# Elasticsearch Security Configuration

## 1. Security Overview

### 1.1 Security Features

```text
Elasticsearch security features
├── Authentication
│   └── Verifies user identity
├── Authorization
│   └── Controls access rights
├── Encryption
│   ├── TLS/SSL
│   └── Inter-node encryption
└── Auditing
    └── Records operation logs
```
### 1.2 Security Architecture

```text
Security architecture
├── Realms
│   ├── Native
│   ├── LDAP
│   ├── Active Directory
│   ├── SAML
│   └── OpenID Connect
├── Roles
│   └── Sets of privileges
└── Users
    └── Role assignments
```
## 2. Enabling Security

### 2.1 Enable the settings

```yaml
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
```
### 2.2 Generate certificates

```bash
./bin/elasticsearch-certutil ca
./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
```
### 2.3 Configure the certificates

```yaml
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.truststore.path: elastic-certificates.p12
```
### 2.4 Set passwords for the built-in users

```bash
./bin/elasticsearch-setup-passwords interactive
```

Or generate them automatically:

```bash
./bin/elasticsearch-setup-passwords auto
```
## 3. User Management

### 3.1 Create a user

```bash
POST /_security/user/john
{
  "password": "secret123",
  "roles": ["kibana_user"],
  "full_name": "John Doe",
  "email": "john@example.com"
}
```
### 3.2 View users

```bash
GET /_security/user
GET /_security/user/john
```
### 3.3 Modify a user

```bash
PUT /_security/user/john
{
  "password": "newsecret",
  "roles": ["kibana_user", "monitoring_user"]
}
```
### 3.4 Delete a user

```bash
DELETE /_security/user/john
```
### 3.5 Change a password

```bash
POST /_security/user/john/_password
{
  "password": "newpassword"
}
```
## 4. Role Management

### 4.1 Built-in roles

| Role | Description |
|---|---|
| superuser | Superuser; holds every privilege |
| kibana_admin | Kibana administrator |
| kibana_user | Kibana user |
| monitoring_user | Monitoring user |
| reporting_user | Reporting user |
| watcher_admin | Watcher administrator |
| watcher_user | Watcher user |
### 4.2 Create a role

```bash
PUT /_security/role/products_reader
{
  "indices": [
    {
      "names": ["products*"],
      "privileges": ["read", "view_index_metadata"]
    }
  ]
}
```
### 4.3 Index privileges

| Privilege | Description |
|---|---|
| all | All operations |
| create | Create documents |
| index | Index documents |
| delete | Delete documents |
| read | Read documents |
| write | Write documents |
| manage | Manage the index |
### 4.4 View roles

```bash
GET /_security/role
GET /_security/role/products_reader
```
### 4.5 Delete a role

```bash
DELETE /_security/role/products_reader
```
## 5. API Keys

### 5.1 Create an API key

```bash
POST /_security/api_key
{
  "name": "my-api-key",
  "role_descriptors": {
    "role-a": {
      "indices": [
        {
          "names": ["products*"],
          "privileges": ["read"]
        }
      ]
    }
  }
}
```

Response:

```json
{
  "id": "VuaCfGcBCdbkQm-e5aOx",
  "name": "my-api-key",
  "api_key": "ui2lp2axTNmsyakw9tvNnw",
  "encoded": "VnVhQ2ZHY0JDZGJrUW0tZTVhT3g6dWkybHAyYXhUTm1zeWFrdzl0dk5udw=="
}
```
### 5.2 Use an API key

```bash
curl -H "Authorization: ApiKey VnVhQ2ZHY0JDZGJrUW0tZTVhT3g6dWkybHAyYXhUTm1zeWFrdzl0dk5udw==" \
  https://localhost:9200/products/_search
```
### 5.3 View API keys

```bash
GET /_security/api_key
GET /_security/api_key?name=my-api-key
```
### 5.4 Invalidate an API key

```bash
DELETE /_security/api_key
{
  "name": "my-api-key"
}
```
## 6. Document-Level Security

### 6.1 Configure document-level security

```bash
PUT /_security/role/products_reader
{
  "indices": [
    {
      "names": ["products"],
      "privileges": ["read"],
      "query": "{\"term\": { \"brand\": \"apple\" }}"
    }
  ]
}
```
### 6.2 Field-level security

```bash
PUT /_security/role/products_reader
{
  "indices": [
    {
      "names": ["products"],
      "privileges": ["read"],
      "field_security": {
        "grant": ["name", "price"],
        "except": ["internal_field"]
      }
    }
  ]
}
```
## 7. TLS/SSL Configuration

### 7.1 HTTP-layer TLS

```yaml
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /path/to/key.pem
xpack.security.http.ssl.certificate: /path/to/cert.pem
xpack.security.http.ssl.certificate_authorities: /path/to/ca.pem
```
### 7.2 Transport-layer TLS

```yaml
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /path/to/key.pem
xpack.security.transport.ssl.certificate: /path/to/cert.pem
xpack.security.transport.ssl.certificate_authorities: /path/to/ca.pem
```
### 7.3 Verification modes

| Mode | Description |
|---|---|
| none | No certificate verification |
| certificate | Verifies the certificate |
| full | Verifies the certificate and the host name |
## 8. Audit Logging

### 8.1 Enable auditing

```yaml
xpack.security.audit.enabled: true
xpack.security.audit.outputs: [index, logfile]
```
### 8.2 Audit events

```yaml
xpack.security.audit.events.include: [
  "access_denied",
  "authentication_failed",
  "connection_denied",
  "anonymous_access_denied"
]
```
### 8.3 Query the audit log

```bash
GET /.security-audit-*/_search
{
  "query": {
    "match_all": {}
  }
}
```
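As an added check (example code, not from the original page or from Elastic), the following script parses flat `elasticsearch.yml` settings like those in sections 2, 7 and 8 and flags the weak values (TLS off, `verification_mode: none`, auditing off). Both sample configurations inside it are constructed for illustration.

```python
"""Check elasticsearch.yml settings against what this page enables (sections 2, 7, 8).
Added example, not from the original page; both sample configs are constructed."""

# Constructed: security on, but HTTP TLS off, no peer verification, no audit.
WEAK_CONFIG = """\
xpack.security.enabled: true
xpack.security.http.ssl.enabled: false
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: none
xpack.security.audit.enabled: false
"""
# Constructed: the settings from sections 2.1 and 8.1, with verification_mode set to full.
HARDENED_CONFIG = """\
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: full
xpack.security.audit.enabled: true
xpack.security.audit.outputs: [index, logfile]
"""

def parse_settings(text: str) -> dict:
    """Parse single-line `dotted.key: value` settings; comments and blanks are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue  # multi-line YAML lists are out of scope for this checker
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def audit_security(settings: dict) -> list:
    """Return one finding per weak or missing setting; an empty list means OK."""
    def on(key: str) -> bool:  # a missing key is treated as off (conservative)
        return settings.get(key, "false").lower() == "true"

    findings = []
    if not on("xpack.security.enabled"):
        findings.append("xpack.security.enabled is not true: no authentication or authorization")
    if not on("xpack.security.http.ssl.enabled"):
        findings.append("HTTP TLS disabled: passwords and API keys cross the network in clear text")
    if not on("xpack.security.transport.ssl.enabled"):
        findings.append("transport TLS disabled: node-to-node traffic is unencrypted")
    if settings.get("xpack.security.transport.ssl.verification_mode", "full") == "none":
        findings.append("verification_mode is none: peer certificates are not checked")
    if not on("xpack.security.audit.enabled"):
        findings.append("audit disabled: access_denied and authentication_failed are not recorded")
    return findings
```

Run `audit_security(parse_settings(open("config/elasticsearch.yml").read()))` against a real node's config to get the list of findings.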
## 9. Security Best Practices

### 9.1 Basic principles

```text
Security principles
├── Least privilege
│   └── Grant only the privileges that are needed
├── Enable authentication
│   └── Every access must be authenticated
├── Enable encryption
│   └── Encrypt communication with TLS/SSL
├── Audit regularly
│   └── Review users and privileges
└── Rotate passwords
    └── Change passwords periodically
```
### 9.2 Network security

```text
Network security
├── Restrict source IPs
│   └── Firewall rules
├── Use a VPN
│   └── Access over a private network
├── Disable unnecessary ports
│   └── Open only the ports that are needed
└── Use a proxy
    └── Nginx/HAProxy
```
### 9.3 Password policy

```text
Password policy
├── Length requirement
│   └── At least 12 characters
├── Complexity requirement
│   └── Upper and lower case + digits + special characters
├── Periodic rotation
│   └── 90 days recommended
└── History check
    └── Recently used passwords cannot be reused
```
## 10. Summary

This chapter covered Elasticsearch security configuration:

- Enabling security requires configuring authentication and encryption
- Users and roles control access rights
- API keys are used for programmatic access
- Document-level and field-level security provide fine-grained control
- TLS/SSL protects communication
- Audit logs record operations

Next, we will look at backup and restore.

Last updated: 2026-03-27