I. Background
Add X-Pack security authentication to the cpos KS ES cluster.
1. Cluster information
ES version: 7.10.2
Number of nodes: 5
Data volume: 349G
Number of shards: 6
Number of replicas: 1
2. Cluster screenshot
II. Procedure
0. Step overview:
- Add the xpack settings to the ES yml configuration
- Generate the cert, then copy the cert file to the other nodes
- Configure the password for ES inter-node communication over TCP 9300
- Restart the ES service
- Create the ES administrator password
- Add the user to the Kibana configuration file, then restart the Kibana service
- Create the yumdbuser account
- Connect the application to ES
1. Add the xpack parameters to the ES configuration file (on all 5 nodes)
vim /etc/elasticsearch/elasticsearch.yml
Append the following parameters:
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
2. Create the certs directory (on all 5 nodes)
mkdir /etc/elasticsearch/certs
3. Generate the elastic-certificates.p12 file on the master node
# Generates the elastic-certificates.p12 file; with this cert there is no need for a separate CA.
/usr/share/elasticsearch/bin/elasticsearch-certutil cert
# The generated file is located at the following path:
/usr/share/elasticsearch/elastic-certificates.p12
# Place it under /etc/elasticsearch/certs
cp /usr/share/elasticsearch/elastic-certificates.p12 /etc/elasticsearch/certs
# File ownership
chown -R elasticsearch:elasticsearch /etc/elasticsearch/certs
Notes:
· Copy the elastic-certificates.p12 generated on the master node to /etc/elasticsearch/certs on the other nodes
· If the ownership is not changed, the ES service will fail with a permissions error on restart
4. Configure the inter-node communication password (on all 5 nodes)
# This is the password for ES inter-node communication over TCP 9300 (the keystore/truststore password)
/usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
/usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
Note:
Restart the ES service immediately after this configuration; otherwise ES fails to start.
systemctl restart elasticsearch
5. Create the ES administrator password
# Password chosen: a3b9ymeERz
/usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive
# Alternative: specify the node URL explicitly
/usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive -u "http://172.21.52.95:9200"
6. Add the xpack settings to Kibana
vim /etc/kibana/kibana.yml
Append the following configuration:
elasticsearch.username: "elastic"
elasticsearch.password: "1234567"
xpack.reporting.csv.maxSizeBytes: 809715200
xpack.reporting.queue.timeout: 1800000
7. Verification
# Query the cluster settings
curl -X GET --user yumdbuser:Stz8H6SY23 http://172.25.171.33:9200/_cluster/settings?pretty
# List the indices
curl -X GET --user yumdbuser:Stz8H6SY23 http://172.25.171.33:9200/_cat/indices?v
III. Problems
1. After the xpack configuration is complete, ES reports an error on restart
[2023-01-09T21:00:38,731][ERROR][o.e.b.ElasticsearchUncaughtExceptionHandler] [vm172-25-171-29.ksc.com] uncaught exception in thread [main]
org.elasticsearch.bootstrap.StartupException: ElasticsearchSecurityException[failed to load SSL configuration [xpack.security.transport.ssl]]; nested: ElasticsearchException[failed to initialize SSL TrustManager]; nested: IOException[keystore password was incorrect]; nested: UnrecoverableKeyException[failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.];
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:174) ~[elasticsearch-7.10.2.jar:7.10.2]
at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:161) ~[elasticsearch-7.10.2.jar:7.10.2]
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) ~[elasticsearch-7.10.2.jar:7.10.2]
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:127) ~[elasticsearch-cli-7.10.2.jar:7.10.2]
at org.elasticsearch.cli.Command.main(Command.java:90) ~[elasticsearch-cli-7.10.2.jar:7.10.2]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:126) ~[elasticsearch-7.10.2.jar:7.10.2]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) ~[elasticsearch-7.10.2.jar:7.10.2]
Caused by: org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl]
Analysis: the inter-node communication password (the keystore/truststore secure password) had not been configured.
Solution:
# This is the password for ES inter-node communication over TCP 9300
/usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
/usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
Then restart the ES service immediately; this resolves the problem.
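A preflight check covering steps 1 and 4 above and the startup failure just described, added here as an example and not part of the original runbook: it confirms that elasticsearch.yml carries the xpack settings and that both secure_password entries exist before the service is restarted. It assumes the keystore listing has been saved to a text file (for example from `elasticsearch-keystore list`); the sample yml and listings are constructed.

```shell
#!/bin/sh
# Added preflight check, not part of the original runbook: run it before
# `systemctl restart elasticsearch`. It confirms elasticsearch.yml carries the
# six xpack settings from step 1 and that the keystore holds both
# secure_password entries from step 4; missing entries are what caused the
# "failed to load SSL configuration" startup error in section III.
# Assumption: the keystore listing is read from a text file (e.g. the saved
# output of `elasticsearch-keystore list`) so the check runs offline.

REQUIRED_YML="xpack.security.enabled=true \
xpack.security.transport.ssl.enabled=true \
xpack.security.transport.ssl.verification_mode=certificate \
xpack.security.transport.ssl.client_authentication=required \
xpack.security.transport.ssl.keystore.path=certs/elastic-certificates.p12 \
xpack.security.transport.ssl.truststore.path=certs/elastic-certificates.p12"
REQUIRED_KEYSTORE="xpack.security.transport.ssl.keystore.secure_password \
xpack.security.transport.ssl.truststore.secure_password"

# yml_value FILE KEY: value of the first "KEY: value" line, or empty if absent
yml_value() {
  grep -E "^[[:space:]]*$2:" "$1" | head -n 1 | sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//'
}

# xpack_preflight YML_FILE KEYSTORE_LIST_FILE: print every missing or wrong
# setting; return 0 only when the node is safe to restart.
xpack_preflight() {
  rc=0
  for pair in $REQUIRED_YML; do
    key=${pair%%=*}; want=${pair#*=}; got=$(yml_value "$1" "$key")
    [ "$got" = "$want" ] || { echo "yml: $key='${got:-<unset>}', expected '$want'"; rc=1; }
  done
  for key in $REQUIRED_KEYSTORE; do
    grep -qx "$key" "$2" || { echo "keystore: missing $key (elasticsearch-keystore add $key)"; rc=1; }
  done
  return $rc
}

# Constructed sample inputs: a correct yml (built from REQUIRED_YML), a complete
# keystore listing, and a listing without the secure_password entries.
TMP=$(mktemp -d)
printf '%s\n' "$REQUIRED_YML" | tr ' ' '\n' | sed 's/=/: /' > "$TMP/elasticsearch.yml"
printf 'keystore.seed\nxpack.security.transport.ssl.keystore.secure_password\n' > "$TMP/keystore-ok.txt"
printf 'xpack.security.transport.ssl.truststore.secure_password\n' >> "$TMP/keystore-ok.txt"
printf 'keystore.seed\n' > "$TMP/keystore-bad.txt"

xpack_preflight "$TMP/elasticsearch.yml" "$TMP/keystore-ok.txt" && echo "OK to restart"
xpack_preflight "$TMP/elasticsearch.yml" "$TMP/keystore-bad.txt" || echo "fix before restart"
```

On a real node, feed it the live /etc/elasticsearch/elasticsearch.yml and the saved output of `elasticsearch-keystore list`; a non-zero exit means the restart would fail the way section III shows.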
2. Disable shard reallocation
# Disable shard allocation and rebalancing
curl -X PUT -H "Content-Type: application/json" -d '{ "persistent": { "cluster.routing.allocation.enable": "primaries" } }' "http://172.25.171.33:9200/_cluster/settings"
# Perform a synced flush
curl -X POST "http://172.25.171.33:9200/_flush/synced?pretty"
# Check the cluster settings
curl -X GET http://172.25.171.33:9200/_cluster/settings?pretty
3. Re-enable shard reallocation
# After Elasticsearch is up, re-enable shard allocation
curl -X PUT -H "Content-Type: application/json" -d '{"persistent": { "cluster.routing.allocation.enable": null } }' --user elastic:a3b9ymeERz "http://172.25.171.33:9200/_cluster/settings"
# Check the cluster settings
curl -X GET --user elastic:a3b9ymeERz http://172.25.171.33:9200/_cluster/settings?pretty
# Perform a synced flush
curl -X POST --user elastic:a3b9ymeERz "http://172.25.171.33:9200/_flush/synced?pretty"