Elasticsearch 7.x设置密码访问

Elasticsearch在7.0.0之后免费使用x-pack，也为了系统业务数据安全，所以我们使用x-pack对Elasticsearch进行密码设置。

爪哇小能手^ ^

10220人浏览 · 2021-11-05 22:26:55

爪哇小能手^ ^ · 2021-11-05 22:26:55 发布

Elasticsearch在7.0.0之后免费使用x-pack，也为了系统业务数据安全，所以我们使用x-pack对Elasticsearch进行密码设置。

设置密码前注意事项

Elasticsearch需要提前启动一次，否则会出现以下Error：

ERROR: Elasticsearch keystore file is missing [/kaysen/daemon/elasticsearch-7.7.0/config/elasticsearch.keystore]

Elasticsearch必须处于启动状态，否则会出现以下Error：

Connection failure to: http://127.0.0.1:9200/_security/_authenticate?pretty failed: Connection refused (Connection refused) 
ERROR: Failed to connect to elasticsearch at http://127.0.0.1:9200/_security/_authenticate?pretty. Is the URL correct and elasticsearch running?

密码生成的两种方式：
1. auto：各用户自动生成密码；
2. interactive：手动设置密码。
以下操作操作都是使用普通用户权限进行操作。

配置x-pack步骤

进入elasticsearch目录，执行以下命令：

./bin/elasticsearch-setup-passwords interactive

会出现以下错误信息：

Unexpected response code [500] from calling GET http://127.0.0.1:9200/_security/_authenticate?pretty  
It doesn't look like the X-Pack security feature is enabled on this Elasticsearch node.
Please check if you have enabled X-Pack security in your elasticsearch.yml configuration file.

我们需要配置文件中开启x-pack验证，修改config/elasticsearch.yml配置文件，在尾部添加以下内容，然后重启elasticsearch：
```
xpack.security.enabled: true
```
```
./bin/elasticsearch -d
```

重复第1步，为elastic、apm_system、kibana、logstash_system、beats_system、remote_monitoring_user设置密码，这里我设置了统一密码：123456，具体操作：

./bin/elasticsearch-setup-passwords interactive

future versions of Elasticsearch will require Java 11; your Java version from [/kaysen/tools/java/jre] does not meet this requirement
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y


Enter password for [elastic]: 
Reenter password for [elastic]: 
Enter password for [apm_system]: 
Reenter password for [apm_system]: 
Enter password for [kibana]: 
Reenter password for [kibana]: 
Enter password for [logstash_system]: 
Reenter password for [logstash_system]: 
Enter password for [beats_system]: 
Reenter password for [beats_system]: 
Enter password for [remote_monitoring_user]: 
Reenter password for [remote_monitoring_user]: 
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]

先不加用户密码进行访问：curl 127.0.0.1:9200：

{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "missing authentication credentials for REST request [/]",
        "header": {
          "WWW-Authenticate": "Basic realm=\"security\" charset=\"UTF-8\""
        }
      }
    ],
    "type": "security_exception",
    "reason": "missing authentication credentials for REST request [/]",
    "header": {
      "WWW-Authenticate": "Basic realm=\"security\" charset=\"UTF-8\""
    }
  },
  "status": 401
}

CURL密码访问Elasticsearch

curl -u elastic:123456 127.0.0.1:9200
# 或者
curl -u elastic 127.0.0.1:9200
Enter host password for user 'elastic': 123456

成功打印：

{
  "name" : "localhost.localdomain",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "MZlO8UPyS52AuuCrFwABvQ",
  "version" : {
    "number" : "7.7.0",
    "build_flavor" : "default",
    "build_type" : "tar",
    "build_hash" : "81a1e9eda8e6183f5237786246f6dced26a10eaf",
    "build_date" : "2020-05-12T02:01:37.602180Z",
    "build_snapshot" : false,
    "lucene_version" : "8.5.1",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}