After adding password protection in the minimal security configuration, you will need to configure Transport Layer Security (TLS). The transport layer handles all internal communication between nodes in the cluster.
For the minimal security configuration, see: Set up minimal security for Elasticsearch
If your cluster has more than one node, you must configure TLS between the nodes. A cluster in production mode will not start if TLS is not enabled.
The transport layer relies on mutual TLS to encrypt and authenticate nodes. Correctly applied TLS ensures that a malicious node cannot join the cluster and exchange data with other nodes. While username and password authentication on the HTTP layer is useful for protecting a local cluster, securing the communication between nodes requires TLS.
- Configuring TLS between nodes is the basic security setup that prevents unauthorized nodes from accessing your cluster.
Complete the steps in Set up minimal security for the Elastic Stack to enable the Elasticsearch security features on every node in the cluster. You can then use TLS to encrypt the communication between nodes.
You can add any number of nodes to the cluster, but they must be able to communicate with each other. Communication between the nodes of a cluster is handled by the transport module. To secure your cluster, you must ensure that inter-node communication is both encrypted and authenticated, which is achieved with mutual TLS.
In a secured cluster, Elasticsearch nodes use certificates to identify themselves when communicating with other nodes.
The cluster must verify the authenticity of these certificates. The recommended approach is to trust a specific certificate authority (CA). When nodes are added to the cluster, they must use certificates signed by that same CA.
For the transport layer, we recommend using a separate, dedicated CA rather than an existing, possibly shared CA, so that node membership is strictly controlled. Use the elasticsearch-certutil tool to generate a CA for your cluster.
On any single node, use the elasticsearch-certutil tool to generate a CA for your cluster.
You can also pass the --days parameter: the number of days that the generated certificates are valid.
root@ubuntu-x64_02:/usr/local/elasticsearch9201# ./bin/elasticsearch-certutil ca
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.

Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority

By default the 'ca' mode produces a single PKCS#12 output file which holds:
    * The CA certificate
    * The CA's private key

If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key

Please enter the desired output file [elastic-stack-ca.p12]:
Enter password for elastic-stack-ca.p12 :
root@ubuntu-x64_02:/usr/local/elasticsearch9201# ls -tlh
total 656K
-rw------- 1 root root 2.7K Mar 21 14:31 elastic-stack-ca.p12
On any single node, generate a certificate and private key for the nodes in your cluster. Use the CA output file elastic-stack-ca.p12 generated in the previous step.
--ca
The name of the CA file used to sign the certificates. The default file name produced by the elasticsearch-certutil tool is elastic-stack-ca.p12.
Enter the password for your CA, or press Enter if you did not configure a password in the previous step.
Create a password for the certificate and accept the default file name.
The output is a single file named elastic-certificates.p12. This file contains the node certificate, the node key, and the CA certificate.
You can also pass the --days parameter: the number of days that the generated certificates are valid.
root@ubuntu-x64_02:/usr/local/elasticsearch9201# ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'cert' mode generates X.509 certificate and private keys.

    * By default, this generates a single certificate and key for use
       on a single instance.
    * The '-multiple' option will prompt you to enter details for multiple
       instances and will generate a certificate and key for each one
    * The '-in' option allows for the certificate generation to be automated by describing
       the details of each instance in a YAML file
    * An instance is any piece of the Elastic Stack that requires an SSL certificate.
      Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
      may all require a certificate and private key.
    * The minimum required value for each instance is a name. This can simply be the
      hostname, which will be used as the Common Name of the certificate. A full
      distinguished name may also be used.
    * A filename value may be required for each instance. This is necessary when the
      name would result in an invalid file or directory name. The name provided here
      is used as the directory name (within the zip) and the prefix for the key and
      certificate files. The filename is required if you are prompted and the name
      is not displayed in the prompt.
    * IP addresses and DNS names are optional. Multiple values can be specified as a
      comma separated string. If no IP addresses or DNS names are provided, you may
      disable hostname verification in your SSL configuration.

    * All certificates generated by this tool will be signed by a certificate authority (CA)
      unless the --self-signed command line option is specified.
      The tool can automatically generate a new CA for you, or you can provide your own with
      the --ca or --ca-cert command line options.

By default the 'cert' mode produces a single PKCS#12 output file which holds:
    * The instance certificate
    * The private key for the instance certificate
    * The CA certificate

If you specify any of the following options:
    * -pem (PEM formatted output)
    * -keep-ca-key (retain generated CA key)
    * -multiple (generate multiple certificates)
    * -in (generate certificates from an input file)
then the output will be be a zip file containing individual certificate/key files

Enter password for CA (elastic-stack-ca.p12) :
Please enter the desired output file [elastic-certificates.p12]:
Enter password for elastic-certificates.p12 :

Certificates written to /usr/local/elasticsearch9201/elastic-certificates.p12

This file should be properly secured as it contains the private key for
your instance.
This file is a self contained file and can be copied and used 'as is'
For each Elastic product that you wish to configure, you should copy
this '.p12' file to the relevant configuration directory
and then follow the SSL configuration instructions in the product guide.

For client applications, you may only need to copy the CA certificate and
configure the client to trust this certificate.
root@ubuntu-x64_02:/usr/local/elasticsearch9201# ls -tlh
total 660K
-rw------- 1 root root 3.6K Mar 21 14:37 elastic-certificates.p12
-rw------- 1 root root 2.7K Mar 21 14:31 elastic-stack-ca.p12
root@ubuntu-x64_02:/usr/local/elasticsearch9201# cp elastic-certificates.p12 /usr/local/elasticsearch9201/config/ ; chown elk:elk /usr/local/elasticsearch9201/config/elastic-certificates.p12
root@ubuntu-x64_02:/usr/local/elasticsearch9201# cp elastic-certificates.p12 /usr/local/elasticsearch9202/config/ ; chown elk:elk /usr/local/elasticsearch9202/config/elastic-certificates.p12
root@ubuntu-x64_02:/usr/local/elasticsearch9201# cp elastic-certificates.p12 /usr/local/elasticsearch9203/config/ ; chown elk:elk /usr/local/elasticsearch9203/config/elastic-certificates.p12
The transport network layer is used for internal communication between the nodes of a cluster. Once the security features are enabled, you must use TLS to ensure that communication between nodes is encrypted.
Now that you have generated a certificate authority and a certificate, update the cluster to use these files.
Complete the following steps for every node in the cluster. To join the same cluster, all nodes must share the same cluster.name value.
Open the $ES_PATH_CONF/elasticsearch.yml file and make the following changes:
Add the cluster.name setting and enter a name for the cluster:
root@ubuntu-x64_02:/usr/local/elasticsearch9201# cat /usr/local/elasticsearch9201/config/elasticsearch.yml | grep "cluster.name"
cluster.name: my-cluster
root@ubuntu-x64_02:/usr/local/elasticsearch9201# cat /usr/local/elasticsearch9202/config/elasticsearch.yml | grep "cluster.name"
cluster.name: my-cluster
root@ubuntu-x64_02:/usr/local/elasticsearch9201# cat /usr/local/elasticsearch9203/config/elasticsearch.yml | grep "cluster.name"
cluster.name: my-cluster
root@ubuntu-x64_02:/usr/local/elasticsearch9201# cat /usr/local/elasticsearch9201/config/elasticsearch.yml | grep "node.name"
node.name: node-1
root@ubuntu-x64_02:/usr/local/elasticsearch9201# cat /usr/local/elasticsearch9202/config/elasticsearch.yml | grep "node.name"
node.name: node-2
root@ubuntu-x64_02:/usr/local/elasticsearch9201# cat /usr/local/elasticsearch9203/config/elasticsearch.yml | grep "node.name"
node.name: node-3
Add the following settings to enable TLS for inter-node communication and to give the node access to its certificate.
Because you are using the same elastic-certificates.p12 file on every node in the cluster, set the verification mode to certificate:
root@ubuntu-x64_02:/usr/local/elasticsearch9201# cat >> /usr/local/elasticsearch9201/config/elasticsearch.yml <<
root@ubuntu-x64_02:/usr/local/elasticsearch9201# cat >> /usr/local/elasticsearch9202/config/elasticsearch.yml <<
root@ubuntu-x64_02:/usr/local/elasticsearch9201# cat >> /usr/local/elasticsearch9203/config/elasticsearch.yml <<
Restart Elasticsearch on every node in the cluster. The way you start and stop Elasticsearch depends on how it was installed.
You must perform a full cluster restart. Nodes configured to use TLS for transport cannot communicate with nodes that use unencrypted transport connections (and vice versa).
root@ubuntu-x64_02:/usr/local/elasticsearch9201# systemctl restart elasticsearch9201
root@ubuntu-x64_02:/usr/local/elasticsearch9201# systemctl restart elasticsearch9202
root@ubuntu-x64_02:/usr/local/elasticsearch9201# systemctl restart elasticsearch9203
root@ubuntu-x64_02:/db_data/elasticsearch9201/logs# curl "http://127.0.0.1:9201/_cat/health/?v"
{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/_cat/health/?v]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"missing authentication credentials for REST request [/_cat/health/?v]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401}
root@ubuntu-x64_02:/db_data/elasticsearch9201/logs# curl -u elastic:G9******nG http://127.0.0.1:9201/_cat/health/?v;
epoch      timestamp cluster    status node.total node.data shards pri relo init unassign pending_tasks max_task_wait_time active_shards_percent
1679389771 09:09:31  my-cluster green           3         3     39  18    0    0        0             0                  -                100.0%
root@ubuntu-x64_02:/db_data/elasticsearch9201/logs# curl -u elastic:G9******nG http://127.0.0.1:9201/_cat/nodes/?v;
ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role   master name
127.0.0.1           41          90   5    1.10    0.51     0.25 cdfhilmrstw *      node-1
127.0.0.1           66          90   5    1.10    0.51     0.25 cdfhilmrstw -      node-3
127.0.0.1           52          90   5    1.10    0.51     0.25 cdfhilmrstw -      node-2
root@ubuntu-x64_02:/db_data/elasticsearch9201/logs#
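As an added example (not code from the original post or from Elastic), the bash helpers below append the transport TLS settings used in this walkthrough to a node's elasticsearch.yml and then audit every node's config and keystore before the full cluster restart; the config paths, the shared elastic-certificates.p12 layout and Linux coreutils (stat -c, sed -i) are assumptions. The audit rejects verification_mode none, which would disable certificate checking entirely, and accepts certificate or full (full also checks hostnames, so it needs a per-node certificate with SANs instead of one shared bundle).

```shell
# Added example, not code from the original post: append the transport-TLS
# settings used in the walkthrough to a node's elasticsearch.yml, then audit
# the node configs. Assumes Linux coreutils (stat -c) and the shared
# elastic-certificates.p12 bundle sitting in each node's config directory.
set -eu
KEYSTORE=elastic-certificates.p12   # one bundle for every node, as in the post

# Read a flat "key: value" setting (first match); empty string if absent.
es_setting() { # $1 = elasticsearch.yml, $2 = key
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# verification_mode is "certificate": every node presents the same cert, so
# hostnames cannot be checked ("full" needs per-node certs with SANs).
enable_transport_tls() { # $1 = elasticsearch.yml
  [ "$(es_setting "$1" xpack.security.transport.ssl.enabled)" = true ] && return 0
  cat >> "$1" <<EOF
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: $KEYSTORE
xpack.security.transport.ssl.truststore.path: $KEYSTORE
EOF
}

# Audit one node's settings and keystore; print findings, return 1 on any.
audit_node_conf() { # $1 = elasticsearch.yml
  local conf=$1 dir rc=0 mode ks
  dir=$(dirname "$conf")
  [ "$(es_setting "$conf" xpack.security.enabled)" = true ] || { echo "$conf: security disabled"; rc=1; }
  [ "$(es_setting "$conf" xpack.security.transport.ssl.enabled)" = true ] || { echo "$conf: transport TLS off"; rc=1; }
  mode=$(es_setting "$conf" xpack.security.transport.ssl.verification_mode)
  case "$mode" in
    certificate|full) ;;
    *) echo "$conf: verification_mode '$mode' (want certificate or full)"; rc=1 ;;
  esac
  ks=$(es_setting "$conf" xpack.security.transport.ssl.keystore.path)
  if [ ! -f "$dir/$ks" ]; then echo "$conf: keystore '$ks' missing"; rc=1
  elif [ "$(stat -c %a "$dir/$ks")" != 600 ]; then echo "$conf: $ks not mode 600"; rc=1
  fi
  return $rc
}

# Audit every node and require a single shared cluster.name.
audit_cluster() { # $@ = elasticsearch.yml paths
  local rc=0 c names
  for c in "$@"; do audit_node_conf "$c" || rc=1; done
  names=$(for c in "$@"; do es_setting "$c" cluster.name; done | sort -u | wc -l)
  [ "$((names))" -eq 1 ] || { echo "cluster.name differs across nodes"; rc=1; }
  return $rc
}
```

Run audit_cluster with the three config paths from the walkthrough (for example /usr/local/elasticsearch9201/config/elasticsearch.yml and its siblings) before restarting; a non-zero exit lists what to fix on which node.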
Basic security (Elasticsearch products)
This scenario builds on the minimal security requirements by adding Transport Layer Security (TLS) for communication between nodes. This additional layer requires nodes to verify security certificates, which prevents unauthorized nodes from joining your Elasticsearch cluster.
External HTTP traffic between Elasticsearch and Kibana is not encrypted, but inter-node communication is protected.