Authentication
Start a single node with security enabled
bin/elasticsearch -E node.name=node0 -E cluster.name=geektime -E path.data=node0_data -E http.port=9200 -E xpack.security.enabled=true
# With that node running, run the password-setup command to set the initial passwords of the built-in users. The passwords are stored in the cluster's security index, so this is done once per cluster, not once per node.
bin/elasticsearch-setup-passwords interactive
Inter-node (transport) communication
Create certificates for the nodes
# Generate the certificates
# Create a certificate authority for your Elasticsearch cluster, e.g. with the elasticsearch-certutil ca command (the output is elastic-stack-ca.p12, holding the CA key and certificate):
bin/elasticsearch-certutil ca
# Generate a certificate and private key for the nodes in the cluster, e.g. with elasticsearch-certutil cert. Run like this, with no --name/--dns/--ip, it emits one elastic-certificates.p12 without any hostnames that every node shares, which is why the startup commands below use verification_mode=certificate (CA chain checked, hostname not) instead of the default full:
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
# Copy the generated file into the config/certs directory
elastic-certificates.p12
bin/elasticsearch -E node.name=node0 -E cluster.name=geektime -E path.data=node0_data -E http.port=9200 -E xpack.security.enabled=true -E xpack.security.transport.ssl.enabled=true -E xpack.security.transport.ssl.verification_mode=certificate -E xpack.security.transport.ssl.keystore.path=certs/elastic-certificates.p12 -E xpack.security.transport.ssl.truststore.path=certs/elastic-certificates.p12
bin/elasticsearch -E node.name=node1 -E cluster.name=geektime -E path.data=node1_data -E http.port=9201 -E xpack.security.enabled=true -E xpack.security.transport.ssl.enabled=true -E xpack.security.transport.ssl.verification_mode=certificate -E xpack.security.transport.ssl.keystore.path=certs/elastic-certificates.p12 -E xpack.security.transport.ssl.truststore.path=certs/elastic-certificates.p12
Secure communication between the cluster and the outside (HTTPS on the REST API)
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: certs/elastic-certificates.p12
Enable HTTPS on ES
The same elastic-certificates.p12 is reused for the HTTP layer, so REST clients (curl, Kibana, Beats) must trust the CA created above (elastic-stack-ca.p12, exported to PEM for clients that cannot read PKCS#12) or they will reject the server certificate. The HTTP truststore only matters if clients are made to authenticate with certificates; without HTTPS, every request carries the basic-auth credentials in cleartext.
bin/elasticsearch -E node.name=node0 -E cluster.name=geektime -E path.data=node0_data -E http.port=9200 -E xpack.security.enabled=true -E xpack.security.transport.ssl.enabled=true -E xpack.security.transport.ssl.verification_mode=certificate -E xpack.security.transport.ssl.keystore.path=certs/elastic-certificates.p12 -E xpack.security.transport.ssl.truststore.path=certs/elastic-certificates.p12 -E xpack.security.http.ssl.enabled=true -E xpack.security.http.ssl.keystore.path=certs/elastic-certificates.p12 -E xpack.security.http.ssl.truststore.path=certs/elastic-certificates.p12
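The three start-up variants above differ only in which layers are encrypted. The following linter is an added example for these notes, not Elasticsearch code and not part of the original page: it parses the `-E key=value` flags (or elasticsearch.yml style lines) and reports what each configuration leaves exposed. The two embedded command lines are copied from the notes; the severity labels and the "7.x default off" assumption for xpack.security.enabled are this example's own.

```python
"""Lint the xpack.security TLS settings of one Elasticsearch node.

Added example for these notes; not Elasticsearch code.  Accepts both
elasticsearch.yml style `key: value` lines and the `-E key=value` flags
used on the command line, so the start-up commands can be checked as-is.
"""
import re

# Constructed inputs: the node0 start-up commands from the notes, without
# TLS (authentication only) and with TLS on both layers.
SINGLE_NODE_NO_TLS = (
    "bin/elasticsearch -E node.name=node0 -E cluster.name=geektime "
    "-E path.data=node0_data -E http.port=9200 -E xpack.security.enabled=true"
)
NODE0_FULL_TLS = (
    "bin/elasticsearch -E node.name=node0 -E cluster.name=geektime "
    "-E path.data=node0_data -E http.port=9200 -E xpack.security.enabled=true "
    "-E xpack.security.transport.ssl.enabled=true "
    "-E xpack.security.transport.ssl.verification_mode=certificate "
    "-E xpack.security.transport.ssl.keystore.path=certs/elastic-certificates.p12 "
    "-E xpack.security.transport.ssl.truststore.path=certs/elastic-certificates.p12 "
    "-E xpack.security.http.ssl.enabled=true "
    "-E xpack.security.http.ssl.keystore.path=certs/elastic-certificates.p12"
)

FLAG_RE = re.compile(r"-E\s*([\w.]+)=(\S+)")       # -E key=value
YML_RE = re.compile(r"^\s*([\w.]+)\s*:\s*(\S+)")   # key: value / key:value


def parse_settings(text):
    """Return {setting: value}; -E flags and yml lines may be mixed."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pairs = FLAG_RE.findall(line)
        if not pairs:
            m = YML_RE.match(line)
            if m:
                pairs = [m.groups()]
        for key, value in pairs:
            settings[key] = value.strip()
    return settings


def _on(settings, key, default="false"):
    return settings.get(key, default).lower() == "true"


def lint_tls(settings):
    """Return [(severity, message)] for the security-relevant settings.

    CRITICAL/HIGH must be fixed before the node faces a network; INFO records a
    trade-off the operator should make consciously.
    """
    findings = []
    # Assumption for this example: xpack.security.enabled defaults to off (7.x).
    if not _on(settings, "xpack.security.enabled"):
        findings.append(("CRITICAL", "xpack.security.enabled is not true: no authentication at all"))
        return findings  # nothing below matters until security is on

    # Transport layer carries node-to-node traffic, i.e. every replicated document.
    if not _on(settings, "xpack.security.transport.ssl.enabled"):
        findings.append(("HIGH", "transport TLS off: inter-node traffic is plaintext "
                         "(the production-mode bootstrap check also refuses this when security is on)"))
    else:
        if "xpack.security.transport.ssl.keystore.path" not in settings:
            findings.append(("HIGH", "transport TLS on but no keystore configured"))
        # Elasticsearch defaults to full (chain + hostname) when the setting is absent.
        mode = settings.get("xpack.security.transport.ssl.verification_mode", "full").lower()
        if mode == "none":
            findings.append(("HIGH", "verification_mode=none: any node with any certificate can join"))
        elif mode == "certificate":
            findings.append(("INFO", "verification_mode=certificate: CA chain checked, hostnames not; "
                             "one shared node certificate works, and so does a stolen copy from any host"))

    # HTTP layer: REST clients send basic-auth credentials on every request.
    if not _on(settings, "xpack.security.http.ssl.enabled"):
        findings.append(("HIGH", "HTTP TLS off: basic-auth credentials and data cross the wire in cleartext"))
    elif "xpack.security.http.ssl.keystore.path" not in settings:
        findings.append(("HIGH", "HTTP TLS on but no keystore configured"))
    return findings


def severities(findings):
    """Distinct severities present, sorted, for quick pass/fail decisions."""
    return sorted({sev for sev, _ in findings})


if __name__ == "__main__":
    for label, cmd in (("single node, no TLS", SINGLE_NODE_NO_TLS),
                       ("node0, TLS on both layers", NODE0_FULL_TLS)):
        print(label)
        for sev, msg in lint_tls(parse_settings(cmd)):
            print(f"  {sev:8} {msg}")
```

Run as a script it prints the findings for both commands; the single-node command from the first section passes authentication but is flagged HIGH on both layers, while the full-TLS command only carries the INFO about verification_mode=certificate.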
Cluster node roles
The flags below are the legacy node.master / node.data / node.ingest settings (each defaults to true, so every one must be set explicitly for a dedicated role); 7.9 deprecated them in favour of the node.roles list and 8.0 removed them, so the equivalent node.roles value is given for each role.
- master node
  manages cluster state; a low-spec machine is enough
  node.master: true
  node.ingest: false
  node.data: false
  (node.roles: [ master ])
- data node
  stores data and serves client requests; high-spec machine
  node.master: false
  node.ingest: false
  node.data: true
  (node.roles: [ data ])
- ingest node
  runs ingest pipelines to pre-process documents; needs a strong CPU but little disk
  node.master: false
  node.ingest: true
  node.data: false
  (node.roles: [ ingest ])
- coordinating node
  acts as a load balancer for client requests (routing, scatter/gather, result merging), offloading the master and data nodes
  node.master: false
  node.ingest: false
  node.data: false
  (node.roles: [ ])
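Because every legacy flag defaults to true, a node that only sets the flag it cares about silently keeps the other roles. The following checker is an added example for these notes, not Elasticsearch code: it derives the effective roles and the node.roles equivalent from the legacy flags, and sanity-checks a whole layout (master quorum, presence of data nodes, masters that also do heavy work). The node names and the seven-node layout are constructed for the example.

```python
"""Classify Elasticsearch nodes from the legacy role flags and sanity-check a
cluster layout.  Added example for these notes; not Elasticsearch code.

node.master / node.data / node.ingest are the pre-7.9 flags; 7.9 deprecated
them in favour of the node.roles list and 8.0 removed them.
"""
import re

# Legacy flag -> role name, in the order node.roles is usually written.
LEGACY_FLAGS = {"node.master": "master", "node.data": "data", "node.ingest": "ingest"}
YML_RE = re.compile(r"^\s*([\w.]+)\s*:\s*(\S+)")

# Constructed per-role settings, as in the notes.
MASTER = "node.master: true\nnode.ingest: false\nnode.data: false"
DATA = "node.master: false\nnode.ingest: false\nnode.data: true"
INGEST = "node.master: false\nnode.ingest: true\nnode.data: false"
COORD = "node.master: false\nnode.ingest: false\nnode.data: false"

# Constructed layout: three dedicated masters, two data, one ingest, one coordinating.
GOOD_LAYOUT = {
    "master0": MASTER, "master1": MASTER, "master2": MASTER,
    "data0": DATA, "data1": DATA,
    "ingest0": INGEST,
    "coord0": COORD,
}
# Same layout, but the ingest node only set the flag it cared about.
SLOPPY_INGEST = dict(GOOD_LAYOUT, ingest0="node.ingest: true")


def parse_settings(text):
    """Parse `key: value` (or `key:value`) lines into a dict; skips comments."""
    settings = {}
    for line in text.splitlines():
        m = YML_RE.match(line)
        if m and not line.lstrip().startswith("#"):
            settings[m.group(1)] = m.group(2).lower()
    return settings


def node_roles(settings):
    """node.roles equivalent of the legacy flags.

    Every legacy flag defaults to true, so a node that sets none of them is
    master-eligible, holds data and runs ingest pipelines all at once; only an
    explicit false removes a role.  An empty list is a coordinating-only node.
    """
    return [role for flag, role in LEGACY_FLAGS.items()
            if settings.get(flag, "true") == "true"]


def describe(roles):
    return "coordinating-only" if not roles else "+".join(roles)


def check_cluster(cluster):
    """cluster: {node_name: settings_text}.  Returns [(severity, message)]."""
    roles = {name: node_roles(parse_settings(text)) for name, text in cluster.items()}
    masters = [n for n, r in roles.items() if "master" in r]
    data = [n for n, r in roles.items() if "data" in r]
    findings = []
    if not masters:
        findings.append(("ERROR", "no master-eligible node: the cluster can never form"))
    elif len(masters) < 3:
        # Elections need a majority of the master-eligible nodes; with one or
        # two of them, losing a single node stops the cluster electing a master.
        findings.append(("WARN", f"only {len(masters)} master-eligible node(s) "
                         f"({', '.join(masters)}); use at least three so one can fail"))
    if not data:
        findings.append(("ERROR", "no data node: indices cannot be allocated"))
    for name in masters:
        extra = [r for r in roles[name] if r != "master"]
        if extra:
            findings.append(("WARN", f"{name} is master-eligible but also {'+'.join(extra)}; "
                             "a dedicated master should stay small and lightly loaded"))
    return findings


if __name__ == "__main__":
    for name, text in SLOPPY_INGEST.items():
        r = node_roles(parse_settings(text))
        print(f"{name:8} {describe(r):22} node.roles: [ {', '.join(r)} ]")
    for sev, msg in check_cluster(SLOPPY_INGEST):
        print(sev, msg)
```

Running it shows ingest0 in the sloppy layout classified as master+data+ingest and flagged, while GOOD_LAYOUT produces no findings.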