在Elasticsearch 8.x正确创建Kibana Service Account Token

1. 创建 Kibana Token

1
2
3
curl -X POST "http://localhost:9200/_security/service/elastic/kibana/credential/token/kibana" \
-u elastic:321.321 \
-H "Content-Type: application/json"

也可以写成:

1
2
curl -X POST "http://localhost:9200/_security/service/elastic/kibana/credential/token/kibana?pretty" \
-u elastic:321.321

由于该接口没有 Request Body,因此无需 -d '{}'
返回示例:

1
2
3
4
5
6
7
{
"created": true,
"token": {
"name": "kibana",
"value": "AAEAAWVsYXN0aWMva2liYW5hL2tpYmFuYTo2eE1..."
}
}

其中:

1
token.value

就是需要填入 .env 的值:

1
ES_TOKEN=AAEAAWVsYXN0aWMva2liYW5hL2tpYmFuYTo2eE1...

然后重启 Kibana:

1
docker compose restart kibana

2. 查看当前已有的 Token

1
2
curl -X GET "http://localhost:9200/_security/service/elastic/kibana/credential?pretty" \
-u elastic:321.321

返回类似:

1
2
3
4
5
6
7
8
9
10
11
12
{
"service_account": "elastic/kibana",
"count": 2,
"tokens": [
{
"name": "kibana"
},
{
"name": "kibana-prod"
}
]
}

3. 删除旧 Token

例如删除 kibana

1
2
curl -X DELETE "http://localhost:9200/_security/service/elastic/kibana/credential/token/kibana?pretty" \
-u elastic:321.321

4. 验证 Token 是否可用

使用刚创建的 Token:

1
2
curl -X GET "http://localhost:9200/_security/_authenticate?pretty" \
-H "Authorization: Bearer AAEAAWVsYXN0aWMva2liYW5hL2tpYmFuYTo2eE1..."

正常会返回:

1
2
3
4
5
6
7
8
{
"username": "elastic/kibana",
"roles": [],
"authentication_type": "token",
"token": {
"name": "kibana"
}
}

5. Docker Compose 配置

Kibana 使用该 Token 时配置如下:

1
2
3
4
5
kibana:
image: docker.elastic.co/kibana/kibana:8.13.4
environment:
ELASTICSEARCH_HOSTS: http://elasticsearch:9200
ELASTICSEARCH_SERVICEACCOUNTTOKEN: ${ES_TOKEN}

.env

1
2
ELASTIC_PASSWORD=321.321
ES_TOKEN=AAEAAWVsYXN0aWMva2liYW5hL2tpYmFuYTo2eE1...

补充建议: 如果这是全新的单节点 Docker 环境,其实也可以直接让 Kibana 使用 kibana_system 用户认证:

1
2
3
4
environment:
ELASTICSEARCH_HOSTS: http://elasticsearch:9200
ELASTICSEARCH_USERNAME: kibana_system
ELASTICSEARCH_PASSWORD: <kibana_system密码>