ES User Authentication
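This walkthrough was done on Elasticsearch 7.5 and applies to 7.x versions.
1. Enabling authentication in ES
#1. Generate certificates for the nodes in the Elasticsearch cluster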
bin/elasticsearch-certutil ca
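# You will be prompted for a password; you can simply press Enter at every prompt (the generated .p12 files then have no password)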
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
mkdir config/certs/ && mv elastic-certificates.p12 elastic-stack-ca.p12 config/certs/
#2. Edit the configuration file config/elasticsearch.yml
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
#3. Set the passwords
bin/elasticsearch-setup-passwords interactive
# The passwords are entered one after another, in this order (user/password).
elastic/admin123
apm_system/user123
kibana/user123
logstash_system/user123
beats_system/user123
remote_monitoring_user/user123
2. Enabling authentication in Kibana
#4. Configure Kibana in config/kibana.yml
elasticsearch.username: "kibana"
elasticsearch.password: "user123"
Access with curl
curl -u elastic:admin123 http://localhost:9200
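As the curl call shows, supplying the user's credentials with HTTP Basic authentication is enough to authenticate, so an HTTP client in Java can do the same either by setting the Authorization header or through the client's basic-auth method.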
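Added example (not part of the original post): a small Python audit of the elasticsearch.yml from step #2, assuming flat dotted keys as shown there. It reports that this setup encrypts only the transport layer, so the Basic credentials sent by the curl call above cross the REST API as reversible Base64. The names `parse_flat_yaml`, `audit` and `decode_basic` are made up for this example.

```python
import base64

# Constructed sample: the elasticsearch.yml settings from step #2 of this page.
PAGE_CONFIG = """\
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
"""

def parse_flat_yaml(text):
    """Parse 'key: value' lines. Assumption: flat dotted keys, no nesting."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def audit(text):
    """Return (severity, setting, message) findings for auth/TLS gaps."""
    s = parse_flat_yaml(text)
    on = lambda key: s.get(key, "false").lower() == "true"  # unset counts as off
    findings = []
    if not on("xpack.security.enabled"):
        findings.append(("high", "xpack.security.enabled",
                         "security features are not enabled, so no login is required"))
    if not on("xpack.security.transport.ssl.enabled"):
        findings.append(("high", "xpack.security.transport.ssl.enabled",
                         "node-to-node traffic is not encrypted"))
    mode = s.get("xpack.security.transport.ssl.verification_mode", "full").lower()
    if mode != "full":
        sev = "high" if mode == "none" else "info"
        findings.append((sev, "xpack.security.transport.ssl.verification_mode",
                         f"mode '{mode}' skips hostname verification"))
    if not on("xpack.security.http.ssl.enabled"):
        findings.append(("medium", "xpack.security.http.ssl.enabled",
                         "REST API is plain HTTP; Basic credentials are only Base64-encoded"))
    return findings

def decode_basic(header_value):
    """A Basic Authorization value is reversible encoding, not encryption."""
    user, _, password = base64.b64decode(header_value.split(" ", 1)[1]).decode().partition(":")
    return user, password

if __name__ == "__main__":
    print(audit(PAGE_CONFIG), decode_basic("Basic ZWxhc3RpYzphZG1pbjEyMw=="))
```

Setting `xpack.security.http.ssl.enabled: true` (the topic of the HTTPS article linked further down) clears the medium finding.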
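Access from Java
/**
* Hutool
*/
import cn.hutool.http.HttpRequest;
import cn.hutool.http.HttpUtil;

String url = "http://localhost:9200"; // same endpoint as the curl call above
HttpRequest request = HttpUtil.createPost(url);
// Option 1: let Hutool build the Basic header from user and password
request.basicAuth("elastic","admin123");
// Option 2: set the header yourself; the value is Base64("elastic:admin123")
request.header("Authorization","Basic ZWxhc3RpYzphZG1pbjEyMw==");
/**
* HttpClient
*/
import org.apache.http.client.methods.HttpPost; // assumption: Apache HttpClient 4.x

HttpPost post = new HttpPost(url);
post.addHeader("Authorization","Basic ZWxhc3RpYzphZG1pbjEyMw==");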
Accessing ES from Hive
# Add the authentication properties to the CREATE TABLE statement.
'es.net.http.auth.user'='elastic',
'es.net.http.auth.pass'='admin123'
Troubleshooting notes
1. Running bin/elasticsearch-certutil ca to generate the CA certificate produced the following error:
Error opening zip file or JAR manifest missing: /home/root/elasticsearch-7.5.1/jdk/lib/management-agent.jar
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.bouncycastle.jcajce.provider.drbg.DRBG (file:/home/root/elasticsearch-7.5.1/lib/tools/security-cli/bcprov-jdk15on-1.61.jar) to constructor sun.security.provider.Sun()
WARNING: Please consider reporting this to the maintainers of org.bouncycastle.jcajce.provider.drbg.DRBG
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
Error opening zip file or JAR manifest missing: /home/root/elasticsearch-7.5.1/jdk/lib/management-agent.jar
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.
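I searched around and found no solution, and no configuration or other problem turned up; in the end I found that, besides ES, another application that bundles its own JDK was running. Generating the CA certificate uses some Java environment variables, and some of them carried the other Java application's parameters, so the settings got mixed up and the ES JDK information could not be read.
[Workaround]: Stop all unrelated Java applications; once the command has finished, the other tasks can be resumed.
Advanced: enabling HTTPS
Enabling HTTPS access in Elasticsearch (雨农007's blog, CSDN)
References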
Configuring security in Elasticsearch | Elasticsearch Guide [7.5] | Elastic
Set up basic security for the Elastic Stack | Elasticsearch Guide [8.2] | Elastic