Elasticsearch Hardening Guide: Enabling Login Authentication and SSL Encryption

In a previous article we introduced Elasticsearch security and access control. This article walks through the hands-on configuration for enabling login authentication and SSL encryption.

1 Why harden?

Elasticsearch ships with its security features disabled by default, which exposes the cluster to the following risks:

  • Unauthorized access: anyone who can reach the node can read or modify data
  • Data leakage: network traffic is unencrypted and can be eavesdropped
  • Compliance risk: the deployment does not meet enterprise security audit requirements

2 Environment

  • ES version: Elasticsearch 7.10.1
  • Operating system: CentOS 7.9

3 Configuration steps

3.1 Generate the SSL certificates

# Change into the ES installation directory
cd /export/home/elasticsearch-7.10.1/

# Generate the CA (--pass "" leaves the CA private key unprotected;
# restrict who can read elastic-stack-ca.p12 and keep it out of the deployed config directory)
/export/home/elasticsearch-7.10.1/bin/elasticsearch-certutil ca --pass ""

# Generate the node certificate; the --ip/--dns values become SANs covering every node
/export/home/elasticsearch-7.10.1/bin/elasticsearch-certutil cert \
--ca /export/home/elasticsearch-7.10.1/elastic-stack-ca.p12 \
--ip 192.168.10.33,192.168.10.34,192.168.10.35,127.0.0.1 \
--dns node3,node4,node5,localhost

# Create the certificate directory
mkdir -p config/certs

# Deploy the certificate; create the same directory on the other nodes and copy the certificate there
mv elastic-certificates.p12 config/certs/

3.2 Edit elasticsearch.yml

# Append the following to elasticsearch.yml

cat >>/export/home/elasticsearch-7.10.1/config/elasticsearch.yml<<EOF
# Core security settings
# xpack.security.enabled: true must already be set (covered in the previous article);
# on 7.x with a basic license it defaults to false
# HTTP-layer SSL
# verification_mode certificate validates the chain but not the hostname;
# full also checks the peer name against the --ip/--dns SANs
xpack.security.http.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/elastic-certificates.p12
  truststore.path: certs/elastic-certificates.p12

# Transport-layer SSL
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/elastic-certificates.p12
  truststore.path: certs/elastic-certificates.p12
EOF

# Restart the Elasticsearch service (a plain kill, i.e. SIGTERM, lets the node shut down cleanly; -9 does not)
ps -ef |grep elasticsearch-7.10.1|grep -v grep |awk '{print $2}'|xargs kill -9
/export/home/elasticsearch-7.10.1/bin/elasticsearch -d

3.3 Set passwords for the built-in users

# Set passwords interactively (the node must be running with security enabled)
/export/home/elasticsearch-7.10.1/bin/elasticsearch-setup-passwords interactive

# Generate passwords automatically (they are printed once; store the output somewhere safe)
/export/home/elasticsearch-7.10.1/bin/elasticsearch-setup-passwords auto

Main users involved

  • elastic: superuser
  • kibana_system: service account used by Kibana
  • logstash_system: account Logstash uses to connect

4 Verify the configuration

4.1 Check HTTPS access

# -k skips certificate verification; once the CA has been exported to ca.pem (see the Kibana section)
# prefer --cacert ca.pem. Passing the password on the command line exposes it in the process list
# and shell history; -u elastic alone makes curl prompt for it.
curl -k -u elastic:Lahmy1c@ https://192.168.10.33:9200

A healthy node returns JSON containing "tagline" : "You Know, for Search":

[lianggj@node4 config]$ curl -k -u elastic:Lahmy1c@ https://192.168.10.33:9200
{
  "name" : "node4",
  "cluster_name" : "my_es_cluster",
  "cluster_uuid" : "6JC1NLZXTWymb5WiLPvjaA",
  "version" : {
    "number" : "7.10.1",
    "build_flavor" : "default",
    "build_type" : "tar",
    "build_hash" : "1c34507e66d7db1211f66f3513706fdf548736aa",
    "build_date" : "2020-12-05T01:00:33.671820Z",
    "build_snapshot" : false,
    "lucene_version" : "8.7.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
[lianggj@node4 config]$ 

4.2 Test user permissions

# Attempt access without credentials. curl refuses first because the self-signed CA is not in its
# trust store (the error below); repeating with -k, or with --cacert, gets a 401 from Elasticsearch.
curl https://192.168.10.33:9200/_cat/indices

# Access with valid credentials
curl -k -u elastic:Lahmy1c@ https://192.168.10.33:9200/_security/user

[lianggj@node4 config]$ curl https://192.168.10.33:9200/_cat/indices
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
[lianggj@node4 config]$ curl -k -u elastic:Lahmy1c@ https://192.168.10.33:9200/_security/user
{"elastic":{"username":"elastic","roles":["superuser"],"full_name":null,"email":null,"metadata":{"_reserved":true},"enabled":true},"kibana":{"username":"kibana","roles":["kibana_system"],"full_name":null,"email":null,"metadata":{"_deprecated":true,"_deprecated_reason":"Please use the [kibana_system] user instead.","_reserved":true},"enabled":true},"kibana_system":{"username":"kibana_system","roles":["kibana_system"],"full_name":null,"email":null,"metadata":{"_reserved":true},"enabled":true},"logstash_system":{"username":"logstash_system","roles":["logstash_system"],"full_name":null,"email":null,"metadata":{"_reserved":true},"enabled":true},"beats_system":{"username":"beats_system","roles":["beats_system"],"full_name":null,"email":null,"metadata":{"_reserved":true},"enabled":true},"apm_system":{"username":"apm_system","roles":["apm_system"],"full_name":null,"email":null,"metadata":{"_reserved":true},"enabled":true},"remote_monitoring_user":{"username":"remote_monitoring_user","roles":["remote_monitoring_collector","remote_monitoring_agent"],"full_name":null,"email":null,"metadata":{"_reserved":true},"enabled":true}}[lianggj@node4 config]$ 
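The two curl checks above can be scripted so that the verification does not rely on -k. The script below is an added example for this guide, not code from the original post: it trusts only the CA exported to ca.pem (the path from the Kibana section), sends one anonymous and one authenticated request, and reports anything that deviates from the expected 401/200 pair. The host, CA path and credentials in main() are placeholders; the decision logic in assess() is kept free of network calls so it can be tested on its own.

```python
"""Verify that an Elasticsearch node enforces TLS and authentication.

Added example for this guide, not code from the original post. It assumes the CA
was exported to ca.pem as in the Kibana section; the host, path and credentials in
main() are placeholders.
"""
import base64
import json
import ssl
import urllib.error
import urllib.request

EXPECTED_TAGLINE = "You Know, for Search"


def fetch(url, ca_file, user=None, password=None, timeout=5):
    """GET url, trusting only the CA in ca_file (the equivalent of curl --cacert, not -k).

    Returns (status, body); HTTP errors such as 401 are returned, not raised.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(url)
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def assess(unauth_status, auth_status, auth_body):
    """Pure decision logic, so it can be tested without a cluster.

    An empty list means the node behaves as the guide expects: an anonymous request
    is rejected with 401 and an authenticated one returns the cluster banner.
    """
    findings = []
    if unauth_status != 401:
        findings.append(
            f"anonymous request returned {unauth_status}, expected 401 "
            "(is xpack.security.enabled true?)"
        )
    if auth_status != 200:
        findings.append(f"authenticated request returned {auth_status}, expected 200")
    else:
        try:
            tagline = json.loads(auth_body).get("tagline")
        except (json.JSONDecodeError, AttributeError):
            tagline = None
        if tagline != EXPECTED_TAGLINE:
            findings.append("authenticated response is not the cluster banner")
    return findings


def check_endpoint(base_url, ca_file, user, password):
    """Run both probes against a live node and return the findings."""
    try:
        unauth_status, _ = fetch(base_url, ca_file)
        auth_status, auth_body = fetch(base_url, ca_file, user, password)
    except urllib.error.URLError as err:
        # Covers TLS failures: a certificate not issued by ca_file, or a SAN that
        # does not match the address in base_url
        return [f"TLS/connection failure: {err.reason}"]
    return assess(unauth_status, auth_status, auth_body)


if __name__ == "__main__":
    # Placeholders: replace with your node address, CA bundle and credentials
    problems = check_endpoint(
        "https://192.168.10.33:9200",
        "/export/home/elasticsearch-7.10.1/config/certs/ca.pem",
        "elastic",
        "CHANGE_ME",
    )
    print("OK" if not problems else "\n".join(problems))
```

Because the context is built with ssl.create_default_context, the client also checks that the node's certificate SANs match the address in the URL, which is why the --ip/--dns values given to elasticsearch-certutil matter even though the server side uses verification_mode: certificate.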

5 Kibana integration

# Extract the CA certificate from the PKCS12 file. -cacerts -nokeys writes only the CA
# certificate; with -nodes the node's private key would also end up in ca.pem
cd /export/home/elasticsearch-7.10.1/config/certs
openssl pkcs12 -in elastic-certificates.p12 -cacerts -nokeys -out ca.pem

# Append the following to kibana.yml
# (the password can instead be stored with bin/kibana-keystore add elasticsearch.password
# so it does not sit in the file in plain text)
cat >>/export/home/kibana-7.10.1-linux-x86_64/config/kibana.yml<<EOF
elasticsearch.hosts: ["https://192.168.10.33:9200","https://192.168.10.34:9200","https://192.168.10.35:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.password: "Lahmy1c@"
elasticsearch.ssl.verificationMode: "certificate"
elasticsearch.ssl.certificateAuthorities: ["/export/home/elasticsearch-7.10.1/config/certs/ca.pem"]
EOF

# Restart Kibana
cd /export/home/kibana-7.10.1-linux-x86_64
ps -ef |grep kibana-7.10.1|grep -v grep |awk '{print $2}'|xargs kill -9
nohup ./bin/kibana &> kibana.log &
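A PEM file handed to Kibana as certificateAuthorities should contain certificates only; an export that also dumps the node's private key puts that key on every host where the bundle is copied. The checker below is an added example for this guide, not code from the original post. It parses the PEM blocks in a file (skipping the "Bag Attributes" lines openssl pkcs12 emits) and flags private keys, mismatched block labels and undecodable bodies. The sample PEM text it ships with is constructed: the base64 payloads are placeholders, not real certificates or keys.

```python
"""Check that a PEM file meant as a CA bundle for Kibana contains only certificates.

Added example for this guide, not code from the original post. The sample PEM
text below is constructed: its base64 payloads are placeholders, not real
certificates or keys.
"""
import base64
import binascii
import re
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)-----END ([A-Z0-9 ]+)-----", re.S
)


def pem_blocks(text):
    """Return (label, decoded bytes or None) for every PEM block in text.

    openssl pkcs12 prefixes blocks with 'Bag Attributes' lines; those are ignored.
    None marks a block whose body is not valid base64.
    """
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        begin, body, end = match.groups()
        label = begin if begin == end else f"{begin}/{end}"
        try:
            data = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            data = None
        blocks.append((label, data))
    return blocks


def audit_ca_bundle(text):
    """Return a list of findings; empty means the file is fit to be a CA bundle."""
    findings = []
    blocks = pem_blocks(text)
    if not blocks:
        return ["no PEM blocks found"]
    if not any(label == "CERTIFICATE" for label, _ in blocks):
        findings.append("no CERTIFICATE block: the file cannot serve as a CA bundle")
    for label, data in blocks:
        if "PRIVATE KEY" in label:
            # This is what 'openssl pkcs12 -nodes' produces: the node key lands next to the certs
            findings.append(
                f"{label} block present: a CA bundle must not carry private keys "
                "(export with -cacerts -nokeys)"
            )
        elif "/" in label:
            findings.append(f"mismatched BEGIN/END labels: {label}")
        elif data is None:
            findings.append(f"{label} block is not valid base64")
    return findings


def _constructed_block(label, payload):
    """Build a PEM block with a placeholder payload (constructed test data, not real DER)."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed samples: what a clean export and a key-leaking export look like structurally
SAMPLE_CLEAN = _constructed_block("CERTIFICATE", b"placeholder CA certificate")
SAMPLE_LEAKY = (
    "Bag Attributes\n    friendlyName: node\n"
    + _constructed_block("CERTIFICATE", b"placeholder node certificate")
    + _constructed_block("PRIVATE KEY", b"placeholder node key")
    + _constructed_block("CERTIFICATE", b"placeholder CA certificate")
)

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_LEAKY
    problems = audit_ca_bundle(text)
    print("OK" if not problems else "\n".join(problems))
    sys.exit(1 if problems else 0)
```

Run it as `python3 check_ca_bundle.py /export/home/elasticsearch-7.10.1/config/certs/ca.pem` after the export; a non-zero exit means the file should be regenerated before it is copied to the Kibana host.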

6 Troubleshooting

6.1 Certificate errors

PKIX path validation failed: java.security.cert.CertPathValidatorException

Solution

  • Confirm that every node uses a certificate issued by the same CA

6.2 Password reset

# elasticsearch-reset-password ships with Elasticsearch 8.0 and later; on 7.10.1 change a password
# through the API instead (POST /_security/user/<username>/_password, authenticated as a superuser)
bin/elasticsearch-reset-password -u elastic

6.3 Temporarily disable security (development only)

xpack.security.enabled: false
xpack.security.http.ssl.enabled: false
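The two lines above undo the work of section 3.2, and because elasticsearch.yml accepts both dotted keys and nested mappings, it is easy to lose track of what a file finally says. The script below is an added example for this guide, not code from the original post: it flattens the YAML subset that elasticsearch.yml uses into dotted keys, reports keys defined more than once, and checks the settings this guide turns on (security enabled, TLS on both layers, a keystore configured, verification not set to none). The two sample configurations are constructed from the guide's own snippets; the audit rules reflect Elasticsearch 7.x defaults.

```python
"""Audit elasticsearch.yml for the settings this guide turns on.

Added example for this guide, not code from the original post. It handles only the
YAML subset elasticsearch.yml uses (comments, dotted keys, nested mappings); the
sample configurations below are constructed from the guide's own snippets.
"""
import re
import sys

COMMENT = re.compile(r"(^|\s)#.*$")


def flatten_es_yaml(text):
    """Flatten elasticsearch.yml into dotted keys.

    'xpack.security.http.ssl.enabled: true' and the nested form
    'xpack.security.http.ssl:' / '  enabled: true' both become the same key.
    Returns (settings, duplicated_keys); a key defined twice is reported because
    the two values would otherwise silently compete.
    """
    settings, duplicates = {}, []
    stack = []  # (indent, key) of the enclosing mappings
    for raw in text.splitlines():
        line = COMMENT.sub("", raw).rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        while stack and indent <= stack[-1][0]:
            stack.pop()
        key, _, value = line.strip().partition(":")
        key = key.strip()
        full = ".".join([k for _, k in stack] + [key])
        value = value.strip().strip('"').strip("'")
        if value == "":
            stack.append((indent, key))  # start of a nested mapping
        else:
            if full in settings:
                duplicates.append(full)
            settings[full] = value
    return settings, duplicates


def audit(settings):
    """Return findings for a flattened config; empty means the guide's baseline is met."""
    findings = []
    # On 7.x with a basic license security is off unless this is set explicitly
    if settings.get("xpack.security.enabled", "false").lower() != "true":
        findings.append("xpack.security.enabled is not true: no authentication, anyone can read or modify data")
    for layer in ("http", "transport"):
        base = f"xpack.security.{layer}.ssl"
        if settings.get(f"{base}.enabled", "false").lower() != "true":
            findings.append(f"{base}.enabled is not true: {layer} traffic travels in clear text")
            continue
        if f"{base}.keystore.path" not in settings:
            findings.append(f"{base}.keystore.path missing: TLS is enabled without a certificate")
        # Elasticsearch defaults to full; none disables peer certificate checks entirely
        if settings.get(f"{base}.verification_mode", "full").lower() == "none":
            findings.append(f"{base}.verification_mode is none: peer certificates are not checked")
    return findings


# Constructed from the guide's section 3.2 block plus the explicit enable flag
HARDENED = """
# Core security settings
xpack.security.enabled: true
xpack.security.http.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/elastic-certificates.p12
  truststore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/elastic-certificates.p12
  truststore.path: certs/elastic-certificates.p12
"""

# The same file after the "development only" lines from section 6.3 were appended
DEV_OVERRIDE = HARDENED + """
xpack.security.enabled: false
xpack.security.http.ssl.enabled: false
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else DEV_OVERRIDE
    settings, duplicates = flatten_es_yaml(text)
    for key in duplicates:
        print(f"{key} is defined more than once (last value wins here: {settings[key]})")
    problems = audit(settings)
    print("OK" if not problems else "\n".join(problems))
    sys.exit(1 if problems or duplicates else 0)
```

Pointing it at the real file (`python3 audit_es_yml.py /export/home/elasticsearch-7.10.1/config/elasticsearch.yml`) before each restart catches a forgotten development override before the node comes back up without authentication.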

7 Appendix: common security commands

# List users
GET /_security/user

# Create a custom role. "cluster" takes cluster privileges such as monitor or manage,
# not index names; index names and their privileges go under "indices"
POST /_security/role/my_admin
{
  "cluster": ["monitor"],
  "indices": [
    {
      "names": ["myindex-*"],
      "privileges": ["read", "write"]
    }
  ]
}