TBDS-Elasticsearch安全认证配置方法

Elasticsearch未授权访问漏洞

ES高版本已经支持x-pack认证，TBDS的ES版本是6.4.2，默认已经安装了x-pack，下面是配置方法。

配置认证步骤

1.停止ES服务

2.备份ES配置文件

登录所有ES节点

[root@tbds-172-27-0-174 bin]# cp /etc/elasticsearch/elasticsearch.yml /tmp/elasticsearch.yml.bak

3.修改配置文件开启认证

提供两种方法修改配置文件

（1）在ES节点直接修改配置文件，但是这种方法在TBDS集群不建议，若通过8088页面重启ES服务会把配置还原

登录所有ES节点，在每个ES节点的/etc/elasticsearch/elasticsearch.yml配置文件中增加以下参数 http.cors.enabled: true

http.cors.allow-origin: "*"

http.cors.allow-headers: Authorization

xpack.security.enabled: true

xpack.security.transport.ssl.enabled: true

xpack.security.transport.ssl.verification_mode: certificate

xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12

xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

（2）在TBDS-portal节点修改ambari-server服务集成代码，该方法适用于TBDS集群

登录portal节点，修改/var/lib/tbds-server/resources/common-services/ES/7.6.2/package/templates/elasticsearch.yml.j2文件，加入下面参数

http.cors.enabled: true

http.cors.allow-origin: "*"

http.cors.allow-headers: Authorization

xpack.security.enabled: true

xpack.security.transport.ssl.enabled: true

xpack.security.transport.ssl.verification_mode: certificate

xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12

xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

修改完文件后重启tbds-server服务

Tbds-server restart

4.配置证书及密钥

生成CA证书

[root@tbds-172-27-0-174 bin]# cd /usr/share/elasticsearch/

[root@tbds-172-27-0-174 elasticsearch]# bin/elasticsearch-certutil ca ##生成证书，直接全部回车到最后

生成P12密钥

[root@tbds-172-27-0-174 elasticsearch]# bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 ##生成密钥直接全部回车到最后

拷贝证书相关文件到其他ES节点，所有ES节点都需要拷贝

[root@tbds-172-27-0-174 elasticsearch]# scp elastic-certificates.p12 elastic-stack-ca.p12 tbds-172-27-0-90:/usr/share/elasticsearch/

以下步骤所有节点都需要操作===================

创建证书存放目录，与配置文件中的xpack.security.transport.ssl.keystore.path能对应上

[root@tbds-172-27-0-174 elasticsearch]# mkdir -p /etc/elasticsearch/certs

[root@tbds-172-27-0-174 elasticsearch]# mv /usr/share/elasticsearch/elastic-certificates.p12 /etc/elasticsearch/certs/

[root@tbds-172-27-0-174 elasticsearch]# mv /usr/share/elasticsearch/elastic-stack-ca.p12 /etc/elasticsearch/certs/

修改属主

[root@tbds-172-27-0-174 elasticsearch]# chown elasticsearch:elasticsearch -R /etc/elasticsearch/certs

以上步骤所有节点都需要操作===================

5.后台启动ES服务

登录所有ES节点，切换到es用户，启动ES服务

[root@tbds-172-27-0-174 elasticsearch]# su elasticsearch

[elasticsearch@tbds-172-27-0-174 elasticsearch]$ /usr/share/elasticsearch/bin/elasticsearch -p /var/run/elasticsearch/elasticsearch.pid –d

6.设置ES密码

手动设置密码或者自动生成，密码需要记住

[root@tbds-172-27-0-174 elasticsearch]# pwd

/usr/share/elasticsearch

[root@tbds-172-27-0-174 elasticsearch]# bin/elasticsearch-setup-passwords interactive ##手动设置密码方式

[root@tbds-172-27-0-174 elasticsearch]# bin/elasticsearch-setup-passwords auto ##自动生成

7.测试认证是否成功

[root@tbds-172-27-0-174 elasticsearch]# curl http://172.27.0.174:9200 -uelastic:xxxxx

问题处理

1.执行elasticsearch-setup-passwords报错“ERROR: Failed to set password for user [apm_system].”

查看es日志如下

[2020-12-17T16:37:16,729][WARN ][o.e.c.c.ClusterFormationFailureHelper] [tbds-172-27-0-174] master not discovered or elected yet, an election requ

ires at least 2 nodes with ids from [ddeZ8y5iTTKvNFGaWINowA, V6XBAGPMQBqi4JoQKdH_iQ, PAnaiq_iT5OkcerxQgKmdQ], have discovered [{tbds-172-27-0-174}

{ddeZ8y5iTTKvNFGaWINowA}{koDe1kE1TOy93i0cuJvcdQ}{tbds-172-27-0-174}{172.27.0.174:9300}{dilm}{ml.machine_memory=33568198656, xpack.installed=true,

ml.max_open_jobs=20}] which is not a quorum; discovery will continue using [172.27.0.90:9300, 172.27.0.221:9300] from hosts providers and [{tbds-1

72-27-0-174}{ddeZ8y5iTTKvNFGaWINowA}{koDe1kE1TOy93i0cuJvcdQ}{tbds-172-27-0-174}{172.27.0.174:9300}{dilm}{ml.machine_memory=33568198656, xpack.inst

alled=true, ml.max_open_jobs=20}] from last-known cluster state; node term 5, last-accepted version 227 in term 5

该问题主要是配置文件中配置了多个master地址导致，可以先修改ES配置文件只保留一个master地址，待认证配置完毕后再修改回去，解决方法可按如下操作

（1）首先选择任意一台ES节点作为master，然后登录这台服务器，修改/etc/elasticsearch/elasticsearch.yml配置文件，cluster.initial_master_nodes参数只保留master节点

（2）登录其他ES节点，修改配置文件/etc/elasticsearch/elasticsearch.yml

注释node.master参数，cluster.initial_master_nodes参数只保留master节点

（3）所有节点修改完后，重启ES服务

[root@tbds-172-27-0-174 elasticsearch]# su elasticsearch

[elasticsearch@tbds-172-27-0-174 elasticsearch]$ cat /var/run/elasticsearch/elasticsearch.pid |xargs kill

[elasticsearch@tbds-172-27-0-174 elasticsearch]$ /usr/share/elasticsearch/bin/elasticsearch -p /var/run/elasticsearch/elasticsearch.pid -d

2.启动es服务，ES日志报错No available authentication scheme

[2020-12-17T16:49:59,210][WARN ][o.e.t.TcpTransport ] [tbds-172-27-0-174] exception caught on transport layer [Netty4TcpChannel{localAddress

=/172.27.0.174:9300, remoteAddress=/172.27.0.221:16449}], closing connection

io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: No available authentication scheme

该问题主要是因为没有配置ca证书导致，通过本文中第4步配置证书后该报错消失