2024/12/21 23:13:06 Source: https://blog.csdn.net/weixin_39709686/article/details/144370877

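Background:

For project information-security reasons: the original ES version, 5.6.12, had no login authentication and was insecure. The requirement was to upgrade to 6.8.0 and add authentication. This post records the whole process.

Environment:

Elasticsearch: 6.8.0

Kibana: 6.8.0

Three servers prepared: 10.25.169.50 10.25.169.51 10.25.169.52

Spring Boot 2.x

Basic installation and configuration:

1. Download the Elasticsearch tar.gz package

    Address: Elasticsearch installation package

2. Extract it into the target directory

    wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.8.0.tar.gz
    tar -zxvf elasticsearch-6.8.0.tar.gz

3. The single-node setup is skipped, and the ES installation process itself is not recorded here; there are many guides online to refer to

4. Cluster setup:

vim /config/elasticsearch.yml

Configuration as follows: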

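#Cluster name
cluster.name: elasticsearch-cluster
#Node name
node.name: es-node1
#0.0.0.0 means other machines can all connect (the node listens on every interface)
network.bind_host: 0.0.0.0
#Address other nodes use to connect to this node; detected automatically if unset. publish_host must be the node's real address
network.publish_host: 10.25.169.50
#HTTP listening port (local access)
http.port: 9200
#Port this node uses to communicate with the other nodes
transport.tcp.port: 9300
#Whether cross-origin requests (CORS) are allowed; disabled by default
http.cors.enabled: true
http.cors.allow-origin: "*"
#Whether this node may take part in master election
node.master: true
#Allow this node to store data; enabled by default
node.data: true
#Paths on the server where data and logs are stored
path.data: /home/soft/elasticsearch-6.8.0/elastic/data
path.logs: /home/soft/elasticsearch-6.8.0/elastic/logs
#Addresses used for communication between the nodes
discovery.zen.ping.unicast.hosts: ["10.25.169.50","10.25.169.51","10.25.169.52"]
#Minimum number of master-eligible nodes a node must see before it can operate in the cluster. The officially recommended value is (N/2)+1, where N is the number of master-eligible nodes
discovery.zen.minimum_master_nodes: 2
bootstrap.memory_lock: false
bootstrap.system_call_filter: false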

The other two nodes:

cluster.name: elasticsearch-cluster
node.name: es-node2
network.bind_host: 0.0.0.0
#publish_host is this node's own address
network.publish_host: 10.25.169.51
http.port: 9200
transport.tcp.port: 9300
http.cors.enabled: true
http.cors.allow-origin: "*"
node.master: true
node.data: true
path.data: /home/soft/elasticsearch-6.8.0/elastic/data
path.logs: /home/soft/elasticsearch-6.8.0/elastic/logs
discovery.zen.ping.unicast.hosts: ["10.25.169.50","10.25.169.51","10.25.169.52"]
discovery.zen.minimum_master_nodes: 2
bootstrap.memory_lock: false
bootstrap.system_call_filter: false

cluster.name: elasticsearch-cluster
node.name: es-node3
network.bind_host: 0.0.0.0
#publish_host is this node's own address
network.publish_host: 10.25.169.52
http.port: 9200
transport.tcp.port: 9300
http.cors.enabled: true
http.cors.allow-origin: "*"
node.master: true
node.data: true
path.data: /home/soft/elasticsearch-6.8.0/elastic/data
path.logs: /home/soft/elasticsearch-6.8.0/elastic/logs
discovery.zen.ping.unicast.hosts: ["10.25.169.50","10.25.169.51","10.25.169.52"]
discovery.zen.minimum_master_nodes: 2
bootstrap.memory_lock: false
bootstrap.system_call_filter: false

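Start the nodes one by one (/elasticsearch-6.8.0/bin). With -d the node starts in the background, so the startup log is not shown.

./bin/elasticsearch -d

Visit http://localhost:9200. If you see the following page, the node started successfully.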

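Security authentication:

At this point the cluster has no security authentication. In a production environment, a cluster like this is extremely easy to attack.

Next, enable security authentication for the ES cluster. (Note: the nodes of an ES cluster communicate with each other using a certificate, which is why there is a step to generate one.)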

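1. Generate the certificate (/elasticsearch-6.8.0/bin):

./bin/elasticsearch-certutil ca

You will be asked for a path and a password. The path can be left empty: just press Enter and the file is generated in the current directory. Do set a password; here it is set to 123456.

When it finishes, a file is generated: elastic-stack-ca.p12

2. Generate the key

./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

When asked for the password, enter the one you just set; where a path is requested, just press Enter as before. A file is then generated: elastic-certificates.p12

This certificate is the credential the ES nodes use to communicate with each other.

To emphasize: one credential per ES cluster is enough; the other nodes do not need to generate one.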

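3. Move the certificate generated in the previous step to the specified directory

mv /bin/elastic-certificates.p12 /config/certificates/

3.1 Remember to change the file permissions (otherwise there will be permission problems at startup):

chmod 777 /config/certificates/elastic-certificates.p12

4. Edit the configuration file:

vim /config/elasticsearch.yml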

cluster.name: elasticsearch-cluster
node.name: es-node1
network.bind_host: 0.0.0.0
network.publish_host: 10.25.169.50
http.port: 9200
transport.tcp.port: 9300
http.cors.enabled: true
http.cors.allow-origin: "*"
node.master: true
node.data: true
path.data: /home/soft/elasticsearch-6.8.0/elastic/data
path.logs: /home/soft/elasticsearch-6.8.0/elastic/logs
discovery.zen.ping.unicast.hosts: ["10.25.169.50","10.25.169.51","10.25.169.52"]
discovery.zen.minimum_master_nodes: 2
bootstrap.memory_lock: false
bootstrap.system_call_filter: false
# The following settings enable password access to the ES cluster; configure them on all three ES servers
xpack.security.enabled: true
xpack.license.self_generated.type: basic
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /elasticsearch/config/certificates/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /elasticsearch/config/certificates/elastic-certificates.p12

5. Copy the certificate file elastic-certificates.p12 to the specified directory on the other two server nodes, and update their configuration:

cluster.name: elasticsearch-cluster
node.name: es-node2
network.bind_host: 0.0.0.0
#publish_host is this node's own address
network.publish_host: 10.25.169.51
http.port: 9200
transport.tcp.port: 9300
http.cors.enabled: true
http.cors.allow-origin: "*"
node.master: true
node.data: true
path.data: /home/soft/elasticsearch-6.8.0/elastic/data
path.logs: /home/soft/elasticsearch-6.8.0/elastic/logs
discovery.zen.ping.unicast.hosts: ["10.25.169.50","10.25.169.51","10.25.169.52"]
discovery.zen.minimum_master_nodes: 2
bootstrap.memory_lock: false
bootstrap.system_call_filter: false
# The following settings enable password access to the ES cluster; configure them on all three ES servers
xpack.security.enabled: true
xpack.license.self_generated.type: basic
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /elasticsearch/config/certificates/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /elasticsearch/config/certificates/elastic-certificates.p12

cluster.name: elasticsearch-cluster
node.name: es-node3
network.bind_host: 0.0.0.0
#publish_host is this node's own address
network.publish_host: 10.25.169.52
http.port: 9200
transport.tcp.port: 9300
http.cors.enabled: true
http.cors.allow-origin: "*"
node.master: true
node.data: true
path.data: /home/soft/elasticsearch-6.8.0/elastic/data
path.logs: /home/soft/elasticsearch-6.8.0/elastic/logs
discovery.zen.ping.unicast.hosts: ["10.25.169.50","10.25.169.51","10.25.169.52"]
discovery.zen.minimum_master_nodes: 2
bootstrap.memory_lock: false
bootstrap.system_call_filter: false
# The following settings enable password access to the ES cluster; configure them on all three ES servers
xpack.security.enabled: true
xpack.license.self_generated.type: basic
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /elasticsearch/config/certificates/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /elasticsearch/config/certificates/elastic-certificates.p12

6. Last step: you also need to add the password on each server node:

bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password

Enter the password: 123456 (the password set earlier, see above)

bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

Enter the password: 123456 (the password set earlier, see above)
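
Before the nodes are started, the settings from steps 3.1 to 6 can be checked on each server. The script below is an added example, not part of the original post: the function names yml_get and audit_es_node are hypothetical, and it assumes a flat key: value elasticsearch.yml like the ones above. It reports missing security/TLS settings, a wildcard CORS origin, a minimum_master_nodes value that differs from (N/2)+1, and a keystore file that group or other users can access: elastic-certificates.p12 holds the node's private key, so the chmod 777 from step 3.1 leaves it readable and writable by every local account, while access for the account that runs Elasticsearch is sufficient.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Function names are hypothetical.

# Print the value of a flat "key: value" setting, with surrounding quotes removed.
yml_get() {  # $1 = file, $2 = key
  awk -v k="$2" 'index($0, k ":") == 1 {
      v = substr($0, length(k) + 2)
      gsub(/^[ "]+|[ "]+$/, "", v); print v; exit }' "$1"
}

# Print one finding per line for a node's elasticsearch.yml; nothing if all checks pass.
audit_es_node() {  # $1 = path to elasticsearch.yml
  local yml ks hosts n want
  yml="$1"
  [ "$(yml_get "$yml" xpack.security.enabled)" = "true" ] ||
    echo "AUTH: xpack.security.enabled is not true"
  [ "$(yml_get "$yml" xpack.security.transport.ssl.enabled)" = "true" ] ||
    echo "TLS: xpack.security.transport.ssl.enabled is not true"
  if [ "$(yml_get "$yml" http.cors.enabled)" = "true" ] &&
     [ "$(yml_get "$yml" http.cors.allow-origin)" = "*" ]; then
    echo "CORS: http.cors.allow-origin is a wildcard"
  fi
  # The PKCS#12 file holds the node's private key; only the owner needs access.
  ks="$(yml_get "$yml" xpack.security.transport.ssl.keystore.path)"
  if [ -n "$ks" ] && [ -e "$ks" ]; then
    [ "$(ls -ld "$ks" | cut -c5-10)" = "------" ] ||
      echo "PERM: $ks is accessible to group/other users"
  else
    echo "PERM: keystore file not found: ${ks:-<unset>}"
  fi
  # (N/2)+1 as in the post, assuming every listed host is master-eligible.
  hosts="$(yml_get "$yml" discovery.zen.ping.unicast.hosts)"
  n="$(printf '%s\n' "$hosts" | tr ',' '\n' | grep -c '[0-9A-Za-z]' || true)"
  want=$(( n / 2 + 1 ))
  [ "$(yml_get "$yml" discovery.zen.minimum_master_nodes)" = "$want" ] ||
    echo "QUORUM: minimum_master_nodes should be $want for $n hosts"
  return 0
}

# Usage: ./audit.sh /path/to/config/elasticsearch.yml
if [ -n "${1:-}" ]; then audit_es_node "$1"; fi
```

An empty result means every check passed; run it against the elasticsearch.yml of each of the three nodes.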

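7. Start the nodes one by one

./bin/elasticsearch -d

8. Now open http://localhost:9200 and you will see the following page

In fact, at this point our account and password have not been set yet

9. Set the passwords (Elasticsearch must be up and running; this only needs to be done on one node):

./bin/elasticsearch-setup-passwords interactive

Then follow the prompts and set each password. The output below is for reference only: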

future versions of Elasticsearch will require Java 11; your Java version from [/kaysen/tools/java/jre] does not meet this requirement
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y
Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]

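Then set them one by one. Remember that one of them is the password for the elastic account (123456); afterwards, enter it in the username and password fields.

The accounts and passwords of the ES cluster are now set up.

10. From any node we can now access the other nodes

curl --user elastic:123456 "http://10.25.169.52:9200/_cluster/health?pretty"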

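Spring Boot integration:

11. Finally, once the ES cluster is configured it still has to be put to use, so integrate it into our system

Add the following to the application configuration (you still need to find the matching version), otherwise startup will report connection problems

spring:
  data:
    elasticsearch:
      cluster-name: your-cluster-name
      cluster-nodes: 10.25.169.50:9300,10.25.169.51:9300,10.25.169.52:9300
      username: elastic
      password: 123456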

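Error:

failed to load elasticsearch nodes : org.elasticsearch.client.transport.NoNodeAvailableException: None of the configured nodes are available: [{#transport#-1}{jnstBkqwSkqiMcqaSmQeFg}{192.168.56.101}{192.168.56.101:9300}]

Cause of the error:

The tcp port in the elasticsearch/config/elasticsearch.yml configuration file does not match the ES client configuration

The Elasticsearch server and client versions do not match

Solutions:

1. Unify the versions (honestly, upgrading the Spring Boot version is not easy either)

2. You can also use the ES API directly, though it is not as convenient as the Spring Data Elasticsearch wrapper

3. If there is a better solution, comments are welcome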
