Elasticsearch: Setting a Username and Password && Querying


2024-07-13 04:42 | Source: compiled from the web

I. Setting passwords

1. Enable X-Pack authentication in the configuration file: edit elasticsearch.yml in the config directory, add the following settings, and restart.

xpack.security.enabled: true
xpack.license.self_generated.type: basic
xpack.security.transport.ssl.enabled: true

2. Run the command that sets the usernames and passwords. It asks for a separate password for each of 4 users: elastic, kibana, logstash_system, beats_system.

bin/elasticsearch-setup-passwords interactive

Output shown in an example found online:

Initiating the setup of passwords for reserved users elastic,kibana,logstash_system,beats_system.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y

Enter password for [elastic]:
passwords must be at least [6] characters long
Try again.
Enter password for [elastic]:
Reenter password for [elastic]:
Passwords do not match.
Try again.
Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [elastic]

Output when I set the passwords:

[es@k8snode2 elasticsearch-7.3.0]$ ./bin/elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y

Enter password for [elastic]:
Reenter password for [elastic]:
Passwords do not match.
Try again.
Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]

 

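The permissions of these users are as follows:

elastic account: has the superuser role; it is the built-in superuser.
kibana account: has the kibana_system role. The kibana user is used to connect to Elasticsearch and communicate with it. The Kibana server submits requests as this user to access the cluster monitoring APIs and the .kibana index. It cannot access indices.
logstash_system account: has the logstash_system role. Used by Logstash when it stores monitoring information in Elasticsearch.

II. Changing a password

The command to change a password is:

curl -H "Content-Type:application/json" -XPOST -u elastic 'http://127.0.0.1:9200/_xpack/security/user/elastic/_password' -d '{ "password" : "123456" }'

III. Querying with a password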

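Once a username and password have been set, Elasticsearch can no longer be accessed directly with Elasticsearch head. Instead, add the user credentials as parameters to query and other API calls: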

curl -XGET --user user:passwd 'http://XXXX:9200/XX/XXX'

For example, to clear all the data under an index:

curl -XPOST --user admin:admin 'http://XXXX:9200/XXXX/XXX/_delete_by_query' -H "Content-Type: application/json" -d '{ "query":{"match_all":{}}}'

IV. Adding a custom role

The endpoint for adding a role is: POST /_xpack/security/role/

As an example, the following adds a super-administrator role:

[elastic@data-backup elasticsearch-6.2.4]$ curl -XPOST -H 'Content-type: application/json' -u elastic:elastic123 'http://10.163.19.231:9600/_xpack/security/role/admin?pretty' -d '{
  "run_as":["elastic"],
  "cluster":["all"],
  "indices":[
    {
      "names":["*"],
      "privileges":["all"]
    }
  ]
}'
{
  "role" : {
    "created" : true
  }
}
[elastic@data-backup elasticsearch-6.2.4]$ curl -XGET -H 'Content-type: application/json' -u elastic:elastic123 'http://10.163.19.231:9600/_xpack/security/role/admin?pretty'
{
  "admin" : {
    "cluster" : [
      "all"
    ],
    "indices" : [
      {
        "names" : [
          "*"
        ],
        "privileges" : [
          "all"
        ]
      }
    ],
    "run_as" : [
      "elastic"
    ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}

V. Adding a custom user

The endpoint for adding a user is: POST /_xpack/security/user/

As an example, the following adds a test user and assigns it to the admin role:

[elastic@data-backup elasticsearch-6.2.4]$ curl -XGET -H 'Content-type: application/json' -u test:Test123654% 'http://10.163.19.231:9600/_cat/indices?pretty'
green open .monitoring-es-6-2019.09.17 J1K2XG1eTXqw0GHSOH5Gwg 1 0 848 104 846.9kb 846.9kb
green open .watches qHj5owowRC-3DeK8DaLD-g 1 0 6 0 47.8kb 47.8kb
green open .triggered_watches 2pm3BwCnTaKgyzl39eFpUw 1 0 0 0 5.1kb 5.1kb
yellow open monitor yFnfztziSguTq9VsfSANpw 5 1 48 0 226.7kb 226.7kb
green open .watcher-history-7-2019.09.17 uz6RA_8vRraHHLAitWKtAw 1 0 74 0 259.8kb 259.8kb
green open .monitoring-alerts-6 ZPTqnNVOQ5GlUK1ncXNQDQ 1 0 2 0 18.1kb 18.1kb
yellow open track AqSGAZnAQE2NGvZXlp9zcw 5 1 1343729 175384 201mb 201mb
green open .security-6 83fAslPbQDSGbGWfhiMAXA 1 0

 

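Note: it is best for user passwords not to contain characters such as "$" or "!", since these may cause password authentication to fail. The other characters I have tested have caused no problems so far (I don't know the exact reason, but I did run into this pitfall).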
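The following is an added example, not part of the original post: it creates a read-only role and a user in that role through the page's /_xpack/security endpoints while keeping passwords away from the shell, which expands "$" inside double quotes and, in an interactive bash, "!" as well (an assumed cause of the failures noted above; the page does not identify one). Credentials are prompted for and passed to curl as a config file on stdin (-K -), so they appear neither in shell history nor in the process list. The role and user names given to provision, the restricted index-name character set and the printable-password assumption belong to this example; host and port are the page's.

```sh
#!/bin/sh
# Added example (not from the original page). Host, port and endpoints are the
# page's; role/user names given to provision() are whatever the caller chooses.

# Escape \ and " for a JSON string or a double-quoted curl config value
# (assumes printable passwords: no control characters).
esc() { printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'; }

# Role body: read-only on explicitly named indices, no cluster or run_as grants.
# Wildcards are refused (a restriction of this example, not of Elasticsearch).
readonly_role_body() {
  [ "$#" -gt 0 ] || { echo 'need at least one index name' >&2; return 1; }
  names=
  for idx in "$@"; do
    case $idx in
      ''|*[!a-z0-9._-]*) echo "refusing index name: $idx" >&2; return 1 ;;
    esac
    names="${names:+$names,}\"$idx\""
  done
  printf '{"indices":[{"names":[%s],"privileges":["read"]}]}' "$names"
}

# User body for POST /_xpack/security/user/<name>: password plus one role.
user_body() { printf '{"password":"%s","roles":["%s"]}' "$(esc "$1")" "$(esc "$2")"; }

# One request as a curl config file. Args: admin_user admin_pass api_path json_body
request_config() {
  printf 'user = "%s:%s"\n' "$(esc "$1")" "$(esc "$2")"
  printf 'header = "Content-Type: application/json"\n'
  printf 'data = "%s"\n' "$(esc "$4")"
  printf 'url = "http://10.163.19.231:9600/_xpack/security/%s"\n' "$3"
}

# Prompt on the terminal without echo; the value never enters argv or history.
ask() { printf '%s: ' "$1" >&2; stty -echo; IFS= read -r REPLY; stty echo; echo >&2; }

# Usage: provision ROLE USER INDEX...   e.g.  provision track_reader test track
provision() {
  role=$1 user=$2; shift 2
  role_json=$(readonly_role_body "$@") || return 1
  ask 'Password for elastic'; admin_pw=$REPLY
  ask "New password for $user"; new_pw=$REPLY
  request_config elastic "$admin_pw" "role/$role" "$role_json" | curl -sS -K - &&
  request_config elastic "$admin_pw" "user/$user" "$(user_body "$new_pw" "$role")" | curl -sS -K -
}
```

The page's endpoints are plain http://, so the Basic credentials still cross the network unencrypted unless TLS is enabled on the HTTP layer. On Elasticsearch 7.x the same APIs are also served under /_security/, which replaces the _xpack prefix.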

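VI. Plugin access with the password in the header

Edit the configuration file elasticsearch.yml and add http.cors.allow-headers: Authorization

When accessing head, use a URL like the following: http://192.168.100.100:9100/?auth_user=elastic&auth_password=changeme

VII. Accessing with a password via the Java API

import org.apache.http.HttpHost;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.nio.client.HttpAsyncClientBuilder;
import org.elasticsearch.client.RestClient;
import org.elasticsearch.client.RestClientBuilder;
import org.elasticsearch.client.RestHighLevelClient;

// Initialize the ES client
final CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
// ES account and password (the default username is elastic)
credentialsProvider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials("elastic", "123456"));
RestHighLevelClient esClient = new RestHighLevelClient(
    RestClient.builder(
        new HttpHost("127.0.0.1", 9200)
    ).setHttpClientConfigCallback(new RestClientBuilder.HttpClientConfigCallback() {
        @Override
        public HttpAsyncClientBuilder customizeHttpClient(HttpAsyncClientBuilder httpClientBuilder) {
            // Do not cache auth state; send the configured credentials with requests
            httpClientBuilder.disableAuthCaching();
            return httpClientBuilder.setDefaultCredentialsProvider(credentialsProvider);
        }
    }) /*.setMaxRetryTimeoutMillis(2000)*/
);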

 


