Elasticsearch7.7设置账号密码时的逻辑矛盾问题
Posted BasicLab基础架构实验室
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Elasticsearch7.7设置账号密码时的逻辑矛盾问题相关的知识,希望对你有一定的参考价值。
2019年1月30日,外媒又报道了一起Elasticsearch数据泄露事件!2019年1月份的至少有6起Elasticsearch数据泄露事件了。原因何在,很简单,开发者在服务启动之后总是懒得去修改,哪怕是添加个密码,不信?你去看看你们公司的REDIS服务器,看看有多少设置了密码,至少我公司不相关的部门的业务,他们的REDIS我都能远程登录(因对接关系我知道了redis服务器IP)。
好吧,回到Elasticsearch7.7的密码设置问题上来吧,说说我遇到的Elasticsearch设置账号密码时的矛盾问题,很扯蛋。不过也不要上纲上线,因为这问题肯定是可以解决的,但我在写这篇笔记的时候还没有找到方法,而我又想基于此留下点笔记。操作过程如下:
#1.开始给elasticsearch设置密码
tiger@n21-045-025:/usr/share/elasticsearch$ sudo bin/elasticsearch-setup-passwords interactive
It doesn't look like the X-Pack security feature is enabled on this Elasticsearch node.
Please check if you have enabled X-Pack security in your elasticsearch.yml configuration file.
ERROR: X-Pack Security is disabled by configuration.
#提示没有在配置文件中开启X-Pack,OK
#2.开启X-Pack配置
tiger@n21-045-025:/opt/elasticsearch$ sudo vim /etc/elasticsearch/elasticsearch.yml
http.cors.enabled: true
http.cors.allow-origin: "*"
#新增加了以下两行配置
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
#3.增加完配置之后要重启elasticsearch不?你说不重启能行吗?不重启就还是没有配置啊。
#重启elasticsearch之后,然后我们再来配置密码
#修改完配置重启es之后使用elasticsearch-setup-passwords interactive
tiger@n21-045-025:/usr/share/elasticsearch$ sudo bin/elasticsearch-setup-passwords interactive
#Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Unexpected response code [503] from calling PUT http://192.21.15.25:9200/_security/user/apm_system/_password?pretty
Cause: Cluster state has not been recovered yet, cannot write to the [null] index
Possible next steps:
* Try running this tool again.
* Try running with the --verbose parameter for additional messages.
* Check the elasticsearch logs for additional error details.
* Use the change password API manually.
ERROR: Failed to set password for user [apm_system]
#看设置报错:
tiger@n21-045-025:/usr/share/elasticsearch$ sudo bin/elasticsearch-setup-passwords interactive --verbose
Running with configuration path: /etc/elasticsearch
Testing if bootstrap password is valid for http://192.21.15.25:9200/_security/_authenticate?pretty
Checking cluster health: http://192.21.15.25:9200/_cluster/health?pretty
"error" :
"root_cause" : [
"type" : "master_not_discovered_exception",
"reason" : null
],
"type" : "master_not_discovered_exception",
"reason" : null
,
"status" : 503
Failed to determine the health of the cluster running at http://192.21.15.25:9200
Unexpected response code [503] from calling GET http://192.21.15.25:9200/_cluster/health?pretty
Cause: master_not_discovered_exception
It is recommended that you resolve the issues with your cluster before running elasticsearch-setup-passwords.
It is very likely that the password changes will fail when run against an unhealthy cluster.
Do you want to continue with the password setup process [y/N]ERROR: User cancelled operation
看上面的报错,这时提示9200服务报503错误,什么原因呢?我设置了要要账号密码啊。现在从浏览器访问9200端口也是需要账号密码才能登录的,请求http://192.21.15.25:9200/_cluster/health?pretty接口也会阻塞一直不响应,因为在等待账号密码呢。
这就矛盾了:我没启用xpack.security.enabled时,不能进入设置密码。但我启动了之后设置密码时它会调用_cluster/health?pretty检查集群状态然后就有问题了。这不矛盾了吗?
网上找了一些资料,包括google,但也都没有解决:比如 https://stackoverflow.com/questions/61884976/apply-security-on-elk-cluster-authentication-issue 这里说把所有的节点都加上上面的X-pack配置重启,然后使用auto进行密码设置。一样会出现无法检查集群健康状态的问题。Failed to determine the health of the cluster running at http://192.21.15.25:9200 Unexpected response code [503] from calling GET http://192.21.15.25:9200/_cluster/health?pretty
这个肯定不能是个问题!这个也一定能解决的,暂时挺脑火,留个笔记在这里!
以上是关于Elasticsearch7.7设置账号密码时的逻辑矛盾问题的主要内容,如果未能解决你的问题,请参考以下文章