Elasticsearch安全加固指南:启用登录认证与SSL加密

在之前文章中我们介绍了Elasticsearch安全与权限控制,本篇文章我们将详细介绍 启用登录认证与SSL加密 实践配置操作

1 为什么需要安全加固?

Elasticsearch默认不启用安全功能,会导致以下风险:

  • 未授权访问:任何人都能读取/修改数据
  • 数据泄露:网络传输未加密,可能被窃听
  • 合规性风险:不符合企业安全审计要求

2 环境准备

  • ES版本:Elasticsearch 7.10.1
  • 操作系统:CentOS 7.9

3 配置步骤

3.1 生成SSL证书

复制代码
# 进入ES安装目录
cd /export/home/elasticsearch-7.10.1/

# 生成CA证书
/export/home/elasticsearch-7.10.1/bin/elasticsearch-certutil ca --pass ""

# 生成节点证书
/export/home/elasticsearch-7.10.1/bin/elasticsearch-certutil cert \
--ca /export/home/elasticsearch-7.10.1/elastic-stack-ca.p12 \
--ip 192.168.10.33,192.168.10.34,192.168.10.35,127.0.0.1 \
--dns node3,node4,node5,localhost

# 创建证书目录
mkdir config/certs

# 部署证书,同时在其余节点上创建相同目录并拷贝证书过去
mv elastic-certificates.p12 config/certs/

3.2 修改elasticsearch.yml

复制代码
#编辑elasticsearch.yml文件增加如下内容

cat >>/export/home/elasticsearch-7.10.1/config/elasticsearch.yml<<EOF
# 安全核心配置
# HTTP层SSL
xpack.security.http.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/elastic-certificates.p12
  truststore.path: certs/elastic-certificates.p12

# 传输层SSL
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/elastic-certificates.p12
  truststore.path: certs/elastic-certificates.p12
EOF

# 重启elasticsearch服务
ps -ef |grep elasticsearch-7.10.1|grep -v grep |awk '{print $2}'|xargs kill -9
/export/home/elasticsearch-7.10.1/bin/elasticsearch -d

3.3 设置内置用户密码

复制代码
# 交互式设置密码
/export/home/elasticsearch-7.10.1/bin/elasticsearch-setup-passwords interactive

# 自动生成密码(输出需保存)
/export/home/elasticsearch-7.10.1/bin/elasticsearch-setup-passwords auto

涉及的主要用户

  • elastic:超级管理员
  • kibana_system:Kibana服务账号
  • logstash_system:Logstash连接账号

4 验证配置

4.1 检查HTTPS访问

复制代码
curl -k -u elastic:Lahmy1c@ https://192.168.10.33:9200

正常应返回包含"tagline" : "You Know, for Search"的JSON

复制代码
[lianggj@node4 config]$ curl -k -u elastic:Lahmy1c@ https://192.168.10.33:9200
{
  "name" : "node4",
  "cluster_name" : "my_es_cluster",
  "cluster_uuid" : "6JC1NLZXTWymb5WiLPvjaA",
  "version" : {
    "number" : "7.10.1",
    "build_flavor" : "default",
    "build_type" : "tar",
    "build_hash" : "1c34507e66d7db1211f66f3513706fdf548736aa",
    "build_date" : "2020-12-05T01:00:33.671820Z",
    "build_snapshot" : false,
    "lucene_version" : "8.7.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
[lianggj@node4 config]$ 

