Table of contents
- Prerequisites
- Enable Elasticsearch security features
- Configure Kibana to connect to Elasticsearch with a password
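At this point, looking at the auto-generated passwords is mostly all you need; see the Kibana configuration section for reference.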
You enable the Elasticsearch security features and then create passwords for built-in users. You can add more users later, but using the built-in users simplifies the process of enabling security for your cluster.
The minimal security scenario is not sufficient for production mode clusters. If your cluster has multiple nodes, you must enable minimal security and then configure Transport Layer Security (TLS) between nodes.
Prerequisites
Install and configure Elasticsearch and Kibana. See Getting started with the Elastic Stack.
Verify that you are using a license that includes the specific security features you want.
The basic license includes minimal security settings for the Elastic Stack, so you can just download the distribution and get to work. You can also enable a free trial license to access all features of the Elastic Stack. See subscriptions and license management.
Enable Elasticsearch security features
When you use the basic license, the Elasticsearch security features are disabled by default. Enabling the Elasticsearch security features enables basic authentication so that you can run a local cluster with username and password authentication.
On every node in your cluster, stop both Kibana and Elasticsearch if they are running.
On every node in your cluster, add the xpack.security.enabled setting to the $ES_PATH_CONF/elasticsearch.yml file and set the value to true:
xpack.security.enabled: true
The $ES_PATH_CONF variable is the path for the Elasticsearch configuration files. If you installed Elasticsearch using archive distributions (zip or tar.gz), the variable defaults to $ES_HOME/config. If you used package distributions (Debian or RPM), the variable defaults to /etc/elasticsearch.
If your cluster has a single node, add the discovery.type setting in the $ES_PATH_CONF/elasticsearch.yml file and set the value to single-node. This setting ensures that your node does not inadvertently connect to other clusters that might be running on your network.
discovery.type: single-node
Create passwords for built-in users
To communicate with the cluster, you must configure a username for the built-in users. Unless you enable anonymous access, all requests that don’t include a user name and password are rejected.
You only need to set passwords for the elastic and kibana_system users when enabling minimal or basic security.
On every node in your cluster, start Elasticsearch. For example, if you installed Elasticsearch with a .tar.gz package, run the following command from the ES_HOME directory:
./bin/elasticsearch
In another terminal window, set the passwords for the built-in users by running the elasticsearch-setup-passwords utility.
You can run the elasticsearch-setup-passwords utility against any node in your cluster. However, you should only run this utility one time for the entire cluster.
Using the auto parameter outputs randomly-generated passwords to the console that you can change later if necessary:
./bin/elasticsearch-setup-passwords auto
If you want to use your own passwords, run the command with the interactive parameter instead of the auto parameter. Using this mode steps you through password configuration for all of the built-in users.
./bin/elasticsearch-setup-passwords interactive
Save the generated passwords. You’ll need them to add the built-in user to Kibana.
After you set a password for the elastic user, you cannot run the elasticsearch-setup-passwords command a second time.
Configure Kibana to connect to Elasticsearch with a password
When the Elasticsearch security features are enabled, users must log in to Kibana with a valid username and password.
You’ll configure Kibana to use the built-in kibana_system user and the password that you created earlier. Kibana performs some background tasks that require use of the kibana_system user.
This account is not meant for individual users and does not have permission to log in to Kibana from a browser. Instead, you’ll log in to Kibana as the elastic superuser.
Add the elasticsearch.username setting to the KIB_PATH_CONF/kibana.yml file and set the value to the kibana_system user:
elasticsearch.username: "kibana_system"
The KIB_PATH_CONF variable is the path for the Kibana configuration files. If you installed Kibana using archive distributions (zip or tar.gz), the variable defaults to KIB_HOME/config. If you used package distributions (Debian or RPM), the variable defaults to /etc/kibana.
From the directory where you installed Kibana, run the following commands to create the Kibana keystore and add the secure settings:
Create the Kibana keystore:
./bin/kibana-keystore create
Add the password for the kibana_system user to the Kibana keystore:
./bin/kibana-keystore add elasticsearch.password
When prompted, enter the password for the kibana_system user.
Restart Kibana. For example, if you installed Kibana with a .tar.gz package, run the following command from the Kibana directory:
./bin/kibana
Log in to Kibana as the elastic user. Use this superuser account to manage spaces, create new users, and assign roles. If you’re running Kibana locally, go to http://localhost:5601 to view the login page.
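The settings from both procedures above can be checked offline before the services are restarted. The script below is an added example, not part of the original page or of Elastic's tooling; the function names and the sample files are constructed for illustration, and only the flat dotted key form shown on this page is parsed.

```shell
#!/usr/bin/env bash
# Added example: offline audit of the settings configured in the steps above.

# yaml_value FILE KEY: print the value of an uncommented flat "key: value" line
# (the dotted form this page uses; nested YAML is not handled).
yaml_value() {
  key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
  sed -n -E "s/^${key_re}[[:space:]]*:[[:space:]]*//p" "$1" \
    | sed -E 's/[[:space:]]+#.*$//; s/[[:space:]]+$//' | tr -d \"\' | tail -n 1
}

# audit_minimal_security ES_YML KIBANA_YML: returns the number of failed checks.
audit_minimal_security() {
  es_yml=$1; kibana_yml=$2; failures=0
  if [ "$(yaml_value "$es_yml" xpack.security.enabled)" != "true" ]; then
    echo "FAIL: xpack.security.enabled is not true in $es_yml"
    failures=$((failures + 1))
  fi
  if [ "$(yaml_value "$kibana_yml" elasticsearch.username)" != "kibana_system" ]; then
    echo "FAIL: elasticsearch.username is not kibana_system in $kibana_yml"
    failures=$((failures + 1))
  fi
  # The password belongs in the Kibana keystore, not in kibana.yml.
  if [ -n "$(yaml_value "$kibana_yml" elasticsearch.password)" ]; then
    echo "FAIL: plaintext elasticsearch.password in $kibana_yml"
    failures=$((failures + 1))
  fi
  if [ "$failures" -eq 0 ]; then echo "OK: minimal security settings present"; fi
  return "$failures"
}

# Constructed sample files (not from the page): one good pair, one weak pair.
demo_dir=$(mktemp -d)
printf 'xpack.security.enabled: true\ndiscovery.type: single-node\n' > "$demo_dir/es_good.yml"
printf 'elasticsearch.username: "kibana_system"\n' > "$demo_dir/kibana_good.yml"
printf '#xpack.security.enabled: true\n' > "$demo_dir/es_weak.yml"
printf 'elasticsearch.username: "elastic"\nelasticsearch.password: "changeme"\n' \
  > "$demo_dir/kibana_weak.yml"

audit_minimal_security "$demo_dir/es_good.yml" "$demo_dir/kibana_good.yml" || true
audit_minimal_security "$demo_dir/es_weak.yml" "$demo_dir/kibana_weak.yml" || true
```

Against a real installation, pass $ES_PATH_CONF/elasticsearch.yml and KIB_PATH_CONF/kibana.yml as the two arguments; a non-zero return value is the number of settings that still need fixing.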