Ana Sayfa Keşfet Yardım
Giriş Yap
lqb
/
elasticsearch
şunun yansıması https://gitee.com/mirrors/elasticsearch.git
1
0
Çatalla 0
Dosyalar Sorunlar 0 Wiki
Ağaç: 8dd563134c
Dallar Biçim İmleri
elasticsearch
/
x-pack
/
docs
/
en
/
security
/
securing-communications
/
security-minimal-setup.asciidoc

security-minimal-setup.asciidoc 5.1 KB
Geçmiş Ham

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149 
  1. [[security-minimal-setup]]
    2. 

  2. === Set up minimal security for {es}
    3. 

  3. ++++
    4. 

  4. <titleabbrev>Set up minimal security</titleabbrev>
    5. 

  5. ++++
    6. 

  6. 

  7. You enable the Elasticsearch security features and then create
    8. 

  8. passwords for built-in users. You can add more users later, but using the
    9. 

  9. built-in users simplifies the process of enabling security for your
    10. 

  10. cluster.
    11. 

  11. 

  12. ==== Prerequisites
    13. 

  13. 

  14. . Install and configure {es} and {kib}. See https://www.elastic.co/guide/en/elastic-stack-get-started/current/get-started-elastic-stack.html[Getting started with the Elastic Stack].
    15. 

  15. 

  16. . Verify that you are using a license that includes the specific security
    17. 

  17. features you want.
    18. 

  18. +
    19. 

  19. The basic license includes minimal security settings for the Elastic Stack, so
    20. 

  20. you can just download the distribution and get to work. You can also enable a
    21. 

  21. free trial license to access all features of the Elastic Stack. See https://www.elastic.co/subscriptions[subscriptions] and https://www.elastic.co/guide/en/kibana/current/managing-licenses.html[license management].
    22. 

  22. 

  23. ==== Enable {es} security features
    24. 

  24. 

  25. When you use the basic license, the {es} security features are disabled by
    26. 

  26. default. Enabling the {es} security features enables basic authentication so
    27. 

  27. that you can run a local cluster with username and password authentication.
    28. 

  28. 

  29. . Stop both {kib} and {es} if they are running.
    30. 

  30. 

  31. . Add the `xpack.security.enabled` setting to the `ES_PATH_CONF/elasticsearch.yml` file and set the value to `true`:
    32. 

  32. +
    33. 

  33. [source,yaml]
    34. 

  34. ----
    35. 

  35. xpack.security.enabled: true
    36. 

  36. ----
    37. 

  37. +
    38. 

  38. NOTE: The `ES_PATH_CONF` variable is the path for the {es}
    39. 

  39. configuration files. If you installed {es} using archive distributions
    40. 

  40. (`zip` or `tar.gz`), the variable defaults to `ES_HOME/config`. If you used
    41. 

  41. package distributions (Debian or RPM), the variable defaults to `/etc/elasticsearch`.
    42. 

  42. 

  43. [[security-create-builtin-users]]
    44. 

  44. ==== Create passwords for built-in users
    45. 

  45. 

  46. To communicate with the cluster, you must configure a username for the built-in
    47. 

  47. users. Unless you enable anonymous access, all requests that don’t include a
    48. 

  48. user name and password are rejected.
    49. 

  49. 

  50. NOTE: You only need to set passwords for the `elastic` and `kibana_system` users
    51. 

  51. when enabling minimal or basic security.
    52. 

  52. 

  53. . Start Elasticsearch. For example, if you installed Elasticsearch with a
    54. 

  54. `.tar.gz` package, run the following command from the Elasticsearch directory:
    55. 

  55. +
    56. 

  56. [source,shell]
    57. 

  57. ----
    58. 

  58. ./bin/elasticsearch
    59. 

  59. ----
    60. 

  60. 

  61. . In another terminal window, set the passwords for the built-in users by
    62. 

  62. running the `elasticsearch-setup-passwords` utility. Using the `auto` parameter
    63. 

  63. outputs randomly-generated passwords to the console that you can change later
    64. 

  64. if necessary:
    65. 

