- 1 生成证书文件（说明：-pass "" 表示生成的 PKCS#12 不设密码，私钥只靠文件权限保护，这也是下面必须收紧权限的原因；此命令没有加 --dns/--ip，证书里不含主机名 SAN，所以后面只能用 verification_mode: certificate 而不能用 full）
[root@elk91 ~]# /usr/share/elasticsearch/bin/elasticsearch-certutil cert -out /etc/elasticsearch/elastic-certificates.p12 -pass ""
...
Certificates written to /etc/elasticsearch/elastic-certificates.p12
This file should be properly secured as it contains the private key for
your instance.
This file is a self contained file and can be copied and used 'as is'
For each Elastic product that you wish to configure, you should copy
this '.p12' file to the relevant configuration directory
and then follow the SSL configuration instructions in the product guide.
[root@elk91 ~]#
[root@elk91 ~]# ll /etc/elasticsearch/elastic-certificates.p12
-rw------- 1 root elasticsearch 3596 Mar 14 16:08 /etc/elasticsearch/elastic-certificates.p12
[root@elk91 ~]#
- 2 把证书文件拷贝到其他节点（该文件包含集群私钥：先 chmod 640 让 elasticsearch 组可读即可，不要放宽到其他用户；scp -p 只保留权限位不保留属组，拷贝后要在 92/93 上确认文件为 root:elasticsearch 640，否则 ES 进程读不到证书；只能通过受控通道传输，不要经邮件/聊天工具中转）
[root@elk91 ~]# chmod 640 /etc/elasticsearch/elastic-certificates.p12
[root@elk91 ~]#
[root@elk91 ~]# ll /etc/elasticsearch/elastic-certificates.p12
-rw-r----- 1 root elasticsearch 3596 Jan 7 15:59 /etc/elasticsearch/elastic-certificates.p12
[root@elk91 ~]#
[root@elk91 ~]# scp -p /etc/elasticsearch/elastic-certificates.p12 10.0.0.92:/etc/elasticsearch
[root@elk91 ~]# scp -p /etc/elasticsearch/elastic-certificates.p12 10.0.0.93:/etc/elasticsearch
- 3.修改ES集群的配置文件
[root@elk91 ~]# vim /etc/elasticsearch/elasticsearch.yml
...
# 在最后一行添加以下内容
xpack.security.enabled: true
# Transport (node-to-node) TLS. The PKCS#12 produced by `elasticsearch-certutil cert`
# above is used as both keystore and truststore, so every node presents the same
# key pair and trusts only that one certificate.
xpack.security.transport.ssl.enabled: true
# `certificate` verifies the chain but not the hostname. Required here because
# the certificate was generated without --dns/--ip, so it has no SAN that
# `full` could match against.
xpack.security.transport.ssl.verification_mode: certificate
# Relative paths resolve against the config directory (/etc/elasticsearch).
# The file was created with -pass "", so no keystore.secure_password entry is
# needed; if you do set a password, put it in the ES keystore
# (`elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password`)
# rather than in this file.
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
- 4.同步ES配置文件到其他节点
[root@elk91 ~]# scp /etc/elasticsearch/elasticsearch.yml 10.0.0.92:/etc/elasticsearch/
[root@elk91 ~]# scp /etc/elasticsearch/elasticsearch.yml 10.0.0.93:/etc/elasticsearch/
- 5.所有节点重启ES集群
[root@elk91 ~]# systemctl restart elasticsearch.service
[root@elk92 ~]# systemctl restart elasticsearch.service
[root@elk93 ~]# systemctl restart elasticsearch.service
- 6.测试验证ES集群访问（401 说明 xpack.security 已生效；但此时 9200 仍是明文 HTTP，只是要求认证，凭据在网络上仍以明文传输，直到后面启用 http.ssl）
[root@elk91 ~]# curl 10.0.0.91:9200/_cat/nodes?v
{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/_cat/nodes?v]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"missing authentication credentials for REST request [/_cat/nodes?v]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401}[root@elk91 ~]#
[root@elk91 ~]#
- 7.生成随机密码（这些密码只在控制台输出一次，不会再显示，执行后立即存入密码管理器；本页示例密码已公开，切勿在自己的环境沿用。该工具对一个集群只能运行一次，之后改密码要用 Kibana 或 _security/user/<name>/_password API）
[root@elk91 ~]# /usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto
warning: usage of JAVA_HOME is deprecated, use ES_JAVA_HOME
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
The passwords will be randomly generated and printed to the console.
Please confirm that you would like to continue [y/N]y # 此处输入字母Y
Changed password for user apm_system
PASSWORD apm_system = akdT005CJJefuPJ6n5dz
Changed password for user kibana_system
PASSWORD kibana_system = Hfx39YTl19NkR9nEMeW1
Changed password for user kibana
PASSWORD kibana = Hfx39YTl19NkR9nEMeW1
Changed password for user logstash_system
PASSWORD logstash_system = 0ZN1tsj8acthljOH0yoa
Changed password for user beats_system
PASSWORD beats_system = NR3h3oYrp7iqmKq5Oumd
Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = q4CUA4FHT44GNyiLzQBc
Changed password for user elastic
PASSWORD elastic = hdQD7BCf0AsKSC7mpu1Z
[root@elk91 ~]#
- 8 验证集群是否正常,此密码不要抄我的,看你上面生成的密码（注意：把密码写在 -u elastic:密码 里会留在 shell 历史并出现在 ps 输出中，建议只写 -u elastic 让 curl 交互提示，或使用 --netrc-file；此阶段仍是明文 HTTP）
[root@elk91 ~]# curl -u elastic:hdQD7BCf0AsKSC7mpu1Z 10.0.0.91:9200/_cat/nodes
10.0.0.93 16 76 11 0.14 0.14 0.09 cdfhilmrstw - elk93
10.0.0.91 20 88 14 0.19 0.21 0.11 cdfhilmrstw - elk91
10.0.0.92 9 81 11 0.27 0.23 0.09 cdfhilmrstw * elk92
[root@elk91 ~]#
Filebeat对接ES加密集群（此阶段“加密”只指节点之间的 transport TLS；Filebeat 到 9200 端口仍是明文 HTTP，Basic 认证的用户名/密码会明文经过网络）
- 1.编写Filebeat的配置文件
[root@elk92 filebeat]# cat 15-tcp-to-es_tls.yaml
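filebeat.inputs:
  # Plain, unauthenticated TCP input: anything that can reach 0.0.0.0:9000 can
  # inject events, so restrict the source with a firewall.
- type: tcp
  host: "0.0.0.0:9000"
output.elasticsearch:
  # At this point only transport TLS is enabled on the cluster; the REST API is
  # still plain HTTP, so the Basic-auth credentials below cross the network in
  # cleartext. Switch these to https:// once xpack.security.http.ssl is on.
  hosts:
    - 10.0.0.91:9200
    - 10.0.0.92:9200
    - 10.0.0.93:9200
  # `elastic` is the superuser. For anything beyond a lab, create a dedicated
  # writer role/user (or an API key, see the api-key section) limited to the
  # target index.
  username: "elastic"
  # Never keep the password in the config file: store it in the Filebeat
  # keystore and reference it here.
  #   filebeat keystore create
  #   filebeat keystore add ES_PWD
  password: "${ES_PWD}"
  index: custom-example-es-tls-filebeat
setup.ilm.enabled: false
setup.template.name: "custom-example"
setup.template.pattern: "custom-example-*"
setup.template.overwrite: true
setup.template.settings:
  index.number_of_shards: 3
  index.number_of_replicas: 0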
[root@elk92 filebeat]#
[root@elk92 filebeat]# filebeat -e -c 15-tcp-to-es_tls.yaml
- 2.发送测试数据
[root@elk93 ~]# echo 1111111111111111111111111111 | nc 10.0.0.92 9000
Logstash对接ES加密集群
- 1.编写Logstash的配置文件
[root@elk93 ~]# cat /etc/logstash/conf.d/11-tcp-to-es_tls.conf
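input {
  # Plain, unauthenticated TCP listener; restrict who can reach port 8888.
  tcp {
    port => 8888
  }
}
output {
  elasticsearch {
    # Plain http:// at this stage (HTTP TLS is enabled later on this page), so
    # user/password travel in cleartext over the network.
    hosts => ["10.0.0.91:9200","10.0.0.92:9200","10.0.0.93:9200"]
    index => "custom-example-logstash-tls-es"
    # Superuser account; prefer a dedicated least-privilege writer user.
    user => elastic
    # Keep the secret out of the pipeline file:
    #   logstash-keystore create && logstash-keystore add ES_PWD
    password => "${ES_PWD}"
  }
}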
[root@elk93 ~]#
[root@elk93 ~]# logstash -rf /etc/logstash/conf.d/11-tcp-to-es_tls.conf
- 2.发送测试数据
[root@elk93 ~]# echo 222222222222222222222 | nc 10.0.0.93 8888
- 3.kibana查看数据
ES配置启用api-key功能并Filebeat测试验证
- 1.为什么要启用api-key
用户名/密码是账号本身的凭据：一旦泄露影响该账号的全部用途，而轮换密码又会牵连所有使用它的客户端。
ElasticSearch 还支持 api-key 方式认证：api-key 是独立于账号的凭据，可以用 role_descriptors 限定到最小权限、设置过期时间、单独吊销而不影响创建者账号；它也不能用来登录 kibana。
但 api-key 本质上仍是 bearer 凭据：必须只经 HTTPS 传输并保存在 keystore 中，否则它并不比密码更安全。
- 2.ES启用api-key
[root@elk91 ~]# vim /etc/elasticsearch/elasticsearch.yml
...
# 添加如下配置
# Allow authentication with API keys.
# NOTE(review): in 7.x this setting is reported to default to false while HTTP
# TLS is off, which is why it is set explicitly here — confirm against the docs.
xpack.security.authc.api_key.enabled: true
# Hash algorithm for API-key secrets stored by the cluster (they are hashed,
# not encrypted; the raw key is shown only once at creation time).
xpack.security.authc.api_key.hashing.algorithm: pbkdf2
# How long a validated key stays in the in-memory cache.
xpack.security.authc.api_key.cache.ttl: 1d
# Upper bound on the number of cached keys.
xpack.security.authc.api_key.cache.max_keys: 10000
# Hash algorithm used for the in-memory cache entries.
xpack.security.authc.api_key.cache.hash_algo: ssha256
[root@elk91 ~]#
- 3.拷贝配置文件到其他节点
[root@elk91 ~]# scp /etc/elasticsearch/elasticsearch.yml 10.0.0.92:/etc/elasticsearch
[root@elk91 ~]# scp /etc/elasticsearch/elasticsearch.yml 10.0.0.93:/etc/elasticsearch
- 4.重启ES集群
[root@elk93 ~]# systemctl restart elasticsearch.service
[root@elk92 ~]# systemctl restart elasticsearch.service
[root@elk91 ~]# systemctl restart elasticsearch.service
- 5.访问kibana的WebUI（本页 Kibana 仍是 http://，登录口令和会话 cookie 会明文传输；生产环境应启用 server.ssl.enabled 或把 Kibana 放在 TLS 反向代理之后）
http://10.0.0.91:5601/app/management/security/api_keys
- 6.创建api-key图形化操作略
- 7.基于api-key解析（Kibana 给出的 encoded 值是 base64(id:api_key)；Filebeat/Logstash 的 api_key 选项要的是解码后的 id:api_key 形式。解码结果就是明文凭据，不要贴进文档、工单或聊天记录；本页示例 key 已经公开，应通过 DELETE /_security/api_key 按 id 吊销）
[root@elk91 ~]# echo bUZ3R2xKVUJyRGJpX0RlaVg4X2Y6RW5kT0lLVFNSMTJvcUtOeDEyb2NKUQ== | base64 -d ;echo
mFwGlJUBrDbi_DeiX8_f:EndOIKTSR12oqKNx12ocJQ
[root@elk91 ~]#
- 8.编写Filebeat的配置文件
[root@elk92 filebeat]# cat 16-tcp-to-es_api-key.yaml
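filebeat.inputs:
- type: tcp
  host: "0.0.0.0:9000"
output.elasticsearch:
  # Still plain http:// here, so the API key below is sent as a cleartext
  # Authorization header. A key is only "safer" than a password once the
  # cluster speaks HTTPS (see the https section); on HTTP it is just as exposed.
  hosts:
    - 10.0.0.91:9200
    - 10.0.0.92:9200
    - 10.0.0.93:9200
  #username: "elastic"
  #password: "123456"
  # API-key auth in "id:api_key" form (the base64-decoded `encoded` value).
  # Compared with the superuser password above, a key can be scoped to one
  # index, given an expiry and revoked on its own, and cannot log in to Kibana.
  # Treat it as a bearer secret: keep it in the Filebeat keystore
  # (filebeat keystore add ES_API_KEY) instead of this file.
  api_key: "${ES_API_KEY}"
  index: custom-example-es-tls-filebeat-api-key
setup.ilm.enabled: false
setup.template.name: "custom-example"
setup.template.pattern: "custom-example-*"
setup.template.overwrite: true
setup.template.settings:
  index.number_of_shards: 3
  index.number_of_replicas: 0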
[root@elk92 filebeat]#
[root@elk92 filebeat]# filebeat -e -c `pwd`/16-tcp-to-es_api-key.yaml
- 9.kibana验证数据
基于ES的api创建api-key并实现权限管理
参考链接:
https://www.elastic.co/guide/en/beats/filebeat/7.17/beats-api-keys.html
https://www.elastic.co/guide/en/elasticsearch/reference/7.17/security-privileges.html#privileges-list-cluster
https://www.elastic.co/guide/en/elasticsearch/reference/7.17/security-privileges.html#privileges-list-indices
- 1.创建api-key（注意：示例中 cluster: ["all"] 授予了全部集群权限，与“权限管理”的目的相悖。按上面 beats-api-keys 文档，Filebeat 写入通常只需 cluster: ["monitor","read_ilm","read_pipeline"] 和索引权限 ["view_index_metadata","create_doc","auto_configure"]；本页用了 setup.template，还需要 manage_index_templates。建议同时给 key 设置有效期，例如 "expiration": "30d"）
POST /_security/api_key
{
"name": "violet2024",
"role_descriptors": {
"filebeat_monitoring": {
"cluster": ["all"],
"index": [
{
"names": ["custom-example-es-apikey*"],
"privileges": ["create_index", "create"]
}
]
}
}
}
执行后,返回数据如下（返回的 name 应与请求中的 name 一致；下面这段输出取自另一次调用，后续真正用到的是 id/api_key/encoded 三个值）:
{
"id" : "m1wPlJUBrDbi_DeiIc-1",
"name" : "jasonyin2020",
"api_key" : "RcEw7Mk2QQKH_CGhMBnfbg",
"encoded" : "bTF3UGxKVUJyRGJpX0RlaUljLTE6UmNFdzdNazJRUUtIX0NHaE1CbmZiZw=="
}
[root@elk92 filebeat]# echo bTF3UGxKVUJyRGJpX0RlaUljLTE6UmNFdzdNazJRUUtIX0NHaE1CbmZiZw== | base64 -d ;echo
m1wPlJUBrDbi_DeiIc-1:RcEw7Mk2QQKH_CGhMBnfbg
[root@elk92 filebeat]#
ES集群配置https证书及kibana登录
- 1.自建ca证书（该 p12 内含 CA 私钥，--pass "" 表示不加密，只能留在 ES 节点上并收紧权限，绝不能拷到 Kibana/Filebeat/Logstash。客户端只需要 CA 证书本身，用 openssl pkcs12 -in /etc/elasticsearch/elastic-stack-ca.p12 -passin pass: -nokeys -out elastic-stack-ca.crt 导出即可）
[root@elk91 ~]# /usr/share/elasticsearch/bin/elasticsearch-certutil ca --out /etc/elasticsearch/elastic-stack-ca.p12 --pass ""
[root@elk91 ~]# ll /etc/elasticsearch/elastic-stack-ca.p12
-rw------- 1 root elasticsearch 2672 Jan 9 15:25 /etc/elasticsearch/elastic-stack-ca.p12
[root@elk91 ~]#
- 2.基于自建ca证书生成ES证书（注意：没有加 --dns/--ip，证书不含主机名 SAN，这正是后面 Kibana/Logstash/Filebeat 不得不关闭证书校验的原因；生产环境应加上 --dns elk91,elk92,elk93 --ip 10.0.0.91,10.0.0.92,10.0.0.93 让客户端能做完整校验。--days 3650 十年有效期偏长，要有轮换计划）
[root@elk91 ~]# /usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca /etc/elasticsearch/elastic-stack-ca.p12 --out /etc/elasticsearch/elastic-certificates-https.p12 --pass "" --days 3650 --ca-pass ""
[root@elk91 ~]# ll /etc/elasticsearch/elastic-stack-ca.p12
-rw------- 1 root elasticsearch 2672 Mar 14 18:06 /etc/elasticsearch/elastic-stack-ca.p12
[root@elk91 ~]#
[root@elk91 ~]# ll /etc/elasticsearch/elastic-certificates-https.p12
-rw------- 1 root elasticsearch 3596 Mar 14 18:07 /etc/elasticsearch/elastic-certificates-https.p12
[root@elk91 ~]#
- 3.修改配置文件（在原有配置基础上追加最后两行 http.ssl 设置；注意 network.host: 0.0.0.0 会在所有网卡监听，要配合防火墙/安全组限制 9200/9300 的来源；HTTPS 的 keystore 同样是 -pass "" 未设密码，靠文件权限保护）
[root@elk91 ~]# egrep -v "^#|^$" /etc/elasticsearch/elasticsearch.yml
cluster.name: linux
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["10.0.0.91", "10.0.0.92","10.0.0.93"]
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.authc.api_key.enabled: true
xpack.security.authc.api_key.hashing.algorithm: pbkdf2
xpack.security.authc.api_key.cache.ttl: 1d
xpack.security.authc.api_key.cache.max_keys: 10000
xpack.security.authc.api_key.cache.hash_algo: ssha256
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates-https.p12
[root@elk91 ~]#
- 4.同步配置文件到集群的其他节点（elastic-certificates-https.p12 同样包含私钥，拷贝后在各节点确认为 root:elasticsearch 640）
[root@elk91 ~]# chmod 640 /etc/elasticsearch/elastic-certificates-https.p12
[root@elk91 ~]#
[root@elk91 ~]# scp -p /etc/elasticsearch/elastic{-certificates-https.p12,search.yml} 10.0.0.92:/etc/elasticsearch/
[root@elk91 ~]# scp -p /etc/elasticsearch/elastic{-certificates-https.p12,search.yml} 10.0.0.93:/etc/elasticsearch/
- 5.重启ES集群
[root@elk91 ~]# systemctl restart elasticsearch.service
[root@elk92 ~]# systemctl restart elasticsearch.service
[root@elk93 ~]# systemctl restart elasticsearch.service
- 6.测试验证,使用https协议（-k 会跳过证书校验，只适合初次连通性测试；正式验证应改用 --cacert elastic-stack-ca.crt；密码同样不要写在命令行参数里）
[root@elk91 ~]# curl https://10.0.0.91:9200/_cat/nodes -u elastic:123456 -k
10.0.0.92 18 83 1 0.48 0.26 0.14 cdfhilmrstw * elk92
10.0.0.93 40 77 5 0.80 0.32 0.16 cdfhilmrstw - elk93
10.0.0.91 12 89 4 0.66 0.30 0.16 cdfhilmrstw - elk91
[root@elk91 ~]#
- 7.修改kibana的配置（本页示例跳过自建证书校验；生产环境应改为信任自建 CA 并校验证书。若尚未配置，kibana.yml 还需要 elasticsearch.username: "kibana_system" 及其密码，密码建议放入 kibana-keystore 而不是明文写在文件里）
[root@elk91 ~]# vim /etc/kibana/kibana.yml
...
# 指向ES集群的地址协议为https
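# Point Kibana at the cluster over HTTPS.
elasticsearch.hosts: ["https://10.0.0.91:9200","https://10.0.0.92:9200","https://10.0.0.93:9200"]
# Trust the self-built CA instead of disabling verification: `none` lets anyone
# on the path impersonate Elasticsearch and capture Kibana's credentials.
# Export the CA certificate (no private key) from the CA PKCS#12 created above:
#   openssl pkcs12 -in /etc/elasticsearch/elastic-stack-ca.p12 -passin pass: \
#       -nokeys -out /etc/kibana/elastic-stack-ca.crt
# `certificate` checks the chain only; the node certificate was generated
# without --dns/--ip, so hostname verification (`full`) cannot succeed until
# it is regenerated with SANs.
elasticsearch.ssl.certificateAuthorities: ["/etc/kibana/elastic-stack-ca.crt"]
elasticsearch.ssl.verificationMode: certificate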
[root@elk91 ~]#
[root@elk91 ~]# systemctl restart kibana.service
logstash基于api-key
- 1.确保ES集群使用的是https协议（Logstash 的 elasticsearch 输出要求 api_key 必须配合 ssl => true，否则会报配置错误，目的是避免 key 以明文发送）
- 2.创建api-key
POST /_security/api_key
{
"name": "violet",
"role_descriptors": {
"filebeat_monitoring": {
"cluster": ["all"],
"index": [
{
"names": ["custom-example-logstash-api-key*"],
"privileges": ["create_index", "create"]
}
]
}
}
}
返回数据（返回的 name 应与请求中的 name 一致；下面这段输出取自另一次调用，后续用到的是 id/api_key/encoded）:
{
"id" : "oFwZlJUBrDbi_DeiLc9O",
"name" : "yinzhengjie",
"api_key" : "HWBj0LC2RWiUNTudV-6CBw",
"encoded" : "b0Z3WmxKVUJyRGJpX0RlaUxjOU86SFdCajBMQzJSV2lVTlR1ZFYtNkNCdw=="
}
解码encoded数据:
[root@elk91 ~]# echo b0Z3WmxKVUJyRGJpX0RlaUxjOU86SFdCajBMQzJSV2lVTlR1ZFYtNkNCdw== |base64 -d ;echo
oFwZlJUBrDbi_DeiLc9O:HWBj0LC2RWiUNTudV-6CBw
[root@elk91 ~]#
- 3.修改Logstash的配置文件
[root@elk93 logstash]# cat 13-tcp-to-es_api-key.conf
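input {
  # Plain, unauthenticated TCP listener; restrict who can reach port 8888.
  tcp {
    port => 8888
  }
}
output {
  elasticsearch {
    hosts => ["10.0.0.91:9200","10.0.0.92:9200","10.0.0.93:9200"]
    index => "custom-example-logstash-api-key"
    #user => elastic
    #password => "123456"
    # API-key auth in "id:api_key" form. Keep the secret in the Logstash
    # keystore (logstash-keystore add ES_API_KEY) rather than in this file.
    api_key => "${ES_API_KEY}"
    # The elasticsearch output refuses api_key unless ssl is on, so the key is
    # never sent over plain HTTP.
    ssl => true
    # WARNING: this disables chain *and* hostname checks, so anyone on the path
    # can impersonate the cluster and capture the API key. It is needed here
    # only because the node certificate has no --dns/--ip SANs. For production,
    # regenerate the certificate with SANs matching the hosts, export the CA
    # certificate (openssl pkcs12 -in elastic-stack-ca.p12 -passin pass: -nokeys
    # -out ca.crt), set cacert => "/etc/logstash/ca.crt" and remove this line.
    ssl_certificate_verification => false
  }
}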
[root@elk93 logstash]#
[root@elk93 logstash]# logstash -rf 13-tcp-to-es_api-key.conf
- 4.访问测试（tcp 输入监听的是 8888，原文此处写成了 7777，数据不会到达 Logstash）
[root@elk91 ~]# echo 88888888888888888888888 | nc 10.0.0.93 8888
[root@elk91 ~]# echo 999999999999999999999999 | nc 10.0.0.93 8888
Filebeat基于api-key对接HTTPS的ES加密集群（前面“Filebeat对接ES加密集群”一节走的还是明文 HTTP，本节改为 https://）
- 1.编写Filebeat配置文件
[root@elk92 filebeat]# cat 17-tcp-to-es-tls.yaml
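filebeat.inputs:
- type: tcp
  host: "0.0.0.0:9000"
output.elasticsearch:
  hosts:
    - https://10.0.0.91:9200
    - https://10.0.0.92:9200
    - https://10.0.0.93:9200
  # "id:api_key" form; store it in the Filebeat keystore
  # (filebeat keystore add ES_API_KEY) rather than in this file.
  api_key: "${ES_API_KEY}"
  index: custom-example-es-apikey-tls-2025
  # Trust the self-built CA instead of turning verification off: `none` lets
  # anyone on the path impersonate the cluster and capture the API key.
  # Export the CA certificate (no private key) from the CA PKCS#12:
  #   openssl pkcs12 -in /etc/elasticsearch/elastic-stack-ca.p12 -passin pass: \
  #       -nokeys -out /etc/filebeat/elastic-stack-ca.crt
  ssl.certificate_authorities: ["/etc/filebeat/elastic-stack-ca.crt"]
  # `certificate` verifies the chain only. The default `full` also checks the
  # hostname and cannot pass because the node certificate was generated
  # without --dns/--ip SANs; regenerate it with SANs to move back to `full`.
  # https://www.elastic.co/guide/en/beats/filebeat/7.17/configuration-ssl.html#client-verification-mode
  ssl.verification_mode: certificate
setup.ilm.enabled: false
setup.template.name: "custom-example"
setup.template.pattern: "custom-example-*"
setup.template.overwrite: true
setup.template.settings:
  index.number_of_shards: 3
  index.number_of_replicas: 0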
[root@elk92 filebeat]#
- 2.启动Filebeat实例
[root@elk92 filebeat]# filebeat -e -c `pwd`/17-tcp-to-es-tls.yaml
- 3.发送测试数据
[root@elk91 ~]# echo www.oldboyedu.com | nc 10.0.0.92 9000
- 4.kibana验证