- 生成用于节点间安全通信(transport 层 TLS)的证书。注意:下面的 `-pass ""` 会生成空密码的 PKCS#12 文件,该文件包含私钥,应限制其读取权限;生产环境建议设置密码。
bin/elasticsearch-certutil cert -out config/elastic-certificates.p12 -pass ""
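- 将以下配置写入elasticsearch.yml(这些配置只加密节点间的 transport 通信,9200 端口的 HTTP 仍是明文,需要时另行开启 xpack.security.http.ssl.enabled;verification_mode 为 certificate 时只校验证书是否由受信任的 CA 签发,不校验主机名,full 才会同时校验主机名)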
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
-
保存第2步的配置后,在后台启动elasticsearch
./bin/elasticsearch -d
4.(可选操作,es版本高于6.8可以跳过)es的x-pack插件原为收费功能,6.8版本+/7版本都是免费功能;而我当前测试服elasticsearch版本为6.7.2,该版本中此插件仍为收费功能,因此需要先申请trial license(30天试用)
curl -H "Content-Type:application/json" -XPOST http://127.0.0.1:9200/_xpack/license/start_trial?acknowledge=true
-
执行如下命令为elasticsearch内部用户创建随机密码
bin/elasticsearch-setup-passwords auto
执行结束后,用户和密码的对应关系将会以明文打印到console,请立即妥善保存(例如存入密码管理器),不要留在终端日志或共享文档中
如果需要对每个用户自定义密码,auto参数修改为interactive -
再次打开elasticsearch head界面,将会提示输入密码,我们用上一步得到的elasticsearch用户的账号密码成功进入
image.png -
同时我们需要修改java端的es连接配置,添加用户名和密码等安全配置,否则将出现如下错误。建议为应用单独创建只具备所需权限的用户,而不是直接使用内置的超级用户
image.png
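/**
 * Spring configuration that exposes the Elasticsearch Java Low Level REST Client.
 *
 * <p>The low-level client is the official client that talks to an Elasticsearch cluster over
 * HTTP and leaves request marshalling and response un-marshalling to the caller. Its advantage
 * is that it is compatible with all Elasticsearch versions.
 *
 * <p>Security notes:
 * <ul>
 *   <li>The credentials are registered only for the configured host and port, so the client
 *       does not offer them to any other endpoint.</li>
 *   <li>{@code new HttpHost(host, port)} uses the {@code http} scheme, so the Basic credentials
 *       are sent unencrypted. If TLS is enabled on the cluster's HTTP layer, build the
 *       {@code HttpHost} with the {@code "https"} scheme instead.</li>
 *   <li>{@code elasticsearch.password} is read from the application properties; keep that value
 *       out of version control.</li>
 * </ul>
 */
@Configuration
public class ElasticSearchConfig {

    /** Maximum time to keep retrying a request across nodes: five minutes. */
    private static final int MAX_RETRY_TIMEOUT_MILLIS = 5 * 60 * 1000;

    @Value("${elasticsearch.host}")
    private String elasticsearchHost;

    @Value("${elasticsearch.port}")
    private int elasticsearchPort;

    @Value("${elasticsearch.username}")
    private String elasticsearchUserName;

    @Value("${elasticsearch.password}")
    private String elasticsearchPassword;

    /**
     * Builds the low-level REST client with HTTP Basic authentication.
     *
     * @return a {@link RestClient} bound to the configured host and port
     */
    @Bean
    public RestClient restClient() {
        final CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
        // Scope the credentials to the configured node rather than AuthScope.ANY, so they are
        // only presented to the Elasticsearch endpoint this client is meant to talk to.
        credentialsProvider.setCredentials(
                new AuthScope(elasticsearchHost, elasticsearchPort),
                new UsernamePasswordCredentials(elasticsearchUserName, elasticsearchPassword));

        return RestClient.builder(new HttpHost(elasticsearchHost, elasticsearchPort))
                .setHttpClientConfigCallback(httpClientBuilder ->
                        httpClientBuilder.setDefaultCredentialsProvider(credentialsProvider))
                .setMaxRetryTimeoutMillis(MAX_RETRY_TIMEOUT_MILLIS)
                .build();
    }
}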