  65. +
    66. 

  66. [source,shell]
    67. 

  67. ----
    68. 

  68. ./bin/elasticsearch-setup-passwords auto
    69. 

  69. ----
    70. 

  70. +
    71. 

  71. If you want to use your own passwords, run the command with the
    72. 

  72. `interactive` parameter instead of the `auto` parameter. Using this mode
    73. 

  73. steps you through password configuration for all of the built-in users.
    74. 

  74. +
    75. 

  75. [source,shell]
    76. 

  76. ----
    77. 

  77. ./bin/elasticsearch-setup-passwords interactive
    78. 

  78. ----
    79. 

  79. 

  80. . Save the generated passwords. You'll need them to add the built-in user to
    81. 

  81. {kib}.
    82. 

  82. 

  83. WARNING: After you set a password for the `elastic` user, you cannot run the
    84. 

  84. `elasticsearch-setup-passwords` command a second time.
    85. 

  85. 

  86. *Next*: <<add-built-in-users,Configure {kib} to connect to {es} with a password>>
    87. 

  87. 

  88. [[add-built-in-users]]
    89. 

  89. ==== Configure {kib} to connect to {es} with a password
    90. 

  90. 

  91. When the {es} security features are enabled, users must log in to {kib} with a
    92. 

  92. valid username and password.
    93. 

  93. 

  94. {kib} also performs some background tasks that require use of the built-in
    95. 

  95. `elastic` user.
    96. 

  96. 

  97. You'll configure {kib} to use the built-in `elastic` user and the
    98. 

  98. password that you created earlier.
    99. 

  99. 

  100. . Add the `elasticsearch.username` setting to the `KIB_PATH_CONF/kibana.yml`
    101. 

  101. file and set the value to the `elastic` user:
    102. 

  102. +
    103. 

  103. [source,yaml]
    104. 

  104. ----
    105. 

  105. elasticsearch.username: "elastic"
    106. 

  106. ----
    107. 

  107. +
    108. 

  108. NOTE: The `KIB_PATH_CONF` variable is the path for the {kib}
    109. 

  109. configuration files. If you installed {kib} using archive distributions
    110. 

  110. (`zip` or `tar.gz`), the variable defaults to `KIB_HOME/config`. If you used
    111. 

  111. package distributions (Debian or RPM), the variable defaults to `/etc/kibana`.
    112. 

  112. 

  113. . From the directory where you installed {kib}, run the following commands
    114. 

  114. to create the {kib} keystore and add the secure settings:
    115. 

  115. 

  116.    a. Create the {kib} keystore:
    117. 

  117. +
    118. 

  118. [source,shell]
    119. 

  119. ----
    120. 

  120. ./bin/kibana-keystore create
    121. 

  121. ----
    122. 

  122. 

  123.    b. Add the password for the `elastic` user to the {kib} keystore:
    124. 

  124. +
    125. 

  125. [source,shell]
    126. 

  126. ----
    127. 

  127. ./bin/kibana-keystore add elasticsearch.password
    128. 

  128. ----
    129. 

  129. +
    130. 

  130. When prompted, enter the password for the `elastic` user.
    131. 

  131. 

  132. . Restart {kib}. For example, if you installed {kib} with a `.tar.gz` package, run the following command from the {kib} directory:
    133. 

  133. +
    134. 

  134. [source,shell]
    135. 

  135. ----
    136. 

  136. ./bin/kibana
    137. 

  137. ----
    138. 

  138. 

  139. . Log in to {kib} as the `elastic` user.
    140. 

  140. 

  141. [[minimal-security-whatsnext]]
    142. 

  142. ==== What's next?
    143. 

  143. 

  144. Congratulations! You enabled password protection for your local cluster to
    145. 

  145. prevent unauthorized access. You can log in to {kib} securely as the `elastic`
    146. 

  146. user.
    147. 

  147. 

  148. To add another layer of security, <<security-basic-setup,Set up basic security for the Elastic Stack>>. You'll configure Transport Layer Security (TLS) to
    149. 

  149. secure all internal communication between nodes in your cluster.
    150.