A couple of days ago the ES instance I use for experiments was hit by the "meow" attack: the mapping in a type was deleted out of nowhere. ES is a database too, so how can it run without access control? I decided to add access management to both ES and Kibana. Fortunately ES already ships the x-pack plugin, so let's get to it.
ES + Kibana version: 5.6.16 (a constraint of the experiment, not because 6.x is bad). Environment: docker
Elasticsearch
docker configuration
Configured directly with docker-compose.yml; this image already includes the x-pack plugin:
# docker-compose.yml
# Containers' name can't contain _ (underscore) because scrapy is not able to handle it.
version: '2'
services:
  elasticsearch:
    #image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.3.0
    image: elastic/elasticsearch:5.6.16
    environment:
      - discovery.type=single-node
      - cluster.name=tor-elasticsearch
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms2g -Xmx2g -Xmn1g"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - /etc/elasticsearch/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - /etc/elasticsearch/data:/usr/share/elasticsearch/data
    ports:
      - 9200:9200
      - 9300:9300
    container_name: "tor-elasticsearch"
bootstrap.memory_lock
Controls whether the process memory is locked, which avoids the performance loss of the JVM heap being swapped out; this is extremely important for node health.
ES fails to start after enabling bootstrap.memory_lock?
- max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]
First switch to the root user, then run the following command to set vm.max_map_count; note that the value reverts to the original after a reboot:
sysctl -w vm.max_map_count=262144
The persistent approach is to set vm.max_map_count in /etc/sysctl.conf (append with >> so the existing settings in the file are kept):
echo "vm.max_map_count=262144" >> /etc/sysctl.conf
sysctl -p
- memory locking requested for elasticsearch process but memory is not locked
In my case it was enough to add the following fields to the compose file:
ulimits:
  memlock:
    soft: -1
    hard: -1
If adding these fields still doesn't help, memory locking may need to be enabled at the OS level; look up the procedure for your system.
"ES_JAVA_OPTS=-Xms2g -Xmx2g -Xmn1g"
Sets the heap memory allocated to the JVM. The official recommendation is to set -Xms and -Xmx to half of the system's physical memory; here "physical memory" means the memory limit assigned to the docker container, so adjust it to your own setup. My ES container's memory limit is as follows:
elasticsearch.yml
The initial configuration is:
network.host: 0.0.0.0
# xpack
xpack.security.enabled: true
xpack.security.authc.accept_default_password: false
Configuring the x-pack account passwords
Because of the version, ES 5.x does not have the elasticsearch-setup-passwords tool, so the passwords of the three built-in accounts (elastic, kibana, logstash_system) have to be set manually.
First enable accept_default_password in elasticsearch.yml, and turn it back off once the passwords have been changed:
xpack.security.authc.accept_default_password: true
Then reset the passwords (default password of elastic: changeme):
curl -XPUT -u elastic 'localhost:9200/_xpack/security/user/elastic/_password' -H "Content-Type: application/json" -d '{
"password" : "yourpassword"
}'
curl -XPUT -u elastic 'localhost:9200/_xpack/security/user/kibana/_password' -H "Content-Type: application/json" -d '{
"password" : "yourpassword"
}'
curl -XPUT -u elastic 'localhost:9200/_xpack/security/user/logstash_system/_password' -H "Content-Type: application/json" -d '{
"password" : "yourpassword"
}'
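As an added example (my own code, not from the post or from Elastic), the script below rotates the same three built-in users through the 5.x `_password` endpoint used by the curl commands above, giving each a distinct random password, and then checks that anonymous access and the `changeme` default are both rejected. It assumes ES is reachable at the URL you pass in and that `elastic` still authenticates with its current password.

```python
# Added example: rotate the built-in X-Pack users over the 5.x
# PUT /_xpack/security/user/<name>/_password API, then verify that
# neither anonymous access nor 'elastic:changeme' is accepted anymore.
import base64
import json
import secrets
import string
import urllib.error
import urllib.request

BUILTIN_USERS = ("elastic", "kibana", "logstash_system")

def basic_auth(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}

def generate_password(length=24):
    # One distinct random password per user; the post reuses a single one.
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def http_status(url, method="GET", headers=None, body=None):
    # Return the HTTP status code; 4xx/5xx are returned instead of raised.
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers or {})
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def rotate_builtin_passwords(es_url, admin_password, users=BUILTIN_USERS, send=http_status):
    # Authenticate as 'elastic' (assumed to still hold admin_password) and rotate
    # 'elastic' last, so its old password still authorizes the earlier calls.
    ordered = [u for u in users if u != "elastic"] + [u for u in users if u == "elastic"]
    rotated = {}
    for user in ordered:
        new_pw = generate_password()
        status = send(f"{es_url}/_xpack/security/user/{user}/_password", "PUT",
                      basic_auth("elastic", admin_password), {"password": new_pw})
        if status == 200:
            rotated[user] = new_pw
    return rotated

def verify_lockdown(es_url, send=http_status):
    # True only if an anonymous request and 'elastic:changeme' both get 401.
    anon = send(f"{es_url}/", "GET")
    default = send(f"{es_url}/", "GET", basic_auth("elastic", "changeme"))
    return anon == 401 and default == 401
```

Run `rotate_builtin_passwords("http://localhost:9200", "changeme")` once with accept_default_password enabled, store the returned passwords somewhere safe (the kibana one goes into kibana.yml), then confirm `verify_lockdown("http://localhost:9200")` returns True after the setting is turned back off.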
Kibana
- Image (x-pack plugin already included): elastic/kibana:5.6.16
- volume: /etc/kibana/config/kibana.yml:/usr/share/kibana/config/kibana.yml
# kibana.yml
server.name: kibana
server.host: "0"
# ES address
elasticsearch.url: http://elasticsearch_host:9200
# enable the xpack plugin
xpack.monitoring.ui.container.elasticsearch.enabled: true
# Elasticsearch xpack username and password
elasticsearch.username: "kibana"
elasticsearch.password: "yourpassword"
OK, start the two images and you're done; you can see that x-pack access control is in effect.
Note that it's best to log in with the elastic account; logging in with the kibana account only grants the monitor permission.
Fixing the Elasticsearch license expiry problem
Warning
This method does not fix the xpack license expiry problem; at present there are two solutions:
1. (no longer works) Redeploy the docker container, which automatically starts a 30-day trial
2. (recommended) Decompile the xpack package and patch the trial period; go straight to the section below
If opening Kibana shows the error "Login is disabled because your license has expired", the license needs to be updated.
Only the solution for versions below ES 6.2 is given here, because X-Pack is built in from ES 6.3 onwards.
- First log in at https://register.elastic.co/, fill in the form and download the Basic License, which is valid for one year.
- Apply the license (replace the es address and port with your own):
curl -XPUT -u elastic 'http://0.0.0.0:9200/_xpack/license' -H "Content-Type: application/json" -d @license.json
- Enter the password of the elastic account, changeme by default.
- The request returns the following:
{
  "acknowledged": false,
  "license_status": "valid",
  "acknowledge": {
    "message": "This license update requires acknowledgement. To acknowledge the license, please read the following messages and update the license again, this time with the \"acknowledge=true\" parameter:",
    "watcher": ["Watcher will be disabled"],
    "security": [
      "The following X-Pack security functionality will be disabled: authentication, authorization, ip filtering, and auditing. Please restart your node after applying the license.",
      "Field and document level access control will be disabled.",
      "Custom realms will be ignored."
    ],
    "monitoring": [
      "Multi-cluster support is disabled for clusters with [BASIC] license. If you are\nrunning multiple clusters, users won't be able to access the clusters with\n[BASIC] licenses from within a single X-Pack Kibana instance. You will have to deploy a\nseparate and dedicated X-pack Kibana instance for each [BASIC] cluster you wish to monitor.",
      "Automatic index cleanup is locked to 7 days for clusters with [BASIC] license."
    ],
    "graph": ["Graph will be disabled"]
  }
}
In this case the license must be sent again, this time with the parameter acknowledge=true:
curl -XPUT -u elastic 'http://0.0.0.0:9200/_xpack/license?acknowledge=true' -H "Content-Type: application/json" -d @license.json
- When the following response comes back, the Basic License has been updated successfully:
{"acknowledged":true,"license_status":"valid"}