Elasticsearch moves fast: when I first started playing with it, it was Elasticsearch 5, and it has now reached Elasticsearch 7. I hear that in Elasticsearch 7.x some X-Pack features no longer require a paid licence and can be turned on directly, but many companies are still running Elasticsearch 6.x. The biggest problem with Elasticsearch is that versions are not backward compatible: Elasticsearch 5 still allowed multiple mapping types per index, Elasticsearch 6 removed that concept outright, and so you cannot upgrade straight from 5 to 6. Today, while writing the Java side, I found that the X-Pack client does not even share a parent class with the client connection we normally use, which is a real headache.
I. Overview
Versions before Elasticsearch 6 required X-Pack to be installed separately. This article is based on ES 6.6.2, which ships with X-Pack bundled.
II. Enabling and configuring X-Pack
1. Enable the license mechanism
curl -H "Content-Type:application/json" -XPOST http://localhost:9200/_xpack/license/start_trial?acknowledge=true
{"acknowledged":true,"trial_was_started":true,"type":"trial"}
The response shows that the trial has been started. Querying the _license endpoint now shows the state of the Elasticsearch license:
[root@node14 es]# curl -XGET http://127.0.0.1:9200/_license
{
  "license" : {
    "status" : "active",
    "uid" : "8529d6f9-2bb5-4116-800b-d8ca19ce3600",
    "type" : "trial",
    "issue_date" : "2019-12-03T07:49:02.864Z",
    "issue_date_in_millis" : 1575359342864,
    "expiry_date" : "2020-01-02T07:49:02.864Z",
    "expiry_date_in_millis" : 1577951342864,
    "max_nodes" : 1000,
    "issued_to" : "powercloud_log",
    "issuer" : "elasticsearch",
    "start_date_in_millis" : -1
  }
}
Since this is a paid feature, the trial can in fact only be used for 30 days.
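Because a trial that quietly expires is an operational risk, a small check over the /_license response is worth having in monitoring. The following is an added example, not code from the post or from Elastic: it parses the trial license document shown above (embedded here as a constructed sample, not fetched live), computes the validity window and the days left relative to a supplied timestamp, and returns findings an operator should act on. The seven-day warning threshold is an assumption.

```python
import json
from datetime import datetime, timezone

# Constructed sample: the trial license document that GET /_license returned
# in the section above (values copied from that output, not fetched live).
TRIAL_LICENSE_RESPONSE = """{
  "license" : {
    "status" : "active",
    "uid" : "8529d6f9-2bb5-4116-800b-d8ca19ce3600",
    "type" : "trial",
    "issue_date_in_millis" : 1575359342864,
    "expiry_date_in_millis" : 1577951342864,
    "max_nodes" : 1000,
    "issued_to" : "powercloud_log",
    "issuer" : "elasticsearch"
  }
}"""

MS_PER_DAY = 86_400_000
WARN_DAYS = 7  # assumed alerting threshold; choose what your change window needs


def check_license(response_text, now_ms):
    """Summarise a /_license response and list anything an operator should act on.

    now_ms is passed in (epoch milliseconds) so the check is deterministic;
    in production use int(time.time() * 1000).
    """
    lic = json.loads(response_text)["license"]
    issue_ms = lic["issue_date_in_millis"]
    expiry_ms = lic["expiry_date_in_millis"]
    validity_days = (expiry_ms - issue_ms) / MS_PER_DAY
    days_left = (expiry_ms - now_ms) / MS_PER_DAY

    findings = []
    if lic.get("status") != "active":
        findings.append(f"license status is {lic.get('status')!r}, not 'active'")
    if lic.get("type") == "trial":
        findings.append(
            f"trial license: valid for {validity_days:g} days in total, "
            "plan the follow-up before it runs out"
        )
    if days_left <= 0:
        findings.append("license has expired")
    elif days_left <= WARN_DAYS:
        findings.append(f"license expires in {days_left:.1f} days")

    return {
        "type": lic.get("type"),
        "status": lic.get("status"),
        "expires": datetime.fromtimestamp(expiry_ms / 1000, tz=timezone.utc).isoformat(),
        "validity_days": validity_days,
        "days_left": days_left,
        "findings": findings,
    }


if __name__ == "__main__":
    # Evaluate the sample on the day it was issued: 30 days of trial remain.
    report = check_license(TRIAL_LICENSE_RESPONSE, now_ms=1575359342864)
    print(json.dumps(report, indent=2))
```

Run against the sample on its issue date, the report gives a 30-day validity window, which matches the 30-day trial mentioned above; with a later timestamp it flags the approaching or past expiry.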
2. Edit the configuration to turn on security
vim config/elasticsearch.yml
Add the following setting:
xpack.security.enabled: true
Restart Elasticsearch after making the change.
3. Set usernames and passwords
./bin/elasticsearch-setup-passwords interactive
[root@node14 config]# ./bin/elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y
Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Passwords do not match.
Try again.
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Passwords do not match.
Try again.
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]
I set the password to elastic for every user here.
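The setup tool prompts for six reserved users in turn, so it is easy to end up with one password everywhere. As an added example (not part of the post and not an Elastic tool), the following applies a simple policy to a proposed set of passwords for those users: minimum length, not equal to the username or a well-known default, and no reuse across accounts; it also generates one independent random password per user. The 12-character minimum and the deny list are assumptions, not the setup tool's own rules.

```python
import secrets

# The reserved users that elasticsearch-setup-passwords prompts for (from the session above).
RESERVED_USERS = ("elastic", "apm_system", "kibana", "logstash_system",
                  "beats_system", "remote_monitoring_user")

MIN_LENGTH = 12  # assumed local policy, not the setup tool's own minimum
# Constructed deny list of defaults that show up in scans of exposed clusters.
DENY_LIST = {"changeme", "password", "elastic", "elasticsearch", "123456"}


def check_password_set(passwords):
    """Return policy findings for a {user: password} mapping; an empty list means OK."""
    findings = []
    for user in RESERVED_USERS:
        if user not in passwords:
            findings.append(f"{user}: no password supplied")

    users_by_password = {}
    for user, pw in passwords.items():
        if len(pw) < MIN_LENGTH:
            findings.append(f"{user}: shorter than {MIN_LENGTH} characters")
        if pw.lower() == user.lower() or pw.lower() in DENY_LIST:
            findings.append(f"{user}: password equals the username or a well-known default")
        users_by_password.setdefault(pw, []).append(user)

    for users in users_by_password.values():
        if len(users) > 1:
            findings.append("same password reused by: " + ", ".join(users))
    return findings


def generate_password_set(length_bytes=18):
    """One independent random password per reserved user, from the secrets module."""
    return {user: secrets.token_urlsafe(length_bytes) for user in RESERVED_USERS}


if __name__ == "__main__":
    same_everywhere = {user: "elastic" for user in RESERVED_USERS}
    for finding in check_password_set(same_everywhere):
        print("FINDING:", finding)
    print("generated set findings:", check_password_set(generate_password_set()))
```

Feeding the generated set into the interactive prompts (or into your secret store) gives each service account its own credential, so that a leaked kibana or logstash_system password does not also hand over the elastic superuser.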
4. View the license
At this point you will find that you have to log in with the password we just set:
5. Cracking X-Pack
Don't blink here: just like in your calculus class, the moment you bend down to pick up a pen, you may never understand the course again.
Create two Java files:
(1) LicenseVerifier.java
package org.elasticsearch.license;

import java.nio.*;
import java.util.*;
import java.security.*;
import org.elasticsearch.common.xcontent.*;
import org.apache.lucene.util.*;
import org.elasticsearch.common.io.*;
import java.io.*;

public class LicenseVerifier {
    public static boolean verifyLicense(final License license, final byte[] encryptedPublicKeyData) {
        return true;
    }

    public static boolean verifyLicense(final License license) {
        return true;
    }
}
(2) XPackBuild.java
package org.elasticsearch.xpack.core;

import org.elasticsearch.common.io.*;
import java.net.*;
import org.elasticsearch.common.*;
import java.nio.file.*;
import java.io.*;
import java.util.jar.*;

public class XPackBuild {
    public static final XPackBuild CURRENT;
    private String shortHash;
    private String date;

    @SuppressForbidden(reason = "looks up path of xpack.jar directly")
    static Path getElasticsearchCodebase() {
        final URL url = XPackBuild.class.getProtectionDomain().getCodeSource().getLocation();
        try {
            return PathUtils.get(url.toURI());
        } catch (URISyntaxException bogus) {
            throw new RuntimeException(bogus);
        }
    }

    XPackBuild(final String shortHash, final String date) {
        this.shortHash = shortHash;
        this.date = date;
    }

    public String shortHash() {
        return this.shortHash;
    }

    public String date() {
        return this.date;
    }

    static {
        final Path path = getElasticsearchCodebase();
        String shortHash = null;
        String date = null;
        Label_0157: {
            shortHash = "Unknown";
            date = "Unknown";
        }
        CURRENT = new XPackBuild(shortHash, date);
    }
}
Compile them to .class files:
[root@node14 lib]# javac -cp "/app/soft/elasticsearch-6.6.2/lib/elasticsearch-6.6.2.jar:/app/soft/elasticsearch-6.6.2/lib/lucene-core-7.6.0.jar:/app/soft/elasticsearch-6.6.2/modules/x-pack-core/x-pack-core-6.6.2.jar:/app/soft/elasticsearch-6.6.2/lib/elasticsearch-core-6.6.2.jar" LicenseVerifier.java
[root@node14 lib]# javac -cp "/app/soft/elasticsearch-6.6.2/lib/elasticsearch-6.6.2.jar:/app/soft/elasticsearch-6.6.2/lib/lucene-core-7.6.0.jar:/app/soft/elasticsearch-6.6.2/modules/x-pack-core/x-pack-core-6.6.2.jar:/app/soft/elasticsearch-6.6.2/lib/elasticsearch-core-6.6.2.jar" XPackBuild.java
The goal now is to replace the two corresponding .class files inside the x-pack jar with these. First unpack the jar:
[root@node14 lib]# mkdir x-pack-core-6.6.2
[root@node14 lib]# unzip ../modules/x-pack-core/x-pack-core-6.6.2.jar -d x-pack-core-6.6.2/
The extracted contents are now visible. Copy the compiled classes into the extracted directory:
[root@node14 lib]# cp LicenseVerifier.class x-pack-core-6.6.2/org/elasticsearch/license/
cp:是否覆盖"x-pack-core-6.6.2/org/elasticsearch/license/LicenseVerifier.class"? y
[root@node14 lib]# cp XPackBuild.class x-pack-core-6.6.2/org/elasticsearch/xpack/core/
cp:是否覆盖"x-pack-core-6.6.2/org/elasticsearch/xpack/core/XPackBuild.class"? y
Build the jar:
cd x-pack-core-6.6.2
jar -cvf x-pack-core-6.6.2.jar *
The new jar now exists in this directory. Replace the old jar with it:
mv modules/x-pack-core/x-pack-core-6.6.2.jar modules/x-pack-core/x-pack-core-6.6.2.jar_bak
cp lib/x-pack-core-6.6.2.jar modules/x-pack-core/
6. Edit the configuration file
vim config/elasticsearch.yml
Add xpack.security.transport.ssl.enabled: true
7. Restart
8. Register a free "Free Basic License" on the Elastic website
https://register.elastic.co/registration
Edit the file: mainly change type to platinum and set expiry_date_in_millis to a date in the year 2100:
{"license":{"uid":"b0bf08f2-3092-4ef7-83c3-f4e7a55f1907","type":"platinum","issue_date_in_millis":1575331200000,"expiry_date_in_millis":4104439611971,"max_nodes":100,"issued_to":"Young Lu (powersi)","issuer":"Web Form","signature":"AAAAAwAAAA0EywvzQfJ8binnR+HoAAABmC9ZN0hjZDBGYnVyRXpCOW5Bb3FjZDAxOWpSbTVoMVZwUzRxVk1PSmkxaktJRVl5MUYvUWh3bHZVUTllbXNPbzBUemtnbWpBbmlWRmRZb25KNFlBR2x0TXc2K2p1Y1VtMG1UQU9TRGZVSGRwaEJGUjE3bXd3LzRqZ05iLzRteWFNekdxRGpIYlFwYkJiNUs0U1hTVlJKNVlXekMrSlVUdFIvV0FNeWdOYnlESDc3MWhlY3hSQmdKSjJ2ZTcvYlBFOHhPQlV3ZHdDQ0tHcG5uOElCaDJ4K1hob29xSG85N0kvTWV3THhlQk9NL01VMFRjNDZpZEVXeUtUMXIyMlIveFpJUkk2WUdveEZaME9XWitGUi9WNTZVQW1FMG1DenhZU0ZmeXlZakVEMjZFT2NvOWxpZGlqVmlHNC8rWVVUYzMwRGVySHpIdURzKzFiRDl4TmM1TUp2VTBOUlJZUlAyV0ZVL2kvVk10L0NsbXNFYVZwT3NSU082dFNNa2prQ0ZsclZ4NTltbU1CVE5lR09Bck93V2J1Y3c9PQAAAQAiwLIGKP6RwVb+9RCLo0jPIuwxy0BVFd03wk/pQ5TRt0NQGbixaE0SV3SdTELJK9jKvd8GQrKWllcfHam5H/X5LEtpueMXkuU/0lWgMFaPmV9bReJ1CtiY0qQTazEm0woHtYsNtO8pH3g8YFdneXuFKQ48fOdvlV0WomzrdMDAwDPnLy4w9R38n0glmU/LKlkj9nOqGSx0LiAATpueJvsV9U1jSaoPvCkpAARykFHhhJDbvHJyG8g1PF4YGLjSk25ny6HKOTL6weDUkGoEAbQYxVXSSbd6rpoCQaKWv4J2DRDfALHcsM9ywFy1x4fq7QEiJzFUdiX3YRz732oZN/nb","start_date_in_millis":1575331200000}}
Upload it to the server. For example, I uploaded it into the config directory:
[root@node14 config]# curl -XPUT -u elastic:elastic 'http://127.0.0.1:9200/_xpack/license?acknowledge=true' -H "Content-Type: application/json" -d @young-lu-b0bf08f2-3092-4ef7-83c3-f4e7a55f1907-v5.json
{"acknowledged":true,"license_status":"valid"}
[root@node14 config]# curl -XGET -u elastic:elastic http://127.0.0.1:9200/_license
{
  "license" : {
    "status" : "active",
    "uid" : "b0bf08f2-3092-4ef7-83c3-f4e7a55f1907",
    "type" : "platinum",
    "issue_date" : "2019-12-03T00:00:00.000Z",
    "issue_date_in_millis" : 1575331200000,
    "expiry_date" : "2100-01-24T02:06:51.971Z",
    "expiry_date_in_millis" : 4104439611971,
    "max_nodes" : 100,
    "issued_to" : "Young Lu (powersi)",
    "issuer" : "Web Form",
    "start_date_in_millis" : 1575331200000
  }
}
III. Cluster configuration
1. Edit elasticsearch.yml
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
2. Generate certificates
[root@node14 bin]# bin/elasticsearch-certutil ca
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.
The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.
Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority
By default the 'ca' mode produces a single PKCS#12 output file which holds:
* The CA certificate
* The CA's private key
If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key
Please enter the desired output file [elastic-stack-ca.p12]:
Enter password for elastic-stack-ca.p12 :
[root@node14 bin]# bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.
The 'cert' mode generates X.509 certificate and private keys.
* By default, this generates a single certificate and key for use
on a single instance.
* The '-multiple' option will prompt you to enter details for multiple
instances and will generate a certificate and key for each one
* The '-in' option allows for the certificate generation to be automated by describing
the details of each instance in a YAML file
* An instance is any piece of the Elastic Stack that requires a SSL certificate.
Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
may all require a certificate and private key.
* The minimum required value for each instance is a name. This can simply be the
hostname, which will be used as the Common Name of the certificate. A full
distinguished name may also be used.
* A filename value may be required for each instance. This is necessary when the
name would result in an invalid file or directory name. The name provided here
is used as the directory name (within the zip) and the prefix for the key and
certificate files. The filename is required if you are prompted and the name
is not displayed in the prompt.
* IP addresses and DNS names are optional. Multiple values can be specified as a
comma separated string. If no IP addresses or DNS names are provided, you may
disable hostname verification in your SSL configuration.
* All certificates generated by this tool will be signed by a certificate authority (CA).
* The tool can automatically generate a new CA for you, or you can provide your own with the
-ca or -ca-cert command line options.
By default the 'cert' mode produces a single PKCS#12 output file which holds:
* The instance certificate
* The private key for the instance certificate
* The CA certificate
If you specify any of the following options:
* -pem (PEM formatted output)
* -keep-ca-key (retain generated CA key)
* -multiple (generate multiple certificates)
* -in (generate certificates from an input file)
then the output will be be a zip file containing individual certificate/key files
Enter password for CA (elastic-stack-ca.p12) :
Please enter the desired output file [elastic-certificates.p12]:
Enter password for elastic-certificates.p12 :
Certificates written to /app/soft/elasticsearch-6.6.2/bin/elastic-certificates.p12
This file should be properly secured as it contains the private key for
your instance.
This file is a self contained file and can be copied and used 'as is'
For each Elastic product that you wish to configure, you should copy
this '.p12' file to the relevant configuration directory
and then follow the SSL configuration instructions in the product guide.
For client applications, you may only need to copy the CA certificate and
configure the client to trust this certificate.
The first command generated the CA file elastic-stack-ca.p12; the second generated the node certificate file elastic-certificates.p12.
3. Store the passwords in the keystore:
[root@node14 elasticsearch-6.6.2]# bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
Enter value for xpack.security.transport.ssl.keystore.secure_password:
[root@node14 elasticsearch-6.6.2]# bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
Enter value for xpack.security.transport.ssl.truststore.secure_password:
4. Copy the configuration to the other machines in the cluster
Copy elasticsearch.keystore and elastic-certificates.p12 into the config directory, then restart:
[root@node14 log]# curl -u elastic:elastic -XGET http://127.0.0.1:9200/_cat/health?v
epoch timestamp cluster status node.total node.data shards pri relo init unassign pending_tasks max_task_wait_time active_shards_percent
1575365534 09:32:14 powercloud_log green 2 2 2 1 0 0 0 0 - 100.0%
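Steps 1 to 4 of the cluster configuration have to agree on every node: the yml settings, the .p12 file they point to, and the two secure_password entries in the keystore. The following is an added example, not code from the post or from Elastic, that audits one node's configuration offline. It parses the flat key: value lines used on this page (a deliberately minimal parser, not a YAML library), and takes the output of elasticsearch-keystore list and the file names in the config directory as plain Python lists; the sample inputs are constructed from the settings shown in sections II and III. It assumes, as Elasticsearch does, that keystore and truststore paths resolve relative to the config directory.

```python
# Constructed samples: the single-node setting from section II and the
# cluster settings from section III above, as the text of elasticsearch.yml.
SINGLE_NODE_YML = "xpack.security.enabled: true\n"

CLUSTER_YML = """
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
"""

REQUIRED_TRUE = (
    "xpack.security.enabled",
    "xpack.security.transport.ssl.enabled",
)
PATH_KEYS = (
    "xpack.security.transport.ssl.keystore.path",
    "xpack.security.transport.ssl.truststore.path",
)
SECURE_KEYS = (
    "xpack.security.transport.ssl.keystore.secure_password",
    "xpack.security.transport.ssl.truststore.secure_password",
)


def parse_flat_yaml(text):
    """Parse the flat 'key: value' lines used on this page (no nesting, no lists).

    Comments after '#' and blank lines are skipped; quotes around values are removed.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if sep:
            settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit_transport_security(yml_text, keystore_keys, config_dir_files):
    """Findings for one node.

    yml_text: contents of elasticsearch.yml
    keystore_keys: names printed by 'bin/elasticsearch-keystore list'
    config_dir_files: file names present in the config directory
    Returns a list of findings; an empty list means the node matches section III.
    """
    s = parse_flat_yaml(yml_text)
    findings = []
    for key in REQUIRED_TRUE:
        if s.get(key, "").lower() != "true":
            findings.append(f"{key} is not explicitly set to true")
    if s.get("xpack.security.transport.ssl.verification_mode", "").lower() == "none":
        findings.append("verification_mode none: peer certificates are not validated")
    for key in PATH_KEYS:
        path = s.get(key)
        if not path:
            findings.append(f"{key} is not set")
        elif path not in config_dir_files:
            findings.append(f"{key} = {path} but no such file in the config directory")
    for key in SECURE_KEYS:
        if key not in keystore_keys:
            findings.append(f"{key} missing from elasticsearch.keystore")
    return findings


if __name__ == "__main__":
    print("section II, single node:")
    for f in audit_transport_security(SINGLE_NODE_YML, [], []):
        print("  FINDING:", f)
    print("section III, node with keystore and certificate copied:")
    ok = audit_transport_security(
        CLUSTER_YML, list(SECURE_KEYS),
        ["elasticsearch.yml", "elasticsearch.keystore", "elastic-certificates.p12"],
    )
    print("  findings:", ok or "none")
```

Note that the verification_mode used on this page, certificate, validates the certificate chain but not the hostname, so the audit only flags none; tightening to full requires certificates generated with the node's DNS names or IP addresses, which certutil offers as an option in the session above.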