How to solve enabling security in a cluster with two nodes in Elasticsearch
I am trying to enable the security feature on my Elasticsearch nodes, but whenever I turn on "xpack.security.enabled: true" my Elasticsearch does not start at all. How can I fix this?
Here is my configuration on the two Elasticsearch nodes: Node 1:
Node 2:
# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
# Before you set out to tweak and tune the configuration, make sure you
# understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
cluster.name: "elastic-a"
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
node.name: "elastic-master"
node.master: true
node.data: true
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
path.data: /var/lib/elasticsearch
#
# Path to log files:
#
path.logs: /var/log/elasticsearch
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
#bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
network.host: 192.168.143.30
#http.host: 0.0.0.0
#
# Set a custom port for HTTP:
#
#http.port: 9200
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1","[::1]"]
#
discovery.seed_hosts: ["192.168.143.30","192.168.143.23"]
#
# Bootstrap the cluster using an initial set of master-eligible nodes:
#
cluster.initial_master_nodes: ["elastic-master","elastic-slave"]
#
# For more information, consult the discovery and cluster formation module documentation.
#
# ---------------------------------- Gateway -----------------------------------
#
# Block initial recovery after a full cluster restart until N nodes are started:
#
#gateway.recover_after_nodes: 3
#
# For more information, consult the gateway module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Require explicit names when deleting indices:
#
#action.destructive_requires_name: true
action.auto_create_index: .monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*
xpack.security.enabled: true
I can enable the security feature without setting up the nodes (a single node), but after setting up the nodes it does not work.
sudo journalctl -f logs:
# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
# Before you set out to tweak and tune the configuration, make sure you
# understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
cluster.name: "elastic-a"
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
node.name: "elastic-slave"
node.master: true
node.data: true
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
path.data: /var/lib/elasticsearch
#
# Path to log files:
#
path.logs: /var/log/elasticsearch
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
#bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
network.host: 192.168.143.23
#http.host: 0.0.0.0
#
# Set a custom port for HTTP:
#
#http.port: 9200
#
# For more information, consult the network module documentation.
action.auto_create_index: .monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*
xpack.security.enabled: true
Solution
If you enable security, the nodes must talk to each other over SSL, i.e. you need to configure the nodes to encrypt communications between them. So you need to carry out a few steps:
Step 1: Generate a node certificate
In this step there are two options:
A. If you do not have any root certificate authority to sign a certificate, you can create a certificate authority with bin/elasticsearch-certutil ca (following the steps explained here). You will get a certificate encoded in PKCS#12 that contains the root CA certificate, the node certificate and the private key.
B. If your organization has a root certificate authority (Digicert, etc.), you can create a CSR (certificate signing request) to submit to the root CA. Typically you will get a certificate encoded in PKCS#7. PS: Let us know whether this is the path you are going down, because a few more steps are needed to convert it to PKCS#12.
Note that for testing purposes you can definitely use the same certificate on both nodes, i.e. you do not need to generate one certificate per node.
Once you have the node certificate (via option A or B), you can modify the configuration on both nodes by adding the following to the elasticsearch.yml file:
# enable security
xpack.security.enabled: true
# make sure the nodes talk in SSL to each other
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/mynode.p12
xpack.security.transport.ssl.truststore.path: certs/mynode.p12
After that, you can restart the cluster, since the nodes can now talk to each other over SSL.
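A small configuration check that catches the mismatch in the question (security enabled, several seed hosts, no transport TLS) before a node is restarted. This is an added example, not code from the answer or from Elasticsearch; the two sample files are constructed here and mirror the question's config and the answer's additions.

```python
"""Lint elasticsearch.yml for 'security on, transport TLS off' in a multi-node cluster."""
from __future__ import annotations


def parse_flat_yaml(text: str) -> dict[str, str]:
    """Parse the flat `key: value` lines of elasticsearch.yml.

    Comment and blank lines are skipped and quotes around scalars are dropped.
    Nested YAML is not handled; the file in the question only uses flat keys."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def check_transport_security(settings: dict[str, str]) -> list[str]:
    """Return the problems found; an empty list means the node can join a secured cluster."""
    problems: list[str] = []
    if settings.get("xpack.security.enabled", "false").lower() != "true":
        return problems  # security is off, nothing to check
    # More than one seed host means this node will open transport connections to peers,
    # which must be TLS once security is enabled (the single-node case in the question works).
    multi_node = settings.get("discovery.seed_hosts", "").count(",") >= 1
    ssl_on = settings.get("xpack.security.transport.ssl.enabled", "false").lower() == "true"
    if multi_node and not ssl_on:
        problems.append("xpack.security.enabled is true on a multi-node cluster "
                        "but xpack.security.transport.ssl.enabled is not true")
    if ssl_on:
        for key in ("xpack.security.transport.ssl.keystore.path",
                    "xpack.security.transport.ssl.truststore.path"):
            if not settings.get(key):
                problems.append(f"{key} is missing")
    return problems


# Constructed sample: the shape of the question's node config (security on, no transport TLS).
BROKEN_NODE_YML = """\
cluster.name: "elastic-a"
node.name: "elastic-master"
network.host: 192.168.143.30
discovery.seed_hosts: ["192.168.143.30","192.168.143.23"]
cluster.initial_master_nodes: ["elastic-master","elastic-slave"]
xpack.security.enabled: true
"""

# Constructed sample: the same node with the lines the answer adds.
FIXED_NODE_YML = BROKEN_NODE_YML + """\
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/mynode.p12
xpack.security.transport.ssl.truststore.path: certs/mynode.p12
"""

if __name__ == "__main__":
    for name, text in (("broken", BROKEN_NODE_YML), ("fixed", FIXED_NODE_YML)):
        print(name, check_transport_security(parse_flat_yaml(text)) or "OK")
```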