在使用elasticsearch暴露的节点的ip和端口后就可以对整个集群进行各种操作，删索引，改数据等，如何对访问控制限制呢？
本文使用离线下载的方式安装search-guard，也可以使用在线安装，具体参照官网说明

0、基础环境

elasticsearch6.2.3
search-guard-6-6.2.3-23.0

1、search-guard官网下载es对应版本的search-guard

去官网下载对应版本的search-guard，本文编者使用es6.2.3，离线下载地址如下：
https://oss.sonatype.org/service/local/repositories/releases/content/com/floragunn/search-guard-6/6.2.3-23.0/search-guard-6-6.2.3-23.0.zip

2、安装插件

./bin/elasticsearch-plugin install -b file:///path/search-guard-6-6.2.3-23.0.zip；

3、下载证书地址

https://downloads.search-guard.com/resources/certificates/certificates.zip

4、解压

certificates.zip解压到elasticsearch-6.2.3\config\certificates

5、修改elasticsearch.yml

在yml最后追加以下内容

searchguard.ssl.transport.pemcert_filepath: certificates/esnode.pem
searchguard.ssl.transport.pemkey_filepath: certificates/esnode-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: certificates/root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: certificates/esnode.pem
searchguard.ssl.http.pemkey_filepath: certificates/esnode-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: certificates/root-ca.pem
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true
searchguard.authcz.admin_dn:
  - CN=kirk,OU=client,O=client,L=test,C=de
searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: true
searchguard.restapi.roles_enabled: ["sg_all_access"]

6、访问

https://localhost:9200/_searchguard/authinfo（username:admin,pwd:admin）

7、如何修改admin默认密码

7.1、首先使用默认hash工具，生成hash串

elasticsearch-6.2.3\plugins\search-guard-6\tools
.\hash.bat -p newpwd

7.2、新密码生效

sgadmin.bat -cd ..\sgconfig -key ..\..\..\config\certificates\kirk-key.pem -cert ..\..\..\config\certificates\kirk.pem -cacert ..\..\..\config\certificates\root-ca.pem -nhnv -icl

8、使用searchbox获取jestclient的方式（basic的方式连接es）

    JestClientFactory factory= new JestClientFactory();
    factory.setHttpClientConfig(new HttpClientCofig.Builder("https://ip:9200").defaultCredentials(username,pwd).sslSockedFactory(getSslSockedFactory()));
    private static SSLConnectionSockedFactory getSslSockedFactory() throws Exception{
    SSLContextBuilder builder= SSLContexts.custom();
    builder.loadTrustMaterial(new Trustrategy(){
    @Override
    public boolean isTrusted(X509Certificate[] chain,String authType){
    return true;
    }
    });
    SSLContext sslcontext=builder.build();
    SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslcontext,new String[]{"TLSv1","TLSv1.1","TLSv1.2"},null,new HostnameVerifier(){
    @Override
    public boolean verify(String arg0,String arg1){
    return true;
    }
    });
    return sslsf ;
    }

9、使用nodejs如何连接

nodejs 使用用户名密码(basic-auth)连接es
参考地址：https://www.elastic.co/guide/en/elasticsearch/client/javascript-api/current/auth-reference.html
实践：host: https://username:pwd@ip:9200