ElasticSearch7.X版本配置密码

ElasticSearch7.X版本配置密码 作前检查清单 必须全部满足集群当前状态为green无未分配分片、无节点离线所有节点ES进程运行用户为es非root所有节点防火墙已开放9200HTTP、9300TCP内部通信端口已完成全集群快照备份备份存储在独立于集群的存储介质上所有节点时间同步NTP正常时间差≤1s回到顶部密码配置步骤步骤一生成集群SSL证书7.x强制要求7.x开启安全认证后节点间TCP通信transport层必须启用SSL加密否则节点无法互相通信集群无法组建。证书在任意一台主节点上生成再分发到所有节点。1.1 生成CA根证书在其中一台主节点执行即可# 进入es安装目录执行下面的命令# 生成CA根证书执行后按两次回车无需设置密码生成的文件为elastic-stack-ca.p12rootmaster:/usr/local/elasticsearch# ./bin/elasticsearch-certutil ca...Please enter the desired output file [elastic-stack-ca.p12]: # 输入第一个回车Enter password for elastic-stack-ca.p12 : # 输入第一个回车# 执行成功后当前目录会生成elastic-stack-ca.p12根证书文件。也就是es目录中rootmaster:/usr/local/elasticsearch# lltotal 668drwxr-xr-x 2 elasticsearch elasticsearch 4096 Nov 28 2024 bindrwxr-xr-x 3 elasticsearch elasticsearch 4096 Apr 15 16:10 config# 这就是根证书-rw------- 1 root root 2672 Apr 16 11:17 elastic-stack-ca.p12drwxr-xr-x 8 elasticsearch elasticsearch 4096 Nov 28 2024 jdkdrwxr-xr-x 3 elasticsearch elasticsearch 4096 Nov 28 2024 lib-rw-r--r-- 1 elasticsearch elasticsearch 3860 Nov 28 2024 LICENSE.txtdrwxr-xr-x 2 elasticsearch elasticsearch 4096 Apr 15 16:10 logsdrwxr-xr-x 61 elasticsearch elasticsearch 4096 Nov 28 2024 modules-rw-r--r-- 1 elasticsearch elasticsearch 640930 Nov 28 2024 NOTICE.txtdrwxr-xr-x 2 elasticsearch elasticsearch 4096 Nov 28 2024 plugins-rw-r--r-- 1 elasticsearch elasticsearch 2710 Nov 28 2024 README.asciidoc1.2 用CA生成节点通用证书生产集群所有节点共用同一份证书即可不用每个节点单独生成# 执行之后连续输入三次回车即可rootmaster:/usr/local/elasticsearch# ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12...Enter password for CA (elastic-stack-ca.p12) : # 第一次回车Please enter the desired output file [elastic-certificates.p12]: # 第二次回车Enter password for elastic-certificates.p12 : # 第三次回车...# 查看一下rootmaster:/usr/local/elasticsearch# lltotal 672drwxr-xr-x 2 elasticsearch elasticsearch 4096 Nov 28 2024 bindrwxr-xr-x 3 elasticsearch elasticsearch 4096 Apr 15 16:10 config# 节点证书文件-rw------- 1 root root 3596 Apr 16 11:22 elastic-certificates.p12# 根证书文件-rw------- 1 root root 2672 Apr 16 11:17 elastic-stack-ca.p12drwxr-xr-x 8 elasticsearch elasticsearch 4096 Nov 28 2024 jdkdrwxr-xr-x 3 elasticsearch elasticsearch 4096 Nov 28 2024 lib-rw-r--r-- 1 elasticsearch elasticsearch 3860 Nov 28 2024 LICENSE.txtdrwxr-xr-x 2 elasticsearch elasticsearch 4096 Apr 15 16:10 logsdrwxr-xr-x 61 elasticsearch elasticsearch 4096 Nov 28 2024 modules-rw-r--r-- 1 elasticsearch elasticsearch 640930 Nov 28 2024 NOTICE.txtdrwxr-xr-x 2 elasticsearch elasticsearch 4096 Nov 28 2024 plugins-rw-r--r-- 1 elasticsearch elasticsearch 2710 Nov 28 2024 README.asciidoc1.3 证书分发到所有节点将证书放到es安装目录中的config目录下# 复制到config目录下rootmaster:/usr/local/elasticsearch# cp elastic-certificates.p12 elastic-stack-ca.p12 ./config/# 查看一下rootmaster:/usr/local/elasticsearch# ll config/total 56# 节点证书-rw------- 1 root root 3596 Apr 16 11:26 elastic-certificates.p12-rw-rw---- 1 elasticsearch elasticsearch 199 Apr 15 16:10 elasticsearch.keystore-rw-rw---- 1 elasticsearch elasticsearch 1042 Nov 28 2024 elasticsearch-plugins.example.yml-rw-rw---- 1 elasticsearch elasticsearch 3627 Apr 15 15:25 elasticsearch.yml# 根证书-rw------- 1 root root 2672 Apr 16 11:26 elastic-stack-ca.p12-rw-rw---- 1 elasticsearch elasticsearch 3404 Nov 28 2024 jvm.optionsdrwxr-x--- 2 elasticsearch elasticsearch 4096 Nov 28 2024 jvm.options.d-rw-rw---- 1 elasticsearch elasticsearch 19304 Nov 28 2024 log4j2.properties-rw-rw---- 1 elasticsearch elasticsearch 473 Nov 28 2024 role_mapping.yml-rw-rw---- 1 elasticsearch