Integrating Search Guard with Elasticsearch + Logstash + Kibana 5.5.2 for user permission management (part 2)

Source: Internet  Published by: 高考志愿填报软件  Editor: 程序博客网  Time: 2024/06/06 03:44

In the previous post we finished configuring ELK with Search Guard, but our Logstash could only talk to a single Elasticsearch node, which is far from enough. We need to generate our own certificate files. Fortunately the vendor provides a tool for this, and also an online generator that supports up to 10 ES nodes; here we use the online generator.
URL: https://floragunn.com/tls-certificate-generator/

Fill in the form and submit it; all the certificate files are sent to your mailbox. Check carefully, as the mail may end up in the spam folder.
The file name and directory structure are shown below; copy one set to every ES node.
The archive contains a README.txt with the exact steps and the passwords that are used.

    search-guard-certificates-<UUID>.tar.gz
    │
    └─── client-certificates
    │        Contains two client certificates named 'admin' and 'demouser'
    │        The admin certificate can be used with sgadmin and the REST API.
    │        The CN of this certificate is 'sgadmin'. The demouser certificate can be used
    │        for HTTPS client authentication.
    └─── node-certificates
    │        Contains the certificates in jks, p12 and pem format to be used
    │        on your Elasticsearch nodes. You will find certificates for all
    │        hostnames you specified when submitting the form.
    └─── root-ca
    │        Contains the root CA certificate and private key.
    └─── config
    │        Same as above, but for the signing CA
    └─── truststore.jks
    │        The truststore containing the certificate chain
    │        of the root and signing CA. Can be used on all nodes.

First stop the whole cluster.
1. Copy truststore.jks and CN=[hostname]-keystore.jks (on every node)

* Copy the file 'truststore.jks' to the config directory of your node (just replace the existing one)
* Copy the file 'node-certificates/CN=[hostname]-keystore.jks' to the config directory of your node, where [hostname] is the hostname of your Elasticsearch node (copy the keystore file whose name matches each ES host's hostname)

2. Reconfigure ES. Replace the original demo configuration with the following (on every node)

    ######## Start Search Guard Demo Configuration ########
    searchguard.ssl.transport.keystore_filepath: CN=[hostname]-keystore.jks
    searchguard.ssl.transport.keystore_password: [keystore password for this node]
    searchguard.ssl.transport.truststore_filepath: truststore.jks
    searchguard.ssl.transport.truststore_password: 62ef1c559f6ba96e4ca1
    searchguard.ssl.transport.enforce_hostname_verification: false
    searchguard.ssl.http.enabled: true
    searchguard.ssl.http.keystore_filepath: CN=[hostname]-keystore.jks
    searchguard.ssl.http.keystore_password: [keystore password for this node]
    searchguard.ssl.http.truststore_filepath: truststore.jks
    searchguard.ssl.http.truststore_password: 62ef1c559f6ba96e4ca1
    searchguard.authcz.admin_dn:
      - CN=sgadmin
    ######## End Search Guard Demo Configuration ########

3. Start ES and copy the certificate files into the tools directory (on any one ES node)

* Copy the file 'truststore.jks' to the directory 'plugins/search-guard-5/tools'
* Copy the file 'client-certificates/CN=sgadmin-keystore.jks' to the directory 'plugins/search-guard-5/tools'

4. Re-initialize Search Guard (the passwords used here are listed in the README file; replace them with your own)

    ./sgadmin.sh -ts truststore.jks -tspass 62ef1c559f6ba96e4ca1 -ks CN=sgadmin-keystore.jks -kspass f0fbad3ec91139f75136 -nhnv -icl -cd ../sgconfig/

That completes the configuration on the ES side. As mentioned before, and stressed again here: whenever we change user permissions in sg_config, Search Guard has to be re-initialized.

Since we replaced the ES truststore, Logstash has to be reconfigured accordingly.

    elasticsearch {
        user => admin
        password => admin
        ssl => true
        ssl_certificate_verification => true
        truststore => "/etc/logstash/truststore.jks"
        truststore_password => "62ef1c559f6ba96e4ca1"
        hosts => [ "node1:9200","node2:9200","node3:9200" ]
        index => "mysql-%{+YYYY.MM.dd}"
    }

Don't forget to set up hostname resolution for the nodes in /etc/hosts.

For reference, this is the error Logstash reports when the truststore is misconfigured:

[2017-09-13T15:14:24,265][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"https://admin:xxxxxx@node1:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [https://admin:xxxxxx@node1:9200/][Manticore::ClientProtocolException] PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"}
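As an added example (not part of the original post), a small Python check that parses the Search Guard section of elasticsearch.yml from step 2 and reports, before the cluster is started, what would break TLS between the nodes or towards Logstash: a keystore that does not match the node's hostname, README placeholders left in place, a truststore password that differs from the one in the Logstash output, HTTPS disabled, or a missing CN=sgadmin admin DN. The sample node section, the hostname node1 and the http keystore password in it are constructed; only the truststore password comes from the post.

```python
def parse_sg_settings(text):
    """Parse flat 'key: value' lines; '- item' lines become a list under the preceding key."""
    settings, last_key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- ") and last_key is not None:
            settings.setdefault(last_key, []).append(line[2:].strip())
            continue
        key, _, value = line.partition(":")
        last_key = key.strip()
        settings[last_key] = value.strip() or []   # empty value: list header (admin_dn)
    return settings


def check_node(hostname, settings, logstash_truststore_password):
    """Return the problems that would break TLS for this node; empty list means consistent."""
    problems = []
    for layer in ("transport", "http"):
        p = f"searchguard.ssl.{layer}."
        # The generator names each node keystore after the hostname given in the form.
        if settings.get(p + "keystore_filepath") != f"CN={hostname}-keystore.jks":
            problems.append(f"{layer}: keystore_filepath is not CN={hostname}-keystore.jks")
        for field in ("keystore_password", "truststore_password"):
            val = settings.get(p + field) or ""
            if not val or val.startswith("["):      # "[keystore password for this node]"
                problems.append(f"{layer}: {field} still holds the README placeholder")
        # Logstash must trust the same CA chain, i.e. use the same generated truststore.jks.
        if settings.get(p + "truststore_password") != logstash_truststore_password:
            problems.append(f"{layer}: truststore_password differs from the Logstash output")
    if settings.get("searchguard.ssl.http.enabled") != "true":
        problems.append("http: searchguard.ssl.http.enabled must be true for Logstash over HTTPS")
    if "CN=sgadmin" not in settings.get("searchguard.authcz.admin_dn", []):
        problems.append("authcz.admin_dn must contain CN=sgadmin or sgadmin.sh is rejected")
    return problems


# Constructed sample for node1: every placeholder replaced except the transport keystore
# password, so the check has one real finding; the http keystore password is made up.
NODE1_YML = """
searchguard.ssl.transport.keystore_filepath: CN=node1-keystore.jks
searchguard.ssl.transport.keystore_password: [keystore password for this node]
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: 62ef1c559f6ba96e4ca1
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: CN=node1-keystore.jks
searchguard.ssl.http.keystore_password: 0123456789abcdef0123
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.truststore_password: 62ef1c559f6ba96e4ca1
searchguard.authcz.admin_dn:
  - CN=sgadmin
"""
```

Run `check_node("node1", parse_sg_settings(NODE1_YML), "62ef1c559f6ba96e4ca1")` once per node section with that node's hostname; anything it returns is a reason the node or Logstash will fail the TLS handshake, including the PKIX error shown above.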