1. Setting passwords
Step 1. Enable X-Pack security in the configuration: edit elasticsearch.yml under the config directory, add the lines below, and restart.
xpack.security.enabled: true
xpack.license.self_generated.type: basic
xpack.security.transport.ssl.enabled: true
Security is part of the free basic licence from 6.8/7.1 on, so the licence line is optional there (on the 6.2.4 host used later in this post it still needed a trial or paid licence). The transport SSL line is mandatory on a multi-node cluster once security is enabled, but on its own it is not enough: the node also needs a key and certificate (xpack.security.transport.ssl.keystore.path, typically generated with bin/elasticsearch-certutil), and with SSL enabled and no key configured the node refuses to start. On a single-node test box you can leave the SSL line out; do not leave it out in production, because without it inter-node traffic is unauthenticated cleartext.
Step 2. Run the command that sets the passwords of the built-in (reserved) users. It has to run on a node of the cluster after security is enabled, and it works only once, because afterwards the bootstrap password no longer applies; later changes go through the change-password API (section 2). Older releases prompt for four users (elastic, kibana, logstash_system, beats_system); 7.x also prompts for apm_system and remote_monitoring_user, as the two transcripts below show.
bin/elasticsearch-setup-passwords interactive
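Before restarting with step 1's three lines it is worth checking the file: they switch transport TLS on without telling the node where its key and certificate are, and such a node refuses to start. What follows is an added example, not part of the original post: a POSIX sh pre-flight check that reads the settings and reports what is missing, run here against two constructed copies of elasticsearch.yml. The file names, the certs/ directory and the elastic-certificates.p12 name are assumptions; elasticsearch-certutil and elasticsearch-keystore are the standard tools shipped with Elasticsearch.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight check for the
# elasticsearch.yml settings from step 1 before the restart. The sample config
# files are constructed here; paths under ${TMPDIR:-/tmp} are assumptions.

# Print the value of a top-level "key: value" setting ("" if the key is absent).
es_setting() {
    # $1 = config file, $2 = full setting name
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d '"'
}

# Return 0 when the file is safe to restart with, 1 with a reason on stderr.
check_es_security_config() {
    cfg="$1"
    if [ "$(es_setting "$cfg" xpack.security.enabled)" != "true" ]; then
        echo "xpack.security.enabled is not true: every request is anonymous" >&2
        return 1
    fi
    if [ "$(es_setting "$cfg" xpack.security.transport.ssl.enabled)" = "true" ] &&
       [ -z "$(es_setting "$cfg" xpack.security.transport.ssl.keystore.path)" ] &&
       [ -z "$(es_setting "$cfg" xpack.security.transport.ssl.key)" ]; then
        echo "transport SSL is enabled but no keystore.path/key is set; the node will not start." >&2
        echo "Generate a CA and a node certificate first, e.g.:" >&2
        echo "  bin/elasticsearch-certutil ca" >&2
        echo "  bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12" >&2
        echo "  bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password" >&2
        return 1
    fi
    return 0
}

# Two constructed configs: the post's three lines as they stand, and the same
# lines completed with the certificate settings that make them usable.
write_sample_configs() {
    dir="${TMPDIR:-/tmp}"
    cat > "$dir/es-incomplete.yml" <<'EOF'
xpack.security.enabled: true
xpack.license.self_generated.type: basic
xpack.security.transport.ssl.enabled: true
EOF
    cat > "$dir/es-complete.yml" <<'EOF'
xpack.security.enabled: true
xpack.license.self_generated.type: basic
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
EOF
    echo "$dir"
}

# Usage: d=$(write_sample_configs); check_es_security_config "$d/es-complete.yml" && echo ok
```

Run the check against the real config/elasticsearch.yml before the restart; the incomplete sample is exactly what the post's three lines produce, and the complete sample is what a node needs once the .p12 files from elasticsearch-certutil have been copied into config/certs.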
Transcript found online (an older release, four reserved users):
Initiating the setup of passwords for reserved users elastic,kibana,logstash_system,beats_system.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y
Enter password for [elastic]:
passwords must be at least [6] characters long
Try again.
Enter password for [elastic]:
Reenter password for [elastic]:
Passwords do not match.
Try again.
Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [elastic]
Transcript from my own run (7.3.0, six reserved users):
[es@k8snode2 elasticsearch-7.3.0]$ ./bin/elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y
Enter password for [elastic]:
Reenter password for [elastic]:
Passwords do not match.
Try again.
Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]
The built-in users and their roles are:
- elastic: superuser role, the built-in super user. Use it for administration only; applications should get their own, less privileged users.
- kibana: kibana_system role. The Kibana server uses it to connect to Elasticsearch, call the cluster monitoring APIs and read and write the .kibana index; it has no access to your data indices.
- logstash_system: logstash_system role. Used by Logstash when it stores monitoring information in Elasticsearch.
- beats_system: beats_system role. Used by Beats when they store monitoring information in Elasticsearch.
- apm_system: apm_system role. Used by the APM server when it stores monitoring information in Elasticsearch.
- remote_monitoring_user: used by Metricbeat to collect and store monitoring information in Elasticsearch.
2. Changing a password
Use the change-password API (with -u elastic and no password, curl prompts for the current one):
curl -H "Content-Type:application/json" -XPOST -u elastic 'http://127.0.0.1:9200/_xpack/security/user/elastic/_password' -d '{ "password" : "123456" }'
"123456" is only a placeholder: Elasticsearch enforces a 6-character minimum, but choose something much longer. The _xpack prefix is deprecated in 7.x in favour of /_security/user/<name>/_password and is gone in 8.x. Note also that this request travels over plain HTTP, so both the current credentials and the new password cross the network in cleartext until xpack.security.http.ssl.enabled is turned on.
3. Querying with a password
Once Elasticsearch requires a username and password, the elasticsearch-head plugin can no longer connect to it directly (section 6 shows the workaround), and every API call must carry credentials. With curl, pass them via --user (XXXX and XX/XXX are placeholders for host and path):
curl -XGET --user user:passwd 'http://XXXX:9200/XX/XXX'
For example, to delete every document in an index (admin:admin stands for a user you have created with the delete privilege on that index; there is no admin user by default, and the operation is irreversible):
curl -XPOST --user admin:admin 'http://XXXX:9200/XXXX/XXX/_delete_by_query' -H "Content-Type: application/json" -d '{ "query":{"match_all":{}}}'
A password given as --user user:passwd is visible in the shell history and to anyone who runs ps; --user user on its own makes curl prompt for it instead.
4. Adding a custom role
The endpoint is POST /_xpack/security/role/<name> (7.x: /_security/role/<name>). The example below defines a role named admin that is in effect a second superuser: "all" cluster privileges, "all" privileges on every index ("*"), and run_as elastic, so it may also act as the built-in super user. Create such a role only if you really need another super user; application accounts should get a role limited to the indices and privileges they actually use.
[elastic@data-backup elasticsearch-6.2.4]$ curl -XPOST -H 'Content-type: application/json' -u elastic:elastic123 'http://10.163.19.231:9600/_xpack/security/role/admin?pretty' -d '{
  "run_as": ["elastic"],
  "cluster": ["all"],
  "indices": [
    {
      "names": ["*"],
      "privileges": ["all"]
    }
  ]
}'
{
  "role" : {
    "created" : true
  }
}
[elastic@data-backup elasticsearch-6.2.4]$ curl -XGET -H 'Content-type: application/json' -u elastic:elastic123 'http://10.163.19.231:9600/_xpack/security/role/admin?pretty'
{
  "admin" : {
    "cluster" : [
      "all"
    ],
    "indices" : [
      {
        "names" : [
          "*"
        ],
        "privileges" : [
          "all"
        ]
      }
    ],
    "run_as" : [
      "elastic"
    ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}
5. Adding a custom user
The endpoint is POST /_xpack/security/user/<username> (7.x: /_security/user/<username>), with a JSON body carrying "password" and "roles". The example below creates a user named test in the admin role defined above; the creation request itself is not shown, only the check that the new credentials work, listing the indices as that user:
[elastic@data-backup elasticsearch-6.2.4]$ curl -XGET -H 'Content-type: application/json' -u test:Test123654% 'http://10.163.19.231:9600/_cat/indices?pretty'
green open .monitoring-es-6-2019.09.17 J1K2XG1eTXqw0GHSOH5Gwg 1 0 848 104 846.9kb 846.9kb
green open .watches qHj5owowRC-3DeK8DaLD-g 1 0 6 0 47.8kb 47.8kb
green open .triggered_watches 2pm3BwCnTaKgyzl39eFpUw 1 0 0 0 5.1kb 5.1kb
yellow open monitor yFnfztziSguTq9VsfSANpw 5 1 48 0 226.7kb 226.7kb
green open .watcher-history-7-2019.09.17 uz6RA_8vRraHHLAitWKtAw 1 0 74 0 259.8kb 259.8kb
green open .monitoring-alerts-6 ZPTqnNVOQ5GlUK1ncXNQDQ 1 0 2 0 18.1kb 18.1kb
yellow open track AqSGAZnAQE2NGvZXlp9zcw 5 1 1343729 175384 201mb 201mb
green open .security-6 83fAslPbQDSGbGWfhiMAXA 1 0
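Sections 4 and 5 create a role that is a second superuser and do not show the request that created the test user. What follows is an added example, not part of the original post, that builds both requests for a least-privilege account instead: read-only on the indices an application needs and nothing else. The role name app_reader, the index pattern app-*, the user app_user and the ES_URL default are assumptions (the post's cluster listens on port 9600 of its own host).

```shell
#!/bin/sh
# Added example, not part of the original post: role and user requests for a
# least-privilege account. Names (app_reader, app-*, app_user) and ES_URL are
# assumptions; curl is only invoked by put_role/put_user, never by the builders.
ES_URL="${ES_URL:-http://127.0.0.1:9200}"

# Emit a role definition as JSON. $1 = index pattern, remaining args = index
# privileges. Refuses "*" and "all" so the role cannot silently become a superuser.
role_body() {
    pattern="$1"; shift
    if [ "$pattern" = "*" ]; then echo "refusing index pattern '*'" >&2; return 1; fi
    privs=""
    for p in "$@"; do
        if [ "$p" = "all" ]; then echo "refusing privilege 'all'" >&2; return 1; fi
        privs="${privs:+$privs,}\"$p\""
    done
    printf '{"cluster":["monitor"],"indices":[{"names":["%s"],"privileges":[%s]}]}' \
        "$pattern" "$privs"
}

# Emit a user definition as JSON. $1 = password, remaining args = role names.
# Elasticsearch itself only insists on 6 characters (see the transcript above);
# this example's own policy is 12, and it rejects quotes and backslashes so the
# JSON stays valid (printf does no escaping).
user_body() {
    pw="$1"; shift
    if [ "${#pw}" -lt 12 ]; then echo "password shorter than 12 characters" >&2; return 1; fi
    case "$pw" in *\"*|*\\*) echo "password must not contain \" or \\" >&2; return 1;; esac
    roles=""
    for r in "$@"; do roles="${roles:+$roles,}\"$r\""; done
    printf '{"password":"%s","roles":[%s]}' "$pw" "$roles"
}

# Send the requests. -u with only the user name makes curl prompt for the
# password, so nothing secret lands in shell history or `ps` output.
put_role() { curl -sS -u elastic -X PUT -H 'Content-Type: application/json' \
                 "$ES_URL/_xpack/security/role/$1" -d "$2"; }
put_user() { curl -sS -u elastic -X PUT -H 'Content-Type: application/json' \
                 "$ES_URL/_xpack/security/user/$1" -d "$2"; }

# Usage:
#   put_role app_reader "$(role_body 'app-*' read view_index_metadata)"
#   put_user app_user   "$(user_body "$(cat /run/secrets/app_user_pw)" app_reader)"
#   curl -u app_user "$ES_URL/app-2019.09/_search"      # allowed: read
#   curl -u app_user -X DELETE "$ES_URL/app-2019.09"    # 403 security_exception: no delete_index
```

The two builders are deliberately strict: a role body with "*" and "all" is what the post's admin role is, and refusing it at build time is cheaper than discovering later that an application account can drop the .security index.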
Note: it is best not to use characters such as "$" or "!" in a user's password, as they may cause authentication to fail; the other characters I tested have been fine so far (I don't know the exact reason, but I have been bitten by this).
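Sections 2 and 3 put the password straight on the curl command line, and the note above reports that "$" and "!" break authentication. The usual cause is shell expansion rather than Elasticsearch: inside double quotes the shell expands "$1", "$x" and the like before curl sees them, and in an interactive bash "!" triggers history expansion. What follows is an added example, not part of the original post, with constructed inputs: it shows what the shell actually hands to curl under each quoting style, and encodes the user:password pair the same way curl does so you can compare it with what curl -v prints. The user name test and the password Test$123% are made up for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: what the shell does to a password
# typed on the curl command line, and how to see exactly which credential the
# server will check. All inputs are constructed for the demo.

# Double quotes: "$1" is a parameter expansion (empty here), so curl receives
# "Test23%" and Elasticsearch rejects it. In an interactive bash, "!" inside
# double quotes additionally triggers history expansion.
password_double_quoted() {
    printf '%s' "Test$123%"
}

# Single quotes pass every byte through unchanged.
password_single_quoted() {
    printf '%s' 'Test$123%'
}

# curl --user user:pw sends "Authorization: Basic base64(user:pw)" (RFC 7617).
# Encode the pair yourself to compare with what curl -v shows on the wire.
basic_credential() {
    # $1 = user, $2 = password
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Ways to keep the password off the command line altogether:
#   curl -u test 'http://127.0.0.1:9200/_cat/indices'         # curl prompts (prefer this)
#   curl --netrc-file ~/.es-netrc 'http://127.0.0.1:9200/'    # file with mode 0600 containing:
#       machine 127.0.0.1 login test password Test$123%
#   ES_PW="$(cat /run/secrets/es_pw)"; curl -u "test:$ES_PW" ...   # still visible in `ps`
# Whichever you use, until xpack.security.http.ssl.enabled is on the credential
# crosses the network base64-encoded, not encrypted.
```

If you must keep special characters in a password that is typed on the command line, single-quote it; better, let curl prompt for it or read it from a netrc file, where no shell expansion happens at all.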
6. Accessing the head plugin with credentials in the URL
Edit elasticsearch.yml and add
http.cors.allow-headers: Authorization
(head also needs http.cors.enabled: true and an http.cors.allow-origin that matches the origin head is served from; restrict it to that origin rather than "*"). Then open head with the credentials in the query string, like this:
http://192.168.100.100:9100/?auth_user=elastic&auth_password=changeme
Credentials in a URL end up in browser history, proxy and web-server logs and Referer headers, so use a dedicated read-only user for head rather than elastic, and keep the head and Elasticsearch ports reachable only from the administrators' network.
7. Accessing Elasticsearch with a password from the Java API
// Initialise the client (Java high-level REST client, 7.x) with HTTP basic authentication
import org.apache.http.HttpHost;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.nio.client.HttpAsyncClientBuilder;
import org.elasticsearch.client.RestClient;
import org.elasticsearch.client.RestClientBuilder;
import org.elasticsearch.client.RestHighLevelClient;

// Account and password (the default administrative user is elastic). "123456" is a placeholder:
// load the real password from the environment or a secrets store, never from a string literal.
final CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
credentialsProvider.setCredentials(AuthScope.ANY,
        new UsernamePasswordCredentials("elastic", "123456"));
RestHighLevelClient esClient = new RestHighLevelClient(
        RestClient.builder(new HttpHost("127.0.0.1", 9200))
                .setHttpClientConfigCallback(new RestClientBuilder.HttpClientConfigCallback() {
                    @Override
                    public HttpAsyncClientBuilder customizeHttpClient(HttpAsyncClientBuilder httpClientBuilder) {
                        // Turns off preemptive authentication: each request is first sent without credentials
                        // and retried with them after a 401. Drop this line to send the header every time.
                        httpClientBuilder.disableAuthCaching();
                        return httpClientBuilder.setDefaultCredentialsProvider(credentialsProvider);
                    }
                })
        /* .setMaxRetryTimeoutMillis(2000) */ // commented out in the original; no longer available in 7.x
);