
How to realize TLS Communication between elasticsearch and Cluster based on RBAC Authentication

2025-02-23 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

This article explains how to set up Elasticsearch with RBAC-based authentication and TLS communication between cluster nodes. The method is simple, fast and practical.

I. Background

By default, once we set up an es cluster, anyone can read cluster information through http://localhost:9200 without authentication, which is obviously not secure. Likewise, within the same local area network, if we start several es nodes with the same cluster name, they may automatically join one another's cluster, which is also not secure. We need a way to solve both problems. The x-pack plug-in that ships with es covers these requirements, and in newer versions of es x-pack is integrated by default.

II. Problems that need to be solved

1. Add user name and password to es.

2. TLS is used to communicate between clusters.

III. Add username and password access to es

1. Modify config/elasticsearch.yml

    # 1. modify ES_HOME/config/elasticsearch.yml and add the following configuration
    vim config/elasticsearch.yml
    xpack.security.enabled: true

2. Access the es cluster

> At this point you can see that a user name and password are required to access the es cluster. So where do we get this user name and password?

3. Enable the users built into the es cluster

1. Let es set the initial passwords automatically

    ./bin/elasticsearch-setup-passwords auto

If you execute the above command, es generates the passwords automatically, and we need to save them ourselves.

2. Set the passwords manually

    ./bin/elasticsearch-setup-passwords interactive

For simplicity, the password of each user is set to 123456 here; in a production environment a complex password must be used.

Note ⚠️:

Once we have set the password for the elastic user, we can no longer execute the elasticsearch-setup-passwords command.

3. Revisit es and enter your user name and password

Revisit the es cluster, enter the user name and password, and you can access the cluster information.

4. Kibana connects to the es cluster

1. Set the kibana username and password

    # set username and password
    elasticsearch.username: "kibana_system"
    elasticsearch.password: "123456"

The user name and password are the ones set in the previous step.

2. Visit kibana

At this point, you can see that our kibana needs a username and password to access.

3. Create users and roles through kibana

5. Configure TLS communication between es clusters

1. In the production mode of an es cluster, communication between nodes must use TLS; otherwise the cluster cannot start.

2. Configure the cluster to communicate over TLS and prevent untrusted nodes from joining the es cluster.

1. What is the production mode of es

The discovery type is not single-node discovery.

Nodes bind to non-loopback addresses so that other nodes can join the cluster.

2. Configuration

1. Generate the CA certificate

    # generate the CA
    bin/elasticsearch-certutil ca

2. Issue a certificate for each node

    # --ca specifies the path of the CA certificate
    ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

3. View the generation path of the certificate

4. Configure the certificate on each node in the cluster

    # 1. copy the certificate to the config directory of each node
    mv elastic-certificates.p12 config
    # 2. modify the elasticsearch.yml file and add the following configuration
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.client_authentication: required
    xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

5. Restart the es cluster

6. Reload certificates, keys and other information of the cluster

This is controlled by the resource.reload.interval.high setting, which defaults to 5s.
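As an added check (example code written for this article, not part of it or of Elasticsearch): a small Python audit that parses the flat `key: value` form used in the elasticsearch.yml snippets above and reports settings that leave the cluster open, covering both the xpack.security.enabled step and the transport TLS settings. The sample config is constructed, and the finding messages are this example's own wording.

```python
import re

# Constructed sample: the settings from this article, with verification_mode
# deliberately weakened to "none" so the audit has something to report.
SAMPLE_CONFIG = """\
network.host: 0.0.0.0
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: none   # weak
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
"""
SSL = "xpack.security.transport.ssl."

def parse_flat_yaml(text):
    """Parse flat `key: value` lines (the form the article uses); skips comments."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([\w.]+)\s*:\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip("\"'")
    return settings

def audit(settings):
    """Return findings; an empty list means the node matches the hardened setup."""
    findings = []
    if settings.get("xpack.security.enabled") != "true":
        findings.append("xpack.security.enabled is not true: REST API is open without a password")
    if settings.get(SSL + "enabled") != "true":
        findings.append(SSL + "enabled is not true: node-to-node traffic is cleartext")
    # Elasticsearch's own defaults are verification_mode=full and client_authentication=required
    if settings.get(SSL + "verification_mode", "full") == "none":
        findings.append(SSL + "verification_mode is none: peer certificates are not checked")
    if settings.get(SSL + "client_authentication", "required") != "required":
        findings.append(SSL + "client_authentication is not required: peers need not present a certificate")
    for store in ("keystore.path", "truststore.path"):
        if not settings.get(SSL + store):
            findings.append(SSL + store + " is missing")
    return findings

def audit_text(text):
    return audit(parse_flat_yaml(text))

if __name__ == "__main__":
    for finding in audit_text(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against each node's config after step 4; a node that passes with no findings has the same settings the article adds, with verification_mode set to check peer certificates.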

6. Basic authentication in the Java client

    import org.apache.http.HttpHost;
    import org.apache.http.auth.AuthScope;
    import org.apache.http.auth.UsernamePasswordCredentials;
    import org.apache.http.client.CredentialsProvider;
    import org.apache.http.impl.client.BasicCredentialsProvider;
    import org.elasticsearch.client.RestClient;
    import org.elasticsearch.client.RestHighLevelClient;

    /**
     * @author huan.fu 2021-4-22 2:48 p.m.
     */
    public class AbstractEsApi {

        protected final RestHighLevelClient client;

        public AbstractEsApi() {
            // credentials for HTTP basic authentication against the secured cluster
            final CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
            credentialsProvider.setCredentials(AuthScope.ANY,
                    new UsernamePasswordCredentials("elastic", "123456"));
            client = new RestHighLevelClient(
                    RestClient.builder(
                            new HttpHost("localhost", 9200, "http"),
                            new HttpHost("localhost", 9201, "http"),
                            new HttpHost("localhost", 9202, "http"))
                            // attach the credentials provider to the underlying Apache HTTP client
                            .setHttpClientConfigCallback(httpClientBuilder ->
                                    httpClientBuilder.setDefaultCredentialsProvider(credentialsProvider)));
        }
    }

At this point you should have a deeper understanding of how to set up RBAC-based authentication for elasticsearch and TLS communication between cluster nodes. Try it out in practice.
