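Elasticsearch + X-Pack and connecting via the Java Transport client
This article only records the encryption setup and the connection configuration process. If any of the terms are unfamiliar, please look them up yourself.
I. Software and dependency versions
Name | Version |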
---|---|
Elasticsearch | 6.8.11 |
X-pack | 6.8.11 |
jdk | 1.8.0_191 |
spring-boot-starter-data-elasticsearch | 2.1.1.RELEASE |
x-pack-transport | 6.8.11 |
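II. Modifying x-pack-core.jar
The X-Pack monitoring component is a paid product. This article is for personal research and practice only; using a licensed copy is recommended.
Follow the steps below to decompile x-pack-core-6.8.11.jar, then replace the x-pack-core-6.8.11.jar in the Elasticsearch directory with the modified one.
Location of x-pack-core-6.8.11.jar: elasticsearch-6.8.11/modules/x-pack-core/x-pack-core-6.8.11.jar
1. Decompile x-pack-core-6.8.11.jar with the IDEA plugin (java-decompiler)
The java-decompiler plugin is under plugins in the IDEA installation directory, for example: D:\Program Files\JetBrains\IntelliJ IDEA 2019.1.3\plugins\java-decompiler\lib\java-decompiler.jar
Decompile the jar with the command below. When it finishes, a source jar is generated in the specified directory; extract it with an archive tool.
```
# The ./x-pack-core-6.8.11 directory name is arbitrary, but it must be created manually beforehand, otherwise decompilation fails
java -cp "D:\Program Files\JetBrains\IntelliJ IDEA 2019.1.3\plugins\java-decompiler\lib\java-decompiler.jar" org.jetbrains.java.decompiler.main.decompiler.ConsoleDecompiler -dhs=true ./x-pack-core-6.8.11.jar ./x-pack-core-6.8.11
```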
2. Modify the source files LicenseVerifier.java and XPackBuild.java
LicenseVerifier.java path: x-pack-core-6.8.11/org/elasticsearch/license/LicenseVerifier.java
XPackBuild.java path: x-pack-core-6.8.11/org/elasticsearch/xpack/core/XPackBuild.java
The modified files are as follows:
LicenseVerifier.java
```java
package org.elasticsearch.license;

import java.nio.*;
import java.util.*;
import java.security.*;
import org.elasticsearch.common.xcontent.*;
import org.apache.lucene.util.*;
import org.elasticsearch.common.io.*;
import java.io.*;

public class LicenseVerifier {
    // Modified: returns true without checking the license signature
    public static boolean verifyLicense(License license, byte[] publicKeyData) {
        return true;
    }

    // Modified: returns true without checking the license signature
    public static boolean verifyLicense(License license) {
        return true;
    }
}
```
XPackBuild.java
```java
package org.elasticsearch.xpack.core;

import org.elasticsearch.common.io.*;
import java.net.*;
import org.elasticsearch.common.*;
import java.nio.file.*;
import java.io.*;
import java.util.jar.*;

public class XPackBuild {
    public static final XPackBuild CURRENT;
    private String shortHash;
    private String date;

    @SuppressForbidden(
        reason = "looks up path of xpack.jar directly"
    )
    static Path getElasticsearchCodebase() {
        URL url = XPackBuild.class.getProtectionDomain().getCodeSource().getLocation();
        try {
            return PathUtils.get(url.toURI());
        } catch (URISyntaxException var2) {
            throw new RuntimeException(var2);
        }
    }

    XPackBuild(String shortHash, String date) {
        this.shortHash = shortHash;
        this.date = date;
    }

    public String shortHash() {
        return this.shortHash;
    }

    public String date() {
        return this.date;
    }

    static {
        final Path path = getElasticsearchCodebase();
        String shortHash = null;
        String date = null;
        // Modified: build hash and date are fixed to "Unknown"
        Label_0157: {
            shortHash = "Unknown";
            date = "Unknown";
        }
        CURRENT = new XPackBuild(shortHash, date);
    }
}
```
3. Compile the modified LicenseVerifier.java and XPackBuild.java
Compilation is done on the Linux host that runs the Elasticsearch service.
Required dependencies:
Name | Path |
---|---|
elasticsearch-6.8.11.jar | elasticsearch-6.8.11/lib/elasticsearch-6.8.11.jar |
elasticsearch-core-6.8.11.jar | elasticsearch-6.8.11/lib/elasticsearch-core-6.8.11.jar |
lucene-core-7.7.3.jar | elasticsearch-6.8.11/lib/lucene-core-7.7.3.jar |
x-pack-core-6.8.11.jar | elasticsearch-6.8.11/modules/x-pack-core/x-pack-core-6.8.11.jar |
Put the dependency jars and the modified LicenseVerifier.java and XPackBuild.java in the same directory, then run the following commands to compile:
```
javac -cp "lucene-core-7.7.3.jar:elasticsearch-6.8.11.jar:x-pack-core-6.8.11.jar" LicenseVerifier.java
javac -cp "lucene-core-7.7.3.jar:elasticsearch-6.8.11.jar:x-pack-core-6.8.11.jar:elasticsearch-core-6.8.11.jar" XPackBuild.java
```
After compilation, LicenseVerifier.class and XPackBuild.class are generated in the current directory.
4. Replace the LicenseVerifier.class and XPackBuild.class files
Open the original x-pack-core-6.8.11.jar with an archive tool and replace the corresponding entries in the jar with the newly compiled LicenseVerifier.class and XPackBuild.class.
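III. Adding the Elasticsearch security configuration
1. Append the following setting to the end of elasticsearch.yml, then restart the Elasticsearch service
```yaml
xpack.security.enabled: false
```
2. Save the license information below on the server in a file named license.json. The license given here is valid until 2050; type: platinum marks it as a platinum subscription, and expiry_date_in_millis is the expiry date.
Alternatively, apply for a license on the official site (https://license.elastic.co/registration)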
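3. Import the license
In the directory containing license.json, run the import command below; elastic is the user name used for authentication.
```
curl -XPUT -u elastic 'http://192.168.1.100:9200/_xpack/license' -H "Content-Type: application/json" -d @license.json
```
4. After the import succeeds, edit elasticsearch.yml to turn on X-Pack security and restart Elasticsearch. Add the following:
```yaml
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
```
5. After the restart, run the following command in the Elasticsearch directory to initialize the passwords
```
./bin/elasticsearch-setup-passwords interactive
```
6. Open port 9200 in a browser and enter the user name and password when prompted to view the Elasticsearch information.
The following steps are for client connection authentication or cluster connection authentication.
7. In the Elasticsearch program directory, run the command below to generate a certificate authority. You will be prompted for a password, which protects access to the certificate; it can be left unset.
```
elasticsearch-certutil ca
```
8. In the Elasticsearch program directory, run the command below to generate the certificate and key. As above, you will be prompted for a password, which can likewise be left unset.
```
elasticsearch-certutil cert --ca elastic-stack-ca.p12
```
9. Place the generated certificate file elastic-certificates.p12 under conf/certs in the Elasticsearch directory. If the certs directory does not exist, create it with mkdir.
```
# Run in the Elasticsearch directory
mkdir -p conf/certs
```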
10. Edit elasticsearch.yml and add the TLS/SSL configuration for encrypting Transport communication, or for HTTPS access, as needed. Here I only use the TLS/SSL Transport configuration. Restart the Elasticsearch service after the change.
TLS/SSL configuration for Transport communication:
```yaml
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
# Use / as the path separator on Linux
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
```
HTTPS access configuration:
```yaml
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: certs/elastic-certificates.p12
```
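
An added example (not from the original article) that audits the flat elasticsearch.yml settings from steps 4 and 10: it reports a layer left unencrypted, a backslash in a keystore or truststore path, and a verification_mode that does not check hostnames. The function names and the sample configuration are constructed for illustration.

```python
def parse_flat_yaml(text):
    """Parse the flat 'key: value' lines used in elasticsearch.yml (no nesting)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit(text):
    """Return sorted (setting, finding) pairs for the security settings above."""
    s = parse_flat_yaml(text)
    findings = []
    if s.get("xpack.security.enabled") != "true":
        findings.append(("xpack.security.enabled", "security not explicitly enabled"))
    for layer in ("transport", "http"):
        prefix = "xpack.security.%s.ssl." % layer
        if s.get(prefix + "enabled") != "true":
            findings.append((prefix + "enabled", "%s traffic is not encrypted" % layer))
            continue
        for store in ("keystore.path", "truststore.path"):
            if "\\" in s.get(prefix + store, ""):
                findings.append((prefix + store, "backslash is not a separator on Linux"))
    # 'full' (the default) also checks the hostname; 'certificate' only checks the CA chain
    mode = s.get("xpack.security.transport.ssl.verification_mode", "full")
    if mode != "full":
        findings.append(("xpack.security.transport.ssl.verification_mode",
                         "mode '%s' skips hostname verification" % mode))
    return sorted(findings)


# Constructed sample: transport TLS on with one Windows-style path, HTTP TLS absent.
SAMPLE = r"""
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs\elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
"""

if __name__ == "__main__":
    for setting, finding in audit(SAMPLE):
        print(setting, "->", finding)
```

With HTTP TLS left off, the `curl -u elastic` call and the browser login on port 9200 send the password unencrypted, which is what the first finding for the sample points at.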
IV. Java client Transport connection configuration
1. Elasticsearch configuration in pom.xml
```xml
<properties>
    <elastic.version>6.8.11</elastic.version>
</properties>
<dependencies>
    <!-- Elasticsearch dependencies: start -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-data-elasticsearch</artifactId>
        <exclusions>
            <exclusion>
                <groupId>org.elasticsearch.client</groupId>
                <artifactId>x-pack-transport</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.elasticsearch.plugin</groupId>
                <artifactId>transport-netty4-client</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.elasticsearch.client</groupId>
                <artifactId>transport</artifactId>
            </exclusion>
        </exclusions>
    </dependency>
    <dependency>
        <groupId>org.elasticsearch.client</groupId>
        <artifactId>x-pack-transport</artifactId>
        <version>${elastic.version}</version>
        <exclusions>
            <exclusion>
                <groupId>org.elasticsearch.client</groupId>
                <artifactId>transport</artifactId>
            </exclusion>
        </exclusions>
    </dependency>
    <dependency>
        <groupId>org.elasticsearch.plugin</groupId>
        <artifactId>transport-netty4-client</artifactId>
        <version>${elastic.version}</version>
    </dependency>
    <dependency>
        <groupId>org.elasticsearch.client</groupId>
        <artifactId>transport</artifactId>
        <version>${elastic.version}</version>
        <exclusions>
            <exclusion>
                <groupId>org.elasticsearch</groupId>
                <artifactId>elasticsearch</artifactId>
            </exclusion>
        </exclusions>
    </dependency>
    <dependency>
        <groupId>org.elasticsearch</groupId>
        <artifactId>elasticsearch</artifactId>
        <version>${elastic.version}</version>
    </dependency>
    <!-- Elasticsearch dependencies: end -->
</dependencies>
```
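2. application.properties configuration; remove any existing spring.data.elasticsearch settings
```properties
# Cluster name (must match cluster.name in elasticsearch.yml)
elasticsearch.cluster-name=192.168.1.100
# Node address
elasticsearch.cluster-nodes=192.168.1.100:9300
# Credentials, in user:password form
elasticsearch.cluster-password=elastic:123456
# Path to the certificate file; it must be the same certificate configured in elasticsearch.yml, otherwise verification fails
elasticsearch.cert-path=/data/certs/elastic-certificates.p12
# Whether SSL is enabled
elasticsearch.ssl-enabled=true
```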
3. Elasticsearch configuration bean
```java
import org.elasticsearch.client.transport.TransportClient;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import java.net.InetAddress;
import java.net.UnknownHostException;

/**
 * Elasticsearch configuration
 *
 * @author allen
 * @version 1.0
 * @className ElasticsearchConfiguration
 * @description Elasticsearch configuration
 * @date 2021-01-21 0021 PM 16:48
 **/
@Configuration
@ConfigurationProperties(prefix = "elasticsearch")
public class ElasticsearchConfiguration {
    private String clusterName;
    private String clusterNodes;
    private String clusterPassword;
    private String certPath;
    private boolean sslEnabled;

    /**
     * Elasticsearch client bean (configuration)
     *
     * @return the configured transport client
     */
    @Bean
    public TransportClient transportClient() {
        PreBuiltXPackTransportClient client = new PreBuiltXPackTransportClient(settings());
        // clusterNodes is a comma-separated list of host:port pairs
        for (String node : clusterNodes.split(",")) {
            String[] hostAndPort = node.trim().split(":");
            try {
                int port = Integer.parseInt(hostAndPort[1]);
                client.addTransportAddress(new TransportAddress(InetAddress.getByName(hostAndPort[0]), port));
            } catch (UnknownHostException e) {
                // Fail startup instead of handing Spring a null bean
                client.close();
                throw new IllegalStateException("Cannot resolve Elasticsearch node: " + node, e);
            }
        }
        return client;
    }

    private Settings settings() {
        Settings.Builder builder = Settings.builder();
        // The cluster name has to match the server whether or not SSL is enabled
        builder.put("cluster.name", clusterName);
        if (sslEnabled) {
            // Credentials in user:password form
            builder.put("xpack.security.user", clusterPassword);
            builder.put("xpack.security.enabled", sslEnabled);
            // The same PKCS#12 file serves as keystore and truststore
            builder.put("xpack.security.transport.ssl.keystore.path", certPath);
            builder.put("xpack.security.transport.ssl.truststore.path", certPath);
            builder.put("xpack.security.transport.ssl.verification_mode", "certificate");
            builder.put("xpack.security.transport.ssl.enabled", sslEnabled);
            builder.put("client.transport.sniff", true);
            builder.put("thread_pool.search.size", 10);
        }
        return builder.build();
    }

    public void setClusterName(String clusterName) {
        this.clusterName = clusterName;
    }

    public void setClusterNodes(String clusterNodes) {
        this.clusterNodes = clusterNodes;
    }

    public void setClusterPassword(String clusterPassword) {
        this.clusterPassword = clusterPassword;
    }

    public void setCertPath(String certPath) {
        this.certPath = certPath;
    }

    public void setSslEnabled(boolean sslEnabled) {
        this.sslEnabled = sslEnabled;
    }
}
```
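V. Conclusion
That completes all of the configuration. During setup, pay particular attention to the Elasticsearch dependency versions on the Java side and to the certificate steps: not only does the Elasticsearch service need the certificate configured, the Java client does as well, and authentication will not succeed without it.
This article is also a record of this configuration work and part of my technical growth; feedback is welcome.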