[Elasticsearch] Hardening a cluster with X-Pack security

Elasticsearch moves very fast: when I first started playing with it we were on Elasticsearch 5, and it has already reached Elasticsearch 7. I hear that Elasticsearch 7.x no longer charges for part of X-Pack, so it can be hardened directly, but many companies still run Elasticsearch on 6.x. The biggest problem with Elasticsearch is that versions are not backward compatible: Elasticsearch 5 still had multiple mapping types per index, Elasticsearch 6 removed that concept outright, and so 5 cannot be upgraded straight to 6. Today, while writing the Java side, I discovered that the X-Pack client does not even share a parent class with the client we had been using, which is a real headache.

I. Overview

Versions before Elasticsearch 6 required installing X-Pack separately. This article is based on ES 6.6.2, which ships with X-Pack by default.

II. Enabling and configuring X-Pack

1. Enable the license mechanism

curl -H "Content-Type:application/json" -XPOST http://localhost:9200/_xpack/license/start_trial?acknowledge=true
{"acknowledged":true,"trial_was_started":true,"type":"trial"}

This shows that the trial has been started. Running the _license command now shows the state of the Elasticsearch license:

[root@node14 es]# curl -XGET http://127.0.0.1:9200/_license
{
  "license" : {
    "status" : "active",
    "uid" : "8529d6f9-2bb5-4116-800b-d8ca19ce3600",
    "type" : "trial",
    "issue_date" : "2019-12-03T07:49:02.864Z",
    "issue_date_in_millis" : 1575359342864,
    "expiry_date" : "2020-01-02T07:49:02.864Z",
    "expiry_date_in_millis" : 1577951342864,
    "max_nodes" : 1000,
    "issued_to" : "powercloud_log",
    "issuer" : "elasticsearch",
    "start_date_in_millis" : -1
  }
}

Since this is a paid feature, the trial can in fact only be used for 30 days.
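As an added example (not from the original post), a small Python check that reads the _license response shown above and reports the license type, the trial length and the days left, so an expiring trial is noticed before it lapses. The embedded JSON is the post's own response, trimmed to the fields used.

```python
# Added example (not from the post): summarise a _license response so a
# trial or expired license is caught early. LICENSE_JSON is the response
# from the post, trimmed to the fields this check needs.
import json
from datetime import datetime, timezone

LICENSE_JSON = """{ "license" : { "status" : "active", "type" : "trial",
  "issue_date_in_millis" : 1575359342864, "expiry_date_in_millis" : 1577951342864,
  "max_nodes" : 1000, "issued_to" : "powercloud_log", "issuer" : "elasticsearch" } }"""


def _ms(ms):
    """Convert an Elasticsearch *_in_millis value to an aware UTC datetime."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def license_report(raw, now=None):
    """Summarise a _license response; `now` defaults to the current UTC time."""
    lic = json.loads(raw)["license"]
    issued = _ms(lic["issue_date_in_millis"])
    expires = _ms(lic["expiry_date_in_millis"])
    now = now or datetime.now(timezone.utc)
    return {
        "type": lic["type"],
        "status": lic["status"],
        "valid_days": (expires - issued).days,   # total validity window
        "days_left": (expires - now).days,       # negative once expired
        # A trial, or a license that has already expired, needs replacing.
        "needs_action": lic["type"] == "trial" or expires <= now,
    }


if __name__ == "__main__":
    # Evaluate at the issue date: the post's trial is exactly 30 days long.
    print(license_report(LICENSE_JSON, now=_ms(1575359342864)))
```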

2. Change the configuration to enable security

vim config/elasticsearch.yml

Add this setting:

xpack.security.enabled: true

Restart Elasticsearch after the change.

3. Set usernames and passwords

[root@node14 config]# ./bin/elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y


Enter password for [elastic]: 
Reenter password for [elastic]: 
Enter password for [apm_system]: 
Reenter password for [apm_system]: 
Enter password for [kibana]: 
Reenter password for [kibana]: 
Enter password for [logstash_system]: 
Reenter password for [logstash_system]: 
Enter password for [beats_system]: 
Reenter password for [beats_system]: 
Enter password for [remote_monitoring_user]: 
Reenter password for [remote_monitoring_user]: 
Passwords do not match.
Try again.
Enter password for [remote_monitoring_user]: 
Reenter password for [remote_monitoring_user]: 
Passwords do not match.
Try again.
Enter password for [remote_monitoring_user]: 
Reenter password for [remote_monitoring_user]: 
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]

I set all the passwords here to elastic.

4. Check the license

Now you will find that the password we just set is required to log in.

5. Cracking X-Pack

Don't blink here: just like in your calculus class, the moment you bend down to pick up a pen you may never follow the course again.
Create two Java files:
(1) LicenseVerifier.java

package org.elasticsearch.license;
import java.nio.*; 
import java.util.*;
import java.security.*;
import org.elasticsearch.common.xcontent.*;
import org.apache.lucene.util.*;
import org.elasticsearch.common.io.*;
import java.io.*;

public class LicenseVerifier {
    public static boolean verifyLicense(final License license, final byte[] encryptedPublicKeyData) {
        return true;
    }

    public static boolean verifyLicense(final License license) {
        return true;
    }
}

(2) XPackBuild.java

package org.elasticsearch.xpack.core;
import org.elasticsearch.common.io.*;
import java.net.*;
import org.elasticsearch.common.*;
import java.nio.file.*;
import java.io.*;
import java.util.jar.*;

public class XPackBuild {
    public static final XPackBuild CURRENT;
    private String shortHash;
    private String date;

    @SuppressForbidden(reason = "looks up path of xpack.jar directly")
    static Path getElasticsearchCodebase() {
        final URL url = XPackBuild.class.getProtectionDomain().getCodeSource().getLocation();
        try {
            return PathUtils.get(url.toURI());
        } catch (URISyntaxException bogus) {
            throw new RuntimeException(bogus);
        }
    }

    XPackBuild(final String shortHash, final String date) {
        this.shortHash = shortHash;
        this.date = date;
    }

    public String shortHash() {
        return this.shortHash;
    }

    public String date() {
        return this.date;
    }

    static {
        final Path path = getElasticsearchCodebase();
        String shortHash = null;
        String date = null;
        Label_0157: {
            shortHash = "Unknown";
            date = "Unknown";
        }
        CURRENT = new XPackBuild(shortHash, date);
    }
}

Compile them to .class files:

[root@node14 lib]# javac -cp "/app/soft/elasticsearch-6.6.2/lib/elasticsearch-6.6.2.jar:/app/soft/elasticsearch-6.6.2/lib/lucene-core-7.6.0.jar:/app/soft/elasticsearch-6.6.2/modules/x-pack-core/x-pack-core-6.6.2.jar:/app/soft/elasticsearch-6.6.2/lib/elasticsearch-core-6.6.2.jar" LicenseVerifier.java
[root@node14 lib]# javac -cp "/app/soft/elasticsearch-6.6.2/lib/elasticsearch-6.6.2.jar:/app/soft/elasticsearch-6.6.2/lib/lucene-core-7.6.0.jar:/app/soft/elasticsearch-6.6.2/modules/x-pack-core/x-pack-core-6.6.2.jar:/app/soft/elasticsearch-6.6.2/lib/elasticsearch-core-6.6.2.jar" XPackBuild.java

The goal now is to replace the corresponding two .class files inside the x-pack package:

[root@node14 lib]# mkdir x-pack-core-6.6.2
[root@node14 lib]# unzip ../modules/x-pack-core/x-pack-core-6.6.2.jar -d x-pack-core-6.6.2/

The extracted tree is now visible. Copy the new classes into the extracted directory:

[root@node14 lib]# cp LicenseVerifier.class x-pack-core-6.6.2/org/elasticsearch/license/
cp:是否覆盖"x-pack-core-6.6.2/org/elasticsearch/license/LicenseVerifier.class"? y
[root@node14 lib]# cp XPackBuild.class x-pack-core-6.6.2/org/elasticsearch/xpack/core/
cp:是否覆盖"x-pack-core-6.6.2/org/elasticsearch/xpack/core/XPackBuild.class"? y

Build the jar:

cd x-pack-core-6.6.2
jar -cvf x-pack-core-6.6.2.jar *

The jar now exists in this directory. Replace the old jar with it:

mv modules/x-pack-core/x-pack-core-6.6.2.jar modules/x-pack-core/x-pack-core-6.6.2.jar_bak
cp lib/x-pack-core-6.6.2.jar modules/x-pack-core/

6. Modify the configuration file

vim config/elasticsearch.yml

Add xpack.security.transport.ssl.enabled: true

7. Restart

8. Register a free "Free Basic License" on the official site

https://register.elastic.co/registration
Edit the downloaded file: mainly change type to platinum and move expiry_date_in_millis out to the year 2100:

{"license":{"uid":"b0bf08f2-3092-4ef7-83c3-f4e7a55f1907","type":"platinum","issue_date_in_millis":1575331200000,"expiry_date_in_millis":4104439611971,"max_nodes":100,"issued_to":"Young Lu (powersi)","issuer":"Web Form","signature":"AAAAAwAAAA0EywvzQfJ8binnR+HoAAABmC9ZN0hjZDBGYnVyRXpCOW5Bb3FjZDAxOWpSbTVoMVZwUzRxVk1PSmkxaktJRVl5MUYvUWh3bHZVUTllbXNPbzBUemtnbWpBbmlWRmRZb25KNFlBR2x0TXc2K2p1Y1VtMG1UQU9TRGZVSGRwaEJGUjE3bXd3LzRqZ05iLzRteWFNekdxRGpIYlFwYkJiNUs0U1hTVlJKNVlXekMrSlVUdFIvV0FNeWdOYnlESDc3MWhlY3hSQmdKSjJ2ZTcvYlBFOHhPQlV3ZHdDQ0tHcG5uOElCaDJ4K1hob29xSG85N0kvTWV3THhlQk9NL01VMFRjNDZpZEVXeUtUMXIyMlIveFpJUkk2WUdveEZaME9XWitGUi9WNTZVQW1FMG1DenhZU0ZmeXlZakVEMjZFT2NvOWxpZGlqVmlHNC8rWVVUYzMwRGVySHpIdURzKzFiRDl4TmM1TUp2VTBOUlJZUlAyV0ZVL2kvVk10L0NsbXNFYVZwT3NSU082dFNNa2prQ0ZsclZ4NTltbU1CVE5lR09Bck93V2J1Y3c9PQAAAQAiwLIGKP6RwVb+9RCLo0jPIuwxy0BVFd03wk/pQ5TRt0NQGbixaE0SV3SdTELJK9jKvd8GQrKWllcfHam5H/X5LEtpueMXkuU/0lWgMFaPmV9bReJ1CtiY0qQTazEm0woHtYsNtO8pH3g8YFdneXuFKQ48fOdvlV0WomzrdMDAwDPnLy4w9R38n0glmU/LKlkj9nOqGSx0LiAATpueJvsV9U1jSaoPvCkpAARykFHhhJDbvHJyG8g1PF4YGLjSk25ny6HKOTL6weDUkGoEAbQYxVXSSbd6rpoCQaKWv4J2DRDfALHcsM9ywFy1x4fq7QEiJzFUdiX3YRz732oZN/nb","start_date_in_millis":1575331200000}}

Upload it to the server. I uploaded it into the config directory:

[root@node14 config]# curl -XPUT -u elastic:elastic 'http://127.0.0.1:9200/_xpack/license?acknowledge=true' -H "Content-Type: application/json" -d @young-lu-b0bf08f2-3092-4ef7-83c3-f4e7a55f1907-v5.json
{"acknowledged":true,"license_status":"valid"}
[root@node14 config]# curl -XGET -u elastic:elastic http://127.0.0.1:9200/_license
{
  "license" : {
    "status" : "active",
    "uid" : "b0bf08f2-3092-4ef7-83c3-f4e7a55f1907",
    "type" : "platinum",
    "issue_date" : "2019-12-03T00:00:00.000Z",
    "issue_date_in_millis" : 1575331200000,
    "expiry_date" : "2100-01-24T02:06:51.971Z",
    "expiry_date_in_millis" : 4104439611971,
    "max_nodes" : 100,
    "issued_to" : "Young Lu (powersi)",
    "issuer" : "Web Form",
    "start_date_in_millis" : 1575331200000
  }
}

III. Cluster configuration

1. Modify elasticsearch.yml

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
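As an added example (not part of the original post), a small offline audit script for the five settings above: it parses the flat key: value lines of an elasticsearch.yml without needing PyYAML and reports any hardening setting that is missing or weak. The two sample configurations inside it are constructed; the hardened one mirrors the block above, the weak one turns peer verification off.

```python
# Added example (not from the post): offline audit of the X-Pack hardening
# settings the post puts in elasticsearch.yml. Parses the flat 'key: value'
# lines itself (no PyYAML needed). Sample configs below are constructed.
import re

# Settings from the post's cluster config and the values that count as hardened;
# verification_mode 'none' would leave transport peers unverified.
REQUIRED = {
    "xpack.security.enabled": {"true"},
    "xpack.security.transport.ssl.enabled": {"true"},
    "xpack.security.transport.ssl.verification_mode": {"certificate", "full"},
}
PATH_KEYS = (  # must be present once transport TLS is on
    "xpack.security.transport.ssl.keystore.path",
    "xpack.security.transport.ssl.truststore.path",
)
_LINE = re.compile(r"^\s*([\w.]+)\s*:\s*(.*?)\s*$")

def parse_flat_yaml(text):
    """Parse top-level 'key: value' lines; comments and blank lines are skipped."""
    settings = {}
    for line in text.splitlines():
        m = _LINE.match(line.split("#", 1)[0])
        if m and m.group(2):
            settings[m.group(1)] = m.group(2).strip("'\"").lower()
    return settings

def audit(text):
    """Return sorted findings for one elasticsearch.yml; [] means all checks passed."""
    s, findings = parse_flat_yaml(text), []
    for key, ok in REQUIRED.items():
        val = s.get(key)
        if val is None:
            findings.append(f"missing {key}")
        elif val not in ok:
            findings.append(f"weak {key}={val}")
    if s.get("xpack.security.transport.ssl.enabled") == "true":
        findings += [f"missing {k}" for k in PATH_KEYS if k not in s]
    return sorted(findings)

# Constructed samples: the post's hardened config and a weak variant.
HARDENED = """xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12"""
WEAK = ("xpack.security.enabled: true\n"
        "xpack.security.transport.ssl.enabled: true\n"
        "xpack.security.transport.ssl.verification_mode: none  # peers unverified")
print("hardened:", audit(HARDENED) or "OK", "| weak:", audit(WEAK))
```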

2. Generate certificates

[root@node14 bin]# bin/elasticsearch-certutil ca
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.

Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority

By default the 'ca' mode produces a single PKCS#12 output file which holds:
    * The CA certificate
    * The CA's private key

If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key

Please enter the desired output file [elastic-stack-ca.p12]: 
Enter password for elastic-stack-ca.p12 : 
[root@node14 bin]# bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'cert' mode generates X.509 certificate and private keys.
    * By default, this generates a single certificate and key for use
       on a single instance.
    * The '-multiple' option will prompt you to enter details for multiple
       instances and will generate a certificate and key for each one
    * The '-in' option allows for the certificate generation to be automated by describing
       the details of each instance in a YAML file

    * An instance is any piece of the Elastic Stack that requires a SSL certificate.
      Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
      may all require a certificate and private key.
    * The minimum required value for each instance is a name. This can simply be the
      hostname, which will be used as the Common Name of the certificate. A full
      distinguished name may also be used.
    * A filename value may be required for each instance. This is necessary when the
      name would result in an invalid file or directory name. The name provided here
      is used as the directory name (within the zip) and the prefix for the key and
      certificate files. The filename is required if you are prompted and the name
      is not displayed in the prompt.
    * IP addresses and DNS names are optional. Multiple values can be specified as a
      comma separated string. If no IP addresses or DNS names are provided, you may
      disable hostname verification in your SSL configuration.

    * All certificates generated by this tool will be signed by a certificate authority (CA).
    * The tool can automatically generate a new CA for you, or you can provide your own with the
         -ca or -ca-cert command line options.

By default the 'cert' mode produces a single PKCS#12 output file which holds:
    * The instance certificate
    * The private key for the instance certificate
    * The CA certificate

If you specify any of the following options:
    * -pem (PEM formatted output)
    * -keep-ca-key (retain generated CA key)
    * -multiple (generate multiple certificates)
    * -in (generate certificates from an input file)
then the output will be be a zip file containing individual certificate/key files

Enter password for CA (elastic-stack-ca.p12) : 
Please enter the desired output file [elastic-certificates.p12]: 
Enter password for elastic-certificates.p12 : 

Certificates written to /app/soft/elasticsearch-6.6.2/bin/elastic-certificates.p12

This file should be properly secured as it contains the private key for 
your instance.

This file is a self contained file and can be copied and used 'as is'
For each Elastic product that you wish to configure, you should copy
this '.p12' file to the relevant configuration directory
and then follow the SSL configuration instructions in the product guide.

For client applications, you may only need to copy the CA certificate and
configure the client to trust this certificate.

The first step produced the file elastic-stack-ca.p12; the second produced elastic-certificates.p12.

3. Store the passwords in the keystore:

[root@node14 elasticsearch-6.6.2]# bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
Enter value for xpack.security.transport.ssl.keystore.secure_password: 

[root@node14 elasticsearch-6.6.2]# bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
Enter value for xpack.security.transport.ssl.truststore.secure_password: 

4. Copy the configuration to the other machines in the cluster

Copy elasticsearch.keystore and elastic-certificates.p12 into the config directory on each node, then restart:

[root@node14 log]# curl -u elastic:elastic -XGET http://127.0.0.1:9200/_cat/health?v
epoch      timestamp cluster        status node.total node.data shards pri relo init unassign pending_tasks max_task_wait_time active_shards_percent
1575365534 09:32:14  powercloud_log green           2         2      2   1    0    0        0             0                  -                100.0%