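Note: because this is a test, the whole environment is built on a single machine (operating system: CentOS 7).
Configuring Elasticsearch
The Elasticsearch configuration file is elasticsearch/elasticsearch.yml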
Cluster name
Set the cluster name. Every node in the cluster must use the same cluster name.
    # Use a descriptive name for your cluster:
    #
    cluster.name: my-application
Node name
Set the name of each node. A node name must be unique within the cluster.
    # Use a descriptive name for the node:
    #
    node.name: node-1
Index data location
The default is the data directory under the current directory. You can change it.
    # Path to directory where to store the data (separate multiple locations by comma):
    #
    #path.data: /path/to/data
Log file location
The default is the logs directory under the current directory. You can change it.
    # Path to log files:
    #
    #path.logs: /path/to/logs
The host address Elasticsearch binds to. By default it is not publicly reachable; setting it to 0.0.0.0 makes it publicly reachable.
    # Set the bind address to a specific IP (IPv4 or IPv6):
    #
    network.host: 0.0.0.0
HTTP port, 9200 by default
    http.port: 9200
Transport port, 9300 by default (transport is used for internal communication between the nodes of the cluster)
    transport.port: 9300
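discovery.seed_hosts lists the host and port addresses of the cluster nodes
    discovery.seed_hosts: ["127.0.0.1:9300","127.0.0.1:9301","127.0.0.1:9302"]
cluster.initial_master_nodes (the first time a brand-new Elasticsearch cluster starts, a cluster bootstrapping step determines the set of master-eligible nodes whose votes are counted in the first election)
    cluster.initial_master_nodes: ["node-1", "node-2","node-3"]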
Whether this node is eligible to become the master node
    node.master: true
Whether this node is a data node
    node.data: true
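To prevent "split brain", where one cluster splits into several, you usually need to configure the minimum number of master nodes, normally (number of master-eligible hosts / 2) + 1. I have 3 master-eligible nodes, so the result is 2.
    discovery.zen.minimum_master_nodes: 2
Enabling security authentication (note: the certificates were generated while the cluster had no passwords set)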
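Go to the bin directory and run the commands below to generate a private key and X.509 certificate for the Elasticsearch nodes (note: run them on any one node, then copy the generated files to all nodes).
    # Generate the CA certificate; the command also prompts for a password, which can be left empty
    elasticsearch-certutil ca
    # Generate the certificate and private key; you are prompted for a password again, and can either set one for the certificate and key or leave it empty
    elasticsearch-certutil cert --ca elastic-stack-ca.p12
After running them, you will see the two corresponding files in the ES directory.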
On every node, create a certs folder inside the config directory.
Copy the elastic-certificates.p12 file into the certs directory (note: into /config/certs on every node).
Turn on security authentication
    # Require passwords: authentication for external access
    xpack.security.enabled: true
    xpack.license.self_generated.type: basic
Turn on authentication for intra-cluster communication
    # Enable security authentication for intra-cluster communication
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
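A pre-start check for each node's elasticsearch.yml, written for this walkthrough as an added example (it is not part of the original post or of Elasticsearch). It flags a node bound beyond loopback without the security settings above. The function names and sample configs are constructed, and an absent setting is assumed to mean disabled.

```python
LOOPBACK = {"127.0.0.1", "localhost", "::1", "_local_"}
SSL = "xpack.security.transport.ssl."

def parse_flat_yaml(text):
    """Parse the flat 'dotted.key: value' lines used on this page (not full YAML)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out setting
        key, sep, value = line.partition(":")
        if sep:
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def audit(text):
    """Return (severity, message) findings for one node's elasticsearch.yml."""
    s = parse_flat_yaml(text)
    host = s.get("network.host", "_local_")
    # Assumption: an absent setting counts as disabled, so it must be set explicitly.
    sev = "WARN" if host in LOOPBACK else "HIGH"
    findings = []
    if s.get("xpack.security.enabled", "false") != "true":
        findings.append((sev, f"xpack.security.enabled is not true (network.host={host})"))
    if s.get(SSL + "enabled", "false") != "true":
        findings.append((sev, "transport TLS is off: node-to-node traffic is unauthenticated"))
        return findings
    mode = s.get(SSL + "verification_mode", "full")
    if mode == "none":
        findings.append(("HIGH", "verification_mode none accepts any peer certificate"))
    elif mode == "certificate":
        findings.append(("INFO", "verification_mode certificate checks the CA signature, not the hostname"))
    for name in ("keystore.path", "truststore.path"):
        if SSL + name not in s:
            findings.append(("HIGH", f"{SSL}{name} is not set"))
    return findings

# Constructed sample inputs (not taken from a real deployment).
WEAK = "network.host: 0.0.0.0\nhttp.port: 9200\n"
HARDENED = """
network.host: 0.0.0.0
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
"""
if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(cfg))
```

Run it against every node's file before starting the cluster; a HIGH finding means the node would accept unauthenticated connections from other hosts.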
Start all ES nodes
The passwords need to be set from one of the nodes (setting them once is enough)
    elasticsearch-setup-passwords interactive
    Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
    You will be prompted to enter passwords as the process progresses.
    Please confirm that you would like to continue [y/N]y
    Enter password for [elastic]:
    Reenter password for [elastic]:
    Enter password for [apm_system]:
    Reenter password for [apm_system]:
    Enter password for [kibana]:
    Reenter password for [kibana]:
    Enter password for [logstash_system]:
    Reenter password for [logstash_system]:
    Enter password for [beats_system]:
    Reenter password for [beats_system]:
    Enter password for [remote_monitoring_user]:
    Reenter password for [remote_monitoring_user]:
    Changed password for user [apm_system]
    Changed password for user [kibana]
    Changed password for user [logstash_system]
    Changed password for user [beats_system]
    Changed password for user [remote_monitoring_user]
    Changed password for user [elastic]
Finally, you can see the following screens in Kibana:
Security authentication
Cluster settings



