Elasticsearch 7.6 cluster deployment, cluster authentication and usage

Test deployment on Windows, deployment on CentOS with docker-compose, connecting from Spring Boot, and configuring SSL and CA certificates for the cluster.

  • Configuration reference

Explanation of some Elasticsearch concepts and configuration parameters; TLS-encrypted communication and authentication between the nodes of an Elasticsearch cluster.

For details see my CSDN blog:

Deploying the cluster on Windows

Elasticsearch download address; Kibana download address

Note: on Windows, the Elasticsearch archive must be extracted separately for each node. For a 3-node cluster, for example, extract it three times; otherwise the nodes end up with the same cluster UUID and only one node is visible.

1. elasticsearch.yml configuration:

node.name differs per node: elastic_node1, elastic_node2, elastic_node3

cluster.name: elastic_cluster

node.name: elastic_node1

node.master: true
node.data: true

#path.data: /usr/local/elastic_node1/data
#path.logs: /usr/local/elastic_node1/logs

bootstrap.memory_lock: true

network.host: 127.0.0.1
network.tcp.no_delay: true
network.tcp.keep_alive: true
network.tcp.reuse_address: true
network.tcp.send_buffer_size: 256mb
network.tcp.receive_buffer_size: 256mb

transport.tcp.port: 9301
transport.tcp.compress: true

http.max_content_length: 200mb
http.cors.enabled: true
http.cors.allow-origin: "*"
http.port: 9201

discovery.seed_hosts: ["127.0.0.1:9301","127.0.0.1:9302","127.0.0.1:9303"]
cluster.initial_master_nodes: ["127.0.0.1:9301","127.0.0.1:9302","127.0.0.1:9303"]
cluster.fault_detection.leader_check.interval: 15s
discovery.cluster_formation_warning_timeout: 30s
cluster.join.timeout: 30s
cluster.publish.timeout: 90s
cluster.routing.allocation.cluster_concurrent_rebalance: 16
cluster.routing.allocation.node_concurrent_recoveries: 16
cluster.routing.allocation.node_initial_primaries_recoveries: 16

2. Start the nodes one after another to form the cluster

Open in a browser: http://127.0.0.1:9201/_cat/nodes?v

ip       heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
127.0.0.1           19         64 37                         dilm     -     elastic_node3
127.0.0.1           13         64 47                         dilm     -     elastic_node1
127.0.0.1           22         64 50                         dilm     *     elastic_node2

3. Generate certificates

The nodes of the ES cluster use a certificate to form the cluster securely.

  • Run

bin/elasticsearch-certutil cert

Just press Enter at every prompt. There are other generation modes too, such as ca. The generated file is placed in the directory at the same level as bin; copy it into the config directory.

Note: the user passwords are set separately later. This step is the cluster's security authentication, and it is recommended not to set a password here. On success the generated certificate is elastic-certificates.p12, by default inside the ES config directory; copy one into the config directory (the default directory) of each other node.

Add the following to elasticsearch.yml:

xpack.security.enabled: true
xpack.license.self_generated.type: basic
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

4. Create user passwords for the authenticated cluster

bin/elasticsearch-setup-passwords auto

Passwords are generated automatically; you can also use the interactive mode to set your own.

  • elastic account: has the superuser role; it is the built-in superuser.
  • kibana account: has the kibana_system role; Kibana uses this user to connect to and communicate with Elasticsearch. The Kibana server submits requests as this user to access the cluster monitoring APIs and the .kibana index. It cannot access other indices.
  • logstash_system account: has the logstash_system role; used by Logstash when storing monitoring information in Elasticsearch.
  • beats_system account: has the beats_system role; used by Beats when storing monitoring information in Elasticsearch.

elastic is the superuser.

5. Configure Kibana authentication

Settings in kibana.yml:

elasticsearch.username: "kibana"
elasticsearch.password: "Fuq7Sp43pjYoPglu71QU"
# Set the UI language to Chinese
i18n.locale: "zh-CN"

Full elasticsearch.yml configuration; note that node.name differs between nodes.

# ======================== Elasticsearch Configuration =========================
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
# Cluster name; must be unique
cluster.name: elastic_cluster
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
# Node name; must differ between nodes
node.name: node-1
# Whether this node is allowed to become master. By default the first machine started in the ES cluster becomes master; if it stops, a new election is held
node.master: true
# Allow this node to store index data (enabled by default)
node.data: true
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#path.data: /path/to/data
# Path to log files:
#path.logs: /path/to/logs
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
# After ES starts, lock the heap memory ES is allowed to use; the locked size is usually about half of available memory. With memory locked, the swap partition is not used.
# If this option is not enabled and physical memory runs short, ES will use swap, and its performance will then degrade badly.
bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6): must be the local machine's IP address, 127.0.0.1
# ES's HTTP port and cluster transport port will listen on this address
network.host: localhost
# Whether to enable TCP no-delay; true enables no-delay. Default false, i.e. TCP delay enabled
network.tcp.no_delay: true
# Whether to enable TCP keep-alive; default true
network.tcp.keep_alive: true
# Whether the address may be reused. Default true; on Windows the default is false
network.tcp.reuse_address: true
# TCP send buffer size; not set by default
network.tcp.send_buffer_size: 128mb
# TCP receive buffer size; not set by default
network.tcp.receive_buffer_size: 128mb
#
# Set a custom port for HTTP:
# The HTTP port ES exposes for external calls; default 9200; must differ between nodes on the same machine
http.port: 9201
# Maximum size of an HTTP request body; default 100mb
http.max_content_length: 200mb
# Whether to enable cross-origin (CORS) access
http.cors.enabled: true
# Allowed origins once CORS is enabled; * means no restriction
http.cors.allow-origin: "*"
http.cors.allow-methods: OPTIONS, HEAD, GET, POST, PUT, DELETE
http.cors.allow-headers: "X-Requested-With, Content-Type, Content-Length, X-User"
#
# TCP port for communication between cluster nodes; default 9300; must differ between nodes on the same machine
transport.tcp.port: 9301
# Whether to compress data on the transport layer; default false
transport.tcp.compress: true
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
# Before 7.0: discovery.zen.ping.unicast.hosts:
# Set of machine IPs used for cluster auto-discovery
# New in Elasticsearch 7: list the addresses of master-eligible nodes so they can be elected master at startup; derived from the discovery.zen.ping.unicast.hosts parameter
discovery.seed_hosts: ["127.0.0.1:9301", "127.0.0.1:9302", "127.0.0.1:9303"]
#
# Bootstrap the cluster using an initial set of master-eligible nodes:
# New in Elasticsearch 7: list the addresses of master-eligible nodes so they can be elected master at startup
cluster.initial_master_nodes: ["127.0.0.1:9301", "127.0.0.1:9302", "127.0.0.1:9303"]
#
# For more information, consult the discovery and cluster formation module documentation.
#
# New in Elasticsearch 7: how long each node waits between its checks of the elected master. Default 1s
cluster.fault_detection.leader_check.interval: 15s
# New in Elasticsearch 7: if the cluster has not formed within 30 seconds of startup, a warning beginning with "master not found" is logged; default 10s
discovery.cluster_formation_warning_timeout: 30s
# New in Elasticsearch 7: after a node sends a request to join the cluster, how long it waits before considering the request failed and sending it again; default 60s
cluster.join.timeout: 30s
# New in Elasticsearch 7: how long the master waits for each cluster state update to be fully published to all nodes; default 30s
cluster.publish.timeout: 90s
# Number of shard rebalance tasks allowed to run concurrently in the cluster; default 2
cluster.routing.allocation.cluster_concurrent_rebalance: 16
# Number of concurrent recovery threads when nodes are added or removed or during rebalancing; default 4
cluster.routing.allocation.node_concurrent_recoveries: 16
# Number of concurrent recovery threads during initial primary recovery; default 4
cluster.routing.allocation.node_initial_primaries_recoveries: 16
# ---------------------------------- Gateway -----------------------------------
#
# Block initial recovery after a full cluster restart until N nodes are started:
#
#gateway.recover_after_nodes: 3
#
# For more information, consult the gateway module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Require explicit names when deleting indices:
#
#action.destructive_requires_name: true

xpack.security.enabled: true
xpack.license.self_generated.type: basic
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
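As an added example (not part of the original post), the following Python script audits the security-relevant keys of an elasticsearch.yml like the one above: it flags missing authentication, missing transport TLS, the hostname check that verification_mode: certificate skips, cleartext HTTP (the Kibana password in kibana.yml is sent over it), and the wildcard CORS origin. It assumes flat dotted keys, one key: value per line, which is how this page's config is written; the embedded sample config is constructed to mirror the page's settings.

```python
PAGE_LIKE_CONFIG = """
# constructed sample; mirrors the security-relevant settings used on this page
network.host: localhost
http.cors.enabled: true
http.cors.allow-origin: "*"
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
"""

def parse_flat_yaml(text):
    """Parse flat `key: value` lines; skips comments and blanks, strips quotes."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")  # keys never contain ':'
        if sep:
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def audit(settings):
    """Return (severity, message) pairs for missing or weak security settings."""
    on = lambda key: settings.get(key, "false").lower() == "true"
    findings = []
    if not on("xpack.security.enabled"):
        findings.append(("CRITICAL", "xpack.security.enabled is off: the API accepts unauthenticated requests"))
    if not on("xpack.security.transport.ssl.enabled"):
        findings.append(("CRITICAL", "transport TLS is off: node-to-node traffic and cluster join are unprotected"))
    else:
        if "xpack.security.transport.ssl.keystore.path" not in settings:
            findings.append(("CRITICAL", "transport TLS enabled without keystore.path: the node has no key material"))
        # ES defaults verification_mode to 'full'; 'certificate' validates the chain but not the hostname
        if settings.get("xpack.security.transport.ssl.verification_mode", "full") == "certificate":
            findings.append(("INFO", "verification_mode=certificate skips hostname checks; use 'full' with per-node certs"))
    if on("xpack.security.enabled") and not on("xpack.security.http.ssl.enabled"):
        findings.append(("WARN", "HTTP TLS is off: basic-auth credentials such as Kibana's cross the wire in cleartext"))
    if on("http.cors.enabled") and settings.get("http.cors.allow-origin") == "*":
        findings.append(("WARN", "CORS allows any origin: any website can script requests against the HTTP API"))
    if settings.get("network.host", "localhost") not in ("localhost", "127.0.0.1", "_local_"):
        findings.append(("INFO", "network.host exposes HTTP and transport beyond loopback"))
    return findings

if __name__ == "__main__":
    for sev, msg in audit(parse_flat_yaml(PAGE_LIKE_CONFIG)):
        print(f"[{sev}] {msg}")
```

Run against the page's settings it reports one INFO (hostname check skipped) and two WARNs (cleartext HTTP, wildcard CORS); a config with xpack.security.enabled missing gets two CRITICALs instead.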