
"roles": [
"remote_monitoring_collector",
"remote_monitoring_agent"
],
"full_name": null,
"email": null,
"metadata": {
"_reserved": true
},
"enabled": true
}
}
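Checking the user list through a browser covers one node. The script below is an added example, not part of the original post: after elasticsearch-setup-passwords has run, it confirms on every node that authentication is really enforced (an anonymous GET is answered with 401 while the elastic user gets 200) and that the cluster reports green or yellow health, which is the same health check the tool failed with the 503 / master_not_discovered_exception shown earlier. ES_NODES (the three addresses from the Kibana configuration below) and ES_PASS are placeholders for this installation.

```shell
#!/bin/sh
# Added example, not from the original post: verify that authentication is enforced
# on every node and that the cluster is healthy after setup-passwords has run.
# Assumptions: ES_NODES and ES_PASS are placeholders for this installation.
ES_NODES="${ES_NODES:-192.168.3.156 192.168.3.159 192.168.3.160}"

# cluster_ready CODE BODY: 0 when /_cluster/health returned 200 with status green or yellow.
cluster_ready() {
    [ "$1" = "200" ] || return 1
    case "$2" in
        *'"status"'*'"green"'*|*'"status"'*'"yellow"'*) return 0 ;;
    esac
    return 1
}

# auth_enforced ANON_CODE AUTH_CODE: 0 only when anonymous access is refused (401)
# and the same request with credentials succeeds (200).
auth_enforced() {
    [ "$1" = "401" ] && [ "$2" = "200" ]
}

# http_get URL [USER:PASS]: prints the response body, then the HTTP code on the last line.
http_get() {
    if [ -n "$2" ]; then curl -s -u "$2" -w '\n%{http_code}' "$1"
    else curl -s -w '\n%{http_code}' "$1"; fi
}

# check_node HOST: run both checks against one node and print a one-line verdict.
check_node() {
    url="http://$1:9200"
    anon=$(http_get "$url/" | tail -n 1)
    out=$(http_get "$url/_cluster/health" "elastic:$ES_PASS")
    code=$(printf '%s\n' "$out" | tail -n 1)
    body=$(printf '%s\n' "$out" | sed '$d')
    if auth_enforced "$anon" "$code" && cluster_ready "$code" "$body"; then
        echo "$1: auth enforced, cluster status ok"
    else
        echo "$1: FAILED (anonymous=$anon, elastic=$code, body=$body)"; return 1
    fi
}

# Only contact real nodes when the elastic password was supplied in ES_PASS.
if [ -n "$ES_PASS" ]; then
    for host in $ES_NODES; do check_node "$host"; done
fi
```

A node that answers the anonymous request with 200 has not picked up xpack.security.enabled and needs its elasticsearch.yml checked and a restart.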
At this point the whole ES cluster is configured, with user authentication enabled. Next we will start using Kibana to manage and operate the ES cluster.
Installing and deploying Kibana
Kibana is generally matched to the ES version; this article downloads version 7.17.8 for deployment. Official download address: kibana
- Download
Installing Kibana is very simple and the official documentation is clear: unpack the deployment package, modify the configuration and start it directly.
curl -O https://artifacts.elastic.co/downloads/kibana/kibana-7.17.26-linux-x86_64.tar.gz
curl https://artifacts.elastic.co/downloads/kibana/kibana-7.17.26-linux-x86_64.tar.gz.sha512 | shasum -a 512 -c -
tar -xzf kibana-7.17.26-linux-x86_64.tar.gz
cd kibana-7.17.26-linux-x86_64/
- Modify the configuration
# IP address the server listens on
server.host: "192.168.3.156"
# Addresses of all ES cluster nodes
elasticsearch.hosts: ["http://192.168.3.156:9200","http://192.168.3.159:9200","http://192.168.3.160:9200"]
# Login user and password for the cluster; kibana_system is the dedicated user, but here I am using the superuser account
elasticsearch.username: "elastic"
elasticsearch.password: "123456"
# Chinese UI
i18n.locale: "zh-CN"
- Start Kibana
cd ./bin
# --allow-root allows running as root; & starts it in the background, since Kibana has no [-d] option
./kibana --allow-root &
- Running Kibana as a service
vim /usr/lib/systemd/system/kibana.service
[Unit]
Description=Kibana Server
Wants=network-online.target
After=network-online.target
[Service]
# Run Kibana as a suitable user, normally the kibana user
User=es
# Run Kibana under a suitable group, normally the kibana group
Group=es
ExecStart=/opt/kibana-7.17.8-linux-x86_64/bin/kibana
# Restart automatically when the service fails
Restart=always
# Optional: set the Node.js heap size limit
Environment="NODE_OPTIONS=--max-old-space-size=2048"
[Install]
WantedBy=multi-user.target
# Enable start on boot
systemctl enable kibana.service
# Start the service
systemctl start kibana
**Note: the Kibana installation directory must be owned by the es user, since the service unit specifies that user for startup.**