一，

前言

本文主要内容是通过elasticsearch的api来进行一些集群的管理和信息查询工作，以及elasticsearch用户的增删改查和密码的重设以及重置如何操作

接上文：elasticsearch|大数据|elasticsearch低版本集群的部署安装和安全增强---密码设置问题-CSDN博客

上文主要介绍了elasticsearch低版本集群的部署和密码的设定，这些是大大的提高了集群的安全性，但关于security（安全性）只是稍微提及，本文将要更加的深入的介绍这些安全措施，其次是部署完集群仅仅是第一步，如何正确的使用，高效的使用集群才是最终的目的，本文也将从这些方面做一个简单的论述。

二，

elasticsearch的安全插件----xpack

该插件主要是两个功能，第一个是通过config文件夹下的elasticsearch-keystone文件加密api，使得在使用api的时候必须要先检验预设的用户和密码

其次是ssl加密，通过certgen这个工具生成自签的ca证书（高版本的es这个工具可能改名），以提高elasticsearch的网络安全

在主配置文件中，有以下三个选项，这三个选项是这两个功能的开关：

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: false
xpack.security.http.ssl.ssl.enabled: false

上文讲了密码校验的开启，ssl如何开启没有说，本文就把这个补充上吧

xpack.security.transport.ssl.enabled: false 这个选项应该是集群间ssl自签证书验证，防止恶意的增添节点

xpack.security.http.ssl.ssl.enabled: false 这个选项应该是使用自签证书，外部访问集群的时候需要证书验证，通俗的说就是https

那么，先开启xpack.security.transport.ssl.enabled，具体步骤如下：

1，在master节点生成ca证书（这个证书带密码，也可以不带密码，我这里用了密码，随意设置一个记得住的就可以了）# 生成elastic-stack-ca.p12文件

[root@node1 es]# ./bin/x-pack/certutil ca
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authorityBy default the 'ca' mode produces a single PKCS#12 output file which holds:* The CA certificate* The CA's private keyIf you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private keyPlease enter the desired output file [elastic-stack-ca.p12]: 
Enter password for elastic-stack-ca.p12 : 

2，生成elastic-certificates.p12这个文件，在其它节点生成同样的文件，命令稍微修改一下#### 生成elastic-certificates.p12文件，供elasticsearch使用（只在master节点生成，然后拷贝到其它节点即可，scp命令或者什么其它的方式都可以，不得在其它节点自己生成）：

[root@node1 es]# ./bin/x-pack/certutil cert --ca elastic-stack-ca.p12
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.The 'cert' mode generates X.509 certificate and private keys.* By default, this generates a single certificate and key for useon a single instance.* The '-multiple' option will prompt you to enter details for multipleinstances and will generate a certificate and key for each one* The '-in' option allows for the certificate generation to be automated by describingthe details of each instance in a YAML file* An instance is any piece of the Elastic Stack that requires a SSL certificate.Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beatsmay all require a certificate and private key.* The minimum required value for each instance is a name. This can simply be thehostname, which will be used as the Common Name of the certificate. A fulldistinguished name may also be used.* A filename value may be required for each instance. This is necessary when thename would result in an invalid file or directory name. The name provided hereis used as the directory name (within the zip) and the prefix for the key andcertificate files. The filename is required if you are prompted and the nameis not displayed in the prompt.* IP addresses and DNS names are optional. Multiple values can be specified as acomma separated string. If no IP addresses or DNS names are provided, you maydisable hostname verification in your SSL configuration.* All certificates generated by this tool will be signed by a certificate authority (CA).* The tool can automatically generate a new CA for you, or you can provide your own with the-ca or -ca-cert command line options.By default the 'cert' mode produces a single PKCS#12 output file which holds:* The instance certificate* The private key for the instance certificate* The CA certificateIf you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the instance certificate, the key and the CA certificateIf you elect to generate multiple instances certificates, the output will be a zip file
containing all the generated certificatesEnter password for CA (elastic-stack-ca.p12) : 
Please enter the desired output file [elastic-certificates.p12]: 
Enter password for elastic-certificates.p12 : Certificates written to /data/es/elastic-certificates.p12This file should be properly secured as it contains the private key for 
your instance.This file is a self contained file and can be copied and used 'as is'
For each Elastic product that you wish to configure, you should copy
this '.p12' file to the relevant configuration directory
and then follow the SSL configuration instructions in the product guide.For client applications, you may only need to copy the CA certificate and
configure the client to trust this certificate.

3，如果该证书设置了证书，那么需要节点认证通过，否则会报没有权限读取（每个节点都执行）：

./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

4，为了防止elasticsearch因为权限问题启动失败，再次递归赋属组：

chown -Rf es. /data/es

5，elasticsearch主配置文件的修改

在主配置文件末尾添加如下内容：

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-methods : OPTIONS, HEAD, GET, POST, PUT, DELETE
http.cors.allow-headers : X-Requested-With,X-Auth-Token,Content-Type,Content-Length
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /data/es/config/cert/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /data/es/config/cert/elastic-certificates.p12

 

6，在补充说明一下：

因为elasticsearch集群是使用的发现机制，因此，master在扫描到同网段其它的服务器的9300-9305端口的时候，就会将其自动加入集群，而如果没有任何验证的加入节点是非常危险的，因此，证书的密码建议是最好设置，恶意节点将会因为没有证书文件并通过节点认证而无法随意加入集群，这样，我们的集群将会比较的安全。

verification_mode 控制服务器证书的验证。有效值为：

• # full 验证提供的证书是否由可信机构 (CA) 签名，并验证服务器的主机名（或 IP 地址）是否与证书中标识的名称相匹配。
• # strict 验证提供的证书是否由可信机构 (CA) 签名，并验证服务器的主机名（或 IP 地址）是否与证书中标识的名称相匹配。如果 Subject Alternative Name 为空，则返回错误。
• # certificate 验证提供的证书是否由可信机构 (CA) 签名，但不执行任何主机名验证。
• # none 不执行服务器证书的验证。此模式会禁用 SSL/TLS 的许多安全优势，应仅在谨慎考虑后使用。它主要用作尝试解决 TLS 错误时的临时诊断机制；强烈建议不要在生产环境中使用它。

keystore:存放公钥，私钥，数字签名等信息
truststore:存放信任的证书
keystore和truststore都存放key,不同的地方是truststore只存放公钥的数字证书,代表了可以信任的证书,keystore存放私钥相关.

未完待续！！！！！！！！！