Elasticsearch unauthenticated access vulnerability
Newer ES versions support x-pack authentication. The ES version shipped with TBDS is 6.4.2, and x-pack is already installed by default; the configuration method follows.
Steps to configure authentication
1. Stop the ES service
2. Back up the ES configuration file
Log in to every ES node
[root@tbds-172-27-0-174 bin]# cp /etc/elasticsearch/elasticsearch.yml /tmp/elasticsearch.yml.bak
3. Modify the configuration file to enable authentication
Two ways of modifying the configuration file are provided
(1) Modify the configuration file directly on the ES nodes. This method is not recommended for a TBDS cluster: if the ES service is restarted from the 8088 web page, the configuration is reverted.
Log in to every ES node and add the following parameters to /etc/elasticsearch/elasticsearch.yml on each node
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
(2) Modify the ambari-server service integration code on the TBDS-portal node; this method is suitable for a TBDS cluster
Log in to the portal node, edit the file /var/lib/tbds-server/resources/common-services/ES/7.6.2/package/templates/elasticsearch.yml.j2, and add the following parameters
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
After editing the file, restart the tbds-server service
tbds-server restart
4. Configure the certificates and keys
Generate the CA certificate
[root@tbds-172-27-0-174 bin]# cd /usr/share/elasticsearch/
[root@tbds-172-27-0-174 elasticsearch]# bin/elasticsearch-certutil ca ## generate the CA certificate; press Enter through every prompt
Generate the P12 key
[root@tbds-172-27-0-174 elasticsearch]# bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 ## generate the node certificate/key; press Enter through every prompt
Copy the certificate files to the other ES nodes; every ES node needs a copy
[root@tbds-172-27-0-174 elasticsearch]# scp elastic-certificates.p12 elastic-stack-ca.p12 tbds-172-27-0-90:/usr/share/elasticsearch/
The following steps must be performed on every node ===================
Create the certificate directory so that it matches xpack.security.transport.ssl.keystore.path in the configuration file
[root@tbds-172-27-0-174 elasticsearch]# mkdir -p /etc/elasticsearch/certs
[root@tbds-172-27-0-174 elasticsearch]# mv /usr/share/elasticsearch/elastic-certificates.p12 /etc/elasticsearch/certs/
[root@tbds-172-27-0-174 elasticsearch]# mv /usr/share/elasticsearch/elastic-stack-ca.p12 /etc/elasticsearch/certs/
Change the owner
[root@tbds-172-27-0-174 elasticsearch]# chown elasticsearch:elasticsearch -R /etc/elasticsearch/certs
The steps above must be performed on every node ===================
5. Start the ES service in the background
Log in to every ES node, switch to the elasticsearch user, and start the ES service
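The two PKCS#12 files moved into /etc/elasticsearch/certs above contain the cluster's private keys, so besides the chown it is worth confirming on each node that they are present, owned by the elasticsearch user, and not readable by other local users. The following script is an added example and is not part of the TBDS document; the directory, file names and owner follow the guide, the demo runs on empty constructed files in a temporary directory, and the CERT_DIR/owner arguments are assumptions you can override.

```shell
#!/bin/sh
# Added example (not from the TBDS document): verify that the certificate
# files from step 4 are in place on this node with safe ownership and mode.

# file_owner FILE -> user name that owns FILE (GNU stat, BSD stat fallback)
file_owner() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# file_mode FILE -> octal permission bits, e.g. 640
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_cert_file FILE OWNER -> 0 when FILE exists, is owned by OWNER and
# grants no permissions to "others"; prints one line per finding otherwise.
check_cert_file() {
    f="$1"; owner="$2"
    if [ ! -f "$f" ]; then
        echo "MISSING: $f"
        return 1
    fi
    o=$(file_owner "$f")
    m=$(file_mode "$f")
    rc=0
    if [ "$o" != "$owner" ]; then
        echo "OWNER: $f is owned by $o, expected $owner"
        rc=1
    fi
    # The last octal digit is the "others" class; anything non-zero means any
    # local account can read a file that holds a private key.
    case "$m" in
        *0) ;;
        *)  echo "MODE: $f is $m; others have access to a private key"; rc=1 ;;
    esac
    return $rc
}

# check_cert_dir [DIR] [OWNER] -> 0 when both files from step 4 pass
check_cert_dir() {
    dir="${1:-/etc/elasticsearch/certs}"
    owner="${2:-elasticsearch}"
    rc=0
    for name in elastic-certificates.p12 elastic-stack-ca.p12; do
        check_cert_file "$dir/$name" "$owner" || rc=1
    done
    return $rc
}

# Stand-alone demo on constructed empty files (no real keys). One file is
# deliberately left world-readable so that a finding is shown.
demo=$(mktemp -d)
: > "$demo/elastic-certificates.p12"; chmod 640 "$demo/elastic-certificates.p12"
: > "$demo/elastic-stack-ca.p12";     chmod 644 "$demo/elastic-stack-ca.p12"
check_cert_dir "$demo" "$(id -un)" || echo "demo: the finding above is expected"
rm -rf "$demo"
# On a real node run: check_cert_dir /etc/elasticsearch/certs elasticsearch
```

The guide's chown fixes ownership but leaves whatever mode elasticsearch-certutil created; if the script reports a MODE finding, `chmod 640` on the two files (owner read/write, group read) is enough for the elasticsearch user to load them.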
[root@tbds-172-27-0-174 elasticsearch]# su elasticsearch
[elasticsearch@tbds-172-27-0-174 elasticsearch]$ /usr/share/elasticsearch/bin/elasticsearch -p /var/run/elasticsearch/elasticsearch.pid -d
6. Set the ES passwords
Set the passwords manually or have them generated automatically; record the passwords
[root@tbds-172-27-0-174 elasticsearch]# pwd
/usr/share/elasticsearch
[root@tbds-172-27-0-174 elasticsearch]# bin/elasticsearch-setup-passwords interactive ## set the passwords manually
[root@tbds-172-27-0-174 elasticsearch]# bin/elasticsearch-setup-passwords auto ## generate the passwords automatically
7. Test whether authentication works
[root@tbds-172-27-0-174 elasticsearch]# curl http://172.27.0.174:9200 -uelastic:xxxxx
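The curl above only shows that the right password is accepted; the point of the change is that requests without credentials are now refused, and that every node actually carries the settings from step 3 (method (1) is reverted by a portal restart, so a node can silently fall back to open access). The script below is an added example, not part of the TBDS document: audit_es_config checks an elasticsearch.yml for the x-pack keys the guide adds, and check_es_auth confirms that the HTTP port answers 401 to an anonymous request and 200 to an authenticated one. The sample config is constructed, and ES_HOST/ES_USER/ES_PASS are assumed environment variables; the network check only runs when ES_HOST is set.

```shell
#!/bin/sh
# Added example (not from the TBDS document): audit elasticsearch.yml for
# the x-pack settings from step 3, then optionally confirm over HTTP that
# anonymous access is refused (step 7).

# yaml_value FILE KEY -> value of the last uncommented "KEY: value" line,
# with surrounding whitespace and double quotes removed (empty if unset).
yaml_value() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -E "^[[:space:]]*${key_re}:" "$1" | tail -n 1 \
        | sed -e 's/^[^:]*:[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# audit_es_config FILE -> 0 when every required key has the expected value;
# prints one line per missing or wrong key and returns 1 otherwise.
audit_es_config() {
    file="$1"
    rc=0
    for kv in \
        "xpack.security.enabled=true" \
        "xpack.security.transport.ssl.enabled=true" \
        "xpack.security.transport.ssl.verification_mode=certificate" \
        "xpack.security.transport.ssl.keystore.path=certs/elastic-certificates.p12" \
        "xpack.security.transport.ssl.truststore.path=certs/elastic-certificates.p12"
    do
        key="${kv%%=*}"
        want="${kv#*=}"
        got=$(yaml_value "$file" "$key")
        if [ "$got" != "$want" ]; then
            echo "MISSING/WRONG: $key (want '$want', got '${got:-<unset>}')"
            rc=1
        fi
    done
    # The guide's CORS origin is "*"; that is not a failure here, but note it.
    if [ "$(yaml_value "$file" http.cors.allow-origin)" = "*" ]; then
        echo "NOTE: http.cors.allow-origin is '*'; any web origin may reach this node"
    fi
    return $rc
}

# check_es_auth HOST:PORT USER PASS -> 0 when an anonymous request gets 401
# and the given credentials get 200 (needs curl and network access).
check_es_auth() {
    base="http://$1"
    anon=$(curl -s -o /dev/null -w '%{http_code}' "$base/")
    auth=$(curl -s -o /dev/null -w '%{http_code}' -u "$2:$3" "$base/")
    echo "anonymous=$anon authenticated=$auth"
    [ "$anon" = "401" ] && [ "$auth" = "200" ]
}

# Stand-alone demo on a constructed config (not a real node's file); the
# truststore line is left out so that one finding is shown.
sample=$(mktemp)
cat > "$sample" <<'EOF'
cluster.name: tbds-es
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
EOF
audit_es_config "$sample" || echo "demo: the finding above is expected"
rm -f "$sample"

# On a real node, e.g.:
#   ES_HOST=172.27.0.174:9200 ES_USER=elastic ES_PASS=... sh es_auth_check.sh
if [ -n "${ES_HOST:-}" ]; then
    audit_es_config /etc/elasticsearch/elasticsearch.yml
    check_es_auth "$ES_HOST" "${ES_USER:-elastic}" "${ES_PASS:?set ES_PASS}"
fi
```

Run the audit on every node after a portal-driven restart as well, since that is exactly the moment method (1) loses its settings; a node that passes the HTTP check today can be reverted to open access tomorrow without anyone noticing.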
Troubleshooting
1. Running elasticsearch-setup-passwords fails with "ERROR: Failed to set password for user [apm_system]."
The ES log shows the following
[2020-12-17T16:37:16,729][WARN ][o.e.c.c.ClusterFormationFailureHelper] [tbds-172-27-0-174] master not discovered or elected yet, an election requires at least 2 nodes with ids from [ddeZ8y5iTTKvNFGaWINowA, V6XBAGPMQBqi4JoQKdH_iQ, PAnaiq_iT5OkcerxQgKmdQ], have discovered [{tbds-172-27-0-174}{ddeZ8y5iTTKvNFGaWINowA}{koDe1kE1TOy93i0cuJvcdQ}{tbds-172-27-0-174}{172.27.0.174:9300}{dilm}{ml.machine_memory=33568198656, xpack.installed=true, ml.max_open_jobs=20}] which is not a quorum; discovery will continue using [172.27.0.90:9300, 172.27.0.221:9300] from hosts providers and [{tbds-172-27-0-174}{ddeZ8y5iTTKvNFGaWINowA}{koDe1kE1TOy93i0cuJvcdQ}{tbds-172-27-0-174}{172.27.0.174:9300}{dilm}{ml.machine_memory=33568198656, xpack.installed=true, ml.max_open_jobs=20}] from last-known cluster state; node term 5, last-accepted version 227 in term 5
This problem is caused by multiple master addresses being configured in the configuration file. Modify the ES configuration so that only one master address remains, and change it back after the authentication setup is complete. The fix is as follows
(1) Pick any one ES node as the master, log in to that server, and edit /etc/elasticsearch/elasticsearch.yml so that cluster.initial_master_nodes lists only the master node
(2) Log in to the other ES nodes and edit /etc/elasticsearch/elasticsearch.yml
Comment out the node.master parameter and keep only the master node in cluster.initial_master_nodes
(3) After all nodes have been modified, restart the ES service
[root@tbds-172-27-0-174 elasticsearch]# su elasticsearch
[elasticsearch@tbds-172-27-0-174 elasticsearch]$ cat /var/run/elasticsearch/elasticsearch.pid |xargs kill
[elasticsearch@tbds-172-27-0-174 elasticsearch]$ /usr/share/elasticsearch/bin/elasticsearch -p /var/run/elasticsearch/elasticsearch.pid -d
2. When the ES service is started, the ES log reports No available authentication scheme
[2020-12-17T16:49:59,210][WARN ][o.e.t.TcpTransport ] [tbds-172-27-0-174] exception caught on transport layer [Netty4TcpChannel{localAddress=/172.27.0.174:9300, remoteAddress=/172.27.0.221:16449}], closing connection
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: No available authentication scheme
This problem is caused by the CA certificate not being configured; the error disappears once the certificates are configured as described in step 4 of this document