1. The pitfall

Following "Set up minimal security for Elasticsearch", neither ./bin/elasticsearch-setup-passwords auto nor ./bin/elasticsearch-setup-passwords interactive works. A message is displayed saying that the health of the cluster cannot be determined. In fact, communication within the cluster is broken. The following information is displayed:

Failed to determine the health of the cluster running at http://192.168.122.1:9200
Unexpected response code [503] from calling GET http://192.168.122.1:9200/_cluster/health?pretty
Cause: master_not_discovered_exception
It is recommended that you resolve the issues with your cluster before running elasticsearch-setup-passwords.
It is very likely that the password changes will fail when run against an unhealthy cluster.
Do you want to continue with the password setup process [y/N]ERROR: User cancelled operation

I read the official document many times and found a sentence:

The minimal security scenario is not sufficient for production mode clusters. If your cluster has multiple nodes, you must enable minimal security and then configure Transport Layer Security (TLS) between nodes.

If there is only one node, add the following configuration to elasticsearch.yml:

discovery.type: single-node

However, since my cluster has 3 nodes, it cannot be set to single-node mode, so this option is not available. According to the documentation, a cluster environment needs the additional security configuration. So the solution is actually there: follow "Set up basic security for the Elastic Stack", which is described in a later section of the official documentation.

2. Configuration Steps:

Note: I run every command from the bin directory of ES, so the commands are not exactly the same as in the official documentation.

2.1 Generating a CA Certificate

On any single node, use the elasticsearch-certutil tool to generate the CA for your cluster.

./elasticsearch-certutil ca

A. When prompted, accept the default file name, namely elastic-stack-ca.p12. This file contains the CA's public certificate and the private key used to sign the certificate for each node.
B. Enter the CA password. If you are not deploying to a production environment, you can choose to leave the password blank.

2.2 Configuring the CA Certificate

On any single node, generate certificates and private keys for the nodes in the cluster. Pass in the elastic-stack-ca.p12 output file generated in the previous step.

./elasticsearch-certutil cert --ca elastic-stack-ca.p12

A. Enter your CA password, or if you did not configure a password in the previous step, press Enter.
B. Create a password for the certificate and accept the default file name. The output file is a keystore called elastic-certificates.p12. This file contains the node certificate, node key, and CA certificate.

2.3 Copying a Certificate to a Cluster

On each node in the cluster, copy the elastic-certificates.p12 file to the $ES_PATH_CONF directory, i.e. the config directory.

2.4 Modifying the Configuration File

A. Basic cluster configuration, which is required even without security:

cluster.name: my-cluster  # Same on every node
node.name: node-1  # Different on each node

B. Configure security

Since the same elastic-certificates.p12 file is used on every node in the cluster, set the verification mode to certificate:

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate 
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

2.5 Configuring passwords

If you entered a password when creating the node certificate, run the following commands to store the password in the Elasticsearch keystore:

./elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
./elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

Steps 2.4-2.5 are required on each node.

2.6 Restarting ES.

I specify a pid file at startup; the startup command is as follows:

./elasticsearch -d -p /home/elk/pid/es-node-01

You can stop ES with the following commands:

cat /home/elk/pid/es-node-01
kill -SIGTERM 32167   # 32167 is the output of the previous command

2.7 Configuring the Account Password

After restarting, you can run the following command to configure the account password:

./elasticsearch-setup-passwords auto

It automatically outputs random passwords for all built-in accounts, which can be changed later. You can also use the following command to customize the password:

./elasticsearch-setup-passwords interactive

The preceding command needs to be run on only one node, not on all nodes. The passwords output above can then be configured in Kibana or other tools that need to connect to ES, such as Cerebro monitoring.
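
Because steps 2.3 to 2.5 are repeated by hand on every node, a per-node check catches a node that drifted from the others. The script below is an added example, not part of the original post or of Elasticsearch; yml_get and check_es_transport_tls are hypothetical helper names, and it assumes a flat elasticsearch.yml with unquoted values like the one shown in step 2.4.

```sh
#!/bin/sh
# Added example: audit one node's config directory against steps 2.3 and 2.4 B.
# Assumes a flat elasticsearch.yml with unquoted "key: value" lines, as on this page.

# Print the value of a top-level key, without trailing comment or whitespace.
yml_get() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^${key_re}:[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//' | head -n 1
}

# Print one line per problem; the return status is the number of problems.
check_es_transport_tls() {
    yml="$1/elasticsearch.yml"
    p12="$1/elastic-certificates.p12"
    problems=0
    [ -r "$yml" ] || { echo "cannot read $yml"; return 1; }
    while read -r key want; do
        got=$(yml_get "$yml" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key: expected '$want', found '${got:-unset}'"
            problems=$((problems + 1))
        fi
    done <<EOF
xpack.security.transport.ssl.enabled true
xpack.security.transport.ssl.verification_mode certificate
xpack.security.transport.ssl.client_authentication required
xpack.security.transport.ssl.keystore.path elastic-certificates.p12
xpack.security.transport.ssl.truststore.path elastic-certificates.p12
EOF
    if [ ! -f "$p12" ]; then
        echo "$p12 is missing (step 2.3)"
        problems=$((problems + 1))
    elif [ -n "$(find "$p12" -perm -004)" ]; then
        echo "$p12 is world-readable, and it holds the node private key"
        problems=$((problems + 1))
    fi
    if [ "$(yml_get "$yml" discovery.type)" = "single-node" ]; then
        echo "discovery.type: single-node keeps this node out of a multi-node cluster"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed demo: a node left on the single-node setting, with no TLS keys or keystore.
demo=$(mktemp -d)
echo 'discovery.type: single-node' > "$demo/elasticsearch.yml"
check_es_transport_tls "$demo" || echo "problems found: $?"
rm -rf "$demo"
```

On a real node, call check_es_transport_tls "$ES_PATH_CONF" before the restart in step 2.6; a return status of 0 means the node matches the settings above.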

3. Summary

Relying on piecemeal learning material makes it difficult to fully grasp the core of a technology. You still need to read the official documentation, and it is best to understand each chapter, in order to choose the configuration that suits your needs.