解决单台Elasticsearch 未授权访问漏洞

一、单机部署

1、新增密码

编辑配置文件 bin/elasticsearch.yml，新增配置

#开启密码验证
xpack.security.enabled: true
xpack.license.self_generated.type: basic
xpack.security.transport.ssl.enabled: true

如下截图所示：

2、java应用调用ES服务

报错提示没有用户信息：

Elasticsearch exception [type=security_exception, reason=missing authentication credentials for REST request [/seproject/_search?typed_keys=true&ignore_unavailable=false&expand_wildcards=open&allow_no_indices=true&ignore_throttled=true&search_type=query_then_fetch&batched_reduce_size=512&ccs_minimize_roundtrips=true]]

3、设置一下用户及密码

ES要先启动才能设置否则报错，如下图：

启动ES：

./elasticsearch -d

设置密码：

./elasticsearch-setup-passwords interactive

4、访问需要密码，输入刚才设置的密码就正常访问

5、java程序修改，新增用户及密码，密码放到配置里

    RestHighLevelClient client() {
        RestClientBuilder build = RestClient.builder(createHosts()).setRequestConfigCallback(new RestClientBuilder.RequestConfigCallback() {
            @Override
            public RequestConfig.Builder customizeRequestConfig(RequestConfig.Builder builder) {
                return builder.setConnectTimeout(5000 * 1000) // 连接超时（默认为1秒）
                        .setSocketTimeout(6000 * 1000);// 套接字超时（默认为30秒）//更改客户端的超时限制默认30秒现在改为100分钟
            }
        });
        //加密码后增加
        CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
        credentialsProvider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials(username, password));
        build.setHttpClientConfigCallback((HttpAsyncClientBuilder httpAsyncClientBuilder) -> httpAsyncClientBuilder.setDefaultCredentialsProvider(credentialsProvider));
       //加密码后增加
        RestHighLevelClient restHighLevelClient = new RestHighLevelClient(build);
        return restHighLevelClient;
    }

5、重启java应用再次访问，正常

6、Kibana，连不上

7、配置Kibana config/kinana.yml

默认是注释掉的

elasticsearch.username: kibana
elasticsearch.password: password

8、使用刚才设置密码的用户登录