elasticsearch 197 Nov 28 2024 roles.yml-rw-rw---- 1 elasticsearch elasticsearch 0 Nov 28 2024 users-rw-rw---- 1 elasticsearch elasticsearch 0 Nov 28 2024 users_roles修改一下证书所属的用户及用户组rootmaster:/usr/local/elasticsearch# chown elasticsearch:elasticsearch -R /usr/local/elasticsearch将证书分发到其它节点rootmaster:/usr/local/elasticsearch/config# scp elastic-certificates.p12 elastic-stack-ca.p12 rootnode01:pwdrootmaster:/usr/local/elasticsearch/config# scp elastic-certificates.p12 elastic-stack-ca.p12 rootnode02:pwd验证其它所有节点对应目录下是否存在该文件且所属用户和用户组是否正确步骤省略1.4 所有节点添加ES配置所有节点添加下面的配置# 修改配置文件rootmaster:~# vim /usr/local/elasticsearch/config/elasticsearch.yml# -------------------------- 安全认证配置所有节点统一添加 --------------------------# 开启X-Pack安全认证xpack.security.enabled: true# 开启节点间传输层SSL加密7.x强制要求不开启启动报错xpack.security.transport.ssl.enabled: true# 证书校验模式生产建议用certificate只校验证书合法性不校验主机名避免节点 hostname/IP 变更导致通信失败xpack.security.transport.ssl.verification_mode: certificate# 证书路径xpack.security.transport.ssl.keystore.path: /usr/local/elasticsearch/config/elastic-certificates.p12xpack.security.transport.ssl.truststore.path: /usr/local/elasticsearch/config/elastic-certificates.p12# 【可选但生产推荐】开启HTTP层SSL加密防止密码、数据明文传输xpack.security.http.ssl.enabled: truexpack.security.http.ssl.keystore.path: /usr/local/elasticsearch/config/elastic-certificates.p12xpack.security.http.ssl.truststore.path: /usr/local/elasticsearch/config/elastic-certificates.p121.5 所有节点顺序停止因为开启安全后未开安全的节点和开了安全的节点无法通信所以不能滚动重启必须全停后再启动所有节点停止rootmaster:~# systemctl stop elasticsearch.service# 检查是否全部停止rootmaster:~# ss -lntup | grep -E 9200|9300所有节点启动rootmaster:~# systemctl start elasticsearch.service# 检查状态rootmaster:~# systemctl status elasticsearch.service● elasticsearch.service - elasticsearch serviceLoaded: loaded (/lib/systemd/system/elasticsearch.service; disabled; vendor preset: enabled)Active: active (running) since Thu 2026-04-16 11:46:49 CST; 13s agoDocs: https://www.cnblogs.com/huangSir-devopsMain PID: 2349699 (java)Tasks: 89 (limit: 9830)Memory: 32.0GCGroup: /system.slice/elasticsearch.service├─2349699 /usr/local/elasticsearch/jdk/bin/java -Xshare:auto -Des.networkaddress.cache.ttl60 -Des.networkaddress.cache.negative.ttl10 -XX:AlwaysPreTouch -Xss1m -Djava.awt.headlesstrue -Dfile.enco└─2350027 /usr/local/elasticsearch/modules/x-pack-ml/platform/linux-x86_64/bin/controller1.6 设置所有内置用户密码elasticsearch中所有内置用户如下用户作用保存要求elastic超级管理员用户拥有所有权限务必保存在安全的密码管理工具中kibana_systemKibana连接ES专用用户配置Kibana时需要用到logstash_systemLogstash连接ES监控专用用户配置Logstash监控时需要用到beats_systemFilebeat/Metricbeat等Beats组件连接ES专用用户配置Beats时需要用到apm_systemAPM监控组件连接ES专用用户配置APM时需要用到remote_monitoring_user远程集群监控专用用户跨集群监控时需要用到设置内置用户密码分为两种方式由系统自动生成这种方式完全随机不好维护elasticsearch-setup-passwords auto自定义设置密码我们使用第二种方式elasticsearch-setup-passwords interactive实操rootmaster:/usr/local/elasticsearch# ./bin/elasticsearch-setup-passwords interactiveInitiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.You will be prompted to enter passwords as the process progresses.Please confirm that you would like to continue [y/N]yEnter password for [elastic]:Reenter password for [elastic]:Enter password for [apm_system]:Reenter password for [apm_system]:Enter password for [kibana_system]:Reenter password for [kibana_system]:Enter password for [logstash_system]:Reenter password for [logstash_system]:Enter password for [beats_system]:Reenter password for [beats_system]:Enter password for [remote_monitoring_user]:Reenter password for [remote_monitoring_user]:Changed password