1.
Preface
This article covers using the Elasticsearch API for cluster management and information queries, as well as how to create, delete, modify and list Elasticsearch users and how to reset their passwords.
Continued from the previous article: elasticsearch | big data | deploying and installing a lower-version Elasticsearch cluster and hardening it, password setup - CSDN blog
The previous article covered deploying a lower-version Elasticsearch cluster and setting passwords, which greatly improves the cluster's security, but security itself was only touched on briefly; this article goes into those measures in more depth. Beyond that, deploying the cluster is only the first step; using it correctly and efficiently is the real goal, and this article also gives a brief discussion from that angle.
2.
Elasticsearch's security plugin: X-Pack
The plugin has two main functions. The first is protecting the API through the elasticsearch keystore file under the config directory, so that a preset user and password must be verified before the API can be used.
The second is SSL encryption: the certgen tool generates a self-signed CA certificate (in newer ES versions the tool may have been renamed) to improve Elasticsearch's network security.
The main configuration file has the following three options, which are the switches for these two functions:
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: false
xpack.security.http.ssl.enabled: false
The previous article explained how to turn on password verification but not how to turn on SSL, so this article fills that in.
xpack.security.transport.ssl.enabled: false. This option covers self-signed certificate verification between the cluster's nodes, which prevents malicious nodes from being added.
xpack.security.http.ssl.enabled: false. This option makes external access to the cluster go through certificate verification with the self-signed certificate; in plain terms, HTTPS.
So, first enable xpack.security.transport.ssl.enabled. The steps are as follows:
1, Generate the CA certificate on the master node (this certificate carries a password; it can also be generated without one. I used a password here; any value you can remember will do).
# generates the elastic-stack-ca.p12 file
[root@node1 es]# ./bin/x-pack/certutil ca
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.

Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority

By default the 'ca' mode produces a single PKCS#12 output file which holds:
    * The CA certificate
    * The CA's private key

If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key

Please enter the desired output file [elastic-stack-ca.p12]:
Enter password for elastic-stack-ca.p12 :
2, Generate the elastic-certificates.p12 file. The other nodes need the same file, but do not regenerate it there: generate it only on the master node and then copy it to the other nodes (scp or any other method is fine). This file is what Elasticsearch itself uses:
# generates the elastic-certificates.p12 file for Elasticsearch to use
[root@node1 es]# ./bin/x-pack/certutil cert --ca elastic-stack-ca.p12
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'cert' mode generates X.509 certificate and private keys.
    * By default, this generates a single certificate and key for use
       on a single instance.
    * The '-multiple' option will prompt you to enter details for multiple
       instances and will generate a certificate and key for each one
    * The '-in' option allows for the certificate generation to be automated by describing
       the details of each instance in a YAML file

    * An instance is any piece of the Elastic Stack that requires a SSL certificate.
      Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
      may all require a certificate and private key.
    * The minimum required value for each instance is a name. This can simply be the
      hostname, which will be used as the Common Name of the certificate. A full
      distinguished name may also be used.
    * A filename value may be required for each instance. This is necessary when the
      name would result in an invalid file or directory name. The name provided here
      is used as the directory name (within the zip) and the prefix for the key and
      certificate files. The filename is required if you are prompted and the name
      is not displayed in the prompt.
    * IP addresses and DNS names are optional. Multiple values can be specified as a
      comma separated string. If no IP addresses or DNS names are provided, you may
      disable hostname verification in your SSL configuration.

    * All certificates generated by this tool will be signed by a certificate authority (CA).
    * The tool can automatically generate a new CA for you, or you can provide your own with the
         -ca or -ca-cert command line options.

By default the 'cert' mode produces a single PKCS#12 output file which holds:
    * The instance certificate
    * The private key for the instance certificate
    * The CA certificate

If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the instance certificate, the key and the CA certificate

If you elect to generate multiple instances certificates, the output will be a zip file
containing all the generated certificates

Enter password for CA (elastic-stack-ca.p12) :
Please enter the desired output file [elastic-certificates.p12]:
Enter password for elastic-certificates.p12 :

Certificates written to /data/es/elastic-certificates.p12

This file should be properly secured as it contains the private key for
your instance.

This file is a self contained file and can be copied and used 'as is'
For each Elastic product that you wish to configure, you should copy
this '.p12' file to the relevant configuration directory
and then follow the SSL configuration instructions in the product guide.

For client applications, you may only need to copy the CA certificate and
configure the client to trust this certificate.
3, If a password was set on the certificate, the nodes must be able to authenticate to it, otherwise Elasticsearch reports that it has no permission to read the file (run on every node):
./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
4, To prevent Elasticsearch from failing to start because of a permissions problem, recursively assign the owner and group once more:
chown -Rf es. /data/es
5, Modifying the Elasticsearch main configuration file
Append the following to the end of the main configuration file:
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-methods : OPTIONS, HEAD, GET, POST, PUT, DELETE
http.cors.allow-headers : X-Requested-With,X-Auth-Token,Content-Type,Content-Length
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /data/es/config/cert/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /data/es/config/cert/elastic-certificates.p12
6, A further note:
Because the Elasticsearch cluster uses a discovery mechanism, when the master scans the other servers on the same subnet on ports 9300-9305 it adds them to the cluster automatically, and letting nodes join with no verification at all is very dangerous. For that reason it is best to set a password on the certificate: a malicious node, lacking the certificate file, cannot pass node authentication and so cannot join the cluster at will, which makes the cluster considerably safer.
verification_mode controls verification of the server certificate. Valid values are:
- full: verifies that the presented certificate is signed by a trusted authority (CA) and that the server's hostname (or IP address) matches the name identified in the certificate.
- strict: verifies that the presented certificate is signed by a trusted authority (CA) and that the server's hostname (or IP address) matches the name identified in the certificate; if the Subject Alternative Name is empty, an error is returned.
- certificate: verifies that the presented certificate is signed by a trusted authority (CA) but performs no hostname verification.
- none: performs no verification of the server certificate. This mode disables many of the security benefits of SSL/TLS and should be used only after careful consideration. It is mainly a temporary diagnostic mechanism when trying to resolve TLS errors; using it in production is strongly discouraged.
keystore: holds public keys, private keys, digital signatures and related material
truststore: holds the certificates that are trusted
Both the keystore and the truststore hold keys; the difference is that the truststore holds only digital certificates (public keys) representing parties that can be trusted, while the keystore holds the private-key material.
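As an added example (not code from the original post or from Elastic), here is a small Python linter that checks an elasticsearch.yml against the switches from step 5 and the verification_mode values listed above. It assumes the file uses flat key: value lines as written in this post (YAML nesting is not handled), and the embedded sample is the step 5 configuration.

```python
# Lint the X-Pack security switches in an elasticsearch.yml (added example, not the post's code).
import re

# Constructed sample: the lines the post appends to elasticsearch.yml in step 5.
SAMPLE_CONFIG = """\
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-methods : OPTIONS, HEAD, GET, POST, PUT, DELETE
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /data/es/config/cert/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /data/es/config/cert/elastic-certificates.p12
"""

def parse_flat_yaml(text):
    """Return {key: value} for flat 'key: value' lines; strips '#' comments and quotes."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^([\w.\-]+)\s*:\s*(.*)$", line.split("#", 1)[0].strip())
        if m:
            settings[m.group(1)] = m.group(2).strip().strip("\"'")
    return settings

def lint_security(settings):
    """Return (severity, message) findings for the switches the post discusses, worst first."""
    f = []
    get = lambda k, d="false": settings.get(k, d).lower()
    if get("xpack.security.enabled") != "true":
        f.append(("HIGH", "xpack.security.enabled is off: the API accepts requests without credentials"))
    if get("xpack.security.transport.ssl.enabled") != "true":
        f.append(("HIGH", "transport SSL off: any host reaching port 9300 can join as a node"))
    else:
        for store in ("keystore", "truststore"):
            if not settings.get(f"xpack.security.transport.ssl.{store}.path"):
                f.append(("HIGH", f"transport SSL on but {store}.path is missing"))
        mode = get("xpack.security.transport.ssl.verification_mode", "full")  # ES default is full
        if mode == "none":
            f.append(("HIGH", "verification_mode none: peer certificates are not checked at all"))
        elif mode == "certificate":
            f.append(("INFO", "verification_mode certificate: CA signature checked, hostname not"))
    if get("xpack.security.http.ssl.enabled") != "true":
        f.append(("MEDIUM", "HTTP SSL off: user credentials reach port 9200 in clear text"))
    if get("http.cors.enabled") == "true" and settings.get("http.cors.allow-origin") == "*":
        f.append(("MEDIUM", "CORS allows every origin; restrict allow-origin to known UI hosts"))
    order = {"HIGH": 0, "MEDIUM": 1, "INFO": 2}
    return sorted(f, key=lambda x: order[x[0]])  # stable sort keeps insertion order per level

if __name__ == "__main__":
    print(*lint_security(parse_flat_yaml(SAMPLE_CONFIG)), sep="\n")
```

Run against the step 5 config it reports only that HTTP SSL is still off, CORS is wide open, and that certificate mode skips hostname checks; point it at a real node's elasticsearch.yml to confirm the switches before restarting the cluster.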
To be continued!