測試環境配置
ES用戶登錄
開啟ES用戶登陸驗證,生成ca證書
1. 為集群創建一個ca機構
elasticsearch-certutil ca
依次輸入回車(文件使用默認名),密碼
2. 通過ca頒發證書
elasticsearch-certutil cert --ca elastic-stack-ca.p12
回車(文件使用默認名),密碼上一步密碼相同
elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
輸入第一步輸入的密碼
elasticsearch-keystore add xpack.security.http.ssl.truststore.secure_password
elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
輸入第一步輸入的密碼
3. 修改es的配置文件:elasticsearch.yml,添加如下配置
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /home/elasticsearch/elasticsearch-6.8.0/config/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /home/elasticsearch/elasticsearch-6.8.0/config/elastic-certificates.p12
4. 啟動ES服務
./bin/elasticsearch -d
5. 執行設置用戶名和密碼的命令,ES有六個默認的用戶
./bin/elasticsearch-setup-passwords interactive
設置密碼在集群中任意一個elasticsearch節點執行完成即可,如果執行第二次,將會給出如下錯誤提示:
如果需要更新密碼可以使用以下命令:
curl -H "Content-Type:application/json" -XPOST http://elastic:123456@192.168.43.139:9200/_xpack/security/user/elastic/_password -d { "password" : "qwer123" }
ES角色管理
1. 查詢ES角色詳細權限
curl -XGET -u elastic:qwer123 -s http://@192.168.43.139:9200/_xpack/security/role/superuser?pretty
cluster:設置集群權限
indices:設置索引權限
applications:應用權限;
包含application、privileges、resources屬性
global:全局性的集群權限
run_as:賦予該role的用戶擁有其他用戶的權限
metadata:元數據
2. ES角色創建與更新
curl -XPOST -u elastic:qwer123 -s http://@192.168.43.139:9200/_xpack/security/role/IDS_ES -H "Content-Type: application/json" -d{"cluster":["monitor","manage_index_templates","manage_ilm"],"indices":[{"names":["IDS_ES_*"],"privileges":["all"],"allow_restricted_indices": false}],"transient_metadata":{"enabled": true}}
3. ES角色清理緩存
curl -XPOST -u elastic:qwer123 -s http://@192.168.43.139:9200/_xpack/security/role/IDS_ES/_clear_cache?pretty
4. ES刪除角色
curl -XDELETE -u elastic:qwer123 -s http://@192.168.43.139:9200/_xpack/security/role/IDS_ES?pretty
ES用戶管理
curl -XGET -u elastic:qwer123 -s http://@192.168.43.139:9200/_xpack/security/user?pretty
2. 創建ES用戶
curl -XPOST -u elastic:qwer123 -s http://@192.168.43.139:9200/_xpack/security/user/IDS_ES -H "Content-Type: application/json" -d {
"password" : "Kms9852HTVdxjzUNXX",
"full_name" : "",
"email" : "",
"roles" : [ "IDS_ES" ],
"metadata" : {
}
}
3. ES更新用戶密碼
curl -H "Content-Type:application/json" -XPOST http://elastic:123456@192.168.43.139:9200/_xpack/security/user/elastic/_password -d { "password" : "qwer123" }
4. ES禁用用戶
curl -XPOST -u elastic:qwer123 -s http://@192.168.43.139:9200/_xpack/security/user/IDS_ES/_disable
5. ES啟用用戶
curl -XPOST -u elastic:qwer123 -s http://@192.168.43.139:9200/_xpack/security/user/IDS_ES/_enable
6. ES用戶刪除
curl -XDELETE -u elastic:qwer123 -s http://@192.168.43.139:9200/_xpack/security/user/IDS_ES?pretty
http訪問
1) ./bin/elasticsearch-certutil ca # 生成elastic-stack-ca.p12文件
2) ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 # 生成elastic-certificates.p12文件,供elasticsearch使用
3) openssl pkcs12 -in elastic-stack-ca.p12 -out newfile.crt.pem -clcerts -nokeys # 生成newfile.crt.pem文件,供kibana使用,復制到對應目錄下
4) ./bin/elasticsearch-certutil cert --pem elastic-stack-ca.p12 # 生成certificate-bundle.zip文件,包含ca/ca.crt,instance/instance.crt,instance/instance.key
Archive: certificate-bundle.zip
creating: ca/
inflating: ca/ca.crt
creating: instance/
inflating: instance/instance.crt
inflating: instance/instance.key
5)修改配置文件elasticsearch.yml,添加如下配置
#enable xpack
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
# 下面的這幾項 用于 集群間 加密通信
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /home/elasticsearch/elasticsearch-6.8.0/config/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /home/elasticsearch/elasticsearch-6.8.0/config/elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: /home/elasticsearch/elasticsearch-6.8.0/config/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: /home/elasticsearch/elasticsearch-6.8.0/config/elastic-certificates.p12
6) 修改kibana配置文件,kibana.yml
elasticsearch.hosts: ["https://localhost:9200"] # 注意https
elasticsearch.ssl.verificationMode: none
elasticsearch.ssl.certificateAuthorities: ["/home/elasticsearch/kibana-6.8.2/config/newfile.crt.pem"]
elasticsearch.username: "kibana"
elasticsearch.password: "1io0K4VS7nkxpGwGwzHg"
7)重啟elasticsearch服務,查詢方式已改為https
curl -u elastic:qwer123 -k https://@192.168.43.139:9200/_cat/health?v
相關閱讀: 劉能,公眾號:IT那活兒ES常用基礎操作命令及實踐
更多精彩干貨分享
點擊下方名片關注
IT那活兒
文章版權歸作者所有,未經允許請勿轉載,若此文章存在違規行為,您可以聯系管理員刪除。
轉載請注明本文地址:http://specialneedsforspecialkids.com/yun/129809.html
摘要:簡單工廠模式簡單工廠模式又叫靜態工廠模式,由一個工廠對象決定創建某一種產品對象類的實例。工廠方法模式工廠方法模式的本意是將實際創建對象的工作推遲到子類中,這樣核心類就變成了抽象類。抽象工廠模式一般用在 1 什么是工廠模式? 工廠模式是用來創建對象的一種最常用的設計模式。我們不暴露創建對象的具體邏輯,而是將將邏輯封裝在一個函數中,那么這個函數就可以被視為一個工廠。工廠模式根據抽象程度的不...
摘要:簡單工廠模式簡單工廠模式又叫靜態工廠模式,由一個工廠對象決定創建某一種產品對象類的實例。工廠方法模式工廠方法模式的本意是將實際創建對象的工作推遲到子類中,這樣核心類就變成了抽象類。抽象工廠模式一般用在 1 什么是工廠模式? 工廠模式是用來創建對象的一種最常用的設計模式。我們不暴露創建對象的具體邏輯,而是將將邏輯封裝在一個函數中,那么這個函數就可以被視為一個工廠。工廠模式根據抽象程度的不...
閱讀 1346·2023-01-11 13:20
閱讀 1684·2023-01-11 13:20
閱讀 1132·2023-01-11 13:20
閱讀 1860·2023-01-11 13:20
閱讀 4100·2023-01-11 13:20
閱讀 2704·2023-01-11 13:20
閱讀 1385·2023-01-11 13:20
閱讀 3597·2023-01-11 13:20