In the previous article we introduced Elasticsearch security and access control; this article walks through the hands-on configuration for enabling login authentication and SSL encryption.
1 Why is security hardening needed?
Elasticsearch does not enable its security features by default, which exposes the following risks:
- Unauthorized access: anyone can read or modify data
- Data leakage: network traffic is unencrypted and can be eavesdropped on
- Compliance risk: fails enterprise security audit requirements
2 Environment
- ES version: Elasticsearch 7.10.1
- Operating system: CentOS 7.9
3 Configuration steps
3.1 Generate SSL certificates
# Enter the ES installation directory
cd /export/home/elasticsearch-7.10.1/
# Generate the CA certificate (empty password: the keystore is referenced later without a secure_password entry)
/export/home/elasticsearch-7.10.1/bin/elasticsearch-certutil ca --pass ""
# Generate the node certificate signed by that CA, with the IPs and hostnames of all three nodes as SANs
/export/home/elasticsearch-7.10.1/bin/elasticsearch-certutil cert \
  --ca /export/home/elasticsearch-7.10.1/elastic-stack-ca.p12 --ca-pass "" --pass "" \
  --ip 192.168.10.33,192.168.10.34,192.168.10.35,127.0.0.1 \
  --dns node3,node4,node5,localhost
# Create the certificate directory
mkdir config/certs
# Deploy the certificate; create the same directory on the remaining nodes and copy the certificate there
mv elastic-certificates.p12 config/certs/
3.2 Edit elasticsearch.yml
# Append the following to elasticsearch.yml (on every node)
cat >>/export/home/elasticsearch-7.10.1/config/elasticsearch.yml<<EOF
# Core security settings
# Turn the security features on (off by default on a basic licence in 7.x)
xpack.security.enabled: true
# HTTP-layer SSL
xpack.security.http.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/elastic-certificates.p12
  truststore.path: certs/elastic-certificates.p12
# Transport-layer SSL
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/elastic-certificates.p12
  truststore.path: certs/elastic-certificates.p12
EOF
# Restart the Elasticsearch service (SIGTERM lets the node shut down cleanly)
ps -ef | grep elasticsearch-7.10.1 | grep -v grep | awk '{print $2}' | xargs kill
/export/home/elasticsearch-7.10.1/bin/elasticsearch -d
3.3 Set the built-in user passwords
# Set the passwords interactively
/export/home/elasticsearch-7.10.1/bin/elasticsearch-setup-passwords interactive
# Or generate them automatically (save the output; the command can only be run once)
/export/home/elasticsearch-7.10.1/bin/elasticsearch-setup-passwords auto
The main users involved:
- elastic: superuser
- kibana_system: the Kibana service account
- logstash_system: the account Logstash uses to connect
4 Verify the configuration
4.1 Check HTTPS access
curl -k -u elastic:Lahmy1c@ https://192.168.10.33:9200
A healthy node returns JSON containing "tagline" : "You Know, for Search":
[lianggj@node4 config]$ curl -k -u elastic:Lahmy1c@ https://192.168.10.33:9200
{
  "name" : "node4",
  "cluster_name" : "my_es_cluster",
  "cluster_uuid" : "6JC1NLZXTWymb5WiLPvjaA",
  "version" : {
    "number" : "7.10.1",
    "build_flavor" : "default",
    "build_type" : "tar",
    "build_hash" : "1c34507e66d7db1211f66f3513706fdf548736aa",
    "build_date" : "2020-12-05T01:00:33.671820Z",
    "build_snapshot" : false,
    "lucene_version" : "8.7.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
[lianggj@node4 config]$
4.2 Test user permissions
# Request without credentials. Against the self-signed CA, curl rejects the TLS handshake
# before any authentication happens; add -k to see the 401 security_exception instead.
curl https://192.168.10.33:9200/_cat/indices
# Request with valid credentials
curl -k -u elastic:Lahmy1c@ https://192.168.10.33:9200/_security/user
[lianggj@node4 config]$ curl https://192.168.10.33:9200/_cat/indices
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
[lianggj@node4 config]$ curl -k -u elastic:Lahmy1c@ https://192.168.10.33:9200/_security/user
{
  "elastic": {"username": "elastic", "roles": ["superuser"], "full_name": null, "email": null, "metadata": {"_reserved": true}, "enabled": true},
  "kibana": {"username": "kibana", "roles": ["kibana_system"], "full_name": null, "email": null, "metadata": {"_deprecated": true, "_deprecated_reason": "Please use the [kibana_system] user instead.", "_reserved": true}, "enabled": true},
  "kibana_system": {"username": "kibana_system", "roles": ["kibana_system"], "full_name": null, "email": null, "metadata": {"_reserved": true}, "enabled": true},
  "logstash_system": {"username": "logstash_system", "roles": ["logstash_system"], "full_name": null, "email": null, "metadata": {"_reserved": true}, "enabled": true},
  "beats_system": {"username": "beats_system", "roles": ["beats_system"], "full_name": null, "email": null, "metadata": {"_reserved": true}, "enabled": true},
  "apm_system": {"username": "apm_system", "roles": ["apm_system"], "full_name": null, "email": null, "metadata": {"_reserved": true}, "enabled": true},
  "remote_monitoring_user": {"username": "remote_monitoring_user", "roles": ["remote_monitoring_collector", "remote_monitoring_agent"], "full_name": null, "email": null, "metadata": {"_reserved": true}, "enabled": true}
}
[lianggj@node4 config]$
5 Kibana integration
# Extract the CA certificate from the PKCS12 file (certificates only: -nokeys keeps the node's private key out of ca.pem)
cd /export/home/elasticsearch-7.10.1/config/certs
openssl pkcs12 -in elastic-certificates.p12 -cacerts -nokeys -out ca.pem
# Append the following to kibana.yml
cat >>/export/home/kibana-7.10.1-linux-x86_64/config/kibana.yml<<EOF
elasticsearch.hosts: ["https://192.168.10.33:9200","https://192.168.10.34:9200","https://192.168.10.35:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.password: "Lahmy1c@"
elasticsearch.ssl.verificationMode: "certificate"
elasticsearch.ssl.certificateAuthorities: ["/export/home/elasticsearch-7.10.1/config/certs/ca.pem"]
EOF
# Restart Kibana
ps -ef | grep kibana | grep -v grep | awk '{print $2}' | xargs kill
cd /export/home/kibana-7.10.1-linux-x86_64
nohup ./bin/kibana &> kibana.log &
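Because `openssl pkcs12 -nodes` writes the private key, unencrypted, into the same output file, it is worth confirming that a PEM file handed to Kibana as `elasticsearch.ssl.certificateAuthorities` really holds certificates only. The following Python check is an added example, not code from the original post: `DUMP_WITH_KEY` is a constructed sample of such a dump (dummy base64 bodies, not real key material), and `certificates_only` shows the remediation.

```python
import re

# Constructed sample of what `openssl pkcs12 -nodes` writes: Bag Attributes, the node
# certificate, the CA certificate and the node's unencrypted private key (dummy bodies).
DUMP_WITH_KEY = """Bag Attributes
    friendlyName: instance
subject=/CN=instance
issuer=/CN=Elastic Certificate Tool Autogenerated CA
-----BEGIN CERTIFICATE-----
MIIBADUMMYNODECERT
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBADUMMYCACERT
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: instance
-----BEGIN PRIVATE KEY-----
MIIEvDUMMYKEY
-----END PRIVATE KEY-----
"""

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Return the PEM block labels in order, e.g. ['CERTIFICATE', 'PRIVATE KEY']; Bag Attributes are ignored."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def ca_bundle_problems(text):
    """Findings for a PEM file meant to be Kibana's certificateAuthorities (empty list == fine)."""
    labels = pem_blocks(text)
    problems = []
    if any(label.endswith("PRIVATE KEY") for label in labels):
        problems.append("private key present: re-extract with -cacerts -nokeys")
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block found")
    return problems

def certificates_only(text):
    """Rewrite a dump so that only its CERTIFICATE blocks remain (the fix for a bundle that also carries a key)."""
    return "".join(m.group(0) + "\n" for m in PEM_BLOCK.finditer(text) if m.group(1) == "CERTIFICATE")

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else DUMP_WITH_KEY
    print(ca_bundle_problems(text) or "ok: certificates only")
```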
6 Common problems
6.1 Certificate errors
PKIX path validation failed: java.security.cert.CertPathValidatorException
Solutions:
- Confirm that every node uses a certificate issued by the same CA
- Pass the CA certificate to the client with --cacert
curl --cacert /path/to/ca.crt https://es-node:9200
6.2 Resetting a password
# 7.10.1 has no elasticsearch-reset-password (that tool arrived in 8.0). On 7.x, change a
# password through the security API using a superuser's credentials:
curl -k -u elastic:Lahmy1c@ -H 'Content-Type: application/json' -X POST \
  https://192.168.10.33:9200/_security/user/elastic/_password -d '{"password":"<new-password>"}'
# From 8.0 onwards the same can be done locally on a node with:
# bin/elasticsearch-reset-password -u elastic
6.3 Temporarily disabling security (development only)
xpack.security.enabled: false
xpack.security.http.ssl.enabled: false
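To catch the section 6.3 settings (or a forgotten `xpack.security.enabled`) before a node goes into production, the settings from section 3.2 can be audited mechanically. This Python checker is an added example, not from the original post; it understands the two YAML spellings elasticsearch.yml accepts (nested blocks and dotted keys), and `HARDENED` / `DEV_ONLY` are constructed samples taken from sections 3.2 and 6.3.

```python
def flatten_yaml(text):
    """Flatten elasticsearch.yml-style YAML (nested blocks or dotted keys) into {dotted.key: value}."""
    flat, stack = {}, []          # stack holds (indent, key) of the open nested blocks
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and indent <= stack[-1][0]:   # leaving one or more blocks
            stack.pop()
        full = ".".join([k for _, k in stack] + [key.strip()])
        if value.strip():
            flat[full] = value.strip().strip("\"'")
        else:
            stack.append((indent, key.strip()))   # block header such as 'xpack.security.http.ssl:'
    return flat

REQUIRED = {                      # baseline from section 3.2
    "xpack.security.enabled": "true",
    "xpack.security.http.ssl.enabled": "true",
    "xpack.security.transport.ssl.enabled": "true",
}

def audit(text):
    """Return a list of findings; an empty list means the baseline is met."""
    cfg, findings = flatten_yaml(text), []
    for key, want in REQUIRED.items():
        got = cfg.get(key, "missing")  # unset: security is off by default on a 7.x basic licence
        if got.lower() != want:
            findings.append(f"{key}={got}, expected {want}")
    for layer in ("http", "transport"):
        # verification_mode defaults to "full"; "none" skips certificate checks entirely
        mode = cfg.get(f"xpack.security.{layer}.ssl.verification_mode", "full")
        if mode not in ("certificate", "full"):
            findings.append(f"{layer} verification_mode={mode} trusts any certificate")
        if not cfg.get(f"xpack.security.{layer}.ssl.keystore.path"):
            findings.append(f"{layer} SSL has no keystore.path")
    return findings

# Constructed samples: the hardened block of section 3.2 (both YAML forms) and the dev-only settings of 6.3
HARDENED = """xpack.security.enabled: true
xpack.security.http.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
"""
DEV_ONLY = "xpack.security.enabled: false\nxpack.security.http.ssl.enabled: false\n"
```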
7 Appendix: common security commands
# List users
GET /_security/user
# Create a custom role. Cluster privileges must be built-in names such as "monitor" or "manage";
# an index name in that list is rejected as an unknown cluster privilege.
POST /_security/role/my_admin
{
  "cluster": ["monitor"],
  "indices": [
    {
      "names": ["myindex-*"],
      "privileges": ["read", "write"]
    }
  ]
}