ElasticSearch访问控制

2020-03-29  本文已影响0人  习惯了沉默乄
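# Install Elasticsearch
# Raise the mmap-area limit Elasticsearch's bootstrap check requires. Only
# append the line if it is not already present, so re-running this block
# does not accumulate duplicate entries in /etc/sysctl.conf.
grep -q '^vm.max_map_count=262144$' /etc/sysctl.conf \
  || printf '%s\n' "vm.max_map_count=262144" >> /etc/sysctl.conf
sysctl -p

# Directory for the config files that are bind-mounted into the container
mkdir -p /etc/elasticsearch

# Data directory. The original used chmod 777, which leaves the index data
# (including the .security index that holds the user credentials) writable
# by every local account. Grant access only to the uid the container
# process runs as (1000 in the official elasticsearch image — confirm for
# the image actually used); -p keeps the step idempotent.
mkdir -p /data
chown 1000:1000 /data
chmod 750 /data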

# Write the Elasticsearch configuration (quoted delimiter: no shell expansion).
# network.host 0.0.0.0 binds every interface and http.cors.allow-origin "*"
# lets any web origin call the REST API; what actually limits exposure here
# is the container port publishing and the xpack.security setup done later.
cat >/etc/elasticsearch/elasticsearch.yml <<'ES_CONFIG'
cluster.name: "elasticsearch-cluster"
node.name: elasticsearch-node
network.host: 0.0.0.0
http.cors.enabled: true
http.cors.allow-origin: "*"
node.master: true
node.data: true
ES_CONFIG

# If the host has little memory, lower the JVM heap (-Xms/-Xmx below, kept
# equal as the file itself recommends). The rest appears to be the stock
# jvm.options of the image, written verbatim; the quoted delimiter keeps the
# shell from expanding ${ES_TMPDIR}, so the file receives it literally.
cat <<"EOF" >/etc/elasticsearch/jvm.options
## JVM configuration

################################################################
## IMPORTANT: JVM heap size
################################################################
##
## You should always set the min and max JVM heap
## size to the same value. For example, to set
## the heap to 4 GB, set:
##
## -Xms4g
## -Xmx4g
##
## See https://www.elastic.co/guide/en/elasticsearch/reference/current/heap-size.html
## for more information
##
################################################################

# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space

-Xms256m
-Xmx256m

################################################################
## Expert settings
################################################################
##
## All settings below this section are considered
## expert settings. Don't tamper with them unless
## you understand what you are doing
##
################################################################

## GC configuration
8-13:-XX:+UseConcMarkSweepGC
8-13:-XX:CMSInitiatingOccupancyFraction=75
8-13:-XX:+UseCMSInitiatingOccupancyOnly

## G1GC Configuration
# NOTE: G1 GC is only supported on JDK version 10 or later
# to use G1GC, uncomment the next two lines and update the version on the
# following three lines to your version of the JDK
# 10-13:-XX:-UseConcMarkSweepGC
# 10-13:-XX:-UseCMSInitiatingOccupancyOnly
14-:-XX:+UseG1GC
14-:-XX:G1ReservePercent=25
14-:-XX:InitiatingHeapOccupancyPercent=30

## DNS cache policy
# cache ttl in seconds for positive DNS lookups noting that this overrides the
# JDK security property networkaddress.cache.ttl; set to -1 to cache forever
-Des.networkaddress.cache.ttl=60
# cache ttl in seconds for negative DNS lookups noting that this overrides the
# JDK security property networkaddress.cache.negative ttl; set to -1 to cache
# forever
-Des.networkaddress.cache.negative.ttl=10

## optimizations

# pre-touch memory pages used by the JVM during initialization
-XX:+AlwaysPreTouch

## basic

# explicitly set the stack size
-Xss1m

# set to headless, just in case
-Djava.awt.headless=true

# ensure UTF-8 encoding by default (e.g. filenames)
-Dfile.encoding=UTF-8

# use our provided JNA always versus the system one
-Djna.nosys=true

# turn off a JDK optimization that throws away stack traces for common
# exceptions because stack traces are important for debugging
-XX:-OmitStackTraceInFastThrow

# flags to configure Netty
-Dio.netty.noUnsafe=true
-Dio.netty.noKeySetOptimization=true
-Dio.netty.recycler.maxCapacityPerThread=0

# log4j 2
-Dlog4j.shutdownHookEnabled=false
-Dlog4j2.disable.jmx=true

-Djava.io.tmpdir=${ES_TMPDIR}

## heap dumps

# generate a heap dump when an allocation from the Java heap fails
# heap dumps are created in the working directory of the JVM
-XX:+HeapDumpOnOutOfMemoryError

# specify an alternative path for heap dumps; ensure the directory exists and
# has sufficient space
-XX:HeapDumpPath=data

# specify an alternative path for JVM fatal error logs
-XX:ErrorFile=logs/hs_err_pid%p.log

## JDK 8 GC logging

8:-XX:+PrintGCDetails
8:-XX:+PrintGCDateStamps
8:-XX:+PrintTenuringDistribution
8:-XX:+PrintGCApplicationStoppedTime
8:-Xloggc:logs/gc.log
8:-XX:+UseGCLogFileRotation
8:-XX:NumberOfGCLogFiles=32
8:-XX:GCLogFileSize=64m

# JDK 9+ GC logging
9-:-Xlog:gc*,gc+age=trace,safepoint:file=logs/gc.log:utctime,pid,tags:filecount=32,filesize=64m
# due to internationalization enhancements in JDK 9 Elasticsearch need to set the provider to COMPAT otherwise
# time/date parsing will break in an incompatible way for some date patterns and locals
9-:-Djava.locale.providers=COMPAT

# temporary workaround for C2 bug with JDK 10 on hardware with AVX-512
10-:-XX:UseAVX=2
EOF

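# Pull the image (an exact tag keeps the deployment reproducible)
docker pull elasticsearch:6.8.7

# Bootstrap run. Security is not enabled yet, so publish the ports on the
# loopback interface only: with a bare -p 9200:9200 the unauthenticated REST
# API would be reachable from every interface until the redeploy that follows
# the certificate step. Everything done in between uses `docker exec`.
docker run -d --restart=always \
  -p 127.0.0.1:9200:9200 \
  -p 127.0.0.1:9300:9300 \
  -v /etc/elasticsearch/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml \
  -v /etc/elasticsearch/jvm.options:/usr/share/elasticsearch/config/jvm.options \
  -v /data:/usr/share/elasticsearch/data \
  --name elasticsearch \
  elasticsearch:6.8.7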

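# Configure TLS for the transport layer.
# Run certutil directly instead of through an interactive `bash` + `exit`,
# so the step also works from a script. The original passes -pass "" (an
# unprotected PKCS#12 bundle); that is only acceptable together with the
# strict file permissions set below. To protect it with a password instead,
# store that password in the Elasticsearch keystore:
#   bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
docker exec elasticsearch \
  bin/elasticsearch-certutil cert -out config/elastic-certificates.p12 -pass ""

# Copy the bundle to the host so it can be bind-mounted on redeploy
docker cp elasticsearch:/usr/share/elasticsearch/config/elastic-certificates.p12 \
  /etc/elasticsearch/elastic-certificates.p12

# The bundle contains the private key. docker cp creates the host copy owned
# by the invoking user (root), so hand it to the uid the container runs as
# (1000 in the official image — confirm) and let no one else read it.
chown 1000:1000 /etc/elasticsearch/elastic-certificates.p12
chmod 600 /etc/elasticsearch/elastic-certificates.p12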

# Append to /etc/elasticsearch/elasticsearch.yml (the file written above).
# Enables X-Pack security (authentication) and TLS on the node-to-node
# transport port only; the REST/HTTP port 9200 stays plain HTTP with these
# settings, so basic-auth credentials sent to it are not encrypted.
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
# "certificate" validates the peer's certificate against the truststore but
# does not check the hostname/IP it was issued for; "full" would.
xpack.security.transport.ssl.verification_mode: certificate
# Paths are relative to the config directory. The same bundle serves as both
# keystore and truststore — presumably because certutil placed the generated
# CA and the node certificate in one PKCS#12 file; verify for other nodes.
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

# Redeploy with the certificate bundle mounted into the config directory
docker stop elasticsearch
docker rm elasticsearch

es_run_args=(
  -d --restart=always
  -p 9200:9200 -p 9300:9300
  -v /etc/elasticsearch/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
  -v /etc/elasticsearch/jvm.options:/usr/share/elasticsearch/config/jvm.options
  -v /etc/elasticsearch/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
  -v /data:/usr/share/elasticsearch/data
  --name elasticsearch
)
# 9200 is published on all interfaces and is still plain HTTP: the basic-auth
# credentials curl and Kibana send below travel unencrypted unless
# xpack.security.http.ssl is also configured or the port is firewalled.
docker run "${es_run_args[@]}" elasticsearch:6.8.7

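# Set the built-in users' passwords (choose ONE of the two commands).
# Invoke the tool directly rather than from an interactive shell so the step
# is scriptable; -b skips the y/N confirmation of the auto mode. The tool
# prints the generated passwords once — record them in a secrets store, not
# in a terminal transcript.
docker exec -it elasticsearch bin/elasticsearch-setup-passwords auto -b   # random passwords
docker exec -it elasticsearch bin/elasticsearch-setup-passwords interactive   # choose them by hand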

Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
The passwords will be randomly generated and printed to the console.
Please confirm that you would like to continue [y/N]y


Changed password for user apm_system
PASSWORD apm_system = QG0I9LS9ytRKXOEwzeHs

Changed password for user kibana
PASSWORD kibana = hwc02uXgKdHgQPqAQbIL

Changed password for user logstash_system
PASSWORD logstash_system = njSslSbuVPfPLb3HCbj2

Changed password for user beats_system
PASSWORD beats_system = UCAwd9Y6ZMEZVTV1OrZ4

Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = gmCVf8oFC3BaxOBI2M0f

Changed password for user elastic
PASSWORD elastic = mCO21RPJQYBmAze7x5R0

# 部署集群启动其他节点即可

# Access test
# Without credentials the request is rejected (the 401 response follows)
curl http://localhost:9200/
{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication token for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"missing authentication token for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401}[root@izs3l77ihmekj0z ~]

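# With credentials the request succeeds. Pass only the user name: curl then
# prompts for the password, which keeps the secret out of shell history,
# `ps` output and any `set -x` trace (the original had it on the command
# line). Note the connection is plain HTTP, so the credentials are still
# sent in the clear to anything on the path.
curl --user elastic http://localhost:9200/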
{
  "name" : "elasticsearch-node",
  "cluster_name" : "elasticsearch-cluster",
  "cluster_uuid" : "ESg1ZrTiSsOeNeWCQmJNdg",
  "version" : {
    "number" : "6.8.7",
    "build_flavor" : "default",
    "build_type" : "docker",
    "build_hash" : "c63e621",
    "build_date" : "2020-02-26T14:38:01.193138Z",
    "build_snapshot" : false,
    "lucene_version" : "7.7.2",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}

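# Cluster health. The URL is quoted because `?` is a shell glob character,
# and the password is left off the command line so curl prompts for it
# instead of exposing it in history and `ps`.
curl --user elastic 'http://localhost:9200/_cat/health?v'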
epoch      timestamp cluster               status node.total node.data shards pri relo init unassign pending_tasks max_task_wait_time active_shards_percent
1585486040 12:47:20  elasticsearch-cluster green           1         1      1   1    0    0        0             0                  -                100.0%
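# Index listing; the user credentials live in the .security-6 index, which is
# why the data directory must not be world-accessible. Quoted URL, password
# prompted for rather than passed on the command line.
curl --user elastic 'http://localhost:9200/_cat/indices?v'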
health status index       uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   .security-6 ECm7arRxRLqY0meJFf5ppA   1   0          6            0       19kb           19kb

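# Install Kibana
# Generate the Kibana configuration (quoted delimiter: written verbatim).
# elasticsearch.hosts uses http://, so the kibana user's credentials cross
# the network unencrypted unless HTTP TLS is enabled on Elasticsearch.
mkdir -p /etc/kibana
cat >/etc/kibana/kibana.yml <<'KIBANA_CONFIG'
# ** THIS IS AN AUTO-GENERATED FILE **
#

# Default Kibana configuration for docker target
server.name: kibana
server.host: "0"
elasticsearch.hosts: [ "http://172.24.35.68:9200" ]
xpack.monitoring.ui.container.elasticsearch.enabled: true
elasticsearch.username: "kibana"
elasticsearch.password: "hwc02uXgKdHgQPqAQbIL"
KIBANA_CONFIG

# The file holds the kibana user's password, so it must not be world-readable
# (the original used chmod 777). Make it readable only by root and the uid
# the Kibana container runs as (1000 in the official image — confirm).
# Better still, keep elasticsearch.password out of the file and store it
# with bin/kibana-keystore inside the container.
chown 1000:1000 /etc/kibana/kibana.yml
chmod 640 /etc/kibana/kibana.yml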

# Pull the Kibana image, same version as Elasticsearch
docker pull kibana:6.8.7

# Run it; port 5601 is published on all interfaces, so Kibana's own login
# (backed by xpack.security) is the only thing between the UI and the network.
kibana_run_args=(
  -d --restart=always
  --name=kibana
  -p 5601:5601
  -v /etc/kibana/kibana.yml:/usr/share/kibana/config/kibana.yml
)
docker run "${kibana_run_args[@]}" kibana:6.8.7

# 访问测试
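# Install elasticsearch-head

# Download and unpack the source. NOTE: this fetches whatever is on the
# master branch at the moment it runs, with no integrity check, and bakes it
# into an image that is then run with broad access to the cluster — pin a
# release tag or commit and verify the archive's checksum before using this
# outside a lab.
wget https://codeload.github.com/mobz/elasticsearch-head/zip/master -O elasticsearch-head-master.zip
unzip elasticsearch-head-master.zip
# Stop here if the directory is missing; otherwise `docker build .` below
# would silently use the current directory as its build context.
cd elasticsearch-head-master || exit 1

# Build the elasticsearch-head image
docker build -t elasticsearch-head:alpine -f Dockerfile-alpine .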
Sending build context to Docker daemon  3.027MB
Step 1/6 : FROM node:alpine
 ---> 483343d6c5f5
Step 2/6 : WORKDIR /usr/src/app
 ---> Using cache
 ---> 6a4ff9cfd803
Step 3/6 : RUN npm install http-server
 ---> Using cache
 ---> d70acd0b5ac3
Step 4/6 : COPY . .
 ---> 9754e9da891e
Step 5/6 : EXPOSE 9100
 ---> Running in d1e07d5c93a9
Removing intermediate container d1e07d5c93a9
 ---> 89573a689ca3
Step 6/6 : CMD node_modules/http-server/bin/http-server _site -p 9100
 ---> Running in 7f6987a0240f
Removing intermediate container 7f6987a0240f
 ---> 9d4f61595780
Successfully built 9d4f61595780
Successfully tagged elasticsearch-head:alpine
# Run elasticsearch-head. The image only serves the static _site directory
# (see the build output above), so the browser itself talks to port 9200 —
# head exposes nothing beyond a UI, but 9100 is published on all interfaces.
docker run -d --restart=always \
  -p 9100:9100 \
  --name=elasticsearch-head \
  elasticsearch-head:alpine

# Append to /etc/elasticsearch/elasticsearch.yml. With CORS enabled and the
# origin set to "*", this additionally lets cross-origin browser requests
# (such as head's) carry an Authorization header; combined with the wildcard
# origin, any web page the operator visits can send authenticated requests
# to 9200 if it obtains the credentials — consider restricting allow-origin.
http.cors.allow-headers: Authorization,X-Requested-With,Content-Length,Content-Type

# Restart Elasticsearch so the new CORS header setting takes effect
docker restart elasticsearch

# 访问测试
http://59.110.233.231:9100/?auth_user=elastic&auth_password=mCO21RPJQYBmAze7x5R0
# 参考文档
https://www.elastic.co/cn/blog/getting-started-with-elasticsearch-security