Preface

The ES cluster is deployed in containers, with authentication enabled.

Configuring the transport TLS certificate

To enable authentication, TLS must be added on the transport port. Without encryption, passwords are exposed in cleartext on the wire.

Note that transport and http are two different ports: one is used for internal cluster communication, the other for clients. What is configured here is the inter-node (transport) port.

Elasticsearch ships with a command, elasticsearch-certutil, that simplifies certificate generation.

1. Create a CA signing certificate, in the default location

```bash
root@es-node-1 16:21:49 0 ~
docker exec -it elasticsearch bash
elasticsearch-certutil ca --pass noohle
[root@20ba83496a6b elasticsearch]# ls
LICENSE.txt NOTICE.txt README.textile bin config data elastic-stack-ca.p12 lib logs modules plugins
```

This command creates a certificate file in PKCS#12 format that bundles the CA certificate and its signing key; once created, it is used to sign the server certificates.

2. Create the server certificate

```bash
[root@20ba83496a6b elasticsearch]# elasticsearch-certutil cert --ca elastic-stack-ca.p12  --ca-pass noohle --pass ""
```

For convenience, we create a single server certificate with no CN and no password, so that all servers can share one certificate file.

If you use ansible or another configuration tool, it is still recommended to use CN (hostname) verification, for example:

```bash
./bin/elasticsearch-certutil cert \
--ca elastic-stack-ca.p12 \
--dns localhost \
--ip 127.0.0.1,::1 \
--out config/certs/node-1.p12
```

3. Configure the certificate

```yaml
network.host: 0.0.0.0
node.name: node-1
cluster.name: "noohle"
discovery.zen.ping.unicast.hosts: ["172.16.8.140","172.16.8.141","172.16.8.142"]
bootstrap.memory_lock: false
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
```

For verification_mode we choose certificate: this mode does not check the certificate's CN (hostname); it only verifies that the certificate was signed by a trusted CA.

If we need hostname verification and have put the IP into the certificate, this mode must be changed to full.

If the certificate is in PEM format, use the configuration below:

```yaml
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /home/es/config/node01.key
xpack.security.transport.ssl.certificate: /home/es/config/node01.crt
xpack.security.transport.ssl.certificate_authorities: [ "/home/es/config/ca.crt" ]
```

4. Save the certificate password

  • If the generated certificate has a password, it must be saved in the keystore:

```bash
bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
```

If the certificate is in PEM format, use:

```bash
bin/elasticsearch-keystore add xpack.security.transport.ssl.secure_key_passphrase
```
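As an added check (my own example, not code from the original post), a small Python script that lints the flat `key: value` settings of elasticsearch.yml against the requirements of steps 3 and 4: security and transport TLS on, verification_mode full when the certificate carries DNS/IP names (the --dns/--ip form from step 2), a PKCS#12 keystore/truststore or PEM key/cert/CA present, and no secure_password or secure_key_passphrase left in the YAML instead of elasticsearch-keystore. The sample config is constructed from the post's step 3 settings with two deliberate problems added.

```python
# Added example (not the post's code): lint elasticsearch.yml for the post's TLS/auth settings.

# Constructed sample: the post's node config plus two deliberate problems.
SAMPLE_YML = """\
network.host: 0.0.0.0
node.name: node-1
cluster.name: "noohle"
discovery.zen.ping.unicast.hosts: ["172.16.8.140","172.16.8.141","172.16.8.142"]
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.transport.ssl.keystore.secure_password: noohle
"""

def parse_settings(text):
    """Return {key: value} for flat `key: value` lines; comments and blanks skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, _, value = line.partition(":")
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def check_security(settings, cert_has_san=False):
    """Return findings (empty = requirements met). cert_has_san: the node cert
    was issued with --dns/--ip, so the post says verification_mode must be full."""
    findings = []
    ssl = "xpack.security.transport.ssl."
    if settings.get("xpack.security.enabled") != "true":
        findings.append("xpack.security.enabled is not true: no authentication")
    if settings.get(ssl + "enabled") != "true":
        findings.append("transport TLS off: cluster traffic and passwords in cleartext")
    else:
        mode = settings.get(ssl + "verification_mode", "full")  # ES default is full
        if mode == "none":
            findings.append("verification_mode none: peer certs not checked against CA")
        elif mode == "certificate" and cert_has_san:
            findings.append("cert carries DNS/IP names but verification_mode is not full")
        p12 = ssl + "keystore.path" in settings and ssl + "truststore.path" in settings
        pem = all(ssl + k in settings for k in ("key", "certificate", "certificate_authorities"))
        if not (p12 or pem):
            findings.append("transport TLS on but no PKCS#12 or PEM key/cert/CA configured")
    for key in settings:  # secrets belong in elasticsearch-keystore, not in the yml
        if key.endswith(("secure_password", "secure_key_passphrase")):
            findings.append(f"{key} in elasticsearch.yml; add it with elasticsearch-keystore")
    return findings
```

Run it against a node's real elasticsearch.yml by replacing SAMPLE_YML with the file contents; an empty result means the file matches what this post configures.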

5. Copy the created certificate out of the container, place it on the other nodes, and mount it into their containers

```yaml
version: '3'
services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:6.8.9
    container_name: elasticsearch
    restart: always
    environment:
      - "ES_JAVA_OPTS=-Xms2048m -Xmx2048m"
    volumes:
      - type: volume
        source: data
        target: /usr/share/elasticsearch/data
      - type: bind
        source: ./elasticsearch.yml
        target: /usr/share/elasticsearch/config/elasticsearch.yml
      - type: bind
        source: ./cert/elastic-certificates.p12
        target: /usr/share/elasticsearch/config/elastic-certificates.p12
    network_mode: "host"
    privileged: true
    user: "root"
volumes:
  data:
    driver: local
    driver_opts:
      type: none
      o: bind
      device: /data/elasticsearch
```

6. Restart Elasticsearch

Setting up authentication for Elasticsearch

Built-in users

elastic: the built-in superuser
kibana_system: the user Kibana uses to connect to and communicate with Elasticsearch
logstash_system: the user with the ES privileges Logstash needs to write monitoring data
beats_system: the user with the ES privileges Beats needs to write monitoring data
apm_system: the user with the ES privileges APM needs to write monitoring data
remote_monitoring_user: used by the Metricbeat user when collecting and storing monitoring information in Elasticsearch

These users are all stored in the .security index.

There are two ways to enable these users: the first is to set their passwords with the built-in elasticsearch-setup-passwords command; the second is to set them through the API using the bootstrap.password.

Setting passwords with elasticsearch-setup-passwords

This command is bundled with Elasticsearch and is used interactively; it only needs to be run on one node of the cluster.

```bash
elasticsearch-setup-passwords interactive
```

Using the password

```bash
# Option 1
curl http://user:pass@localhost:9200
# Option 2
curl -X GET --user user:pass 127.0.0.1:9200/_security/_authenticate?pretty
```

Changing the elastic password using the bootstrap password, via
`POST /_security/user/<username>/_password`

```bash
curl -X POST --user elastic:pass  "localhost:9200/_security/user/elastic/_password?pretty" -H 'Content-Type: application/json' -d'
{
  "password" : "new-password"
}
'
```

Once updated, the same endpoint can be used to update the passwords of the other Elasticsearch users.

Logstash monitoring configuration

```yaml
xpack.monitoring.enabled: true
xpack.monitoring.elasticsearch.hosts: [ "http://elasticsearchdata:9200" ]
xpack.monitoring.elasticsearch.username: "logstash_system"
xpack.monitoring.elasticsearch.password: "zp3wczrneK2JSUEh"
```

Kibana monitoring configuration

```yaml
elasticsearch.username: "kibana_system"
elasticsearch.password: "3R2DS3ehuMtTlOhO"
```

Creating the logstash cluster role

```bash
curl -X POST --user elastic:pass "localhost:9200/_security/role/logstash?pretty" -H 'Content-Type: application/json' -d'
{
  "cluster": ["manage_index_templates", "monitor", "manage_ilm"],
  "indices": [
    {
      "names": [ "*" ],
      "privileges": ["write","create","create_index","manage","manage_ilm"]
    }
  ]
}
'
```

Creating the logstash user

```bash
# the call must be authenticated now that security is enabled, same as the role creation above
curl -X POST --user elastic:pass "localhost:9200/_security/user/logstash_internal?pretty" -H 'Content-Type: application/json' -d'
{
  "password" : "x-pack-test-password",
  "roles" : [ "logstash"],
  "full_name" : "Internal Logstash User"
}
'
```

On success it returns:

```json
{
  "created": true
}
```

Using it in the Logstash configuration

```
input {
  elasticsearch {
    ...
    user => logstash_internal
    password => x-pack-test-password
  }
}
filter {
  elasticsearch {
    ...
    user => logstash_internal
    password => x-pack-test-password
  }
}
output {
  elasticsearch {
    ...
    user => logstash_internal
    password => x-pack-test-password
  }
}
```