This walkthrough was tested on Elasticsearch 7.5 and applies to 7.x.

1. Enabling authentication in ES

#1. Generate certificates for the nodes in the Elasticsearch cluster
bin/elasticsearch-certutil ca
# When prompted for a password, you can simply press Enter all the way through
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
mkdir config/certs/ && mv  elastic-certificates.p12 elastic-stack-ca.p12 config/certs/
#2. Edit the configuration file config/elasticsearch.yml
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

#3. Set the passwords
bin/elasticsearch-setup-passwords interactive
# The passwords are entered one at a time, in the following order.
elastic/admin123
apm_system/user123
kibana/user123
logstash_system/user123
beats_system/user123
remote_monitoring_user/user123

2. Enabling authentication in Kibana

#4. Configure Kibana in config/kibana.yml
elasticsearch.username: "kibana"
elasticsearch.password: "user123"


Access with curl

curl -u elastic:admin123 http://localhost:9200

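From the above we can infer that authenticating as a user with HTTP Basic auth is enough to pass the check, so a Java HTTP client can do the same, either by setting the Authorization header or through the client's basic-auth helper.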
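The curl call above sends the Basic credentials over plain http, and HTTPS is only covered in the advanced section. The following added example (not part of the original post) audits the security settings this page writes to config/elasticsearch.yml plus the HTTP-layer TLS setting; it assumes the flat dotted `key: value` form used here, and the function names are hypothetical.

```python
# Added example: audit the flat "key: value" security settings of elasticsearch.yml.
# SAMPLE_CONFIG is constructed from the settings shown on this page.
SAMPLE_CONFIG = """\
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
"""
TRANSPORT = "xpack.security.transport.ssl."


def parse_flat_yaml(text):
    """Parse flat dotted 'key: value' lines, skipping blanks and # comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit(settings):
    """Return (setting, finding) pairs; unset keys fall back to the 7.x defaults."""
    def enabled(key):
        return settings.get(key, "false").lower() == "true"

    findings = []
    if not enabled("xpack.security.enabled"):
        findings.append(("xpack.security.enabled", "authentication is off"))
    if not enabled(TRANSPORT + "enabled"):
        findings.append((TRANSPORT + "enabled", "node-to-node traffic is unencrypted"))
    mode = settings.get(TRANSPORT + "verification_mode", "full")
    if mode == "none":
        findings.append((TRANSPORT + "verification_mode", "peer certificates are not verified"))
    elif mode == "certificate":
        findings.append((TRANSPORT + "verification_mode", "CA signature is checked, hostname is not"))
    if not enabled("xpack.security.http.ssl.enabled"):
        findings.append(("xpack.security.http.ssl.enabled",
                         "Basic credentials on port 9200 are only Base64-encoded on the wire"))
    return findings


if __name__ == "__main__":
    for key, finding in audit(parse_flat_yaml(SAMPLE_CONFIG)):
        print(f"{key}: {finding}")
```

For the configuration on this page it reports the certificate-only verification mode and the missing HTTP-layer TLS.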

Access from Java

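/**
 * Hutool (cn.hutool.http.HttpRequest, cn.hutool.http.HttpUtil)
 */
HttpRequest request = HttpUtil.createPost(url);
// Method 1: let Hutool build the Basic header
request.basicAuth("elastic","admin123");
// Method 2: set the header directly; the value is Base64 of "elastic:admin123"
request.header("Authorization","Basic ZWxhc3RpYzphZG1pbjEyMw==");

/**
 * HttpClient (assuming Apache HttpClient, org.apache.http.client.methods.HttpPost)
 */
HttpPost post = new HttpPost(url);
post.addHeader("Authorization","Basic ZWxhc3RpYzphZG1pbjEyMw==");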

Accessing ES from Hive

# Add the authentication properties to the CREATE TABLE statement.
'es.net.http.auth.user'='elastic',
'es.net.http.auth.pass'='admin123'

Errors and troubleshooting notes

1. While running bin/elasticsearch-certutil ca to generate the CA certificate, the following error was reported:

Error opening zip file or JAR manifest missing: /home/root/elasticsearch-7.5.1/jdk/lib/management-agent.jar
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.bouncycastle.jcajce.provider.drbg.DRBG (file:/home/root/elasticsearch-7.5.1/lib/tools/security-cli/bcprov-jdk15on-1.61.jar) to constructor sun.security.provider.Sun()
WARNING: Please consider reporting this to the maintainers of org.bouncycastle.jcajce.provider.drbg.DRBG
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
Error opening zip file or JAR manifest missing: /home/root/elasticsearch-7.5.1/jdk/lib/management-agent.jar
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

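I searched around without finding a solution and found no configuration or other problem. In the end I discovered that, besides ES, another application bundling its own JDK was running. Generating the CA certificate uses some Java environment variables, and some of them carried parameter information from the other Java application; the information got mixed up, so the ES JDK information could not be read.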

[Workaround]: Stop all unrelated Java applications; once the command has completed, the other tasks can be resumed.

Advanced: enabling HTTPS

Enabling HTTPS access in Elasticsearch (雨农007's blog, CSDN)

References

Configuring security in Elasticsearch | Elasticsearch Guide [7.5] | Elastic

Set up basic security for the Elastic Stack | Elasticsearch Guide [8.2] | Elastic
