Node inventory (IP, machine spec, role, OS, sizing with JVM heap):
10.4.2.101  8C16G64G  data-hot   centos8  16C48G(JVM24G)
10.4.2.102  8C16G64G  data-hot   centos8  16C48G(JVM24G)
10.4.2.103  8C16G64G  data-hot   centos8  16C48G(JVM24G)
10.4.2.104  8C16G64G  data-warm  centos8  16C48G(JVM24G)
10.4.2.105  8C16G64G  data-warm  centos8  16C48G(JVM24G)
10.4.2.106  8C16G64G  data-warm  centos8  16C48G(JVM24G)
10.4.2.107  8C16G64G  master     centos8  8C16G(JVM8G)   (also a temporary data node)
10.4.2.108  8C16G64G  master     centos8  8C16G(JVM8G)
10.4.2.109  8C16G64G  master     centos8  8C16G(JVM8G)
Run the following on 10.4.2.107.
1. Generate the CA certificate
]# /usr/share/elasticsearch/bin/elasticsearch-certutil ca -out /etc/elasticsearch/certs/elastic-stack-ca.p12 -pass ""
Press Enter at any prompt to accept the defaults. -pass "" leaves the CA file without a password; whether the certificates end up password-protected decides which keystore step applies below.
Generate the transport.p12 certificate (signed by the CA just created; certutil prompts for a password for the new file, and leaving it empty is what the "no password" branch below assumes):
]# /usr/share/elasticsearch/bin/elasticsearch-certutil cert -out /etc/elasticsearch/certs/transport.p12 --ca /etc/elasticsearch/certs/elastic-stack-ca.p12
Generate the http.p12 certificate
Not needed here, because HTTP TLS is not enabled in the elasticsearch.yml below; the command is kept for reference.
]# /usr/share/elasticsearch/bin/elasticsearch-certutil cert -out /etc/elasticsearch/certs/http.p12 --ca /etc/elasticsearch/certs/elastic-stack-ca.p12
Update elasticsearch.keystore
If the certificate has a password, store it in elasticsearch.keystore. transport.p12 is used as both keystore and truststore in the configuration below, so both entries are needed:
# store the certificate password in the keystore
]# /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
Setting xpack.security.transport.ssl.keystore.secure_password already exists. Overwrite? [y/N]y
Enter value for xpack.security.transport.ssl.keystore.secure_password:
]# /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
Setting xpack.security.transport.ssl.truststore.secure_password already exists. Overwrite? [y/N]y
Enter value for xpack.security.transport.ssl.truststore.secure_password:
If the certificate has no password, remove the password entries that the 8.x auto-configuration created at first start, leaving only these two:
# keep only autoconfiguration.password_hash and keystore.seed
]# /usr/share/elasticsearch/bin/elasticsearch-keystore list
autoconfiguration.password_hash
keystore.seed
xpack.security.http.ssl.keystore.secure_password
xpack.security.transport.ssl.keystore.secure_password
xpack.security.transport.ssl.truststore.secure_password
]# /usr/share/elasticsearch/bin/elasticsearch-keystore remove xpack.security.http.ssl.keystore.secure_password
]# /usr/share/elasticsearch/bin/elasticsearch-keystore remove xpack.security.transport.ssl.keystore.secure_password
]# /usr/share/elasticsearch/bin/elasticsearch-keystore remove xpack.security.transport.ssl.truststore.secure_password
]# /usr/share/elasticsearch/bin/elasticsearch-keystore list
autoconfiguration.password_hash
keystore.seed
Copy the certificate files to the other nodes and give the elasticsearch user access to them
]# scp /etc/elasticsearch/certs/* root@10.4.2.108:/etc/elasticsearch/certs/
]# scp /etc/elasticsearch/certs/* root@10.4.2.109:/etc/elasticsearch/certs/
On 10.4.2.108 and 10.4.2.109
Log in to each of the other nodes and change the ownership of the files that were just copied. The path must be the certs directory referenced by keystore.path/truststore.path in elasticsearch.yml:
~]# chown -R elasticsearch:elasticsearch /etc/elasticsearch/certs/
Do the same on 10.4.2.107, since certutil was run as root there. Then handle elasticsearch.keystore on each of these nodes in the same way as above; the keystore is per node and is not copied (details omitted).
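The certificate, keystore and copy steps above, driven from one script so the same thing happens on every node, as an added example (not code from this post or from Elastic). Paths and the two peer addresses come from the post; the function names, the dry-run mode, passing the keystore password on stdin instead of argv, and the chmod 640 on the copied .p12 files are this example's own choices.

```python
"""Drive the certificate and keystore steps above from one script (dry-run by default)."""
import subprocess

ES_BIN = "/usr/share/elasticsearch/bin"
CERTS = "/etc/elasticsearch/certs"
PEERS = ["10.4.2.108", "10.4.2.109"]   # the other two secured nodes from the inventory
# Both entries are needed because the config uses transport.p12 as keystore AND truststore.
KEYSTORE_SETTINGS = [
    "xpack.security.transport.ssl.keystore.secure_password",
    "xpack.security.transport.ssl.truststore.secure_password",
]


def certutil_plan(ca_pass, cert_pass):
    """argv lists for the CA and the transport certificate.
    certutil takes passwords on the command line via --pass: pass "" for an
    unprotected file (as the post does for the CA) or None to omit --pass and
    be prompted, so a real password never lands in argv or shell history."""
    ca = f"{CERTS}/elastic-stack-ca.p12"
    cert = [f"{ES_BIN}/elasticsearch-certutil", "cert", "--ca", ca, "--ca-pass", ca_pass,
            "--out", f"{CERTS}/transport.p12"]
    if cert_pass is not None:
        cert += ["--pass", cert_pass]
    return [
        [f"{ES_BIN}/elasticsearch-certutil", "ca", "--out", ca, "--pass", ca_pass],
        cert,
    ]


def keystore_plan(cert_pass):
    """(argv, stdin) pairs for this node's elasticsearch.keystore.
    With a password: add both entries through --stdin (the value is read from
    stdin and never appears in argv). Without one: remove the entries the 8.x
    auto-configuration left behind, as the post does."""
    plan = []
    for setting in KEYSTORE_SETTINGS:
        if cert_pass:
            plan.append(([f"{ES_BIN}/elasticsearch-keystore", "add", "--force", "--stdin", setting],
                         cert_pass + "\n"))
        else:
            plan.append(([f"{ES_BIN}/elasticsearch-keystore", "remove", setting], None))
    return plan


def distribute_plan():
    """Fix ownership locally, copy the certs directory to each peer and fix
    ownership/mode there. chmod 640 is this example's choice. The keystore is
    per node and is not copied, so keystore_plan() must also run on every peer."""
    plan = [["chown", "-R", "elasticsearch:elasticsearch", CERTS]]   # local node too
    for host in PEERS:
        plan.append(["scp", "-r", f"{CERTS}/.", f"root@{host}:{CERTS}/"])
        plan.append(["ssh", f"root@{host}",
                     f"chown -R elasticsearch:elasticsearch {CERTS} && chmod 640 {CERTS}/*.p12"])
    return plan


def full_plan(cert_pass):
    return certutil_plan("", cert_pass) + keystore_plan(cert_pass) + distribute_plan()


def execute(plan, dry_run=True):
    """Run each step, or just print it. Returns the argv lists in order.
    Removing a keystore entry that is not there is not treated as an error."""
    ran = []
    for step in plan:
        argv, stdin = step if isinstance(step, tuple) else (step, None)
        ran.append(argv)
        if dry_run:
            print(" ".join(argv) + ("   < <password on stdin>" if stdin else ""))
            continue
        subprocess.run(argv, input=stdin, text=True, check=(argv[1] != "remove"))
    return ran


if __name__ == "__main__":
    # Print the plan for the "no certificate password" case from the post.
    execute(full_plan(cert_pass=""), dry_run=True)
```

Run with dry_run=False as root on 10.4.2.107 to execute; pass cert_pass=None to be prompted by certutil instead of putting a password on the command line.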
II. Configure elasticsearch.yml on each node
The file for 10.4.2.107 is shown; on 108 and 109 change node.name, network.host and transport.host accordingly.
cluster.name: elasticsearch-secure
node.name: ly-elasticsearch-secure107
node.roles: [ data, master ]
path.data: /data/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 10.4.2.107
http.port: 9200
discovery.seed_hosts: ["10.4.2.107", "10.4.2.108", "10.4.2.109"]
xpack.security.enabled: true
xpack.security.enrollment.enabled: false
xpack.security.http.ssl:
  enabled: false
  keystore.path: certs/http.p12
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12
cluster.initial_master_nodes: ["elasticsearch-secure107", "elasticsearch-secure108", "elasticsearch-secure109"]
http.host: 0.0.0.0
transport.host: 10.4.2.107
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,X-Requested-With,Content-Type,Content-Length
Points to check before restarting: the entries in cluster.initial_master_nodes must match node.name exactly on each node (as written above, ly-elasticsearch-secure107 does not match elasticsearch-secure107). With xpack.security.http.ssl.enabled: false the elastic password is sent as cleartext HTTP basic auth, so this only belongs on a network you trust. verification_mode: certificate checks that the peer certificate chains to the CA but not its hostname or IP; full does both but needs IP/DNS SANs in transport.p12. http.cors.allow-origin: "*" should be narrowed to the origin of the front-end that actually calls the cluster.
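An audit of the configuration above, as an added example that is not part of the post: the script flattens the file into the dotted keys Elasticsearch itself uses and flags the settings a reviewer would question. The YAML parser is a minimal one written for this file's subset (dotted keys, two-space nested mappings, scalars, inline lists), so it needs no PyYAML; the severity labels and the hardened overrides, including the example Kibana origin, are assumptions of this example.

```python
"""Flatten an elasticsearch.yml into the dotted keys ES uses, then audit the security settings."""

# Constructed sample: the elasticsearch.yml from the post, nesting kept as written.
SAMPLE_YML = """\
cluster.name: elasticsearch-secure
node.name: ly-elasticsearch-secure107
node.roles: [ data, master ]
path.data: /data/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 10.4.2.107
http.port: 9200
discovery.seed_hosts: ["10.4.2.107", "10.4.2.108", "10.4.2.109"]
xpack.security.enabled: true
xpack.security.enrollment.enabled: false
xpack.security.http.ssl:
  enabled: false
  keystore.path: certs/http.p12
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12
cluster.initial_master_nodes: ["elasticsearch-secure107", "elasticsearch-secure108", "elasticsearch-secure109"]
http.host: 0.0.0.0
transport.host: 10.4.2.107
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,X-Requested-With,Content-Type,Content-Length
"""

# Corrected values this example proposes (the CORS origin is an assumed example host).
HARDENED_OVERRIDES = {
    "xpack.security.http.ssl.enabled": True,                    # TLS on the REST port as well
    "xpack.security.transport.ssl.verification_mode": "full",   # needs IP/DNS SANs in transport.p12
    "http.cors.allow-origin": "https://kibana.example.internal:5601",
    "node.name": "elasticsearch-secure107",                     # equal to the bootstrap list entry
}


def parse_scalar(text):
    """Inline list, boolean or (unquoted) string."""
    text = text.strip()
    if text.startswith("[") and text.endswith("]"):
        return [item.strip().strip("\"'") for item in text[1:-1].split(",") if item.strip()]
    if text.lower() in ("true", "false"):
        return text.lower() == "true"
    return text.strip("\"'")


def flatten_es_yml(text):
    """Map nested mappings onto dotted keys: 'xpack.security.http.ssl:' followed
    by '  enabled: false' becomes xpack.security.http.ssl.enabled -> False, the
    same key the flat notation would use."""
    settings, stack = {}, []          # stack: (indent, key) of the enclosing mappings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        while stack and indent <= stack[-1][0]:
            stack.pop()
        key, _, value = line.strip().partition(":")
        full = ".".join([k for _, k in stack] + [key])
        if value.strip():
            settings[full] = parse_scalar(value)
        else:
            stack.append((indent, key))
    return settings


def audit(settings):
    """Return [(severity, message)] for the weak spots in the flattened settings."""
    get, findings = settings.get, []
    if get("xpack.security.enabled") is not True:
        findings.append(("HIGH", "xpack.security.enabled is not true: no authentication at all"))
    if get("xpack.security.transport.ssl.enabled") is not True:
        findings.append(("HIGH", "transport TLS disabled: node-to-node traffic is cleartext"))
    if get("xpack.security.http.ssl.enabled") is not True:
        findings.append(("HIGH", "HTTP TLS disabled: basic-auth credentials cross the wire in cleartext"))
    mode = get("xpack.security.transport.ssl.verification_mode", "full")   # ES default is full
    if mode != "full":
        findings.append(("MEDIUM", f"verification_mode={mode}: peer hostname/IP is not checked, "
                                   "any certificate chaining to the CA is accepted"))
    if get("http.cors.enabled") is True and get("http.cors.allow-origin") == "*":
        findings.append(("MEDIUM", "http.cors.allow-origin is '*': narrow it to the front-end origin"))
    name, masters = get("node.name"), get("cluster.initial_master_nodes", [])
    if name and masters and "master" in get("node.roles", []) and name not in masters:
        findings.append(("HIGH", f"node.name {name!r} is not in cluster.initial_master_nodes: "
                                 "bootstrap matches names exactly, so this node will not be used"))
    return findings


if __name__ == "__main__":
    current = flatten_es_yml(SAMPLE_YML)
    for severity, message in audit(current):
        print(severity, message)
    print("hardened:", audit({**current, **HARDENED_OVERRIDES}))
```

Point flatten_es_yml() at the real file contents (open("/etc/elasticsearch/elasticsearch.yml").read()) to audit a node in place; switching verification_mode to full only works once transport.p12 is regenerated with each node's address (certutil cert accepts --ip and --dns for that).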
Restart the Elasticsearch service
~]# systemctl restart elasticsearch
Reset the elastic password (-i prompts interactively: answer the confirmation prompt, then type the new password twice)
~]# /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic -i
Verify the cluster
]# curl --insecure -u elastic:<password> -XGET "http://127.0.0.1:9200/"
{
  "name" : "ly-elasticsearch-secure107",
  "cluster_name" : "elasticsearch-secure",
  "cluster_uuid" : "fpapHOWOS46hpswSofVwow",
  "version" : {
    "number" : "8.2.2",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "9876968ef3c745186b94fdabd4483e01499224ef",
    "build_date" : "2022-05-25T15:47:06.259735307Z",
    "build_snapshot" : false,
    "lucene_version" : "9.1.0",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "You Know, for Search"
}
(--insecure only affects https; it has no effect on this plain-http endpoint. An unauthenticated request now gets 401 instead of this banner.)
]# curl --insecure -u elastic:<password> -XGET "http://127.0.0.1:9200/_cat/nodes"
10.4.2.109 3 58 2 0.23 0.20 0.08 dm - elasticsearch-secure109
10.4.2.108 4 58 2 0.29 0.21 0.09 dm * elasticsearch-secure108
10.4.2.107 9 58 4 0.31 0.25 0.10 dm - elasticsearch-secure107
The default columns are ip, heap.percent, ram.percent, cpu, load_1m, load_5m, load_15m, node.role, master and name (add ?v to print the header). dm means the node holds the data and master roles, and * marks the elected master; all three secured nodes have joined the cluster.
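A scripted version of that last check, as an added example not taken from the post: it parses a _cat/nodes listing and compares it with the node inventory (all three nodes present, no unexpected node, exactly one elected master, expected IP and roles per node). The sample listing is the one printed above; fetch_cat_nodes() is only needed against a live cluster and requests the columns explicitly with h= so the parser never depends on the server's default column set.

```python
"""Verify a _cat/nodes listing against the planned cluster membership."""
import base64
import urllib.request

COLUMNS = ("ip", "heap.percent", "ram.percent", "cpu", "load_1m", "load_5m",
           "load_15m", "node.role", "master", "name")

# Constructed sample: the three lines shown above.
SAMPLE_CAT_NODES = """\
10.4.2.109 3 58 2 0.23 0.20 0.08 dm - elasticsearch-secure109
10.4.2.108 4 58 2 0.29 0.21 0.09 dm * elasticsearch-secure108
10.4.2.107 9 58 4 0.31 0.25 0.10 dm - elasticsearch-secure107
"""

# What the post's inventory says the three secured nodes should look like
# (d = data, m = master in the node.role column).
EXPECTED = {f"elasticsearch-secure{n}": {"ip": f"10.4.2.{n}", "roles": {"d", "m"}}
            for n in (107, 108, 109)}


def fetch_cat_nodes(base_url, user, password):
    """GET _cat/nodes with basic auth and an explicit column list. Over http://
    (as in the post) the credentials travel in cleartext."""
    url = f"{base_url}/_cat/nodes?h={','.join(COLUMNS)}"
    req = urllib.request.Request(url)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


def parse_cat_nodes(text):
    """One dict per line, keyed by COLUMNS; a line with another column count is an error."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != len(COLUMNS):
            raise ValueError(f"unexpected column count in: {line!r}")
        rows.append(dict(zip(COLUMNS, fields)))
    return rows


def verify_cluster(rows, expected):
    """Return a list of problems; an empty list means the cluster looks as planned."""
    problems = []
    seen = {r["name"]: r for r in rows}
    missing = sorted(set(expected) - set(seen))
    extra = sorted(set(seen) - set(expected))
    if missing:
        problems.append("missing nodes: " + ", ".join(missing))
    if extra:
        problems.append("unexpected nodes: " + ", ".join(extra))
    masters = [r["name"] for r in rows if r["master"] == "*"]
    if len(masters) != 1:
        problems.append(f"expected exactly one elected master, found {len(masters)}")
    for name, exp in expected.items():
        row = seen.get(name)
        if row is None:
            continue
        if row["ip"] != exp["ip"]:
            problems.append(f"{name}: ip {row['ip']} != {exp['ip']}")
        if set(row["node.role"]) != exp["roles"]:
            problems.append(f"{name}: roles {row['node.role']} != {''.join(sorted(exp['roles']))}")
    return problems


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_cat_nodes(...) for a live check.
    print(verify_cluster(parse_cat_nodes(SAMPLE_CAT_NODES), EXPECTED) or "cluster as planned")
```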