问题描述
我正在尝试在我们的 ELK 堆栈中启用基本身份验证。以下步骤已尝试启用身份验证
1. docker run -d -e "discovery.type=single-node" docker.elastic.co/elasticsearch/elasticsearch:7.10.1
2. docker exec -it stoic_darwin /bin/bash
3. In side the container executed # bin/elasticsearch-certutil ca
4. No password entered and exited from the container.
5. copied the generated file to host system - docker cp stoic_darwin:/usr/share/elasticsearch/elastic-stack-ca.p12 .
6. Updated the docker-compose file as below.
version: '3'
services:
elasticsearch:
image: docker.elastic.co/elasticsearch/elasticsearch:7.10.1
container_name: elasticsearch
environment:
- node.name=elasticsearch
- discovery.seed_hosts=elasticsearch
- cluster.initial_master_nodes=elasticsearch
- cluster.name=docker-cluster
- bootstrap.memory_lock=true
- "ES_JAVA_OPTS=-xms512m -Xmx512m"
- xpack.security.enabled=true
- xpack.security.transport.ssl.enabled=true
- xpack.security.transport.ssl.keystore.type=PKCS12
- xpack.security.transport.ssl.verification_mode=certificate
- xpack.security.transport.ssl.keystore.path=elastic-stack-ca.p12
- xpack.security.transport.ssl.truststore.path=elastic-stack-ca.p12
- xpack.security.transport.ssl.truststore.type=PKCS12
ulimits:
memlock:
soft: -1
hard: -1
volumes:
- ./elastic-stack-ca.p12:/usr/share/elasticsearch/config/elastic-stack-ca.p12
- esdata1:/usr/share/elasticsearch/data
ports:
- 9200:9200
kibana:
image: docker.elastic.co/kibana/kibana:7.10.1
container_name: kibana
environment:
ELASTICSEARCH_URL: "http://elasticsearch:9200"
ELASTICSEARCH_USERNAME: "kibana"
ELASTICSEARCH_PASSWORD: "kibana"
ports:
- 5601:5601
depends_on:
- elasticsearch
volumes:
esdata1:
driver: local
7. # docker-compose up -d elasticsearch
8. But it fails with below errors.
elasticsearch | "at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:524) ~[?:?]",elasticsearch | ElasticsearchSecurityException[Failed to load SSL configuration [xpack.security.transport.ssl]]; nested: ElasticsearchException[Failed to initialize SSL TrustManager - not permitted to read truststore file [/usr/share/elasticsearch/config/elastic-stack-ca.p12]]; nested: AccessDeniedException[/usr/share/elasticsearch/config/elastic-stack-ca.p12];
elasticsearch | Likely root cause: java.nio.file.AccessDeniedException: /usr/share/elasticsearch/config/elastic-stack-ca.p12
elasticsearch | at java.base/sun.nio.fs.UnixException.translatetoIOException(UnixException.java:90)
elasticsearch | at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106)
elasticsearch | at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
elasticsearch | at java.base/sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:218)
elasticsearch | "at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:142) ~[?:?]",elasticsearch | "at org.elasticsearch.xpack.core.XPackPlugin.createSSLService(XPackPlugin.java:455) ~[?:?]",elasticsearch | "at org.elasticsearch.xpack.core.XPackPlugin.createComponents(XPackPlugin.java:288) ~[?:?]",elasticsearch | "at org.elasticsearch.node.Node.lambda$new$15(Node.java:553) ~[elasticsearch-7.10.1.jar:7.10.1]",elasticsearch | "at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:271) ~[?:?]",elasticsearch | "at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1625) ~[?:?]",elasticsearch | "at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484) ~[?:?]",elasticsearch | at java.base/java.nio.file.Files.newByteChannel(Files.java:375)
我相信启用 ELK 的基本身份验证需要 SSL 证书才能连接到单个/多个集群。那么我该如何解决这个错误?
还有没有办法生成证书Performed at step-3并使用 docker-compose 本身中的 bin/elasticsearch-setup-passwords interactive 命令设置内置用户密码?
(或)如果有任何简单的方法可以通过 docker compose 启用身份验证,将会有所帮助。请帮助我的步骤。提前致谢。
上述错误是由于权限已修改权限并已修复。现在我的 logstash 有争议地抛出错误。
logstash | [2021-01-27T06:27:42,365][ERROR][logstash.licensechecker.licensereader] Unable to retrieve license @R_581_4045@ion from license server {:message=>"Got response code '401' contacting Elasticsearch at URL 'http://elasticsearch:9200/_xpack'"}
logstash | [2021-01-27T06:27:42,738][WARN ][logstash.licensechecker.licensereader] Attempted to resurrect connection to dead ES instance,but got an error. {:url=>"http://elasticsearch:9200/",:error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::BadResponseCodeError,:error=>"Got response code '401' contacting Elasticsearch at URL 'http://elasticsearch:9200/'"}
logstash | [2021-01-27T06:28:12,358][ERROR][logstash.licensechecker.licensereader] Unable to retrieve license @R_581_4045@ion from license server {:message=>"Got response code '401' contacting Elasticsearch at URL 'http://elasticsearch:9200/_xpack'"}
logstash | [2021-01-27T06:28:12,753][WARN ][logstash.licensechecker.licensereader] Attempted to resurrect connection to dead ES instance,:error=>"Got response code '401' contacting Elasticsearch at URL 'http://elasticsearch:9200/'"}
logstash | [2021-01-27T06:28:42,366][ERROR][logstash.licensechecker.licensereader] Unable to retrieve license @R_581_4045@ion from license server {:message=>"Got response code '401' contacting Elasticsearch at URL 'http://elasticsearch:9200/_xpack'"}
logstash | [2021-01-27T06:28:42,766][WARN ][logstash.licensechecker.licensereader] Attempted to resurrect connection to dead ES instance,:error=>"Got response code '401' contacting Elasticsearch at URL 'http://elasticsearch:9200/'"}
在我的 logstash conf 文件中,output section 已经提供了身份验证凭据。
output {
elasticsearch {
action => "index"
hosts => "http://elasticsearch:9200"
index => "project-info"
user => "elastic"
password => "password"
解决方法
暂无找到可以解决该程序问题的有效方法,小编努力寻找整理中!
如果你已经找到好的解决方法,欢迎将解决方案带上本链接一起发送给小编。
小编邮箱:dio#foxmail.com (将#修改为@)