Elasticsearch administration operations

Environment

  • elasticsearch 8.8.2

Security-related configuration management

Rotating the transport SSL certificate

With security enabled (xpack.security.enabled: true), traffic between the nodes of a cluster (the transport layer, port 9300 by default) must be protected with TLS (xpack.security.transport.ssl.enabled: true); a node in production mode fails its bootstrap checks without it. The certificate files used by the automatically generated configuration live in /etc/elasticsearch/certs/. To rotate or regenerate that certificate, follow these steps.

  1. Generate a CA (skip this step if you already have one). The command writes a PKCS#12 file holding the CA certificate and its private key, /usr/share/elasticsearch/elastic-stack-ca.p12 by default, and prompts for a password for that file. Pressing Enter leaves it unprotected; set a password, because whoever holds this file can issue certificates the whole cluster trusts.
    elasticsearch-certutil ca
  2. Generate the node certificate, signed by the CA. Enter the CA password when prompted (Enter if none), then a password for the new file. The default output is /usr/share/elasticsearch/elastic-certificates.p12 and contains the node key, the node certificate and the CA certificate. Without --dns or --ip the certificate carries no host name or address, which is only acceptable with xpack.security.transport.ssl.verification_mode: certificate (what the 8.x auto-generated elasticsearch.yml sets); the default mode, full, also checks the host name and needs a certificate issued for each node's name or IP.
    elasticsearch-certutil cert --ca elastic-stack-ca.p12
  3. Store the passwords of the PKCS#12 files in the node's keystore, /etc/elasticsearch/elasticsearch.keystore. keystore.secure_password protects the file named by xpack.security.transport.ssl.keystore.path, truststore.secure_password the file named by truststore.path; when both settings point at the same elastic-certificates.p12, enter the same password twice. The "already exists" prompt appears because the automatic security setup at first start already stored values for these settings.
    # elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
    Setting xpack.security.transport.ssl.keystore.secure_password already exists. Overwrite? [y/N]y
    Enter value for xpack.security.transport.ssl.keystore.secure_password:

    # elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
    Setting xpack.security.transport.ssl.truststore.secure_password already exists. Overwrite? [y/N]y
    Enter value for xpack.security.transport.ssl.truststore.secure_password:
  4. Copy the node certificate to /etc/elasticsearch/certs/ on every node of the cluster and fix ownership and permissions; the keystore is a per-node file, so repeat step 3 on each node too. elastic-stack-ca.p12 contains the CA private key and belongs on a node only if truststore.path points at it; otherwise keep it off the cluster and store it securely. The elasticsearch user only needs to read these files, so 640 is enough; 660 as below also works but grants a write bit nothing uses.
    chmod 660 /etc/elasticsearch/certs/*
    chown root:elasticsearch /etc/elasticsearch/certs/*
  5. Restart every node of the cluster. Nodes whose certificates chain to different CAs cannot open transport connections to each other, so when the CA changed this is a full-cluster restart with downtime; only a certificate re-issued from the unchanged CA can be rolled out node by node.
    systemctl restart elasticsearch
  6. Check the cluster state with any account that has the monitor cluster privilege (newadmin is the account created in the password-reset section below)
    # curl --user newadmin:password localhost:9200/_cluster/health?pretty
    {
    "cluster_name" : "es-cluster1",
    "status" : "green",
    "timed_out" : false,
    "number_of_nodes" : 3,
    "number_of_data_nodes" : 3,
    "active_primary_shards" : 18,
    "active_shards" : 37,
    "relocating_shards" : 0,
    "initializing_shards" : 0,
    "unassigned_shards" : 0,
    "delayed_unassigned_shards" : 0,
    "number_of_pending_tasks" : 0,
    "number_of_in_flight_fetch" : 0,
    "task_max_waiting_in_queue_millis" : 0,
    "active_shards_percent_as_number" : 100.0
    }
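The six steps above as one non-interactive script, added here as an example and not part of the original notes. It uses the documented elasticsearch-certutil options --out, --pass, --ca-pass and --days and elasticsearch-keystore add --stdin -f to avoid the prompts, ships only the node certificate (the CA file with its private key stays on the admin host), repeats the keystore step on every node, waits for green, and then inspects the certificate actually presented on port 9300. It assumes a package install (tools under /usr/share/elasticsearch/bin, configuration under /etc/elasticsearch), root ssh and scp access to the node host names passed as arguments, an account with the monitor cluster privilege in ES_AUTH, and an elasticsearch.yml on every node whose xpack.security.transport.ssl.keystore.path and truststore.path both point at certs/elastic-certificates.p12 with verification_mode: certificate, since the certificate carries no host names. The host names, passwords and account names are placeholders.

```shell
#!/usr/bin/env sh
# Added example, not part of the original notes: non-interactive rotation of the
# transport certificate for an Elasticsearch 8.x cluster, wrapping steps 1-6.
# Assumptions: package install, root ssh/scp to every node, ES_AUTH holds an
# account with the monitor cluster privilege, and elasticsearch.yml on every
# node points keystore.path and truststore.path at certs/elastic-certificates.p12
# with verification_mode: certificate. Host names and passwords are placeholders.
set -eu

ES_BIN=/usr/share/elasticsearch/bin
CERT_DIR=/etc/elasticsearch/certs
CA_FILE=elastic-stack-ca.p12
CERT_FILE=elastic-certificates.p12
CA_PASS="${CA_PASS:-change-me-ca}"        # never leave these empty in production
CERT_PASS="${CERT_PASS:-change-me-cert}"
ES_AUTH="${ES_AUTH:-newadmin:password}"   # user:password with the monitor privilege

# Fails if a file is readable, writable or executable by "other": a world-readable
# private key is the usual mistake after a manual copy.
not_world_accessible() {
  [ -z "$(find "$1" \( -perm -o+r -o -perm -o+w -o -perm -o+x \) -print)" ]
}

# Steps 1 and 2 without prompts. certutil writes the files with the default
# umask, so tighten them: the CA file holds the CA private key.
generate_certs() {
  "$ES_BIN/elasticsearch-certutil" ca --out "$CA_FILE" --pass "$CA_PASS" --days 3650
  "$ES_BIN/elasticsearch-certutil" cert --ca "$CA_FILE" --ca-pass "$CA_PASS" \
      --out "$CERT_FILE" --pass "$CERT_PASS" --days 1095
  chmod 600 "$CA_FILE" "$CERT_FILE"
  not_world_accessible "$CA_FILE"
}

# Step 3 on one node. The keystore is per node, so this runs on each of them.
# --stdin reads the value from stdin, -f overwrites without the y/N prompt.
set_keystore_passwords() {
  node="$1"
  for setting in xpack.security.transport.ssl.keystore.secure_password \
                 xpack.security.transport.ssl.truststore.secure_password; do
    printf '%s' "$CERT_PASS" | ssh "root@$node" \
      "$ES_BIN/elasticsearch-keystore add --stdin -f $setting"
  done
}

# Step 4: ship only the node certificate; it embeds the CA certificate, which is
# all the truststore needs. The CA .p12 stays on the admin host.
distribute_cert() {
  node="$1"
  scp "$CERT_FILE" "root@$node:$CERT_DIR/$CERT_FILE"
  ssh "root@$node" "chown root:elasticsearch $CERT_DIR/$CERT_FILE && chmod 640 $CERT_DIR/$CERT_FILE"
}

# Step 5: nodes on the old CA cannot talk to nodes on the new one, so restart
# everything at once rather than rolling.
restart_nodes() {
  for node in "$@"; do ssh "root@$node" systemctl restart elasticsearch; done
}

# Extracts the "status" field from cluster health JSON read on stdin.
health_status() { sed -n 's/.*"status" *: *"\([a-z]*\)".*/\1/p'; }

# Step 6: wait for green, then show the certificate actually served on 9300.
# Transport requires a client certificate by default, so s_client ends in a
# handshake alert after the server chain has been printed; that is expected.
verify() {
  node="$1"
  curl -sf --user "$ES_AUTH" \
    "http://$node:9200/_cluster/health?wait_for_status=green&timeout=120s" \
    | health_status | grep -qx green
  openssl s_client -connect "$node:9300" -showcerts </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -enddate -fingerprint -sha256
}

main() {
  generate_certs
  for node in "$@"; do
    distribute_cert "$node"
    set_keystore_passwords "$node"
  done
  restart_nodes "$@"
  for node in "$@"; do verify "$node"; done
}

# Runs only when node host names are given; with none it just defines the functions.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as ./rotate-transport-cert.sh es1 es2 es3 from the directory where the new certificate files should be written. The certificate and keystore passwords are distributed to every node before any node is restarted, so the full restart in restart_nodes is the only moment the cluster is unavailable; the openssl step at the end is what proves the nodes actually serve the new certificate rather than a stale copy.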

Resetting a user's password

If the password of the built-in elastic user is lost, the following command creates a new superuser in the file realm. Make sure the cluster is healthy first. Two caveats: elasticsearch-users only edits the users and users_roles files of the node it runs on, so the account exists on that node only, and a password given with -p ends up in the shell history and the process list; leave -p out to be prompted for it instead. On 8.x the dedicated tool elasticsearch-reset-password -u elastic -i does the same job without an extra account.

elasticsearch-users useradd newadmin -p password -r superuser

Next, use the account just created to reset the password of the existing account (elastic here):

# curl -s --user newadmin:password -XPUT "http://localhost:9200/_security/user/elastic/_password?pretty" -H 'Content-Type: application/json' -d '{
"password": "password1"
}'


After the reset succeeds, confirm that the new credentials work. Both requests here travel over plain HTTP on 9200, so the passwords are sent in clear text; run them on the node itself or enable xpack.security.http.ssl. Once elastic works again, remove the temporary superuser with elasticsearch-users userdel newadmin on the node where it was created.

# curl --user elastic:password1 localhost:9200/_cluster/health?pretty
{
"cluster_name" : "es-cluster1",
"status" : "green",
"timed_out" : false,
"number_of_nodes" : 3,
"number_of_data_nodes" : 3,
"active_primary_shards" : 19,
"active_shards" : 39,
"relocating_shards" : 0,
"initializing_shards" : 0,
"unassigned_shards" : 0,
"delayed_unassigned_shards" : 0,
"number_of_pending_tasks" : 0,
"number_of_in_flight_fetch" : 0,
"task_max_waiting_in_queue_millis" : 0,
"active_shards_percent_as_number" : 100.0
}
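The reset flow above as a script, added here as an example and not part of the original notes. It reads the new password without echo and sends it as the request body from stdin, lets curl prompt for the break-glass account's password instead of taking it on the command line, confirms the new credentials with _security/_authenticate, and finally removes the temporary file-realm superuser from every node on which it was created, since the file realm is local to each node. It assumes the same cluster as above (plain HTTP on 9200, so run it on a node or a trusted network), root ssh to the node host names passed after the target user name, and package paths; the 12-character minimum is this example's own policy, stricter than the 6 characters Elasticsearch itself enforces.

```shell
#!/usr/bin/env sh
# Added example, not part of the original notes: break-glass password reset for
# a native-realm user that keeps both passwords off the command line and removes
# the temporary file-realm superuser afterwards. Assumes HTTP on 9200 without
# TLS (as in the notes) and root ssh to every node where useradd was run.
# Host names and account names are placeholders.
set -eu

ES_URL="${ES_URL:-http://localhost:9200}"
ES_BIN=/usr/share/elasticsearch/bin
BREAKGLASS_USER=newadmin

# Minimal JSON string escaping (backslash and double quote) for the request body.
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Request body for PUT _security/user/<name>/_password.
password_body() {
  printf '{"password":"%s"}' "$(json_escape "$1")"
}

# Elasticsearch rejects passwords shorter than 6 characters; this example applies
# a stricter local minimum of 12 (an assumption, not an Elasticsearch rule).
password_ok() {
  [ "${#1}" -ge 12 ]
}

# Sends the new password as the request body read from stdin (-d @-). Giving
# curl only the user name (-u newadmin) makes it prompt for that password, so
# neither secret appears in `ps` or in the shell history.
reset_password() {
  target="$1"; new_pw="$2"
  password_ok "$new_pw" || { echo "password too short" >&2; return 1; }
  password_body "$new_pw" | curl -sf -u "$BREAKGLASS_USER" \
    -X PUT "$ES_URL/_security/user/$target/_password" \
    -H 'Content-Type: application/json' -d @-
}

# Confirms the new credentials authenticate and shows the roles they carry.
verify_login() {
  curl -sf -u "$1" "$ES_URL/_security/_authenticate?pretty"
}

# The file realm is local to each node: run userdel on every node where the
# break-glass account was created.
remove_breakglass() {
  for node in "$@"; do
    ssh "root@$node" "$ES_BIN/elasticsearch-users userdel $BREAKGLASS_USER"
  done
}

main() {
  target="$1"; shift
  printf 'New password for %s: ' "$target"
  stty -echo; read -r new_pw; stty echo; echo
  reset_password "$target" "$new_pw"
  verify_login "$target"        # prompts for the password just set
  remove_breakglass "$@"
}

# Usage: ./reset-es-password.sh elastic es1 es2 es3
if [ "$#" -gt 0 ]; then main "$@"; fi
```

The first argument is the user whose password is reset, the remaining arguments are the nodes on which elasticsearch-users useradd was run. The final userdel is the important part: a superuser in the file realm is invisible to the _security API and survives until someone removes it from that node's users file.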