for user [apm_system]Changed password for user [kibana_system]Changed password for user [kibana]Changed password for user [logstash_system]Changed password for user [beats_system]Changed password for user [remote_monitoring_user]Changed password for user [elastic]rootmaster:/usr/local/elasticsearch#使用密码访问测试# -k忽略证书不安全# -u指定用户名和密码rootmaster:/usr/local/elasticsearch# curl -k -u elastic:!Xinxin123 https://localhost:9200/_cluster/health?pretty{cluster_name : elasticsearch-v7,status : green,timed_out : false,number_of_nodes : 3,number_of_data_nodes : 3,active_primary_shards : 8,active_shards : 16,relocating_shards : 0,initializing_shards : 0,unassigned_shards : 0,delayed_unassigned_shards : 0,number_of_pending_tasks : 0,number_of_in_flight_fetch : 0,task_max_waiting_in_queue_millis : 0,active_shards_percent_as_number : 100.0}故障解决访问报错因为我们使用的是自签证书证书不被信任所以报错访问时加上-k选项即可忽略自签名证书错误rootmaster:/usr/local/elasticsearch# curl -u elastic:!Xinxin123 https://localhost:9200/_cluster/health?prettycurl: (60) SSL certificate problem: self signed certificate in certificate chainMore details here: https://curl.haxx.se/docs/sslcerts.htmlcurl failed to verify the legitimacy of the server and therefore could notestablish a secure connection to it. To learn more about this situation andhow to fix it, please visit the web page mentioned above.修改密码报错证书用的是自签名证书证书里没有写入你的服务器 IP / 域名。可以使用./bin/elasticsearch-setup-passwords interactive -E xpack.security.http.ssl.verification_modecertificate 来解决rootmaster:/usr/local/elasticsearch# ./bin/elasticsearch-setup-passwords interactive12:00:45.112 [main] WARN org.elasticsearch.common.ssl.DiagnosticTrustManager - failed to establish trust with server at [100.89.161.128]; the server provided a certificate with subject name [CNinstance] and fingerprint [840c27f021914b9e7c7e907cf514dbf11186e681]; the certificate does not have any subject alternative names; the certificate is issued by [CNElastic Certificate Tool Autogenerated CA]; the certificate is signed by (subject [CNElastic Certificate Tool Autogenerated CA] fingerprint [3dcf29a717a030ff66562a12159bd9414780229a] {trusted issuer}) which is self-issued; the [CNElastic Certificate Tool Autogenerated CA] certificate is trusted in this ssl context ([xpack.security.http.ssl])java.security.cert.CertificateException: No subject alternative names presentat sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:138) ~[?:?]at sun.security.util.HostnameChecker.match(HostnameChecker.java:101) ~[?:?]at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:457) ~[?:?]at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:431) ~[?:?]at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:237) ~[?:?]at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132) ~[?:?]at org.elasticsearch.common.ssl.DiagnosticTrustManager.checkServerTrusted(DiagnosticTrustManager.java:83) ~[elasticsearch-ssl-config-7.17.26.jar:7.17.26]at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1310) ~[?:?]at sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1203) ~[?:?]at sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1146) ~[?:?]at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393) ~[?:?]at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:476) ~[?:?]at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:447) ~[?:?]at sun.security.ssl.TransportContext.dispatch(TransportContext.java:201) ~[?:?]at