ES 默认提供了 Authentication , 集成在 X-pack 当中. 称之为 Realms.

Realms 有两种:

• 内置Realms, 免费, 集成了 File 和 Native (用户名密码保存在ES种)
• 外部Realms, 收费, 支持 LDAP、Active Directory、PKI、SAML、Kerberos

启用

# 配置文件中添加
-E xpack.security.enabled=true

# 用于设置默认用户的密码
bin/elasticsearch-setup-passwords interactive

用户操作

POST /_security/user/jacknich
{
	"password" : "j@rV1s",
	"roles" : [ "admin", "other_role1"] ,
	"full_name" : "Jack Nicho lson",
	"email" : "jacknich@example. com",
	"metadata" : {
		"intelligence" : 7
	}
}

添加TLS

bin/elasticsearch-certutil ca
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

参考官方文档: https://www.elastic.co/guide/en/elasticsearch/reference/7.1/configuring-tls.html

启用节点之间的TLS通讯

# yml
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

启用https

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: certs/elastic-certificates.p12