4.2 测试用户权限

复制代码
# 尝试未授权访问
curl https://192.168.10.33:9200/_cat/indices

# 使用正确凭证访问
curl -k -u elastic:Lahmy1c@ https://192.168.10.33:9200/_security/user

[lianggj@node4 config]$ curl https://192.168.10.33:9200/_cat/indices
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
[lianggj@node4 config]$ curl -k -u elastic:Lahmy1c@ https://192.168.10.33:9200/_security/user
{"elastic":{"username":"elastic","roles":["superuser"],"full_name":null,"email":null,"metadata":{"_reserved":true},"enabled":true},"kibana":{"username":"kibana","roles":["kibana_system"],"full_name":null,"email":null,"metadata":{"_deprecated":true,"_deprecated_reason":"Please use the [kibana_system] user instead.","_reserved":true},"enabled":true},"kibana_system":{"username":"kibana_system","roles":["kibana_system"],"full_name":null,"email":null,"metadata":{"_reserved":true},"enabled":true},"logstash_system":{"username":"logstash_system","roles":["logstash_system"],"full_name":null,"email":null,"metadata":{"_reserved":true},"enabled":true},"beats_system":{"username":"beats_system","roles":["beats_system"],"full_name":null,"email":null,"metadata":{"_reserved":true},"enabled":true},"apm_system":{"username":"apm_system","roles":["apm_system"],"full_name":null,"email":null,"metadata":{"_reserved":true},"enabled":true},"remote_monitoring_user":{"username":"remote_monitoring_user","roles":["remote_monitoring_collector","remote_monitoring_agent"],"full_name":null,"email":null,"metadata":{"_reserved":true},"enabled":true}}[lianggj@node4 config]$ 

5 Kibana集成配置

复制代码
# PKCS12文件中提取CA证书:
cd /export/home/elasticsearch-7.10.1/config/certs
openssl pkcs12 -in elastic-certificates.p12 -out ca.pem -nodes

# 编辑修改kibana.yml,添加如下内容
cat >>/export/home/kibana-7.10.1-linux-x86_64/config/kibana.yml<<EOF
elasticsearch.hosts: ["https://192.168.10.33:9200","https://192.168.10.34:9200","https://192.168.10.35:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.password: "Lahmy1c@"
elasticsearch.ssl.verificationMode: "certificate"
elasticsearch.ssl.certificateAuthorities: ["/export/home/elasticsearch-7.10.1/config/certs/ca.pem"]
EOF

# 重启
ps -ef |grep esmagent|grep -v grep |awk '{print $2}'|xargs kill -9
nohup ./bin/kibana &> kibana.log &

6 常见问题解决

6.1 证书错误

复制代码
PKIX path validation failed: java.security.cert.CertPathValidatorException

解决方案

  • 确认所有节点使用相同CA签发证书

6.2 密码重置

复制代码
bin/elasticsearch-reset-password -u elastic

6.3 临时关闭安全(仅开发)

复制代码
xpack.security.enabled: false
xpack.security.http.ssl.enabled: false

7 附:常用安全命令

复制代码
# 查看用户列表
GET /_security/user

# 创建自定义角色
POST /_security/role/my_admin
{
  "cluster": ["myindx"],
  "indices": [
    {
      "names": ["myindex-*"],
      "privileges": ["read", "write"]
    }
  ]
}
相关推荐
泯泷1 小时前
第 2 篇:设计第一套字节码:Opcode、Instruction 与 Constant Pool
前端·javascript·安全
泯泷1 小时前
第 1 篇:从 1 + 2 开始:亲手写出第一台 JSVM
前端·javascript·安全
Elasticsearch8 小时前
使用 Elastic Agent Builder 和 Sarvam AI 构建多语言语音 agent
elasticsearch
武子康4 天前
调查研究-197 FAISS vs Elasticsearch 全面对比:从向量检索、全文搜索到 RAG 选型指南
人工智能·elasticsearch·agent
Flynt4 天前
npm v12 来了:allowScripts 默认关闭,我的项目差点跑不起来
安全·npm·node.js
Elasticsearch5 天前
Elasticsearch ES|QL:现已支持视图、子查询和读取时模式定义
elasticsearch
Elasticsearch8 天前
Kibana 中的 SNMP 拓扑数据:从采集到 Canvas
elasticsearch
冬奇Lab9 天前
Skill 系列(02):Skill 安全风险——三类攻击面的实战测试
人工智能·安全·开源
Elasticsearch10 天前
3个信号、2个环境变量、0个采集器:使用 Python 和 Elastic 的托管 OTLP 端点实现 OpenTelemetry
elasticsearch