sun.security.ssl.SSLTransport.decode(SSLTransport.java:172) ~[?:?]at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1507) ~[?:?]at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1422) ~[?:?]at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455) ~[?:?]at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426) ~[?:?]at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:586) ~[?:?]at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:187) ~[?:?]at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:141) ~[?:?]at org.elasticsearch.xpack.core.common.socket.SocketAccess.lambda$doPrivileged$0(SocketAccess.java:42) ~[x-pack-core-7.17.26.jar:7.17.26]at java.security.AccessController.doPrivileged(AccessController.java:571) [?:?]at org.elasticsearch.xpack.core.common.socket.SocketAccess.doPrivileged(SocketAccess.java:41) [x-pack-core-7.17.26.jar:7.17.26]at org.elasticsearch.xpack.security.authc.esnative.tool.CommandLineHttpClient.execute(CommandLineHttpClient.java:116) [x-pack-security-7.17.26.jar:7.17.26]at org.elasticsearch.xpack.security.authc.esnative.tool.SetupPasswordTool$SetupCommand.checkElasticKeystorePasswordValid(SetupPasswordTool.java:327) [x-pack-security-7.17.26.jar:7.17.26]at org.elasticsearch.xpack.security.authc.esnative.tool.SetupPasswordTool$InteractiveSetup.execute(SetupPasswordTool.java:199) [x-pack-security-7.17.26.jar:7.17.26]at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:77) [elasticsearch-7.17.26.jar:7.17.26]at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:112) [elasticsearch-cli-7.17.26.jar:7.17.26]at org.elasticsearch.cli.MultiCommand.execute(MultiCommand.java:95) [elasticsearch-cli-7.17.26.jar:7.17.26]at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:112) [elasticsearch-cli-7.17.26.jar:7.17.26]at org.elasticsearch.cli.Command.main(Command.java:77) [elasticsearch-cli-7.17.26.jar:7.17.26]at org.elasticsearch.xpack.security.authc.esnative.tool.SetupPasswordTool.main(SetupPasswordTool.java:128) [x-pack-security-7.17.26.jar:7.17.26]SSL connection to https://100.89.161.128:9200/_security/_authenticate?pretty failed: No subject alternative names presentPlease check the elasticsearch SSL settings under xpack.security.http.ssl.ERROR: Failed to establish SSL connection to elasticsearch at https://100.89.161.128:9200/_security/_authenticate?pretty.回到顶部补充kibana使用用户名和密码连接elasticsearch方式一在kibana配置文件中修改以下配置即可rootmaster:/usr/local/kibana/config# vim kibana.yml# 这里地址要加httpselasticsearch.hosts: [https://master:9200,https://node01:9200,https://node02:9200]# 用户名和密码elasticsearch.username: kibana_systemelasticsearch.password: !Xinxin123# 忽略自签名证书elasticsearch.ssl.verificationMode: none# 重启kibanarootmaster:/usr/local/kibana/config# systemctl restart kibana.service连接kibana输入elasticsearch的用户名和密码即可方式二加密存储密码不要明文写在yml中# 进入Kibana安装目录rootmaster:/usr/local/kibana/config# cd /usr/local/kibana# 创建密钥库首次执行会提示确认直接回车即可rootmaster:/usr/local/kibana# ./bin/kibana-keystore createCreated Kibana keystore in /data00/software/kibana-7.17.12-linux-x86_64/config/kibana.keystore# 添加kibana_system密码执行后输入你设置的密码即可rootmaster:/usr/local/kibana# ./bin/kibana-keystore add elasticsearch.passwordEnter value for elasticsearch.password: **********#修改kibana配置文件rootmaster:/usr/local/kibana/config# vim kibana.yml# 这里地址要加httpselasticsearch.hosts: [https://master:9200,https://node01:9200,https://node02:9200]# elaticsearch的连接用户elasticsearch.username: kibana_system# 忽略自签名证书elasticsearch.ssl.verificationMode: none# 重启kibanarootmaster:/usr/local/kibana/config# systemctl restart kibana.service连接kibana